Notice & Comment

A Preemptive Grin Without the Statutory Cat?: Congressional Review Act Disapproval Resolutions & State Legislative Initiatives

The Congressional Review Act (“the CRA”)[1] establishes an expedited legislative process for preventing final agency rules from going into effect.  It provides a sixty-day period for Congress to adopt and the President to sign a resolution disapproving an agency rule.  5 U.S.C. §802(a).  If a disapproval resolution is adopted, the agency can neither “reissue [the rule] in substantially the same form” nor issue “a new rule that is substantially the same as the one disapproved. 5 U.S.C. §801(b)(2)(emphasis added).[2]  The academic literature discussing the CRA contains a lively debate over the breadth of section 801(b)(2)’s prohibition.  Does it permit the agency to modify the rule so that its costs and benefits are somewhat different (and, if so, how different must they be), or issue a similar rule if circumstances change, or does it “salt the earth,” prohibiting the agency from promulgating a rule in the subject area altogether?[3]

But what if one or more state legislatures find the disapproved agency regulation appealing, or at least wish to fill in the regulatory lacunae left by Congress’ disapproval of the agency regulation?  Can a state validly promulgate its own statute, or is the state, too, precluded from doing so by the CRA resolution of disapproval.  After all, federal law is the supreme law of the land, and thus preempts state law.  And joint resolutions, i.e., resolution passed by Congress and signed by the President, possess the same status as statutes.[4]  (Granted, Congress does not typically use joint resolutions to legislate general rights and responsibilities.[5]) What, if any, preemptive effect should CRA disapproval resolutions be given?  Does the answer turn upon a close analysis of the points made by members of Congress in debating the resolution?

Disapproval of the FCC’s Broadband Privacy Rules and Its Aftermath

At the beginning of the current Administration, the Republican Congress and President Trump adopted 16 resolutions disapproving regulations adopted late in the Obama Administration.[6]  One, Pub. L. No. 115-22, 131 Stat 88 (April 3, 2017), disapproved the Federal Communications Commission’s (FCC) broadband privacy rule, Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, 81 Fed. Reg. 87,274 (December 2, 2016)); Report and Order, Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, FCC 16-148, 31 FCC Rcd. 13911, ¶¶324-31 (October 27, 2016) (“ISP Privacy Order”).  The rule was premised on an earlier FCC determination that internet service providers (“ISP’s) provided a telecommunications service, like telephony, rather than an information service, and sought to provide technologically-neutral privacy rules in line with those governing other telecommunications services.  ISP Privacy Order, at ¶26.[7] 

The FCC rejected the broadband providers’ argument that they operated within “a larger online eco-system that include[d] edge providers,” and thus should not be subjected to a distinct set of regulations.  The Commission reaffirmed its view that such broadband providers had a “privileged place in the network [as] the bottleneck between the customer and the rest of the Internet,” allowing them to “collect ‘an unprecedented breadth’ of electronic personal information.”  Id. at ¶¶28-37.  The Commission reported that it had received over 275,000 submissions in response to its Notice of Proposed Rulemaking (“NPRM”). Id. at ¶4.

The Federal Trade Commission has asserted jurisdiction over the privacy of customer information generally under section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”[8]  Under its authority to prevent the use of deceptive practices, the FTC has pursued enforcement actions against companies that fail to adhere to their own privacy policies.  Under its power to prevent the use of unfair trade practices, it has pursued actions against companies for data breaches.[9]

Resolutions disapproving the FCC’s broadband privacy rule were introduced in the Senate on March 7 and the House on March 10, and debated in both houses of Congress a mere two weeks later.[10]  The debate reflected several sources of dissatisfaction with the broadband privacy rule, namely that: (1) the FCC had taken jurisdiction away from the FTC,[11] (2) the current case-by-case enforcement approach was preferable to the promulgation of rules,[12] (3) the broadband privacy rules deprived consumers of the right to decide the level of privacy they desired,[13] (4) the broadband privacy rules subjected ISP’s to more onerous regulation than competing entities in the technology sector, such as edge providers,[14] and (5) the FCC’s decision was politically driven, excessively influenced by interest groups, and a “midnight” regulation hurriedly finalized in the Obama Administration’s final months.[15]  Interestingly, given the expressed desire for the FTC control consumer privacy matters, the Ninth Circuit had held that the FTC lacked section 5 authority of telecommunications carriers, due to the “common carrier” exemption in section 5.  FTC v. AT&T Mobility LLC, 835 F.3d 993 (9th Cir. 2016), rev’d, 883 F.3d 848 (9th Cir. 2018)(en banc).   Nevertheless, the Disapproval Resolution passed on largely party-line votes – 50-48 in the Senate and 215-205 in the House.

