Why was the long-awaited federal privacy bill of 2022 so controversial among privacy advocates? The answer lies in one paragraph of the 143-page bill draft: the bill’s preemption provision. And that provision is not limited to this now-dead bill: It is likely to reincarnate in future federal privacy legislation. This Article assesses the risks that such a preemption provision would create for consumer data privacy. First, the Article narrows the scope of concern to only the prevention of future state laws. Other concerns, like preempting current state laws or forcing privacy cases into federal court, are likely to be of little consequence. Next, the Article divides the danger of preventing future state privacy laws into two buckets: (1) preventing laws that patch one of the privacy theories in the bill; and (2) preventing laws that introduce new privacy theories. The Article then examines the risks in both buckets. For the first bucket, the Article first sketches a novel framework for evaluating how an implementation of a privacy theory can ossify, and then applies that framework to the two implementations of privacy theories in the 2022 bill. For the second bucket, the Article evaluates whether the bill’s preemption provision preempts different privacy theories. Ultimately, this Article does not reach a conclusion about whether a strong consumer data privacy law could be worth preemption. Rather, it merely clarifies the risks so that privacy advocates can unite for—or against—future federal privacy bills.
