California lawmakers are considering legislation, Assembly Bill 375, they hope will “restore” internet privacy rights.
This effort is in response to a Congress overturning what was misleadingly described as a Federal Communications Commission “privacy” rule. This clever marketing trick left many concerned that Congress gave internet service providers some new freedom to auction off their web search history and personal data.
But, that is not true.
The FCC “privacy” rule that folks became concerned about never actually took effect – nothing was lost. Internet privacy today is no different than it was two years ago. And more importantly, this “privacy” rule was not about privacy at all.
In reality, the FCC used the hot button word “privacy” to mask what was actually a massive power grab. The FCC, which has little experience policing internet privacy violations, stripped enforcement authority away from the Federal Trade Commission, the agency with the most expertise in enforcing internet privacy, and then pushed a “privacy” agenda that would have resulted in negative consequences for consumers and the future of the internet.
To be clear, we are not talking about data breach here, but how consumer information is gathered commercially. The FTC combined sensitivity-based and harms-based approaches to protect informational exchanges, focusing on what data was held, the level of data sensitivity, and how consumers would have been affected if the data were misused. This allowed the FTC to punish bad actors in hundreds of privacy violations over the last decade, while still allowing for innovation.
The FCC’s method to privacy enforcement, on the other hand, would have zeroed-in on who held the data, not what the data were. The FCC would have put onerous requirements on ISPs only, and not the rest of the industry, which is a very ineffective approach to take if protecting privacy is the true intention.
Compared to individual websites, for example, ISPs see far less of what you do online. That is because over 70 percent of websites use https encryption. An ISP can only see which website you visit, not what you do on the websites. ISPs do not know your movie preferences, product purchases, email content, or anything of the like.
So, contrary to politically motivated claims, Republican members of Congress, such as Reps. Jeff Denham and Darrell Issa of California, did NOT vote to allow ISPs to expose consumers’ private information, nor did they functionally change how Californians or any other consumer in the United States interacts with ISPs. Federal laws that protect personal information have been and are still in place, and apply no matter who holds the data.
Denham, Issa and their Republican colleagues who voted to end the discriminatory, over-the-top FCC rule took the first step in rectifying FCC overreach. They signaled that the FTC is the proper agency to police internet privacy, which is a big win for consumers and innovation. Not a loss.
While it may still be tempting for state lawmakers to respond to this phony “loss of privacy” narrative by passing their own privacy laws, they should avoid doing so. State-level internet “privacy” laws are not only completely unnecessary; they would also inflict a great deal of harm on the people of California and stifle innovation.
The costs and consequences of complying with a patchwork of many state privacy laws throughout the country would make it much more difficult for ISPs to maintain and expand their services, and invest in the next generation of broadband. As such, state level privacy laws could leave consumers with fewer choices, outmoded technology, and an overall lower quality internet experience.
Efforts to restore privacy enforcement authority to the FTC are currently underway. Until this process is complete, the FCC still has authority to bring enforcement actions against privacy violations perpetrated by ISPs, and fortunately for consumers, FCC Chairman Ajit Pai has vowed his agency will follow the old, more effective FTC regime until power is given back to the FTC.
While this process is playing out, Californians would be best served by resolving to follow the FTC rules without new legislation in order to maintain consistent privacy protections across the internet, from ISPs to web services to apps.