States Take On Internet Privacy After Trump Repeals FCC Rules

State legislatures are adopting internet privacy protections on a bipartisan basis in response to President Donald Trump and Congress repealing FCC ISP privacy rules. Trump signed the Congressional Review Act (CRA) repeal Monday (see 1704040059) after votes last week. Wisconsin directly rebuked that action Tuesday and Minnesota responded last week by adopting ISP privacy amendments on major state bills.

Other states are expected to follow, and pending privacy bills in additional states may gain momentum, privacy experts said in interviews. “States are really the place where more of the privacy protections are going to be happening,” said Ben Feist, Minnesota legislative director for the American Civil Liberties Union. “We have an ability to really come in and try to protect people on a more personal level.”

The federal repeal of ISP privacy rules opens the door for states to make their own policies, said the American Legislative Exchange Council’s Jonathon Hauenschild. The ALEC Communications and Technology Task Force director, who supported Trump’s signing of the CRA resolution, pointed to Minnesota, Illinois and New York with pending bills on privacy issues, and predicted the number will “jump.” Look for bills in states like California that are typically tuned into technology issues, plus upper-Midwest states where libertarians are strong, he said. Public utility commissions and other state regulatory agencies also may act on privacy, he said: States have “very large leeway” to make rules, because federal laws mostly don’t pre-empt states on privacy.

“This issue would best be addressed at the federal level,” emailed Minnesota Rep. Paul Thissen (D), House sponsor of the privacy amendment in that state’s omnibus jobs bill. “In the absence of the political will to protect the privacy of my constituents, we need to move forward. States are laboratories of democracy and I hope that if enough states act, we can create momentum for our federal colleagues to do the right thing.”

Legislation in New York and Illinois appeared before the CRA review. Repeal could give those measures a bump in attention that could push them forward, said Hauenschild. “It’s going to provide both greater awareness and in some states, like Minnesota, greater momentum.” The furor raised by the CRA vote highlighted privacy issues that many people didn’t know much about, said ACLU Illinois Director-Communications and Public Policy Edwin Yohnka. Illinois privacy legislation had been in the works for a long time before the repeal, but Trump’s signing of the override “may give it more momentum,” he said.

Shifting the task of privacy rules to states is good because it lets them weigh what works best for constituents, said Hauenschild. Having many different state rules could be more complicated for ISPs than one federal policy, he said. National companies may have the resources to untangle multiple state rules, but smaller regional companies could struggle, he said. Some ISPs could decide to apply rules from the strictest state to others, partly to ease the process, he said. Disclosure or opt-in rules may not carry over to other states, but a company may decide to apply one data management standard across the board, he said.

USTelecom said states shouldn’t stand in the way of clear and consistent broadband privacy protections. “Individual state efforts that deviate from a strong, consistent federal privacy framework do not fit with how consumers traverse the global internet and are more likely to harm consumers and internet innovation than help,” said a spokeswoman for the ISP association. “Verizon is committed to strong privacy principles for our customers -- both at the State and Federal level," a spokesman emailed. A CenturyLink spokeswoman said, "Now that the FCC and FTC can and have committed to work together on rules that make sense for all internet companies, adopting state specific rules or legislation would only deepen consumers' confusion and lack of confidence in how their information is protected." A White House official predicted Wednesday that the FCC will take a “fresh look” at ISP rules once it has five members (see 1704050027).

Wisconsin

One day after Trump signed the CRA resolution, Wisconsin senators added ISP privacy protections to a broadband bill (SB-49) proposed by Gov. Scott Walker (R). The Senate voted 33-0 to adopt the amendment, then 33-0 to pass the broadband bill (see 1704050044). “A provider of Internet access services may not collect information about a customer's use of Internet access services that results from the customer's use of those services unless the provider of Internet access services receives express written approval from the customer,” said the amendment.

Trump and Congress permitted ISPs to monitor online behavior and sell targeted ads without customers’ permission, protested Wisconsin Senate Minority Leader Jennifer Shilling (D) as she offered the privacy amendment on the floor Tuesday. "That seems really an intrusion of personal interests and information." The amendment "will ensure that consumers, not corporations, have the final say on how their personal information and internet communications are shared," she said. Other states also plan to respond to the CRA reversal, she added.

