Internet service provider privacy law not preempted but still bad policy

Nearly four years ago, Congress invalidated a Federal Communications Commission (FCC) rule that would have created a two-tier privacy regime, imposing greater restrictions on internet service providers (ISPs) than on other internet-based companies such as Google and Facebook.

Somewhat surprisingly, Maine has continued this fight by adopting the rules that Congress repealed. Last week, ISPs were dealt a setback when a federal court dismissed part of their lawsuit challenging Maine’s law. Even if the court ultimately concludes the law is permissible, ISP-specific privacy rules remain poor policy, and other states should carefully consider the costs and benefits before following Maine’s lead.

Maine’s ISP-specific privacy law

In June 2019, Maine enacted a law governing ISP privacy practices. As the court explained, the statute “prohibits Maine providers of broadband Internet access service from using, disclosing, selling or permitting access to a customer’s personal information unless the customer expressly consents to that use, disclosure, sale or access, subject to certain exceptions.”

The act is one of many that have been introduced in state legislatures as part of an effort to recreate, at the state level, Obama-era regulations that were repealed at the federal level — some of which are almost word-for-word recreations of the defunct FCC rule. Notably, this opt-in regime applies only to ISPs, not to other internet-based companies that collect and monetize consumer data.

Last week’s court decision

A consortium representing ISPs challenged the Maine law in court on several grounds. Last week, the court made its first major decision in the case, denying the ISPs’ motion for judgment on the pleadings and granting Maine’s request to dismiss part of the complaint. Among other issues, the court rejected the ISPs’ arguments that Maine’s law was preempted by the joint resolution repealing the FCC privacy order, or by the FCC’s Restoring Internet Freedom (RIF) Order.

This decision was correct. The joint resolution expressed Congress’s “disapproval” of the FCC’s rules. Under the Congressional Review Act, the joint resolution restores the status quo ante “as though such rule had never taken effect.” The FCC may not issue a rule identical or substantially similar to the repealed rule. But the act places no similar restrictions on states, which have long regulated privacy in the absence of a controlling federal scheme. And while I have previously argued that state net neutrality rules conflict with — and are preempted by — the RIF Order, the same logic does not hold with regard to state privacy laws, as the RIF Order did not seek to create a comprehensive privacy regime.

ISP-specific privacy rules remain bad policy

The ruling did not end the case. Still pending are the ISPs’ arguments that the Maine law is void for vagueness and infringes on their First Amendment rights. The court found that the record was not sufficiently developed to decide these claims. But even if the court ultimately concludes that Maine could enact an ISP-specific privacy law, that doesn’t mean that it should have done so — or that other states should follow suit.

Reasonable minds can differ about whether the optimal privacy policy is an opt-out or opt-in regime. But as I have argued before, there is little reason to single out ISPs to bear a greater burden than internet-based companies. Supporters argue that because ISPs provide a consumer’s internet connection, they can develop a more complete personal profile on a consumer than other companies can. But this is a questionable assumption.

Technological limitations, such as encryption, limit what data ISPs can glean from the traffic sent through their pipes. But even if packets were completely transparent, my home broadband provider would know, at most, what I do at home. Google, by comparison, knows every site I visited while logged into my Google account, whether at home, work, or school, and can track my movements in real space using the Android operating system.

It’s worth noting that the FCC itself did not adopt an ISP-specific privacy regime because ISPs were a bigger threat than other firms. It did so because the FCC lacked the authority to regulate non-ISPs. Supporters hoped that adopting an opt-in rule for ISPs would prompt Congress to adopt a similar rule for other companies. By comparison, Maine had the option to impose a blanket rule on all providers, and chose to single out ISPs for disparate treatment — even though it is Google and Facebook that make up two-thirds of the digital advertising market.

And that’s the big takeaway. Net neutrality advocates regularly decried the possibility of an “unlevel playing field” for internet companies. But ISP-specific privacy rules not only tilt the playing field in digital advertising markets, they do so in a way that entrenches incumbents against potentially disruptive competition from ISPs.