States grow more active on Internet privacy issues as Washington steps back

Capitol Building St Paul

3 April 2017. By Mike Swift & Amy Miller.

Faced with the prospect of reduced privacy and data security regulation at the federal level, state legislators in a number of states are considering a range of measures that in some cases would go well beyond existing or former federal rules enacted under the Obama Administration.

In the wake of votes in Congress last week that would erase privacy and data security rules for Internet service providers approved last year by the Federal Communications Commission, the Minnesota legislature has already moved to pass a state law that would replace the FCC rules. Other states, including Illinois, are considering new privacy laws that would require websites or online services that share personal information with third parties to disclose that information upon the request of consumers.

On Monday, President Trump signed the rollback of the FCC regulations, which required fixed and wireless ISPs to obtain consent from consumers before sharing personal information such as a web browsing history with marketers or other third parties. But the administration has signaled the president supports the rollback, and plans to dismantle the FCC's net neutrality rules.

In response, some state attorneys general, including New York's Eric Schneiderman, who called the Congressional votes on ISP privacy "a huge step backward," have also suggested there is a need for stronger privacy and data security enforcement by the states.

"Broadband providers have access to an enormous amount of personal data on our internet use and behavior. Without enhanced regulation, that access is ripe for abuse," Schniderman said in statements he posted on social media last week. "Consumers nationwide deserve strong Internet privacy protections. No matter what happens in Washington, I will fight to ensure strong privacy protections for New Yorkers."

Legislation approved by the Minnesota House and Senate last week would prevent ISPs from collecting personal information without the customer's consent, just as the FCC rules would have done.

The Minnesota Senate added an amendment to its budget bill last Wednesday that says ISPs may not "collect personal information from a customer resulting from the customer's use of the telecommunications or Internet service provider without express written approval from the customer." Also, as with the FCC rules, the amendment would prohibit ISPs from refusing to provide services to customers who don't allow their personal information to be collected.

Democratic attorneys general have often grown more active on privacy issues during past Republican administrations, such as that of President George W. Bush. There are now 22 states and the District of Columbia headed by Democratic attorneys general.

Some of the largest online privacy enforcement actions in US history have involved state, not federal, enforcers, such as a $33 million settlement California's attorney general reached with Comcast in 2015. In that case, then-Attorney General Kamala Harris alleged that the cable television and Internet provider deceptively published online the names and other data of people who had paid to have unlisted Internet-based phone service.

Illinois is also considering a "Geolocation Privacy Protection Act," which says websites and mobile apps "may not collect, use, store, or disclose geolocation information from a location-based application on a person's device" without "affirmative express consent."

Both of the Illinois bills carry an increased risk of litigation, as well as state regulation, because they provide a means for consumers to recover monetary damages from privacy violations. The geolocation bill, for example, would allow consumers to recover liquidated damages of $1,000 or actual damages, whichever is greater.