Soon after President Donald Trump took office with a pledge to cut regulations, Republicans in Congress killed an Obama-era rule restricting how broadband companies may use customer data such as web browsing histories.
But the rule may be finding new life in the states.
Lawmakers in almost two dozen state capitols are considering ways to bolster consumer privacy protections rolled back with Trump’s signature in April. The proposals being debated from New York to California would limit how AT&T, Verizon Communications and Comcast use subscribers’ data.
The privacy rule is just one example of states resisting policy changes wrought under the Trump administration. After Trump withdrew from the Paris climate accord, the governors of New York, California and Washington formed a coalition to fight global warming. California has also balked at Trump’s review of fuel-efficiency standards for automobiles and said it would fight any move to weaken them. And 35 states are pressing for the right to enforce laws guaranteeing internet service speeds live up to advertisements.
“If the federal government lags, the states have to lead. And that’s what we’re doing,” said Tim Kennedy, a Democratic New York state senator. Kennedy introduced a bill to prohibit internet service providers from selling customer web searches, social media histories and other personal information to third parties — the crux of the nixed federal regulation.
In New York, Kennedy’s bill in the Republican-dominated Senate didn’t advance before the legislative session ended. He says he’ll be back.
“We’re going to continue to drive this agenda forward, so consumers know their privacy is at risk,” Kennedy said in an interview. He blamed “a misguided decision, once again out of Washington, that helps the large multibillion-dollar corporations but hurts the little guy.”
The federal rule, which passed the Federal Communications Commission in October, hadn’t yet taken effect. It said internet providers such as AT&T, Verizon and Comcast would need consumers’ permission before using or selling customer data for marketing or other purposes.
The restrictions covered broadband providers that are regulated by the FCC because they provide a telecommunications service. The rule didn’t cover web-based companies that track consumers, such as Facebook and Alphabet Inc.’s Google, whose privacy practices are regulated by a different U.S. agency — the Federal Trade Commission.
Critics including the broadband providers said the differing treatment wasn’t fair. The problem stems from the FCC’s earlier decision to classify broadband as a telecommunications service it could regulate, said Rep. Marsha Blackburn, the Tennessee Republican who sponsored the privacy-rule nullification Trump signed. By setting that classification, the FCC removed broadband providers from regulation by the FTC. The measure to repeal the privacy rule passed with only Republican votes.
“What it did was to preserve the status quo, and allow us back to the posture where we had been” with “one regulator and one set of rules for the entire ecosystem,” said Blackburn, who leads the House subcommittee on communications.
Congress for years has failed to pass consumer privacy rules and “of course the states are looking at what they need to do,” she said.
Broadband companies don’t want to deal with a patchwork of different state laws.
“The internet doesn’t stop at state lines, which is why it’s preferable to have federal privacy rules that provide consistent protections for consumers,” Amy Schatz, a spokeswoman for US Telecom, a Washington-based trade group with members including AT&T and Verizon, said in an email. Both companies opposed the FCC’s rule, and each in statements welcomed its rejection by Congress.
Blackburn on May 18 introduced a bill to bring broadband providers and web companies under regulation by the same agency, the trade commission, and require consumer assent to use data. Democrats haven’t signed on, and the measure’s been criticized by advertisers and the Internet Association, a trade group with members including Google and Facebook, companies known for tracking users.
At least 21 states have filed measures responding to the federal repeal, according to a tally kept by the National Conference of State Legislatures, which conducts policy research for state governments.
In California, lawmakers have yet to consider a measure introduced by Assemblymember Ed Chau, a Democrat, to require permission by subscribers before a broadband company uses personal information.
“We believe that we should treasure our personal information,” Chau said in an interview. Constituents “generally are worried that their information is being used. They want to have a say in how their personal private information is used.”
“We want to set the pace,” Chau said. “And we hope to be the leader when it comes to privacy protections.”
A law passed in California would apply only to companies operating in the state, but it could have an indirect impact elsewhere, said Chris Conley, a policy attorney with the American Civil Liberties Union of Northern California.
“If we can get a strong model that is workable, then it’s something that can be adopted elsewhere,” Conley said in an interview. “We would still prefer that the federal government be the one driving this. But they’re not.”
“These state proposals are generally at odds with the realities of today’s internet” and are based on “zero evidence” of harm to consumers, said Brian Dietz, a spokesman for NCTA – The Internet & Television Association, a Washington-based trade group with members including largest U.S. cable provider Comcast and Charter Communications Inc. The measures “completely fail to respond to consumers’ desire for workable privacy standards that apply consistently to all parties collecting data online,” Dietz said in an email.