On April 3, 2017, President Trump signed a repeal of new Federal Communications Commission (FCC) rules that would have subjected broadband internet service providers (ISPs) to more stringent consumer privacy regulations. Specifically, the FCC’s rule would have required ISPs to obtain opt-in consent from consumers before using and sharing sensitive information such as geo-location, web browsing history and app usage history. This repeal allows Internet providers to compete with “edge providers” (which were not covered by the new FCC rules) in mining consumer browsing history and contributing to targeted online advertising.
This repeal, in and of itself, does not create any landmark changes in the legal landscape: the new FCC rules were only passed late last year, and had not yet taken effect. However, it is symptomatic of the Trump administration’s antipathy towards government regulation of consumer privacy. More importantly, President Trump’s retreat has already begun to spur state legislatures and Attorneys General to strengthen their stance on privacy, concentrating scrutiny at the state level.
For example, in Massachusetts, Republican state senators introduced legislation on April 7 that would bar ISPs from selling browsing histories without customers’ explicit permission. That bill would also prohibit ISPs from charging increased rates to consumers who refuse to share their personal information.
Similarly, last week in Illinois, lawmakers introduced multiple measures that would impose new restrictions on companies that collect or use geo-location information, enable or turn on device microphones, and transfer Illinois consumers’ data to third parties. Illinois legislators are also scheduled to hear two more bills, introduced in March, that specifically target commercial website operators. Other state legislatures that have introduced or otherwise begun to consider Internet privacy bills in the last three weeks include Connecticut, Kansas, Maryland, Montana, New York, Washington, and Wisconsin.
This shift is also becoming evident via increased executive enforcement at the state level. Advertisements and applications that use and share consumers’ location appear to be an area of particular concern. For example, in March, the Massachusetts AG’s office obtained a settlement with an advertising company that used geofencing to send targeted anti-abortion ads to consumers in certain cities who entered reproductive health clinics. In New York, the Office of the Attorney General (OAG) recently entered settlements with three health and fitness mobile application operators, which demand, among other things, that the app providers limit or obtain affirmative consent prior to collection of certain sensitive information.
Though the Trump administration’s laissez-faire approach toward privacy might, at first glance, appear to signal a shift towards lightening the burden of privacy regulations, it may well have the opposite effect, by creating backlash at the state level. Accordingly, businesses, particularly those that operate online, will need to be more cognizant than ever of differing state policies moving forward.