Lee Tien writes:
Our main conclusion: Kerry-McCain would preempt many state privacy laws, because § 405(a) of the bill expressly preempts all state laws “relating to” covered entities “to the extent that such provisions relate to the collection, use, or disclosure of” either “covered information” as defined in the bill or “personally identifiable information or personal identification information addressed in provisions of the law of a State.” (There are some carve-outs for state laws concerning the collection, use, or disclosure of health or financial information, required notifications pursuant to a data breach, and state laws that “relate to acts of fraud.” § 405(b)(2).)
The broad scope of preemption results from three factors. First, a comprehensive privacy law—regulating offline as well as online activity—by definition runs into the many state laws that currently protect information privacy. Second, Kerry-McCain isn’t a federal “floor” law like the Wiretap Act. It’s the opposite, setting a federal “ceiling.” So if it were enacted, states would be hampered from passing stronger protections for consumer privacy. Third, Kerry-McCain reaches entities like common carriers and non-profit organizations that the Federal Trade Commission (which under the bill would develop regulations) normally can’t regulate.
Read more on EFF.