Need for State Internet Service Provider Privacy Laws Debated

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Aaron Nicodemus

More than a dozen states are considering bills to restrict internet service provider use of customer personal data. But whether such laws are desirable is a matter of debate among privacy professionals, consumer advocates, and ISPs.

The state legislative efforts focus primarily on requiring customer consent to sell or share user data—the same general premise as a now defunct Federal Communications Commission regulation struck down earlier this year by Congress and President Donald Trump. Wisconsin enacted an ISP law in 2017, and bills to limit ISP use of consumer data are under consideration in 13 other states.

Advocates for such measures say states are moving to fill a privacy void left by the federal government’s rollback of a rule to require ISPs, such as Verizon Communications Inc., Comcast Corp., and AT&T Inc., to get customer consent to share their personal data. That perception is shared by consumer advocacy groups that see such laws as necessary to prevent ISP overreach in control of collected data.

But a nearly 15-year-old Minnesota law that bans ISP consumer data sharing hasn’t been used and is largely forgotten. To an ISP trade group, that proves the point that such state laws are unnecessary. The ISPs say that creating a patchwork of state laws, and the attendant compliance headaches, is more objectionable than having a single federal standard.

State Bill Status

Before this year, just Minnesota and Nevada had laws to address ISP use of customer data. Wisconsin’s new ISP customer consent data use law brings the total to three states.

Minnesota’s 2003 law set an outright ban on the sale of customer data by ISPs. An attempt this year to add a consent provision to the law failed.

In 2015, Nevada became the first state with an internet privacy law that required ISPs to get consent from users in order to sell or share their information with third parties.

Efforts to pass ISP consent laws in Connecticut, Maryland, Montana and Vermont died in their respective 2017 sessions. ISP user consent bills are still under consideration this year in 13 states.

Minnesota Law Largely Unnoticed

Until recently, Minnesota’s internet privacy law had gotten little attention. The law has never faced a legal challenge, a spokesman for Minnesota Attorney General Lori Swanson (D) told Bloomberg BNA.

Brent J. Christensen, president and CEO of the Minnesota Telecom Alliance, a trade association, said the organization and its members “were not even aware a law existed” until the FCC regulations were rescinded. ISPs in Minnesota conduct business there just as they do everywhere else, he said.

“We don’t sell our customers’ private information,” Christensen said. Efforts to pass new internet privacy laws are “a solution in search of a problem,” he said.

During the debate on the FCC rule, large national ISPs made similar arguments, saying they don’t sell customers web-browsing or geolocation histories to third parties.

Elusive Federal Standard

US Telecom, a trade group which represents dozens of ISPs, including Verizon and AT&T, lobbied hard against the FCC rule. Now the group says that a single federal internet privacy rule is preferable to a state patchwork.

“The internet doesn’t stop at state lines, which is why it’s preferable to have federal privacy rules that provide consistent protections for consumers,” Amy Schatz, vice president for media affairs at US Telecom, said in a statement provided to Bloomberg BNA. “Consumer privacy protections on the internet should be uniform across the nation to avoid unintended consequences for consumers and businesses.”

However, coming up with a single federal standard may prove difficult. During debate over whether to rescind the FCC rule, ISPs said that covering them with a rule requiring consumers to opt in to the use of their data put them at a disadvantage compared to edge providers that are largely governed by Federal Trade Commission standards requiring that they give consumers an opt-out mechanism. Edge providers stream online content, such as Netflix Inc.; provide search engines, such as Alphabet Inc.'s Google; and run social media platforms, such as Facebook Inc.

Rep. Marsha Blackburn (R-Tenn.), who supported the repeal of the FCC law, has introduced the Balancing the Rights of Web Surfers Equally and Responsibly (BROWSER) Act ( H.R. 2520), which would set user consent standards for ISPs and edge providers.

The billl, which has four GOP cosponsors and has been referred to the House Energy and Commerce Committee, on which Blackburn sits, would allow opt-out mechanisms for “non-sensitive” data but require an opt-in mechanism for “sensitive” data, including financial, health, and geolocation data, and web-browsing history.

Consumer Privacy at Stake

Jeff Chester, executive director of the consumer advocacy group the Center for Digital Democracy, told Bloomberg BNA that ISPs are investing heavily in big data analytics projects that seek to monetize information about their customers.

“ISPs are already doing this, but the killing of the FCC privacy rule now means there are no constraints for full blown big data ISP eavesdropping on the public,” Chester said.

Chester pointed to big data research projects, including Verizon’s Smartplay, Comcast’s big data research teams, and AT&T’s Consumer Insights Platform, as ways companies are monetizing consumer data.

Ernesto O. Falcon, legal counsel for the privacy advocacy group the Electronic Frontier Foundation told Bloomberg BNA that there is “clear intent” by the largest ISPs to track what websites customers visit and “leverage that information into something profitable.”

Comcast responded to Blomberg BNA’s request for comment on their use of consumer information by referring to a blog post by Chief Privacy Officer Gerard Lewis, who wrote, “At Comcast, we respect and protect our customers’ personal information. Always have, always will. We do not sell our broadband customers’ individual web browsing history. We did not do it before the FCC’s rules were adopted, and we have no plans to do so.”

Michael F. Balmoris, assistant vice president at AT&T and a former spokesman for the FCC, told Bloomberg BNA that the ISP “has always said consumers expect their online data to be protected by a comprehensive and uniform privacy framework that applies across the entire Internet ecosystem and includes operating systems, browsers, devices, ISPs, apps, online services, and advertising networks.” AT&T supports the BROWSER Act bill, he said.

Verizon didn’t respond to Bloomberg BNA’s requests for comment.

To contact the reporter on this story: Aaron Nicodemus in Boston at anicodemus@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security