States Step in to Fill Rescinded FCC Web Privacy Rule Void

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Aaron Nicodemus

More than a dozen states are moving to fill the void left by the federal government’s departure from broadband privacy regulation through a spate of proposed laws that would require consumer consent to share online data with third parties. Two states, Minnesota and Wisconsin, have already passed such laws.

The state legislative proposals are a reaction to President Donald Trump’s repeal of a Federal Communications Commission regulation that had not taken effect and would have expanded online privacy rules to broadband providers, such as AT&T Inc. and Verizon Corp. The regulation would have required telecommunications companies to notify customers if they intended to sell their information to a third party. In addition, the regulation heightened its data security and data breach notification requirements.

Internet service providors argued that the rule set higher privacy standards for FCC-regulated ISPs than for internet companies, such as Alphabet Inc.'s Google and Facebook Inc., which are regulated by the Federal Trade Commission.

Telecommunications companies were glad to see the FCC rule go, but state legislatures may create a patchwork of regulations presenting even more difficult compliance problems.

“When you have state legislatures regulating Internet privacy state-by-state, and you have no single standard or rule, you’re likely to find inconsistency,” Thomas G. Jackson, technology practice group chair at Phillips Nizer LLP in New York. N.Y., told Bloomberg BNA.

Craig Shue, assistant professor of computer science at Worcester Polytechnic Institute in Worcester, Mass., told Bloomberg BNA that the state internet privacy efforts may mirror what happened with vehicle emission standards, where California has stricter regulations than the federal government and most other states. “ISPs may have to treat customers in different states differently,” Shue said, or online companies may have to treat all customers according to the strictest state law.

Laws, Bills and Promises

Steven A. Augustino, a telecommunications partner at Kelley Drye & Warren LLP in Washington, told Bloomberg BNA that California, Connecticut and Massachusetts “are likely to pick up the mantle of privacy enforcement if the federal agencies cannot, or do not, act on broadband privacy matters.”

Minnesota was ahead of the game in regulating ISP use of consumer data. It enacted a law in 2003 that requires ISPs to get permission from subscribers before disclosing information about web browsing history. Minnesota recently passed a new law requiring user consent to collect such data in the first place. The law also prohibits ISP providers from refusing service to customers that decline to give permission to collect their information.

Wisconsin recently enacted a similar law.

In Illinois, a “right-to-know” bill, H.B. 2774 would require ISPs to notify consumers before selling their data. The bill accompanies H.B. 3449, which would prohibit the use of geolocation information without customer consent.

The Montana House of Representatives approved an amendment to the fiscal year 2018-19 budget bill (H.B. 2) barring ISPs from receiving state contracts if they collect personal information from a customer without the customer’s consent.

In Washington state, companion bills H.B. 2200/ S.B. 5919, would protect the privacy of Internet users.

Lawmakers have introduced similar bills in Massachusetts, Rhode Island and Vermont.

New York Sen. Tim Kennedy (D) issued a statement supporting the state’s proposed online privacy legislation, calling the repeal of the FCC rule an “anti-consumer, anti-privacy action” that “doesn’t benefit anyone except large corporations. This is not an abstract threat to regular folks – this is bad policy with real world consequences.”

Legislators in California, Colorado, Connecticut, Kansas and Hawaii have announced plans to file bills.

It is unclear whether an attempt in Montana to add a rider to the budget bill to require passage of a separate ISP privacy bill will be successful.

An internet privacy bill in Maryland passed the Senate but died when the legislature adjourned for the year.

To contact the reporter on this story: Aaron Nicodemus in Boston at anicodemus@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Minnesota's ISP user data collection privacy law is available at http://src.bna.com/nWt. Wisconsin's law is available at http://src.bna.com/nUM.

Illinois H.B. 2774 on ISP data sharing is available at http://src.bna.com/nUH. Illinois H.B. 3449 on geolocation information is available at http://src.bna.com/nUJ.

Washington H.B. 2200 is available at http://src.bna.com/nUN. S.B. 5919 is available at http://src.bna.com/nUP.

Massachusetts S.D. 2157 is available at http://src.bna.com/nWE .

Rhode Island H. 6087 is available at http://src.bna.com/nW5.

Vermont S. 147 is available at http://src.bna.com/nWN.

New York S.B. 3657 is available at http://src.bna.com/nWL.

The Montana budget rider is available at http://src.bna.com/nYJ.

Maryland S.B. 1200 is available at http://src.bna.com/nW3.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.