The Next Battle Between States And The Feds Is Over Your Personal Data

As the fight over net neutrality rages on, states are reviving efforts to keep ISPs from harvesting customer data, with surprising political dynamics.

The Next Battle Between States And The Feds Is Over Your Personal Data
[Illustrations: Bannosuke/iStock; LysenkoAlexander/iStock]

While the fight over net neutrality has attracted passion, press, and a flurry of lawsuits, another, related battle has smoldered for a year and is flaring up again. Happening in state capitals, it’s a surprising fight where traditional allies are taking opposite sides and frequent foes are joining together, focused on Congress’s decision to kill the rules that prevent internet service providers–including companies like Comcast, Charter, and Verizon–from selling their customers’ personal data.


Last March Congress passed, and President Trump signed, a resolution to scrap recent FCC privacy regulations for ISPs. Those rules would have required, for instance, that ISPs disclose what info they collect and how they use it, and would require customer approval to use or share their information for moneymaking purposes like advertising. The rollback was Republican-led, but the political divide over privacy bleeds well outside D.C. “Congressional Republicans put profits ahead of privacy,” wrote Washington state representative Norma Smith, a Republican, in a Seattle Times editorial criticizing her own party.

Washington was among over 20 states that quickly responded to Congress with their own ISP privacy legislation. The bills tend to have essentials in common, specifying that broadband providers can’t sell or share a customer’s personal information without permission. They feature plentiful examples of personal info, such as social security numbers, medical data, web browsing and app use history, and geolocation. They also describe exemptions, like responding to legitimate police inquiries or providing location info to emergency services.

Related: How To Roll Your Own Net Neutrality

Silicon Valley, a longtime supporter of net neutrality, opposed California’s privacy bill, AB-375, which passed the state assembly unanimously in 2017 but stalled in the senate. Ernesto Falcon, legislative counsel at the activist Electronic Frontier Foundation, blames Facebook and Google for leading the effort. “They injected themselves at the last minute in the debate on AB-375 to lend legitimacy to that confusion and hesitation about the campaign the ISPs were running,” says Falcon, positing that the Valley feared a precedent.

“If you started having privacy rules for other parts of the internet marketplace, there’s no reason why people wouldn’t start thinking about their social media and other online tools,” he says.


We contacted Google and Facebook, and the latter shared a letter to California senators signed by 47 parties, including Amazon, Facebook, Google, and major ISPs and wireless providers. It calls the bill vague–for instance, not specifying the kinds of companies it covers. Yet the bill states throughout that it applies to a “broadband internet access service,” a common term for an ISP. Opponents also charged that the restrictions would require overwhelming pop-ups requesting user permissions and prevent ISPs from collecting information needed to protect against hackers.

An opposition ad that ran in the Sacramento Bee and the Capitol Morning Report. The funder of the ad is not stated. [Image: via The Sacramento Bee]
Former Democratic FCC Chair Tom Wheeler counters that the legislation was straightforward. “What this bill was trying to do was get our approval, which is to say, nothing more than, ‘the consumer has the right to say whether or not they’re interested in participating,'” he said at a panel discussion on net neutrality in San Francisco last year. “It’s a simple opt-in process. We get to choose.”

ISPs argue for a national law instead of state measures. “We support federal legislation to establish an ‘Internet Bill of Rights’ that applies to all internet companies. It should guarantee transparency, openness, non-discrimination and privacy protection for all internet users,” AT&T told Fast Company in a statement. The words “all internet companies” could stoke Silicon Valley’s fear of expanding privacy regulations.

Beyond Red vs. Blue

The party divide that determined the vote in D.C. played little role in Sacramento, where Democrats dominate both houses. Activists instead look to a change within the Democratic leadership, when senate president Kevin de León (not seen as sympathetic to the privacy bill) steps down in late March to begin a national Senate run.

