Cartoon Preemption in Federal Privacy Legislation

By Jim Harper

June 2, 2026

Students of American cultural history will recall that in an Old West ably catalogued by Warner Bros., Aloysius Bartholamew “Yosemite” Sam claimed the mantle of the “hootinest, tootinest, shootinest bobtail wildcat in the West,” and the “fastest gun north, south, east, and west of the Pecos.” Laying claim to everywhere confessed a certain insecurity, which fellow gunslinger Bugs Bunny promptly exposed. Bugs invited Sam to “eeeeeehhh shadddaapp” and then parted Sam’s hair with a thrice-ricocheted bullet.

That might be a model for a provision in federal privacy legislation claiming to preempt every instance of state law that relates to privacy and data security. The hootinest, tootinest, shootinest preemption you ever saw calls for a Bugs-like response.

The SECURE Data Act (Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act) would do a lot. Ranging across the information economy—one might say north, south, east, and west—it would give consumers copious statutory rights and heap obligations on firms coming into possession of personal information. It hearkens not to the Old West but the Old World, where an utterly thorough regulatory superstructure has protected Europe and Europeans from—well, from having much of a tech industry at all.

Each section of the bill has enormous implications for different segments of the information economy or for dimensions of privacy, data security, and their protection. It would not be possible to assess them all. I don’t mean impossible to assess them in a blog post. It would be impossible to assess them all, full stop. Such are the pretensions of legislation that would purport to protect a whole panoply of contested and changing values in an environment of advancing technology and emerging business models.

The preemption section says what would happen to state law were the SECURE Data Act to pass. Federal law would reign in every direction on the compass. “No State or political subdivision of a State may prescribe, maintain, or enforce any law, rule, regulation, requirement, standard, or other provision having the force and effect of law, if such law, rule, regulation, requirement, standard, or other provision relates to the provisions of this Act.”

There is certainly bad statute and regulation in the states. But there are laws and legal approaches in state law that probably shouldn’t be cleared out like so much West Texas underbrush. The Constitution laid out a plan for distributed government, the value of which has not been undermined by the growth of the nation or global commerce and communications.

Take property rights. Recognizing that people have property rights in their data is a way to achieve many of the protections in the SECURE Data Act without prescriptive regulation. I argued in a law review article two years ago that personal information has taken on many hallmarks of common law property. According to an excellent Cato Institute brief to the Supreme Court in the Chatrie case, more than half of states have enacted or amended laws to treat digital records and data as personal property, which must include personal information in many cases. The states protecting people via property rights (cited in the Cato brief at footnote 5) are: Alabama, Arkansas, Colorado, Connecticut, Delaware, Georgia, Hawaii, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, South Carolina, Tennessee, Texas, Utah, Vermont, Wisconsin, and Wyoming. To the extent these state statutes “relate to” the subject matter of the SECURE Data Act, the bill cancels them.

What about contract? If the SECURE Data Act were law, could a service provider promise to provide greater protections than those found in the Act? Well, they could promise it, but no such promise would be enforceable, as contract is state law, and the SECURE Data Act would preempt it in cases that “relate to” the subject matter of the Act. It all starts to make one feel less secure.

Privacy and data security are vexing problems. Preemption is vexing, too. Lessons exist in our cultural pantheon for these situations. If you are going to fail miserably, don’t try.

Geoff Manne of the International Center for Law and Economics and I came up with a way for these issues to be outsourced, cleverly preserving competition around both corporate privacy practices and the provision of privacy law among states—without the “patchwork” problem. That report is called A Choice-of-Law Alternative to Federal Preemption of State Privacy Law. I suppose it’s our little “eeeeeehhh shadddaapp” to European-style regulation and total preemption of US state law, both on offer in the SECURE Data Act.