States Push Their Own Internet Privacy Rules

Efforts gain steam after Congress kills federal regulations protecting consumer information


Now that Congress has killed internet privacy regulations due to take effect this year, a number of states are weighing their own measures to protect consumers' personal information.

The state proposals, like the now-defunct federal rules, would restrict how internet service providers (ISPs) like Verizon and Comcast collect and use customer data. The federal regulations were approved last fall by the Federal Communications Commission.

Privacy experts say the rollback of the FCC rules has left a void in consumer protection.

“In a matter of four legislative days, Congress wiped out groundbreaking internet privacy rules, carefully designed over 200 days, intended to empower consumers and protect their privacy,” says Jonathan Schwantes, senior policy counsel for Consumers Union, the policy and mobilization arm of Consumer Reports.

According to a recent CR Consumer Voices Survey, 65 percent of Americans lack confidence that their personal information is private and safe from distribution without their knowledge. Consumer Reports has teamed with privacy and security experts to start developing a digital standard that calls on all kinds of companies to protect consumer privacy.

The FCC rules won't be coming back. Because they were overturned using the Congressional Review Act, the agency is barred from proposing similar privacy rules in the future.

What States Are Doing

Privacy advocates say the best chance for strong internet privacy rules may now reside with the states.

“More and more, states have taken the position that if Congress is not willing or able to enact strong privacy laws, their legislatures will no longer sit on their hands,” says Chad Marlow, a lawyer at the American Civil Liberties Union.

Many states have only part-time legislatures, and Marlow says they're racing to get privacy bills passed before the members return to their districts. "The federal rollback has sent many of the states into a panic mode just to get something in place before their legislative session winds down," he explains. "Otherwise they'll have to wait another eight months before they can again take action."

But a leading ISP trade group says that state legislation is unwarranted.

“ISPs have long followed practices to protect and respect the privacy of their customer’s personal information,” says Brian Dietz, vice president of communications and digital strategy for the Internet & Television Association, formerly known as the National Cable Television Association.

“These state proposals are generally at odds with the realities of today’s internet, are based on zero evidence of alleged harm from ISPs, and completely fail to respond to consumers’ desire for workable privacy standards that apply consistently to all parties collecting data online,” he says.

Here's a quick rundown of current legislative actions. Some of them strengthen minor protections that already exist under state law. Congress maintains a site to help you find out how to contact your state and federal legislators if you'd like to weigh in.

The state is now considering two bills, both introduced within the past week. Both HB 230 and HB 232 bar ISPs operating in the state from collecting personal information from customers without their express written consent. It also prevents ISPs from refusing service to those who don't opt in to the data collection.

So far the state has been quiet on the internet-privacy front, but that will change soon, according to an aide to Assemblyman Ed Chau, a Democrat who heads the Privacy and Consumer Protection Committee. He says a number of bills will likely be introduced this year strengthening the state's protections for consumer privacy. "California has typically led the nation in privacy laws," he says, "but we need to make them more meaningful."

Senate Majority Leader Bob Duff, a Democrat, will be proposing legislation to bar telecommunication companies, video-service providers, and ISPs from collecting customers' personal information without getting prior consent. During a press conference announcing his proposal, Duff said that consumers were now vulnerable following the recent rollback of the FCC's privacy rules. "What I imagine we'll see across the nation are other state legislatures doing what they need to do to protect the information of their state residents," he said.

Adam Joseph, communications director for the Senate Democrats, says Duff's measure will be an amendment to a commerce bill that will be acted on before the Connecticut legislative session ends on June 7.

The state has several bills in the works. One is a "right to know" law, meaning it gives consumers the right to find out what information has been collected about them and who has access to it. But it doesn't ban data collection or require prior consent.

Another bill would prohibit apps from tracking user locations without express consent.

A third proposal would protect consumers from being spied on by devices such as smart TVs, laptops, and smartphones that have built-in microphones. The measure would require that you provide consent before the device's microphone turns on.

The first two bills have passed through a House committee but haven't yet been voted on by the full House. Corresponding Senate measures are awaiting a vote.

Earlier this month, Republican Rep. Stephanie Clayton introduced a bill in the House that would require ISPs to get approval from their customers before their data could be sold to a third party for advertising purposes. The Kansas Legislature is in recess until May 1. "The bill does not yet have a number, as it was introduced at the end of the regular session," Rep. Clayton told us. "It will have one when the veto session begins on or shortly after May 1." (The Legislature uses the so-called veto session to wrap up outstanding business.)

