Study Guide: Certified Information Privacy Professional (CIPP): US - Preemption and Federal vs. State Privacy Laws
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-preemption-and-federal-vs-state-privacy-laws

Certified Information Privacy Professional (CIPP): US - Preemption and Federal vs. State Privacy Laws

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What This Is

Preemption is the legal doctrine that determines whether a federal privacy law (or a federal regulation) “takes precedence” over a state-level privacy statute. In the U.S., the interplay between federal statutes such as HIPAA, GLBA, or the FTC Act and state laws like the CCPA/CPRA, NY SHIELD, or Virginia’s CDPA can dictate which rules a company must follow, when both apply, and whether state-level requirements can be overridden.

Real-world example: A health-tech startup based in California collects patient-generated health data through a mobile app. The data are stored on servers in Texas. The company must comply with HIPAA (federal) and California’s Consumer Privacy Act (state). Understanding preemption tells the startup whether the stricter HIPAA safeguards automatically satisfy the CCPA, or whether the CCPA imposes additional obligations (e.g., a right to delete that HIPAA does not create).


Key Terms & Provisions

  • Preemption: The principle that a higher-order law (federal) displaces a lower-order law (state) when the two conflict or when Congress has “occupied the field.”
  • Supremacy Clause (U.S. Const. art. VI, §2): Federal law is the supreme law of the land; state laws that conflict with it are invalid.
  • Express Preemption Clause: Language in a federal statute that explicitly states that the law “shall preempt any state law that is inconsistent” (e.g., HIPAA’s § 164.502(a)(1)(i)).
  • Implied Preemption (Field Preemption): Occurs when Congress intends to occupy an entire regulatory field, leaving no room for state regulation (e.g., the FTC Act’s broad authority over unfair or deceptive acts).
  • Conflict Preemption: Happens when compliance with both federal and state law is impossible, or when the state law adds a requirement that “stands as an obstacle” to the federal scheme.
  • HIPAA (Federal): Governs “covered entities” and “business associates” handling protected health information (PHI). Preempts state statutes that are “inconsistent” with its privacy and security rules.
  • CCPA/CPRA (California): Grants California residents rights to access, delete, and opt out of the sale of personal information. Does not preempt HIPAA; HIPAA-covered data are exempt from the CCPA’s consumer rights.
  • GLBA (Gramm-Leach-Bliley Act): Federal rule for financial institutions; preempts state laws that are “inconsistent” with its privacy rule, but not those that are “more protective.”
  • FTC Act (Section 5): Federal “catch-all” that can preempt state statutes only when the state law is less protective than the FTC’s standards.
  • State-Specific “More Protective” Exception: Many statutes (e.g., CCPA, NY SHIELD) expressly state that they apply in addition to any federal law, unless the federal law expressly preempts.

Step-by-Step Process Flow

  1. Identify the Data & Applicable Laws – Catalog the data type (PHI, financial, consumer, employee) and map the relevant federal statutes (HIPAA, GLBA, FTC Act, etc.).
  2. Determine State Coverage – List all states where the organization has customers, employees, or operations; note each state’s privacy law (CCPA, CDPA, SHIELD, etc.).
  3. Check for Express Preemption Language – Review the federal statute for an express preemption clause; if present, note the scope (e.g., “any state law that is inconsistent”).
  4. Analyze Conflict & Field Preemption – If there is no express clause, ask: (a) Does compliance with both laws create an impossible situation? (b) Has Congress occupied the entire field? (c) Does the state law add a requirement that undermines the federal scheme?
  5. Apply the “More Protective” Rule – When the state law is more protective (e.g., stricter breach-notification timelines), it generally survives preemption unless the federal law expressly forbids it.
  6. Document the Preemption Determination – Record the analysis, the statutes consulted, and the final compliance path (federal-only, state-plus-federal, or state-only). Share it with legal counsel and update the privacy program accordingly.

Common Mistakes

  • Mistake: Assuming HIPAA automatically preempts all state privacy statutes.
    Correction: HIPAA preempts only inconsistent state laws; many state statutes (e.g., CCPA) expressly carve out HIPAA-covered data, so they coexist.

