(Courtesy of OTI)
New America’s Open Technology Institute (OTI), supported by many consumer advocacy and privacy organizations, has published model legislation to aid states in improving privacy protections for broadband customers. The model is designed to provide Americans real choices over how broadband providers like AT&T and Verizon can use, disclose, and provide access to customer information. States must consider their own broadband privacy legislation to fill the gap left by Congress when it repealed the Federal Communications Commission’s (FCC’s) broadband privacy rules.
The need for state action on broadband privacy
The need for broadband privacy protections has long been clear: broadband providers collect and see extensive data about their customers, primarily by virtue of owning the conduit over which all internet traffic travels. That data includes web browsing records, geolocation data, and financial and health information. This universe of data can reveal highly personal and detailed information about a person, including race, nationality, sexual preference, religion, physical location, presence at home, personal banking details, and physical ailments.
In October 2016, the FCC recognized the important and unique privacy concerns that apply to broadband providers when it passed robust, clear broadband privacy rules focusing on consumer choice, data security, and transparency. Among other things, the rules required broadband providers to protect by default (through so-called “opt-in” consent) information the FCC deemed “sensitive.” The rules protected web browsing and app usage history in addition to categories traditionally considered sensitive—such as information about health, finances, and Social Security Numbers.
Unfortunately, Republicans in Congress, aided by President Trump’s signature, repealed the FCC’s broadband privacy rules earlier this year. In a rushed and ill-conceived plan, Congress stripped the FCC’s privacy protections before they could even begin protecting consumers by using a blunt tool called the Congressional Review Act. This law, which was rarely used prior to 2017, allows Congress to repeal administrative rules in a manner that bypasses normal legislative procedure, including public hearings, and rushes the measure to a final vote with little notice. President Trump signed the measure and the rules vanished, leaving a void in their wake.
Americans were rightfully upset over the repeal of the broadband privacy rules. Consumers care deeply about their online privacy. Consumers believe they have lost control over their data and thus want more control. Many consumers have limited their online activity and speech because of privacy concerns. Specific to broadband privacy, polls showed that most Americans wanted the FCC’s privacy rules to stay in place.
Without strong rules protecting consumers, states have the opportunity to fill the void left by Congress and provide clear rules-of-the-road when it comes to protecting the privacy of broadband customers. Approximately twenty-two states have introduced broadband privacy legislation. Many bills have been introduced in state legislatures that rely on different language and different authority. In general, some provisions will change by state, depending on what laws already exist and what authority the state has over consumer protection. Our model language can provide a starting point for states that care to protect their citizens’ privacy rights.
OTI’s model legislation
Since Congress’ broadband privacy repeal, OTI has worked closely with states in crafting broadband privacy legislation. While OTI has previously supported the FCC’s broadband privacy rule and continues to support states that adopt language similar to the FCC’s rule (like California and the District of Columbia), this model language improves on some areas where OTI determined the FCC’s rule did not go far enough.
The model language takes a comprehensive approach to protecting broadband privacy. Rather than separate certain buckets of data into sensitive and non-sensitive (as the FCC did and the Federal Trade Commission does with respect to other industries), the model requires broadband providers to protect all information they collect by default. The model does that by requiring broadband providers to obtain opt-in consent before using, selling, disclosing, or providing access to customer information for any purpose, with some exceptions. The model also requires broadband providers to provide clear and prominent notice of their privacy practices and to use reasonable security measures in protecting data.
The model bans so-called “pay for privacy” schemes, where a broadband provider will upcharge a customer who wants to protect his or her privacy—or will provide a steep discount to customers who agree to essentially no limitations on how the broadband provider can use their data. OTI has argued against this practice several times. It is a predatory practice that is designed to induce or, at worst, coerce customers into giving away their privacy rights. The best example is AT&T’s now-defunct plan that cost $30 less per month for a privacy-invasive plan.
States have the opportunity to correct Congress’ mistake in repealing the FCC’s broadband privacy rules. This model will hopefully get that conversation started, or will help continue that conversation, within state legislatures.
Model Broadband Privacy State Legislation