Just days after President Donald Trump signed legislation into law allowing Internet service providers (ISPs) to sell the personal data of customers, several states moved ahead with legislation to protect the data of their constituents.
The signature of Donald Trump has landed on a number of controversial bills and orders since he took office Jan. 20. But perhaps none of them have intersected with technology quite the way that the rollback of impending Obama-era Internet privacy protections has.
Removing the Federal Communication Commission’s (FCC) limitations on Internet service providers' (ISPs) selling customer data such as geolocation, browser history and other personal data to third-parties has sweeping implications that span all American Internet users.
“There’s nothing stopping a big Internet service provider from selling that data of an individual to advertisers, to even law enforcement agencies, to whoever the highest bidder is,” Steven Renderos, organizing director at the Center for Media Justice, told Jezebel.com, which also noted that once a user's data is out there, it’s analyzed and used to make decisions about how to tailor ads to you and, increasingly, make predictions about our behavior. But, Renderos told the news outlet, “Algorithms that are supposed to make determinations about us often times make assumptions that may or may not be correct.”
And Tim Berners-Lee, creator of the World Wide Web, has called the rollback "disgusting."
“When we use the Web, we are so vulnerable,” Berners-Lee told The Verge. “There are things that people do on the Web that reveal absolutely everything, more about them than they know themselves sometimes. Because so much of what we do in our lives that actually goes through those left-clicks, it can be ridiculously revealing. You have the right to go to a doctor in privacy where it’s just between you and the doctor. And similarly, you have to be able to go to the Web.”
Berners-Lee is not alone; this Internet privacy rollback has sparked a national trend of state legislative action meant to protect citizens from the sale of their data without consent.
On April 5, Senate Majority Leader Bob Duff announced plans to push for a state law to counter the federal rollback.
“Millions of Connecticut consumers are in danger of having their personal information about their Web-browsing history, and their children’s health, financial history and location that can be collected and sold,” Duff said. "We're proposing an amendment that would bar any telecommunication company, certified telecommunications provider, certified competitive video service provider or Internet service provider from providing its services to a consumer on the grounds that the customer has not approved, so basically an opt-in provision, and from collecting customers' personal information."
Duff also acknowledged that other states are going in this direction, and called the rollback "a gross violation of consumer rights and what most people would think is fair and reasonable."
On March 30 in the Prairie State, the House Cybersecurity, Data Analytics & IT Committee endorsed two privacy measures to bolster consumers' Internet privacy rights.
The first, according to the Associated Press, would allow consumers to request information on them that companies like Google and Facebook collect; the second would require that apps get consumer permission before tracking user locations.
Though just proposed April 6, a new bill in the Kansas House would require ISPs to seek the approval of their customers before any information was sold for the purposes of generating advertising.
The bill, proposed by Rep. Stephanie Clayton, a Republican representing Overland Park, would require ISPs to get approval from their customers before passing the information along to a third party.
The need for privacy spanned across party lines, Clayton told The Kansas City Star. “I would assume that any legislator that cares about the privacy of their constituents regardless of their party would be happy to support this,” she said. “My real question is: Who wouldn’t?”
Though Maryland doesn't have legislation on the books, it's not for a lack of trying. On April 3, the state's House of Delegates voted 90-45 to allow introduction of an Internet privacy bill by Majority Leader Bill Frick — just four votes shy of what's required for legislation to be considered this late in the session, which ended April 10.
According to The Baltimore Sun, Frick, D-Montgomery County, sought a suspension of the rules to introduce his bill. He reportedly told delegates that the General Assembly should do what it can to address what he called one of the most pressing issues facing the United States. Had the bill been introduced, it could have received a hearing before a House committee.
Frick also told the news outlet that the issue may still come before the legislature this year, as he has been working to write legislation with Sen. James C. Rosapepe, D-Prince George's County, who might attempt to introduce it in the Senate as early as the evening of April 10. Should the Senate move the bill through committee and pass it in the time remaining, according to The Baltimore Sun, it would come back to the House.
