Industry Decries Wash. Privacy Bill as More States Criticize Repeal of FCC Rules

State ISP privacy laws will confuse consumers and create litigation, industry officials testified at a legislative hearing live streamed Wednesday from Washington, one of several states moving bills to counter President Donald Trump and Congress’s use of the Congressional Review Act to kill FCC broadband privacy rules (see 1704060055). At least 10 legislatures are now mulling ISP privacy rules, and observers expect more to follow. A critical mass of states could push Congress to write federal rules, said Center for Democracy and Technology Policy Analyst Natasha Duarte.

The Washington House Technology and Economic Development Committee debated a bill that committee aide Lily Smith called “substantially similar to the repealed FCC rules” and committee Chairman Jeff Morris (D) said is “literally ripped from today’s headlines.” ISPs shouldn’t be allowed to use browsing history or search history without customer consent, said State Rep. Drew Hansen (D), one of about 75 sponsors of HB-2200. Hansen said there’s too much uncertainty about whether the FTC, FCC or Congress will replace the repealed privacy rules, and state legislators shouldn't wait: "We are not bound by what Congress does or does not do.” Two GOP committee members said their constituents want the privacy protections. But Rep. Richard DeBolt (R) called the bill a “knee-jerk reaction” because it addresses only ISPs and not internet companies like Facebook or Google. The committee may vote Friday on the measure and at least one amendment, Morris said as the hearing concluded.

Associations lined up to testify against the Washington bill, including TechNet, CompTIA, the Broadband Communications Association of Washington and the Washington Tech Industry Association (WTIA), which collectively represent ISPs including AT&T, Comcast and Charter Communications, and edge companies Amazon, Google and Microsoft. WTIA President Michael Schutzler said the bill won’t protect consumers and urged state lawmakers to “please wait a few months” for either the FTC or FCC to take on the issue: If all states “pass new laws based on the federal regulation but amended as you see fit, our entire industry -- the edge providers and the ISPs will be facing a staggering array of mostly confused litigation for years to come.”

Washington officials dismissed industry objections. "You'll never find a company that volunteers to be regulated, but once they are regulated, they actually learn to live with those rules and to build on those rules and build trust,” said Alex Alben, chief privacy officer for Gov. Jay Inslee (D). Companies know how to deal with laws from multiple jurisdictions, and many states are writing similar laws, simplifying compliance, he said. Attorney General Bob Ferguson (D) supports state legislators stepping in “where the feds have fallen short in protecting Washingtonians,” testified Deputy Solicitor General Alan Copsey. No federal preemption exists under current law, but Congress could add one, Copsey said.

The American Civil Liberties Union supported the Washington bill but said it could be strengthened. The bill requires opt in for sensitive information and opt-out for non-sensitive data, but opt in should apply to all customer data, said ACLU Washington Legislative Director Elisabeth Smith.

States Pile On

State ISP privacy bills have been introduced in Hawaii, Illinois, Maryland, Massachusetts, Minnesota, New York, Rhode Island, Vermont, Washington and Wisconsin -- as of Tuesday, said a report by the National Conference of State Legislatures. Media reports say legislation is introduced or imminent in California, Connecticut, Kansas and Montana, NCSL said.

Expect more state bills to surface, CDT’s Duarte said in an interview Tuesday. “There’s a growing interest in doing something about broadband privacy” after the CRA, she said. With many state legislative sessions closed or closing soon, some states may wait until next session, she said. Duarte said she’s not surprised to see bipartisan support for privacy rules in states because the issue historically hasn’t divided lawmakers by party. Federal debate over the FCC rules was partisan.

NCTA joined national ISP associations CTIA and USTelecom opposing the state bills. “ISPs have long followed practices to protect and respect the privacy of their customer’s personal information,” an NCTA spokeswoman emailed Wednesday. “These state proposals are generally at odds with the realities of today’s internet, are based on zero evidence of alleged harm from ISPs, and completely fail to respond to consumers’ desire for workable privacy standards that apply consistently to all parties collecting data online.”

State bills could have national impact, Duarte said. “State responses have been effective before in the privacy space,” she said. When California passed legislation requiring websites to disclose privacy policies, it had a “national effect” because it would have been difficult for the online businesses to tailor practices based on the location of the website visitor, she said. Some state-by-state variations are simpler to comply with, like data breach notification laws, because a company knows where it’s sending the notices, Duarte said: Generally, “when you have different standards, the safest thing to do is comply with the strictest one.” If ISPs prefer one set of privacy rules rather than 50 different rules in the states, Congress should act, she said. It may wait until there’s “a critical mass” of states enacting laws before it does, she said.

State agencies may not have authority under existing law to make ISP privacy rules, state experts said. “Many state laws constrain state regulatory authorities,” emailed the American Legislative Exchange Council’s Jonathon Hauenschild. National Regulatory Research Institute Principal Sherry Lichtenberg agreed: “State commissions might be able to address this through their own [customer proprietary network information] rules, although the prohibition on regulating IP-enabled services might cause a problem there, too.”

Some legislatures may empower state agencies to write ISP privacy rules, said Hauenschild, director of the ALEC Communications and Technology Task Force. Vermont legislators last week introduced SB-147 directing the attorney general -- in consultation with the state public service commissioner -- to adopt privacy and data security rules applicable to broadband companies, including disclosure and opt-in or opt-out procedures for obtaining customer consent to sharing data. The bill says “the rules shall be modeled after, and not more or less restrictive than, the Federal Communications Commission’s 2016 Privacy Order."