On September 16, 2017, a proposed California bill modeled after the Federal Communications Commission’s (“FCC”) failed broadband privacy regulations was withdrawn from committee, creating an uncertain future for what would have been the first-of-its-kind state-level set of regulations over broadband internet service providers (“ISPs”).
Introduced by Assemblyman Ed Chau, the proposed California bill (AB-375) was specifically intended to “incorporate into statute certain provisions of the Federal Communications Commission Report and Order ‘Protecting the Privacy of Customers of Broadband and Other Telecommunications Services’ (FCC 16-148).” In April 2017, the FCC’s regulations—developed during the Obama administration—were revoked by President Trump under the Congressional Review Act before going into effect. The failed FCC regulations would have, among other things, required ISPs to obtain affirmative “opt-in” consent to use and share sensitive information such as financial and health information, social security numbers, information relating to children, and precise geo-location information. The regulations also proposed transparency requirements that would have required ISPs to clearly disclose how they collect and use consumer information.
The Trump administration’s revocation of the FCC’s rules was applauded by those who believe the existing regulatory framework is preferable, under which the Federal Trade Commission (“FTC”) has broad authority to regulate consumers’ Internet privacy across all sectors of the cyber ecosystem. Critics of the failed rules had argued that, because the FCC’s rules would only apply to broadband service providers, they would both undermine the FTC’s existing authority and create a patchwork of inconsistent Internet privacy rules that apply to different types of entities.
In the wake of President Trump’s revocation of the FCC privacy rules, California and other states began proposing legislation aimed at implementing the core components of the failed FCC rules at the state level. For example, the California bill proposed similar opt-in consent requirements, prohibiting an ISP from disclosing a consumer’s sensitive proprietary information without first obtaining consent. Additionally, the bill would have prohibited an ISP from refusing or limiting service to a consumer who does not waive his or her privacy rights, and also would have made it unlawful to charge a consumer a penalty for his or her refusal to waive privacy rights (or in the alternative, to offer discounts only to those willing to waive such rights).
As with its federal counterpart, the stalling out of the California bill is a win for the ISPs who opposed it, and another loss for advocacy groups like the Electronic Frontier Foundation, whose Legislative Counsel Ernesto Falcon lamented that “Californians will continue to be denied the legal right to say no to their cable or telephone company using their personal data for enhancing already high profits.” Others like Doug Brake of the Information Technology & Innovation Foundation agree that the California bill was unfitting for the same reasons as the FCC’s rules, and that “it is an even worse idea to splinter off special rules for an individual state’s broadband providers” when broadband activity often crosses state lines.
The California bill is not dead, however; it is only stalled for the rest of 2017, with the ability to be resurrected by the legislature in 2018.