Shortly thereafter, the FCC implemented the Disapproval Resolution.  Declaratory Ruling, Report and Order, and Order, Restoring Internet Freedom, FCC 17-166, 33 FCC Rcd 311 ¶¶181-184 (2018)(“RIF Order”), petitions for review denied in pertinent part, Mozilla Corp. v. FCC, 940 F.3d 1 (D.C. Cir. 2019).[16]  The Commission reinstated its classification of broadband as an information service, rather than a telecommunications service, thereby “[r]estroring FTC jurisdiction over ISP,” and “enabl[ing] the FTC to apply its extensive privacy and data security expertise to provide uniform privacy protections that consumers expect and deserve.”  Id. at ¶181.  The Commission explained that its prior rules had “adopted sector-specific rules that had deviated from the FTC’s longstanding framework.  Id. at ¶181.  It noted the Disapproval Resolution and asserted that it prevented the FCC from adopting substantially the same rule.  Id.  The “uncertainty” thus created regarding “the Commission’s . . . authority over broadband privacy regulation” weighted in favor of “returning jurisdiction to the FTC.” Id. at ¶183.

But the State of Maine passed a law governing ISP’s use of personal information when providing service within its borders.  L.D. 946 (June 6, 2019).   The Maine Legislature felt constrained to limit its regulation to ISPs, leaving edge providers unregulated, believing that exercising jurisdiction over such providers would constitute an unconstitutional regulation of interstate commerce.[17]  The debate in the Maine House of Representatives reprised, in abbreviated form, some of the Obama FCC’s rationales for distinguishing ISP’s from other participants in the online ecosystem.[18]  Needless to say, the legislative record in Maine was far less extensive than that compiled by the FCC.

On February 20, America’s Communications Association (“ACA Connects”), an industry trade group, and several other trade organizations, filed suit challenging the Maine Law on a number of grounds, most prominently as a violation of the Free Speech Clause.  America’s Communications Association v. Frey, Dkt No. 1:20-cv-00055, Complaint (Feb. 20, 2020).  In particular, plaintiffs attacked some of the distinctions made in the law as insufficiently justified to satisfy the Central Hudson test’s constraints on commercial speech, relying heavily on Sorrell v. IMS Health Inc., 564 U.S. 552 (2011).[19]  More importantly, for purposes of this two-part series of posts, plaintiffs also asserted that the statute was preempted by Congress’ Resolution of Disapproval and by the FCC rule implementing the Disapproval Resolution.  Id. at ¶¶81-87.  Thus, the case may require the courts to decide the preemptive effect of the Resolution of disapproval.[20]

Upcoming Post

With the factual background of ACA v. Frey thus laid out, in the second installment of this series I will discuss an important issues the case raises, whether Congressional Review Act disapproval resolutions should have a preemptive effect on state authority, and illuminate the relevance of the reference to Lewis Carroll’s Cheshire cat in the title of this series of posts.


[1] The Contract with America Advancement Act of 1996, P.L. 104-121, tit. II, 101 Stat. 847, 868-874, §251 (codified at Title 5 U.S.C. §§801-808).

[2] By a “law” enacted after the joint resolution disapproving the original rule, Congress can “specifically authorize[]” the agency to reissue the disapproved rule or adopt a substantially similar one. 5 U.S.C. §801(b)(2).

[3] Adam M. Finkel & Jason W. Sullivan, A Cost-Benefit Interpretation Of The “Substantially Similar” Hurdle In The Congressional Review Act: Can OSHA Ever Utter The E-Word (Ergonomics) Again?, 63 ADMIN. L. REV. 707 (2011); see, Keith Bradley & Larisa Vaysman, CRA Resolutions Against Agency Guidance, 4 U. PA. J. L. & PUB. AFF. 459 (2019); Eric Dude, The Conflicting Mandate: Agency Paralysis Through the Congressional Review Act’s Resubmit Provision, 30 COLO. NAT. RESOURCES, ENERGY & ENVTL L. REV. 115 (2019); Sam Batkins, Congress Strikes Back: The Institutionalization of The Congressional Review Act, 45 MITCHELL HAMLINE L. REV. 351 (2019). 