In response to the federal rollback, six Republican state senators filed legislation on April 7 that would bar ISPs in Massachusetts from using or selling their customers’ data without getting the explicit permission, according to The Boston Globe, which also reported that the bill would ban ISPs from charging extra for Internet service to customers who refuse to share their personal data.
“The federal government has created a situation that threatens consumer privacy, and it needs to be addressed,” Senate Minority Leader Bruce Tarr of Gloucester, one of the sponsors of the legislation, told the news outlet.
On March 29, Minnesota’s state senators voted to add broadband privacy protections at the state level as an amendment to the state's economic development budget bill, S.F. No. 1937, introduced by Sen. Ron Latz, DFL-St. Louis Park. Latz offered the amendment because he said it was urgently needed to protect Minnesotans’ privacy after the congressional vote, according to the Pioneer Press.
Should the bill pass in the Minnesota House and be signed into law by Gov. Mark Dayton, ISPs would be required to obtain “express written approval from the customer” before collecting customer information from their users. As in other states, it also forbids ISPs and telecoms from refusing to provide service to someone that refuses to approve the collection of their personal data.
Sen. Warren Limmer, R-Maple Grove, even broke with his party to overturn the Senate president’s ruling and allow the Internet privacy amendment to continue by a single vote, the news outlet reported.
“We should be outraged at the invasion that’s being allowed on our most intimate means of communication,” Limmer, a longstanding privacy advocate, told the Pioneer Press. “This is an amendment that so urgently needs to be addressed.”
On April 3, the Montana Senate approved a budget provision that would bar ISPs from being awarded state contracts if they collect data from their customers without consent, according to the Associated Press.
"It has become apparent to us that they [ISPs] have the ability to use your information in ways to market to you, and, quite frankly, sell that information," Montana Sen. Ryan Osmundson, R-Buffalo, who introduced the measure, told the Associated Press. "We're basically saying they cannot do business with the state if they're collecting personal information without the consent of the individual."
Sen. Tim Kennedy, D-Buffalo, introduced legislation on April 4 that, like other states, would prohibit ISPs from selling customer browsing history and other personal information to third parties. As a public utility regulated by New York state, ISPs must comply with state laws and regulations. This legislation would ensure that New Yorkers continue to benefit from the privacy laws that were implemented under President Obama’s administration.
“When voters across the country elected this House and U.S. Senate last November, I doubt they were voting with the hope that their ISP would be allowed to sell their browsing history,” Kennedy said in a statement. “This kind of anti-consumer, anti-privacy action doesn’t benefit anyone except large corporations. This is not an abstract threat to regular folks — this is bad policy with real world consequences. The legislation I have introduced will ensure these actions never make it to New York state.”
After Trump signed the FCC rollback legislation April 3, a bipartisan coalition of Washington state legislators introduced two similarly themed bills in both houses of the state Congress in short order.
The first, House Bill 2200, outlines the need for ISPs to obtain written consent from their customers before passing it to a third-party. Additionally, the companies would not be allowed to deny services to customers who opt out of data sharing practices.
The state Senate’s version, Senate Bill 5919, though remarkably shorter, also places limitations on the sale of user data, but focuses on the state agencies in contract with and ISP. As in the house version of the legislation, the proposal limits the ability of telecommunications companies to refuse service based on whether customers opt out of sharing their data.
In addition to new funds for broadband Internet service expansion in rural areas, the so called Rural Broadband Bill also takes aim — through an amendment to the legislation — at the controversial privacy rollback by requiring ISPs to obtain permission from their customers before any personal data is shared.
Additionally, ISPs would be restricted from denying Internet services to customers who opted out of data sharing agreements. The initial bill was proposed by Republican Sen. Patrick Testin, of Stevens Point, but the amended customer consent language was added by Democrat Sen. Jennifer Shilling, of La Crosse. The bill cleared the Wisconsin State Senate April 4, and will proceed to the Assembly for another vote.
If successful, the law would offer residents in the state the same protections offered by the repealed FCC rules.