Eyes on California After ISP Privacy Bills Lose Steam in Other States

ISPs and privacy advocates are watching California, after other states’ broadband privacy legislation failed to cross the finish line. Privacy advocates tell us passing the California bill could rebuild momentum for state bills that lost steam after initial excitement in about 20 states to counter President Donald Trump for repealing the FCC privacy rules through the Congressional Review Act. It’s “very much a 2018 fight” in the other states, said Electronic Frontier Foundation Legislative Counsel Ernesto Falcon.

Many state legislatures have finished 2017 sessions, but California is still “full steam ahead,” said American Civil Liberties Union California Director Nicole Ozer. Privacy advocates and ISP lobbyists are focusing much attention on the state, said Center for Democracy and Technology Director-Privacy and Data Project Michelle De Mooy. The California bill “has the greatest likelihood of passing,” said American Legislative Exchange Council’s Jonathon Hauenschild. He said to look for “a few” more ISP privacy proposals in the fall and spring legislative sessions, especially in states that moved bills this year.

California Senate committees last week cleared AB-375 before recessing for summer, and the bill could get a full Senate vote in August (see 1707190009). The state legislature has a Sept. 15 deadline to pass bills. If it passes the Senate, the bill still needs Assembly concurrence and the governor’s signature. The legislation may be tweaked to align more closely to the repealed FCC rules under an amendment in development, privacy and industry officials said. De Mooy is wary of tweaks because the proposal already contains strong privacy protections consistent with the former FCC rules.

The California privacy bill "received substantial support from various members of the Legislature who have seen and heard the bill, and is also backed by a broad coalition, which demonstrates support for the concept here in California," emailed sponsor and Assembly Privacy and Consumer Protection Chairman Ed Chau (D). "The challenge is going to be getting the details right and helping members understand the issue."

Political distractions stalled other state privacy bills, observers said. “There was a lot of momentum coming right after the CRA,” De Mooy said. “The problem has been there’s just been so much going on,” including the FCC net neutrality proceeding and White House controversies, she said. That “distracted legislators, the general public, and even the press,” said Hauenschild. Many legislatures ran out of time, said Ozer, with April’s federal repeal occurring late in many state sessions.

“The bills have failed in more than 20 states and have not passed in any state,” said DLA Piper’s Jim Halpert, who runs the State Privacy and Security Coalition, including ISPs, edge providers, retailers and health sector entities. The bills failed “as legislators learned that ISP privacy is not unregulated at the federal or state level,” he said. Hauenschild, who supported Trump signing the CRA resolution that repealed FCC broadband privacy rule, said bills “stalled as legislators learned more.”

CDT observed ISPs spreading “a lot of misinformation” into states, such as saying ISP privacy rules would hurt emergency service communications, De Mooy said. If FCC Chairman Ajit Pai removes Communications Act Title II Section 222 privacy protections for ISPs in the net neutrality proceeding, ISPs will lose another of their arguments, Falcon said. “Every ISP in every state pointed to Title II as a reason to not pass state bills protecting consumer privacy.”

Watch California as a signal for what’s to come in other states, De Mooy said. “California has always been a leader in privacy law,” and smaller states often look to bigger ones for guidance, she said. Passing a state law there could complicate companies’ privacy policies nationwide if they must treat one state differently, she said. California laws “can be really important models for other states to move through similar legislation,” agreed Ozer. Passing ISP privacy rules has a good chance in California due to the state’s history of passing consumer protections on a bipartisan basis and because its state constitution guarantees people a right to privacy, she said.

Passing the legislation “will likely give a boost to the Republican and Democratic legislators who were initially stalled,” said EFF’s Falcon. “I would expect every state that had a bill to introduce new bills in 2018 and more to join once voters across the country start asking why are Californians entitled to stronger privacy protections.”