Sen. Scott Fitzgerald (R), stood to say he shared Shilling’s concerns. While at first questioning the germaneness of the amendment to the Walker broadband bill, Fitzgerald later withdrew his point of order and voted with other Republicans for the amendment. Republicans, who control the chamber, voted against all other Democratic amendments to the broadband bill.

TDS Telecom supported S-49 since introduction. It's is studying the privacy amendment, a spokeswoman emailed. “We are looking into the amendment to better understand the impact it will have on our customers/company." Adding the amendment could mean the bill won’t pass until May, she said. The governor didn’t comment.

Minnesota

Last week, while Congress repealed the FCC rules, Minnesota added privacy provisions to jobs omnibus (SF-1937, HF-2209). The Senate passed the amended bill 58-9 Wednesday in the GOP-controlled chamber, and the Minnesota House is scheduled to vote Thursday.

“No telecommunications or internet service provider that has entered into a franchise agreement, right-of-way agreement, or other contract with the state of Minnesota or a political subdivision, or that uses facilities that are subject to such agreements, even if it is not a party to the agreement, may collect personal information from a customer resulting from the customer's use of the telecommunications or internet service provider without express written approval from the customer,” said the Senate amendment, which duplicates the House version. “No such telecommunication or internet service provider shall refuse to provide its services to a customer on the grounds that the customer has not approved collection of the customer's personal information.”

The people should decide whether web browsing activity and other personal information can be sold or shared for profit, Thissen said. Minnesota may require that because state and local governments provide the right of way and regulate ISP facilities, he said. Thissen’s amendment covers ISPs and a few other entities. The legislator told us another amendment in the works will cover social media sites and web browser companies. The omnibus bills will go to conference committee where House and Senate lawmakers will work out differences and send a final bill to the governor, Thissen said.

“It was a really quick reaction to the FCC language being repealed,” but consistent with Minnesota’s “long history of being more protective with personal data than a lot of states,” Feist said. The state has a bipartisan coalition of lawmakers interested in internet privacy, and both parties supported the amendment, he said. The measure had to be attached to the omnibus bill because it was too late in the session to file a stand-alone policy bill, he said. There’s more work to do on privacy, but “it was the best [Minnesota legislators] could come up with at short notice,” he said. Legislators are trying to finish the omnibus this week, but it’s not a lock to become law, Feist said. Minnesota Gov. Mark Dayton (D) may support the privacy policy, but Republicans control the legislature and Dayton might not like their omnibus overall, Feist said. Dayton didn’t comment.

Other States

Illinois lawmakers are mulling Right to Know legislation. SB-1502 and HB-2774, introduced in February, await votes by the respective chambers. They require an “operator of a commercial website or online service that collects personally identifiable information through the internet” about “individual customers” to disclose that information upon request by the customer. Companies would have to establish an email address or toll-free number customers can use to seek the information. It’s not clear whether it covers ISPs, Hauenschild said. HB-3449 would require companies to get customer permission before collecting, using, storing or disclosing geolocation information. That bill added about 25 co-sponsors since its second reading before the House last Thursday.

The Illinois legislation is “an important step” in “bringing the consumer back into the process,” said Yohnka. Taking a broad approach, it would “restore some informational authority," he said, "to the consumer.” Other issues have divided Illinois lawmakers, but Yohnka said there has been space to debate privacy issues and he sees a “real possibility here of moving forward.” State lawmakers previously passed bills about geolocation, drones and cell-site simulators “by overwhelming bipartisan margins.”

Privacy legislation in New York similarly requires companies to make collected personal information available upon request. Companies would have to disclose data sold to third parties and the names of those third parties upon request. AB-5220 and SB-72 haven’t moved much since February introduction. SB-3367 requires ISPs to keep all customer information confidential unless the customer provides written consent, but it hasn’t moved since January introduction.

The Center for Democracy and Technology supported the Illinois bills and predicted other state measures. “Both [Illinois] bills come at a critical time in consumer privacy,” wrote CDT Privacy and Data Project Director Michelle De Mooy in a blog post last week. “The United States’ scattered sectoral approach to privacy law has resulted in uneven privacy regulations and enforcement, leaving gaping holes in protection (a trend dramatically exacerbated by the repeal of the broadband privacy rules). States across the country appear poised to fill these gaps -- Nevada has introduced a similar geolocation privacy bill and states like Michigan and Alabama are expected to file comparable bills soon.”