When President Donald Trump signed a law killing Federal Communications Commission privacy rules for internet service providers, it created widespread consumer privacy fears: Would ISPs run roughshod over their data? Could their personal data be sold to the highest bidder?
Amid the confusion, legislators across the country have been bombarded with calls from constituents hoping their state governments would fortify online privacy protections.
The result is upwards of 21 new privacy bills in 11 states, some intended to replicate the deflated federal regulations at the state level.
Proposed legislation has popped up in states including Minnesota, Nevada, Illinois, Massachusetts, Wisconsin, Montana and Washington.
"We have some people right now in this country that are worried about their data privacy," said Rep. Richard DeBolt, a Republican and assistant ranking minority member of the Washington House Technology and Economic Development Committee, during a hearing last week on an internet privacy and security bill winding its way through the state legislature.
"We've seen it all over the country. People are reacting to their data being sold."
Industry Coalition Brings Out Legal Guns
Well, not so fast.
"Arguments that the repeal of the FCC broadband privacy rules has freed ISPs to sell customers' personal information are simply false," said Kate Lucente, associate at global law firm DLA Piper. And so the industry finds itself engaged in a multi-state game of Whack-a-Mole as it attempts to defeat proposed privacy legislation at the local level.
Just one of many lawyers industry parties have commissioned to take their message of opposition to the states, Lucente was on hand to represent the State Privacy and Security Coalition -- a group comprised of the Association of National Advertisers along with well-known digital media firms, large retailers, cable operators and telcos.
Among the points she made in her testimony was that all major ISPs have committed in their privacy policies not to sell their customers' sensitive data unless they obtain their consent.
The moribund FCC rule, however, would have labeled data the industry historically has not deemed sensitive as such – particularly web browsing, location and mobile app-usage data. It would have required that ISPs obtain "opt-in" consent from consumers before using and sharing that information.
Privacy advocates were in favor of the FCC rules because, while they did not prohibit ISPs from using what the commission had defined as sensitive data, they afforded more control to consumers over their information by requiring the opt-in.
Since rumblings emerged earlier this year of congressional momentum to stop the FCC's rules before they could go into effect, privacy advocates and left-leaning political groups have fanned the flames of consumer backlash, aided by sometimes ill-informed and hyperbolic media headlines declaring things like, "Congress Just Killed Your Internet Privacy Protections."
"These bills are misguided responses to the recent and unfounded controversy on the federal level," Christopher Oswald, VP of advocacy for the Data and Marketing Association (formerly the Direct Marketing Association), wrote in an email sent to Ad Age. The DMA is also actively opposing the state bills.
One thing that seems to have been lost in many media reports and messaging decrying the death of the FCC rules is that they applied only to ISPs rather than so-called "edge providers" such as Google or Facebook. They also wouldn't have encumbered data gathering and sharing capabilities of mobile industry third parties that have already obtained opt-in permissions to collect location data from consumers in order to enable mobile apps.
Even before President Trump signed the law earlier this month squelching the never-implemented FCC rules, lawmakers on both sides of the aisle began introducing bills intended to replace them on a state level. The likelihood of any of the bills passing is unclear. "It's possible that somewhere between one to four state bills might get through this year," said Jim Halpert, co-chair of DLA Piper's global data protection, privacy and security practice.
In general, ISPs and other digital industry corporations worry that, were the bills to become laws, they would be forced to navigate a complex system of state roadblocks requiring them to obtain opt-in permission from consumers every time their services come in contact with web browsers.
Why Maryland's Bill Was Dead on Arrival
In Maryland, an effort to prohibit ISPs from selling or transferring consumers' personally identifiable information died in committee before the state ended its three-month General Assembly April 10. It appears some state lawmakers were concerned about rushing through legislation the consequences of which members of the chamber did not fully understand.
"To try to do this on the fly, it just doesn't work for me," said Democrat Dereck Davis, chairman of Maryland's House Economic Matters Committee, who was quoted in an April 10 Baltimore Sun article detailing the fate of the bill.
There is great irony here. Industry tends to push for federal standards in the hopes of homogenizing disparate state rules. In this case, however, industry groups fought the federal FCC rules they considered overreaching, only to now be compelled to contend with several hastily crafted state bills.
"It is ironic that this is the next step following repeal of the FCC rules, but the response by advocates is an effort to regain some ground, and apply political pressure," suggested Halpert.
Passage of the state bills would result in "a very balkanized regulatory framework," said Dan Jaffe, group executive VP-government relations at the ANA, which was a vocal critic of the FCC rules.
"This is an important issue," he said. "It's going to be continually fought."