A House bill that would penalize ISPs that don’t get a consumer's “express and affirmative permission” to sell or transfer personal data hit a procedural roadblock because it was introduced too late in the session. (The Senate had voted to suspend its own "too late" rules and allow a bill, SB 1200, to be introduced.) That means the bill is dead until next January unless a special session is convened.

Massachusetts is considering a bill (SD2157) that would bar ISPs that do business in the state from collecting, using, disclosing, or otherwise disseminating personal information "without express written approval from the customer."

An aide to the bill's sponsor, Senate Minority Leader Bruce Tarr, a Republican, told Consumer Reports it also prevents ISPs from imposing a surcharge or refusing service if a customer opts out. The bill has been referred to the rules committees of both houses of the Legislature.

With strong bipartisan support, the Minnesota Senate passed an amendment to an omnibus funding bill (S.F. No. 1937) that bars ISPs from selling their users’ personal data without express written consent.

According to an aide for its sponsor, Democratic Sen. Ron Latz, there is a similar bill in the House, and a committee is working to reconcile the two measures. The final version will then be sent back to each house for a vote by May 15, and could be signed by the governor soon after.

Montana is considering action to bar ISPs from being awarded state contracts if they collect data from their customers without consent. This legislation, called SB95, is a companion bill to the state's 2018-2019 budget bill (HB2). The budget bill has passed the state Senate and is now under consideration by the House, which is reviewing dozens of amendments. SB95 is on the floor of the House for its second reading. Once it's approved by the House, the Senate will then consider the amendments that were added to the bill.

Kris Wilkinson, lead fiscal analyst for the Montana Legislature, says that if the Senate doesn't concur with the amendments, a conference committee might be appointed to resolve the differences. At this time SB95 could be amended to include the language barring ISPs from state contracts. If approved by the House and Senate, the budget and companion bill will be sent to the governor.

Montana's Legislature meets only once every two years, and its current session ends April 30.

New York
New York has several pending pieces of legislation. In the Senate, S3657 seeks to establish an online privacy act as well as an Office of State Online Privacy Protection and Internet Safety. The bill is currently in committee. Another bill, S 5516, introduced by Sen. Timothy Kelly, a Democrat, would prohibit ISPs from selling customers' browsing history and other personal information to third parties and protect customers from poor service. Another bill, S3367, requires that ISPs keep all customer information confidential unless a customer provides written consent.

According to the press secretary for the Pennsylvania House Democratic Caucus, there are now six bills that will make up an online privacy and security legislative package.

The measures, introduced by several members, range from right-to-know proposals to bills that limit how ISPs can collect and sell data. One bill deals with safeguards and notifications in the event of a data breach. The state is one of the few that are in session all year, so it doesn't face a time constraint.

Rhode Island
Legislators have proposed H 6087, otherwise known as the "Right-to-Know Act." Currently in the House Corporations Committee, the bill establishes a consumer's right to know how his or her personal data is being collected and then shared with or sold to third parties.

Senate Democrats have introduced a bill, S 147, that would basically require the state attorney general, in consultation with the Commissioner of Public Service, to adopt privacy and security rules modeled on the FCC's 2016 privacy order, the set of rules rolled back by Congress in March. The Vermont bill has been referred to the Committee on Finance.

The House passed a bipartisan bill (HB2200) that would, among other things, require ISPs operating in the state to get customers' consent before collecting or using their personal information. It also calls for greater transparency and disclosure when breaches happen. The bill is now in a Senate committee. A legislative aide to Democratic Rep. Drew Hansen, one of the bill's sponsors, said there's a similar bill in the Senate (SB5919). According to local press reports, that bill will likely face tougher odds of being passed.

New Federal Laws Proposed

Though most of the new efforts on consumer privacy are taking place at the state level, federal lawmakers have also introduced two bills.

Last week Sen. Richard Blumenthal, D-Conn., proposed the Managing Your Data Against Telecom Abuses Act (MY DATA), which would put the Federal Trade Commission in charge of ISPs rather than the FCC. This agency, which regulates internet companies such as Google and Facebook, had authority over ISPs until 2015.

The bill would also provide the FTC with rule-making abilities to establish safeguards in the areas of privacy and data security.

“Signing up for internet should never mean you have to sign away your rights to privacy,” Blumenthal said in a statement. “My bill makes sure the FTC has the authority it needs to restore consumer control and allow individuals to use the internet without fear of invasive and intrusive practices that turn our private lives into yet another commodity on the open market.”

That bill joins another piece of legislation, S.878, introduced earlier this month by Sen. Edward Markey, D-Mass. It would essentially restore the FCC internet privacy rules. It is backed by 10 other Democratic senators.

James K. Willcox
