There is a concept in the United States Constitution known as the supremacy clause; found in article 6 clause 2, it states that federal law serves as the supreme law of the land and therefor would invalidate any conflicting state law. A consequence of this fact relates to a classic federalism concept, state innovation versus federal supremacy. When California enacted the California Consumer Privacy Act and then voters at the ballot added the California Privacy Rights Act with proposition 24, they created a direct political challenge to federal authority by stepping into a policy vacuum which congress had not yet filed. The CCPA and CPRA therefore sent the national legislature into a debate about preemption, forcing policymakers to confront whether federal privacy law should override California’s standards, adopt them as a national baseline, or allow states to continue shaping privacy policy independently. This struggle over regulatory authority and preemption forms the central political implication of the CCPA and CPRA, shaping how lawmakers respond, why they take their positions, and what ramifications follow for national privacy governance.
Preemption related to privacy law and where congress has historically played a role in the landscape is covered in a report prepared by Chris Linebaugh, a Washington DC Litigation Attorney. “There is no single comprehensive federal law governing companies’ data privacy practices. Rather, Congress has enacted various privacy laws that are primarily directed at certain industries and subcategories of data (Linebaugh, 2025)”. These sectoral or “sector specific” laws include COPPA for protecting children, the Fair Credit Reporting Act, the GLBA for financial institutions, and HIPAA for those who handle patient identifying information.
These laws contain inclusive preemption provisions that make regulations like GLBA and HIPAA a federal ‘floor’ rather than a ‘ceiling’ allowing states to enact more stringent requirements if they elect to (Linebaugh, 2025). After California passed the CCPA in 2018, as a ripple effect, 18 other states enacted their own comprehensive privacy laws. These laws feature similar language and structure while differing in the agreed upon parameters such as the income threshold where the law becomes applicable and only most required businesses to allow consumers to opt out of having their data sold to third parties. Many also pushed an “opt-out” strategy rather than an “opt-in”, placing the burden of protecting privacy information on the consumer rather than the business.
To reconcile these differences, in 2022 congress introduced the American Data Privacy Protection Act which failed to gain support in the 117th congress as its provisions included excluding preemption conditions which nullified most of the protections offered by the CPRA including those against inferences made from data collected. The introduction of the ADPPA reflected growing pressure on Congress to respond to California’s increasingly influential privacy regime and the expanding patchwork of state laws it inspired. However, the bill ultimately failed because lawmakers could not agree on the scope of federal preemption. “Since California passed the CCPA (and the CPRA), several other states have passed data privacy legislation, but none of them provide the protection that California law does. The protection is not as comprehensive as the CCPA if for no other reason, because of the states’ failure to include protection for inferences” (Blanke, 2022).
As noted by Jacklin Lee, the CCPA and CPRA have become models for subsequent privacy regulation at both state and federal levels, demonstrating how a single state policy can have influential bounds that extend far beyond its borders (Lee, 2024). Additional ramifications of the adoption of the CPRA combined with the failure of a national encompassing privacy policy include the emergence of a fragmented legal landscape, increased operational burden for business who operate in multiple states, and growing political divide over what level of privacy protection should serve as the national standard. Together, these developments demonstrate that the political implications of the CCPA and CPRA lie not only in their immediate privacy protections, but in how they have exposed the deep federalism tensions that make it difficult for policymakers to craft a unified national privacy framework that is acceptable to all Americans.
References:
Blanke, J. M. (2022). Richmond. Richmond Journal of Law and Technology. https://jolt.richmond.edu/files/2022/11/Blanke-Manuscript-Final.pdf
Lee, J. (2024). UC Law SF International Law Review UC law SF international law review. https://repository.uclawsf.edu/cgi/viewcontent.cgi?article=1691&=&context=hastings_international_comparative_law_review
Linebaugh, C. D. (2025, August 29). Preemption and privacy law | congress.gov | library of Congress. congress.gov | library of Congress. https://www.congress.gov/crs-product/R48667