This is the property of the Daily Journal Corporation and fully protected by copyright.

Administrative/Regulatory,
Government

Jul. 18, 2017

Will states be able to protect our online privacy?

Last year, the FCC issued broadband privacy rules that were set to take effect this December. Then Trump took office and changed course.

Anita Taff-Rice

Founder
iCommLaw

Technology and telecommunications


iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.


CYBERSLEUTH

For decades, communications laws have protected consumers' personal information and usage data. These laws were passed by the U.S. Congress, codified by the Federal Communications Commission (FCC), and implemented by the states in a so-called "cooperative federalism" arrangement. That was the case until Donald Trump was elected president, Republicans took control of both houses of Congress, and collectively they began dismantling or severely hobbling federal agencies' regulatory authority.

Late last year, the FCC issued broadband privacy rules that were set to take effect this December. In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Report and Order, FCC 16-148, Nov. 2, 2016. In March, however, the FCC blocked those rules from taking effect, Congress voted to repeal the FCC's order and on April 3, President Trump signed the measure. Public Law No: 115-22.

The broadband privacy rules would have prevented internet service providers (ISPs) such as AT&T, Frontier and Comcast from compiling and marketing customer profiles using information from the electronic trail users leave behind when they visit websites, download movies, or access personal data over the internet. These ISPs not only can track users' online visits but they can view the contents of digital data packets through techniques called "deep packet inspection."

With the federal privacy rules gone, state legislators and regulators are realizing that the referee has left the field and they are the only line of defense. Some states and even cities have stepped forward to fill the federal vacuum. The National Conference of State Legislatures reports that in response to the repeal of the FCC's broadband privacy rules, 21 states have stepped forward to enact their own legislation to prevent broadband providers or ISPs from collecting, disclosing or otherwise using consumer data without consumers' consent. Both Minnesota and Nevada have passed laws preventing ISPs from disclosing personally identifiable information about customers, and Minnesota requires ISPs to get permission before disclosing information about customers' internet activities. Minn. Stat. Sections 325M.01-.09.

Other states such as New York, New Jersey, Maine, Maryland, Washington and California are currently working to enact similar privacy laws. In California, Assemblyman Ed Chau, D-Monterey Park, introduced Assembly Bill 375, called the California Broadband Internet Privacy Act, which would give consumers more control over how their information is used and shared by ISPs. The legislation would prohibit an ISP from using, disclosing, selling or permitting access to a customer's personal information, unless the customer gives prior opt-in consent, which may be revoked by the customer at any time. The bill would also prohibit an ISP from refusing to serve, or limiting service to, a customer who does not provide consent, or from charging a customer a penalty or offering a customer a discount or another benefit based on the customer's decision to provide consent.

While these efforts are laudable, there is a real question whether they can be effective. The most obvious problem is that fewer than half of the states are moving forward with broadband privacy legislation. Notably absent from the list are larger states in which the governor is Republican, or that voted for Trump for president -- Texas, Florida, the Deep South and much of the Midwest.

The internet is by nature interstate, so if a consumer resides in a state that has enacted online privacy protection, but the server hosting the website accessed or the content provider is located in a state without privacy protections, which rules apply? Would state protections apply only to residents, or would they protect users on vacations or business trips while they are in the state? Even the states that may enact privacy protections won't likely enact uniform protections.

Without a national-level agency that can issue a uniform set of protections and have a comprehensible enforcement mechanism, it seems unlikely that internet privacy will be effective. That makes the battle over regulatory classification of broadband all the more important. In 2015, the FCC applied Title II of the Federal Communications Act of 1934 to regulate ISPs under the same framework as traditional telephone common carriers. 47 U.S.C. Section 201 et seq. In the Matter of Protecting and Promoting the Open Internet, WC Docket No. 14-28, Report and Order on Remand, Declaratory Ruling, and Order, 30 FCC Rcd 5601 (rel. March 12, 2015) (Net Neutrality Order).

In the Net Neutrality Order, the FCC decided to forbear from applying long-standing privacy rules set forth in 47 U.S.C. Section 222 because it was actively working on the broadband privacy rules in a separate proceeding. Section 222 prevents telephone carriers from disclosing personally identifiable information about customers or their calling patterns, dubbed Customer Proprietary Network Information.

The FCC has proposed scrapping the Net Neutrality Order and is currently taking comments from interested parties on whether and how to proceed. If the Net Neutrality Order survives, privacy advocates should push to have the FCC reverse its decision to forbear and apply Section 222 to internet activity. While not perfectly tailored to broadband, Section 222 would at least offer some minimal and uniform protection until something better can be enacted -- maybe years from now.