  • Mistake: Believing the FTC Act always preempts state consumer-privacy laws.
    Correction: The FTC’s authority preempts only when a state law is less protective; many state statutes are more protective and therefore remain enforceable.

  • Mistake: Ignoring “more protective” language and applying the stricter of two standards arbitrarily.
    Correction: Verify whether the federal statute expressly allows more protective state rules; if it is silent, the default is that the more protective rule can coexist unless it creates a conflict.

  • Mistake: Treating “opt-out” rights under the CCPA as a universal requirement for all personal data.
    Correction: The CCPA’s opt-out applies only to data not covered by HIPAA, GLBA, or other federal exemptions; verify the data classification first.

  • Mistake: Over-relying on a single “state-law checklist” without re-evaluating when federal guidance changes (e.g., new FTC guidance on data security).
    Correction: Maintain a living matrix that flags which federal statutes have express preemption clauses, and schedule periodic reviews when regulations are updated.


CIPP Exam Insights

  1. “Express vs. Implied” Preemption – Expect a question that asks you to pick the correct preemption type for HIPAA (express) versus the FTC Act (implied/field).
  2. “More Protective” Exception – Exams love to test whether a state law that is more protective than a federal rule survives; remember that the CCPA, NY SHIELD, and Virginia CDPA all contain such language.
  3. Scope of Federal Preemption – A classic trap: “Does the GLBA preempt the CCPA for all consumer data?” The correct answer is No; GLBA preempts only inconsistent state provisions that relate to financial-institution data.
  4. HIPAA & CCPA Interaction – Be ready to identify which data categories are exempt from the CCPA because of HIPAA (e.g., PHI held by a covered entity).

Quick Check Questions

  1. Scenario: A California-based e-commerce site collects email addresses and purchase histories from customers nationwide. The site also sells health-related supplements and stores customers’ self-reported health symptoms.
    Question: Which law preempts the CCPA for the health-symptom data?
    Answer: HIPAA does not preempt the CCPA because the site is not a HIPAA-covered entity; the health-symptom data are not PHI, so the CCPA applies.

  2. Scenario: A Texas bank processes credit-card transaction data and shares it with a third-party analytics vendor. The vendor is located in New York.
    Question: Can New York’s SHIELD Act impose stricter breach-notification timelines than the GLBA?
    Answer: Yes – SHIELD’s “more protective” clause allows it to apply in addition to the GLBA, so the bank must meet SHIELD’s 30-day breach-notification deadline.

  3. Scenario: A SaaS provider stores employee payroll data for a client in Illinois. The client asks whether the provider must comply with the Illinois Biometric Information Privacy Act (BIPA).
    Question: Does BIPA preempt the federal Fair Labor Standards Act (FLSA) regarding employee data?
    Answer: No – BIPA is a state law that is more protective and does not conflict with the FLSA; both can be enforced concurrently.


Last-Minute Cram Sheet (10 One-Liners)

  1. HIPAA’s §164.502(a)(1)(i) – Express preemption of any inconsistent state health-privacy law.
  2. GLBA’s “more protective” rule – State statutes that add protections survive unless they conflict with GLBA’s privacy rule.
  3. FTC Act §5 – Implied preemption only when a state law is less protective than the FTC’s unfair-practice standard.
  4. CCPA/CPRA exemption – PHI covered by HIPAA is exempt from the CCPA’s consumer-rights provisions.
  5. NY SHIELD Act – Applies to any business that conducts business in NY or processes NY residents’ data, regardless of physical presence.
  6. Virginia CDPA – Preempted only if a federal law expressly states preemption; otherwise, it coexists.
  7. California’s “more protective” language – The CCPA/CPRA survive federal preemption unless the federal law is expressly preemptive.
  8. Supremacy Clause – Federal law trumps state law only when there is a direct conflict or Congress has occupied the field.
  9. HIPAA vs. State “Right to Delete” – HIPAA does not create a right to delete; state “right-to-delete” statutes may still apply to non-PHI data.
  10. BIPA vs. FLSA – State biometric privacy law is not preempted by the federal labor law; both can be enforced simultaneously.