Last week, President Donald Trump signed a Congressional Review Act resolution repealing internet privacy rules passed by the Federal Communications Commission (FCC) during the end of the Obama Administration. A key component of these regulations required internet service providers (ISPs) to receive consent from consumers before selling “sensitive data” (e.g., browsing history, geolocation, and financial and medical information) to third parties who could then use the personal data to create targeted advertisements.
Rather than ending the fight over internet privacy, the recent repeal only managed to shift the battleground to the states.
Lawmakers in at least 10 states — Hawaii, Kansas, Maryland, Minnesota, Montana, New York, Rhode Island, Vermont, Washington, and Wisconsin — are now pushing back against the repeal of FCC rules by introducing legislation that specifically reinstates the consent or “opt-in” requirement. The bills follow a common framework that require ISPs to obtain express consent from customers before selling their browsing history or other private data. Lawmakers have also announced similar initiatives in several other states. Connecticut Senate Majority Leader Bob Duff (D) announced plans to introduce similar legislation this session, and New Jersey Senate Majority Leader Loretta Weinberg (D) stated that she will introduce a similar bill at the next quorum session scheduled for May 1.
The congressional repeal resolution passed with only Republican votes, but on the state level, there is bipartisan cooperation for legislation restoring the consent requirements. For example, six Republicans co-sponsored a bill in Massachusetts and Representative Stephanie Clayton (R) introduced a bill in Kansas. “I would assume that any legislator that cares about the privacy of their constituents, regardless of their party, would be happy to support this,” said Clayton. “My real question is: Who wouldn’t?”
These bills will inevitably be challenged in court. However, for the time being, it appears that state lawmakers may have the upper hand. During an interview with NPR, Washington Representative Drew Hansen (D) was asked about jurisdictional authority and stated, “Well, there's no conflict here. I mean, the federal entities have just chosen not to act. Federal law in this area is a floor rather than a ceiling. There's nothing to protect states from being more protective of privacy than the federal government has chosen to do.”
Legality might depend on the bill’s individual language. Some states, such as Illinois and Rhode Island, are taking the consent requirements a step further than the FCC regulations by applying privacy requirements to “commercial websites,” which presumably includes Facebook and Google in addition to ISPs. Sponsors and supporters are calling these bills “right to know” acts. Some question whether these bills are overreaching in their attempt to protect privacy.
The greatest challenge for these bills, at least for this legislative session, will be timing as lawmakers race to file bills before introduction deadlines and adjournment dates. Because the issue emerged so late in the legislative session, some lawmakers were forced to introduced privacy protection as amendments (as is the case in Hawaii, Montana, Minnesota, and Wisconsin). Even if a lawmaker can get the proper language introduced in time, some feel there is not sufficient time for debate, which is why Maryland's bill (MD SB 1200) died this week in a House committee.
Even before the FCC rule repeal, internet privacy legislation became a trending topic in state legislatures as websites and popular apps collect more and more data from users. Lawmakers in Illinois filed a “right to know” bill (SB1502) in February as well as a geolocation privacy protection bill (IL HB 3449) that requires consent from consumers before a private entity can use geolocation information from location-based apps. Also in February, New York lawmakers introduced a comprehensive data privacy bill (NY AB 5220) that creates disclosure requirements for businesses, including website and mobile applications, that sell user information to third parties.