The CRA’s Senate sponsors anticipated this interpretive problem: “The authors intend the debate on any resolution of disapproval to focus on the law that authorized the rule and make the congressional intent clear regarding the agency’s options or lack thereof after enactment of a joint resolution of disapproval.” 142 CONG. REC. S3686 (Statement for the Record by Senators Nickles, Reid, and Stevens).

[4] Plaintiffs in America’s Communications Association v. Frey, Dkt No. 1:20-cv-00055, Complaint, ¶83 (Feb. 20, 2020), cite Nuclear Energy Inst., Inc. v. EPA, 373 F.3d 1251, 1309 (D.C. Cir. 2004).  There is other precedent as well.  U.S. v. Stockslager, 129 U.S. 470, 475 (1889); Watts v. U.S. 161 F.2d 511 (5th Cir. 1947); see generally, 142 CONG. REC. S3683, S3686 (Statement for the Record by Senators Nickles, Reid, And Stevens).   

One of the earliest statements of this view is an Attorney General’s opinion, Caleb Cushing, Resolutions of Congress, 6 OP. ATT’Y GEN. 680 (1856). There the Secretary of the Treasury refused a claim for compensation made on behalf of a deceased Revolutionary War veteran.  Both houses of Congress adopted a resolution directing payment of the claim.  Cushing held that while a joint resolution, one adopted by both house of Congress and signed by the President, had the effect of a statute and would have required the Secretary of the Treasury to reverse course, a concurrent resolution had no effect on the scope of the Secretary’s discretion.  Id. at 681-83, 692.    In a way, the case was an ante-bellum discussion of the permissibility of the “legislative veto.”

[5] Congressional Research Service, Bills and Resolutions: Examples of How Each Kind Is Used (Dec. 2, 2010)

[6] Congress Strikes Back, supra note 3, at 374-77; 163 CONG. REC. at S1954 (Sen. Cornyn) (“for the last several weeks, this Chamber has worked very hard to undo harmful rules and regulations that had been put forward by the Obama administration, at the last moment, as he was headed out the door”); see, 163 CONG. REC. at H2489 (Rep. Blackburn)(“[s]ince President Trump took office Republicans have been working diligently to loosen the regulatory environment that is suffocating hard-working taxpayers”).  

[7] In the ISP Order, the Commission reviewed the history of its privacy regulations regarding telecommunications services.  Id. at ¶¶20-24.  Customer information has been dubbed “customer proprietary network information (CPNI).” 

The Commission’s order that had changed the status of ISPs from information services to telecommunications services, In re Protecting and Promoting the Open Internet, FCC 15-24, 30 FCC Rcd. 560 ¶308 (2015); accord, id. at ¶¶310-387, was presumably no longer subject to CRA review by the time the Trump Administration took office.

[8] 15 USC §45(a)(1); Federal Trade Commission, Comment of the Staff of the Bureau of Consumer Protection of the Federal Trade Commission, In re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, at 3 (May 27, 2016)(“FTC Staff Comment re Broadband Privacy”)(“The primary law enforced by the FTC, the FTC Act, prohibits ‘unfair’ and ‘deceptive’ acts or practices in or affecting commerce.”); accord, 163 CONG. REC. H2495 (Rep. Latta)(“For decades, the Federal Trade Commission has been the privacy cop on the beat for most industries, including the technology sector, protecting consumers from unfair or deceptive acts or practices. The Federal Trade Commission has brought over 500 privacy and data security cases to protect consumers.”)

[9] ANDREW B. SERWIN, INFORMATION SECURITY AND PRIVACY: A GUIDE TO FEDERAL AND STATE LAW AND COMPLIANCE §33:2 (2019-2020 ed.)(available on westlaw); David J. Bender, Tipping The Scales: Judicial Encouragement Of A Legislative Answer To FTC Authority Over Corporate Data-Security Practices, 81 GEO. WASH. L. REV. 1665, 1674-76 (2013); FEDERAL TRADE COMMISSION, PRIVACY & DATA SECURITY: UPDATE 2018, 2-5.

