State Broadband Privacy Legislation

Introduction

After Congress rescinded the FCC's broadband privacy rules, several state and local governments have stepped forward with legislation to protect broadband users. Many of the proposed laws would require ISPs to obtain affirmative consent before the ISPs would be allowed to collect, use, or disclose their subscribers' personal information.

Exemplary Law: California’s Consumer Privacy Act (CCPA)

As a general privacy law, the California Consumer Privacy Act (CCPA) covers broadband providers. The law covers any business (1) with revenue above twenty-five million dollars, (2) has the personal information of 50,000 or more individuals, or (3) makes half or more of its revenue from selling consumer information. The CCPA will provide consumers the right to not have their private information sold and will prohibit broadband providers from refusing service or providing alternative service to customers based on privacy choices.

California residents also have the right to access their data, know what types of information a business collects about them, request information on whether that information is sold, and request that the business delete that data.

Recommendations

1. The confidentiality of electronic communications should be protected.
2. Privacy considerations must be recognized explicitly in the provision, use, and regulation of telecommunication services.
3. The collection of personal data for telecommunication services should be limited to the extent necessary to provide the service.
4. Service providers should not disclose information without the explicit consent of service users.
5. Service providers should be required to make their data collection practices known to service users.
6. Users should not be required to pay for routine privacy protection.
7. Service providers should be encouraged to explore technical means to protect privacy.
8. Appropriate security polices should be developed to protect network communications.
9. A mechanism should be established to ensure the observance of these principles.

Additional Resources

• NCSL: Privacy Legislation Related to Internet Service Providers (2018)
• FCC: Broadband privacy rules and fact sheet
• NCTA v. FCC (concerning privacy of CPNI)
• EPIC: Comments on the FCC's proposed broadband privacy rulemaking
• EPIC: January 2016 letter to the FCC on broadband privacy
• EPIC: June 2016 letter to the FCC
• EPIC: March 2017 letter to the Senate Commerce Committee on Oversight of the FCC
• The Harvard Gazette: On Internet Privacy, Be Very Afraid (2017)