There is no federal-level law protecting your private web data from your internet-providing company anymore, and there likely won’t be a replacement anytime soon. So some states are trying to take matters into their own hands. But the latest, last-ditch effort in the tech capital of the U.S. has failed, after strong pushback from the very companies it would regulate.
The Federal rule
In late 2016, the Federal Communications Commission adopted a rule that would place some basic limitations on how your internet service provider can use your personal information.
Basically, the FCC split up all your personal data into two big categories. One was opt-in only: Your ISP could only share certain highly personal data (like your web browsing history) if you explicitly opted in.
Other data, however, was in the “opt-out” bucket: Your ISP would be permitted to use, sell, and share it until and unless you explicitly told them to stop.
The rule would have applied to home providers like Comcast and Charter, as well as to wireless providers like Verizon and T-Mobile. But it never got the chance to see the light of day: Basically as soon as the new Congress began in January, the House and then the Senate voted to reverse and block the rule. President Trump signed the resolution killing the privacy rule in May, and so its absence has been law ever since.
But the U.S., of course, operates at the state and local level as well as at the federal one, and so other jurisdictions have been trying to come up with their own ways to protect residents’ privacy ever since the federal rule was dropped.
Enter California, stage right
In February, a member of the state Assembly proposed a bill to create an ISP privacy rule in California.
The California Broadband Internet Privacy Act (AB-375) sought to limit ISPs ability to share your data in almost exactly the same way that the now-defunct FCC rule did — with the customer having the right to opt-out of some kinds of data usage, and the internet company being required to get affirmative customer opt-in for others.
Because California is both the nation’s most populous state and also headquarters to most of our biggest tech conglomerates, its state laws have outsized influence. For example, California’s 2003 privacy protection law requires all websites accessible in the state to conspicuously post their privacy policies. Because of the way the Internet works, the list of websites accessible to California residents is functionally the same as a list of all websites, and so all of us everywhere get to benefit.
Not so fast…
The bill, from the start, faced long odds. It was moving through the state Senate in an unusual way, procedurally, needing approval from three different committees in order to move forward.
Meanwhile, the same companies that objected to the federal government taking action to protect consumers’ privacy objected to the largest state doing it, too — and they had company from the Golden State’s own tech giants.
A massive coalition of internet groups sent a letter of opposition to AB-375 [PDF] to the California Assembly after the bill was last amended on Sept. 12. That coalition had every major ISP you can think of, including Altice, AT&T, Charter, Comcast, Cox, Frontier, Sprint, T-Mobile, and Verizon signing on, along with their representative lobbying groups, as usual. But both Facebook and Google also joined in, along with Verizon’s Oath, the recently-renamed giant that used to be Yahoo and AOL.
Digital-rights advocates began framing AB-375 as a classic consumers-vs-industry battle: AT&T and Comcast wanted to quash the bill; constituents began to rally support and try to make it happen. But California’s legislative deadline came and went on Friday night with no motion, and so the bill is toast until it can be raised again in 2018.