[10] The Senate debated the Resolution on March 22 and 23, 163 CONG. REC. S1925-S1929, S1943- S1944, S1947-S1949, S1951, S1954-55. The House debated the Resolution on March 28.  163 CONG. REC.  H2489-H2501.

[11] See, e.g., 163 CONG. REC.. H2489 (Rep. Blackburn); 163 CONG. REC. S1925 (Sen. Flake); 163 CONG. REC. S1928 (Sen. Thune).  Ironically, the FTC provided formal comments in response to the FTC’s NPRM which were generally supportive of the FCC’s proposal. The FTC staff did observe that the FCC’s proposed rules would impose a number of specific requirements on the provision of [broadband information access “BIAS”]services that would not generally apply to other services that collect and use significant amounts of consumer data.  The FTC Staff’s proposed solution was congressional enactment of more protective general privacy legislation. FTC Staff Comment re Broadband Privacy, supra note 8, at 8.

[12] 163 CONG. REC. H2489 (Rep. Blackburn); 163 CONG. REC.  H2495 (Rep. Latta)(“[t]he Federal Trade Commission’s work in privacy and data security has long been held up as a model by both parties, praising the agency for strong enforcement without overly burdensome regulations”); 163 CONG. REC. H2497 (Rep. Capuano)(“[b]oth the FCC and the FTC will retain authority over consumer privacy on a case-by-case basis” (emphasis added)) ; see 163 CONG. REC. S1928 (Sen. Thune) (expressing concern about “abandoning the time-tested enforcement approach”).

[13] 163 CONG. REC.  H2493 (Rep. Flores); 163 CONG. REC. H2494 (Rep. Johnson).

[14]163 CONG. REC. S1928 (Sen. Thune); 163 CONG. REC.  H2493 (Rep. Flores); 163 CONG. REC.  H2497 (Rep. Capuano).

[15] See, e.g., 163 CONG. REC. H2495 (Rep. Latta); id. at H2495 (Rep. Lance)(“midnight regulation”); id. at H2496 (“midnight rules”); 163 CONG. REC. S1925 (Sen. Flake); id (“the FCC unfairly picked one politically favored industry-the edge providers-to prevail over a different industry-broadband”; the FCC rules are “the hasty byproduct of political interest groups and reflect the narrow preferences of well-connected insiders”). 

[16] The FCC determined that a combination of requiring disclosure of ISP privacy practices, together with consumer protection enforcement by the FTC, better comported with those goals than “complex and highly prescriptive privacy regulations for broadband Internet access service.” RIF Order ¶ 158; accord ¶ 181 (“[r]estoring FTC jurisdiction over ISPs will enable the FTC to apply its extensive privacy and data security expertise to provide the uniform online privacy protections [across the Internet ecosystem] that consumers expect and deserve.”)

[17] Maine Journal & Legislative Record H-698 (May 29, 2019)(Rep. Riley)(“[w]e can’t touch the edge providers like Google and Facebook”).  As one representative explained: “Some also have said this bill doesn’t go far enough because it doesn’t regulate edge providers like Google and Facebook and I agree that would be great to do if we could.  This bill indeed does focus on internet service providers doing business in Maine because that is who we, as Maine policymakers can regulate.  We cannot regulate interstate commerce.”  Maine Journal & Legislative Record, supra, at H-699 (Rep. Grohoski).

[18] The May 29, 2019 debate in Maine’s House of Representatives appears at pages H-697 to H-699 of the Maine Journal & Legislative Record. One representative noted that many Mainers had only one option for an ISP provider, and another noted the unique bottleneck status of ISPs. See Maine Journal & Legislative Record, supra, at H-699 (Reps. Grohoski and Rykerson).

[19] The Central Hudson test was announced in Central Hudson Gas & Electric. v. Public Service Commission (“Central Hudson”), 447 U.S. 557 (1980), and modified by Board of Trustees, SUNY v. Fox, 492 U.S. 469, 479–80 (1989).

[20] Plaintiffs also argue that the FCC’s rule report and order implementing the Disapproval Resolution preempts Maine’s law.  Complaint ¶¶88-92.