California’s dedicated privacy regulator is intensifying its campaign against federal legislation that could override the state’s landmark consumer privacy regime, setting up a new flashpoint in the broader battle between Washington and the states over who will shape the future of digital regulation.
The California Privacy Protection Agency (CPPA) is preparing a lobbying push against the proposed SECURE Data Act, a federal privacy bill that agency officials warn could preempt major portions of California’s consumer privacy laws and weaken the state’s enforcement authority.
According to a Bloomberg Law report, CPPA Executive Director Tom Kemp plans to travel to Washington this month to press lawmakers, including Republicans, to remove broad federal preemption language from the proposal and strengthen the legislation’s substantive privacy protections.
“You need that when you are looking at the data capture, collection, flows associated with trillion dollar companies,” Kemp told Bloomberg Law. “It’s critical to allow flexibility for the states to decide how they want to supplement, complement the enforcement of the privacy law.”
The fight highlights the increasingly contentious divide between states that have aggressively expanded privacy and AI oversight and a growing federal push for uniform national standards favored by many large businesses. Industry groups and companies have generally supported comprehensive federal privacy legislation on the grounds that a single national framework would reduce compliance burdens created by a patchwork of state rules.
But California officials argue that the SECURE Data Act, at least in its current form, would substantially weaken protections established under statutes including the California Consumer Privacy Act and the state’s Delete Act. The CPPA warned lawmakers in a letter that the bill could strip privacy rights from “tens of millions of people.”
The agency has emerged as one of the nation’s most aggressive state privacy enforcers since its creation. Bloomberg Law noted that the CPPA has already brought more than a dozen enforcement actions resulting in millions of dollars in penalties against companies including Ford Motor Co. and Todd Snyder Inc..
Critics of the federal proposal argue that the preemption language is sweeping enough to invalidate large numbers of state laws across the country.
“Interpreted broadly, the preemption provision could wipe out hundreds of laws in California alone, and thousands across the country,” Daniel Solove, director of the Privacy & Technology Law program at George Washington University Law School, told Bloomberg. “It would be an enormous mass slaughtering of laws.”
At a recent agency meeting in Sacramento, CPPA officials warned board members that the bill could have a “catastrophic effect” on California’s regulatory structure, per Bloomberg. Jennifer Urban, chair of the agency’s board, reiterated the agency’s opposition to broad federal override provisions.
“I will once again repeat that we cannot support any law that has a broad preemption provision in it,” Urban said. “We believe that all Americans should have privacy rights. It is unfortunate that this particular bill is so, very weak.”
Kemp also argued that many federal lawmakers remain unfamiliar with California-developed privacy mechanisms, such as the state’s opt-out preference signal framework and the DROP platform that enables consumers to request deletion of personal data held by registered data brokers through a single action.
The preemption concerns extend beyond consumer privacy statutes alone. Bloomberg Law reported that proposed amendments to the federal Gramm-Leach-Bliley Act could also override California rules governing privacy and data-sharing practices among financial institutions.
In a March letter to members of the House Financial Services Committee, CalPrivacy’s deputy director for policy and legislation, Maureen Mahoney, warned that the proposals could undermine both the CCPA and California’s financial privacy protections.
“By seeking to preempt the states, this proposal could significantly weaken privacy protections Californians currently enjoy under the CCPA and the CFIPA and would prevent states from responding to emerging threats and concerns,” Mahoney wrote.
The federal-state conflict is also expanding into AI governance. Kemp told Bloomberg Law that the Trump administration’s broader effort to preempt state AI laws has increased pressure on California’s developing regulations covering automated decision-making technologies and AI uses of personal data.
Despite the agency’s concerns, privacy analysts noted that the legislation remains subject to negotiation. Cobun Zweifel-Keegan of the International Association of Privacy Professionals told Bloomberg Law that lawmakers could still revise the language before passage to preserve some state authority.
