Both Congress and state legislatures enact privacy laws. The key question is whether a federal law preempts state law: HIPAA lets states pass stricter rules, while CAN-SPAM preempts stricter state email rules.
Both the federal Congress and state legislatures enact privacy and security laws, regulating uses of information, certain industries, certain data elements, or specific harms. Law-making power is shared: under the Tenth Amendment, powers not delegated to the federal government are reserved to the states.
The critical analysis is whether a federal law preempts - overrides - state law on the subject. Sometimes federal law sets a floor states may exceed; sometimes it bars stricter state rules entirely.
Floor (states may go stricter) vs. ceiling (federal preempts)
Law | Effect on state law
HIPAA Privacy Rule | States MAY pass stricter requirements (federal sets a floor)
CAN-SPAM Act (commercial email) | Federal PREEMPTS stricter state law; states cannot impose greater obligations
⚠️ Don't reverse the two examples
A classic trap: HIPAA allows stricter state laws, but CAN-SPAM preempts them. Memorize which way each cuts.
Key terms - quick answers
What is “Preemption”?
Where a federal law overrides state laws on the subject, so states cannot impose stricter requirements.
What is “Tenth Amendment”?
Reserves to the states (or the people) all powers not delegated to the federal government nor prohibited to the states.
What is “CAN-SPAM Act”?
The Controlling the Assault of Non-Solicited Pornography and Marketing Act, which limits commercial email and preempts stricter state email laws.
What is “HIPAA”?
The Health Insurance Portability and Accountability Act; its Privacy Rule sets a floor that states may exceed with stricter requirements.