California Joins Fray on Internet Service Provider Privacy


By Laura Mahoney

California joined more than a dozen states considering restrictions on internet service providers’ use of customer personal data with a bill introduced June 19.

Assemblyman Ed Chau (D) introduced A.B. 375 to require ISPs such as Verizon Communications Inc., Comcast Corp., and AT&T Inc., to get permission from consumers before using, disclosing, selling, or allowing access to customer information.

Chau said the bill is a response to the repeal of Federal Communications Commission regulations that would have increased broadband customer control over the information. It largely mirrors the FCC rules. “Congress and the administration went against the will of the vast majority of Americans,” Chau said at a June 19 news conference.

President Donald Trump signed a congressional resolution April 4 that rescinded an FCC rule requiring ISPs to seek subscribers’ permission before using their web-browsing history for marketing and other purposes. The rule was rescinded before it took effect.

Not all parties supported Assemblyman Chau’s bill.

Kara Bush, director of government affairs for the western region at CompTIA—an association that represents ISPs—told Bloomberg BNA June 19 that the group has concerns about the bill. “We must preserve commerce and innovation while enforcing the right of consumers to protect information that is truly private,” she said.

The bill doesn’t “achieve that balance, and could have significant repercussions to the internet economy of California and to consumers nationwide,” she said.

Similar Consent Laws

In addition to requiring opt-in consent from consumers before sharing data, the bill would set standards for clarity and language in consumer notices about their opt-in rights, prohibit providers from penalizing customers who choose not to allow their data to be shared or offer incentives to those who do allow it, and require ISPs to use reasonable security measures to protect consumer data.

Similar ISP consent laws are under consideration in 13 states, including New York, New Jersey, and Washington. Bills have already died this year in Connecticut, Maryland, Montana, and Vermont.

In recent debates over the measures in other states, ISPs have argued that they protect their customers’ data with their current practices. Although they opposed the FCC rules that the Trump administration repealed, they also object to a state-by-state patchwork of laws.

Chau announced his bill flanked by representatives of consumer groups, including the American Civil Liberties Union, Electronic Frontier Foundation, and Privacy Rights Clearinghouse.

Chau and the advocates said they took their time to craft a bill that is stronger than those that were introduced in a rush in other states after the FCC rules were repealed and have since failed. The groups also took time to review arguments the broadband companies have raised and have worked to address them, Consumer Federation of California Executive Director Richard Holober said.

Chau said he expects the bill to face legal challenges if it becomes law, but he believes the right to privacy included in the California Constitution, the U.S. Constitution, and the provisions in the repealed rules allowing states to act put the state on strong legal footing.

“We’re hopeful that we pass the bill and that it’s a way for the rest of the country to follow as well,” Chau said.

To contact the reporter on this story: Laura Mahoney in Sacramento, Calif. at

To contact the editor responsible for this story: Donald Aplin at

For More Information

Full text of the bill is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
