ISP Privacy Rule Update: Federal Government Out, State Governments In

The Federal Communications Commission (“FCC”) adopted rules in 2016 that restricted Internet Service Providers (“ISPs”), such as Verizon, AT&T, and Comcast, from sharing sensitive data, including browsing history and location data, without consumer consent. We discussed these groundbreaking rules in our previous blog post.

The new rules never took effect, however. On March 23 the Senate voted to repeal them, with the House following suit on March 28. The final nail in the coffin came on April 3, when President Trump signed Senate Joint Resolution 34, officially undoing the rules. Notably, because the rules were repealed using the Congressional Review Act, the FCC is banned from proposing substantially similar ones in the future.

With the FCC out of the picture, what can we expect on the ISP privacy front moving forward? At the federal level, FCC Chairman Ajit Pai has expressed his belief that the Federal Trade Commission should take the lead on consumer online privacy. However, with the failure of the FCC rules still so fresh, federal action seems unlikely for the time being.

States, on the other hand, have seen the demise of the FCC rules as an opportunity to establish their own standards regarding internet privacy and the collection of information by ISPs. New York, for example, has seen three bills introduced between January and April on the topic.

New York State Senate Bill S5516 is the most on point. Introduced on April 4, immediately following the rollback of the FCC ISP rules, this bill seeks “to prohibit internet service providers from selling the private information of consumers in New York State without consumers providing proper notice or risking the quality of their service.” More specifically, the bill proposes an added section to the General Business Law addressing the sale, transfer, or sharing of personal information by ISP’s, and requires ISP’s to keep specific types of personal information confidential, unless consumers consent to its release. Penalties under this proposed law would range between $500.00 and $1000.00 for each violation. Senate Bills S3367 and S3657 also address internet privacy issues, and are currently in committee.

New York lawmakers are not the only ones moving in this arena. Minnesota is ahead of the game, with laws already in place that regulate when and how an ISP can disclose personally identifiable information. Many other states, such as Illinois, Massachusetts, Rhode Island, Vermont, Washington, and Wisconsin, have similar ISP-privacy or consumer right-to-know bills pending. Bottom line, with the Federal Government unable or unwilling to act on this issue, consumers can expect more action from the states, leading to more complexity on what rules apply where, and to whom.

Last modified on