On June 19, 2017, California Assemblyman Ed Chau (D-Monterey Park) introduced a bill that would restrict Internet service providers (“ISPs”) from reusing or selling California subscribers’ personal information without consent. The bill is modeled on a rule adopted by the Federal Communications Commission (“FCC”) in 2016 but rescinded by the FCC following its change of leadership in 2017.
The bill, titled the “California Broadband Internet Privacy Act,” applies to providers of Internet access by radio, wire or equivalent means, but does not affect dial-up service. Covered ISPs would be restricted from using, disclosing, or permitting access to customer personal information without the customer’s opt-in consent. “Customer personal information” is defined under the bill to include any information the ISP collects “from or about an individual customer or user” solely by virtue of the customer’s Internet subscription, and specifically includes traditional categories of personally identifiable information, technical identifiers and browsing history.
Under the bill, covered ISPs could neither restrict services nor offer alternative pricing based on customers’ decision not to grant consent or to revoke their consent. The bill allows limited exceptions for which consent is not required (including providing Internet access itself, complying with legal process, and protecting the ISP’s rights), and allows for use and sale of aggregate customer information. Finally, the bill would codify a requirement that ISPs take reasonable security measures with respect to customer information and destroy such information when it is no longer needed for the purposes for which it was collected.
In October 2016, the FCC adopted a similar rule for broadband ISPs. The rules would have taken effect in 2017 but were repealed in a Notice of Proposed Rulemaking adopted by the FCC shortly after President Trump appointed Commissioner Ajit Pai to Chairman. Congress also acted, passing legislation under the Congressional Review Act to undo the new rule.
The California Broadband Internet Privacy Act would hardly be the first time California has stepped in to set its own privacy rules. In the last twenty years, for instance, the state’s first-in-the-nation data breach reporting requirement kicked off similar legislation in virtually all other states, and the California requirement to post online privacy policies has effectively set the standard for Web companies operating anywhere in the U.S. In this case as well, the bill’s text limits its scope to California residents, but in light of California’s natural nexus to the technology industry, it could if passed have a similar effect on ISPs’ offerings nationwide. For the same reason, though, ISPs themselves will almost certainly resist it, including on federal preemption grounds.
At press time, the National Conference of State Legislatures reports that twenty other states have introduced legislation aimed at ISP privacy, so it is likely that the landscape of ISP privacy regulation will evolve considerably over the next several years.