Since Congress and the FCC have taken steps to remove restrictions on ISPs using customer data, a number of states and even some cities have taken legislative steps to reintroduce some sort of privacy restrictions on ISPs. This is bound to end up in the courts at some point to determine where the authority lies to regulate ISPs.
Congress just voted in March to end restrictions on the ways that ISPs can use customer data, leading to a widespread fear that ISPs could profit from selling customer browsing history. Since then all of the large telcos and cable companies have made public statements that they would not sell customer information in this way, but many of these companies have histories that would indicate otherwise.
Interestingly, a new bill has been introduced in Congress called the BROWSER Act of 2017 that would add back some of the restrictions imposed on ISPs and would also make those restrictions apply to edge providers like Google and Facebook. The bill would give the authority to enforce the privacy rules to the Federal Trade Commission rather than the FCC. The bill was introduced by Rep. Marsha Blackburn who was also one of the architects of the earlier removal of ISP restrictions. This bill doesn’t seem to be getting much traction and there is a lot of speculation that the bill was mostly offered to save face for Congress for taking away ISP privacy restrictions.
Now states have jumped in to fill the void. Interestingly the states looking into this are from both sides of the political spectrum which makes it clear that privacy is an issue that worries everybody. Here is a summary of a few of the state legislative efforts:
Connecticut. The proposed law would require consumer buy-in before any “telecommunication company, certified telecommunications provider, certified competitive video service provider or Internet service provider” could profit from selling such data.
Illinois. The privacy measures proposed would allow consumers to be able to ask what information about them is being shared. The bills would also require customer approval before apps can track and record location information on cellphones.
Massachusetts. The proposed legislation would require customer buy-in for sharing private information. It would also prohibit ISPs from charging more to customers who don’t want to share their personal information (something AT&T has done with their fiber product).
Minnesota. The proposed law would stop ISPs from even recording and saving customer information without their approval.
Montana. The proposed law there would prohibit any ISPs that share customer data from getting any state contracts.
New York. The proposed law would prohibit ISPs from sharing customer information without customer buy-in.
Washington. One proposed bill would require written permission from customers to share their data. The bill would also prohibit ISPs from denying service to customers that don’t want to share their private information.
Wisconsin. The proposed bill essentially requires the same restrictions on privacy that were included in the repealed FCC rules.
This has even made it down to the City level. For example, Seattle just issued new rules for the three cable providers with a city franchise telling them not to collect or sell customer data without explicit customer permission or else face losing their franchise.
A lot of these laws will not pass this year since the new laws were introduced late into the legislative sessions for most states. But it’s clear from the laws that have been proposed that this is a topic with significant bipartisan support. One would expect a lot of laws to be introduced and enacted in legislative sessions that will occur later this year or early next year.
There is no doubt that at some point this is going to result in lawsuits to resolve the conflict between federal and state rules. An issue of this magnitude will almost certainly will end up at the Supreme Court at some point. But as we have seen in the past, during the period of these kinds of legislative and legal fights the status of any rules is muddy. And that generally means that ISPs are likely to continue with the status quo until the laws become clear. That likely means that ISPs won’t openly be selling customer data for a few years, although one would think that the large ones have already been collecting data for future use.