The party split hasn’t always fit stereotypes in other states, either. Though led by Democratic Assemblyman Andrew Zwicker, New Jersey’s privacy bill A1527 has broad Republican support, including several co-sponsors. “It cuts across, I’d say, not just political divides,” says Zwicker. “It cuts across every boundary—age, gender, social, economic. It doesn’t matter. People want control over their data.”


New Democratic governor Phil Murphy is also a privacy and net neutrality advocate. “Since you have both political parties buying into the bill and the governor is ready to sign it if it gets to him, it seems to me that’s the state where the ISPs are most worried,” says Falcon.

But Silicon Valley companies don’t seem as concerned. “None came to testify. I have not had emails from any of them,” says Zwicker, a physicist who chairs the Assembly’s Science, Innovation and Technology committee.

Related: The Net Neutrality Defender Fighting Trump From The Other Washington

Washington State’s privacy bill passed its House of Representatives last year, then stalled. “My Republican colleagues in the senate just refused to give it a hearing,” says Democratic state representative Drew Hansen, who authored the bill, HB 2200 (as well as a recently passed a strict net neutrality law). Hansen believes the bill would have passed a full senate vote, as does his Republican co-sponsor representative, Norma Smith. “I’m very hopeful about the bill, because we do have bipartisan support,” she says. HB 2200 is making its way through the Democrat-controlled house again, and this year will face a Democrat-majority senate.

“I don’t think a single state has ever voted down ISP privacy. I think every legislator understands how that would look with voters,” says Falcon. “And industry knows they could never win a vote. So they do what they can to make sure it never gets to a vote.”


Republicans have sometimes played the spoiler, as with a 2017 Minnesota measure added to budget legislation. “The house voted unanimously to support it. The senate voted almost unanimously, just one no vote,” says Democratic Senator Ron Latz of his privacy amendment. That one dissenting vote belonged to the Republican co-chair of the committee that finalized the budget. “The conference committee refused to put it in the final conference report, which was a bit stunning to me,” says Latz. “I think it reflected a vigorous lobbying effort on behalf of the ISPs.”

Newly under Democrat control, Nevada’s legislature passed a modest privacy bill in June 2017. “We care deeply about our privacy,” says Senate majority leader Aaron Ford. “And speaking to it from that perspective, frankly, it would have been difficult for anyone to oppose it.” His bill, SB538 passed the state’s senate and house unanimously.

Back To The States

Nevada’s new law requires only that ISPs disclose how they use customers’ information. But it comes on top of a law, dating back to 1999, that already required ISPs to keep customer information private. Minnesota has similar legislation on the books, dating back to 2002. So Latz’s bill would reinforce existing protections.

These longstanding Minnesota and Nevada laws show another way that the politics of ISP privacy and net neutrality differ. While the FCC insists that states don’t have the right to create their own net neutrality laws, it’s been much quieter about privacy laws. “It’s not, by definition, inter-state the way that net neutrality is,” says Andrew Zwicker. “So it may not be as obviously in their purview.”

Related: Snubbing FCC, States Are Writing Their Own Net Neutrality Laws


Many state ISP privacy bills are amendments to statutes that regulate business practices and consumer protection. “There is growing support… for the concept that, while there are laws against identity theft, burglary, unscrupulous businesses in the real world, why aren’t there laws to protect the same on the internet?” says New York State Senator Tim Kennedy. He introduced last year and reintroduced this year his own ISP privacy bill, which amends New York’s general business law.

While California and New York are not the farthest states along, they are critical, says Falcon, because they are big enough to exert national economic pressure and motivate smaller states. Dozens of different state privacy laws is the nightmare scenario for ISPs.

“We feel the [Federal Trade Commission] should be the gatekeeper for a national set of privacy rules. It benefits no one to have a patchwork of rules that vary in every state,” says Verizon, in a statement to Fast Company. “These protections should be uniform across the nation, and they should be enforced by a single government agency,” says AT&T.

Of course, ISPs previously lobbied Congress to abolish federal rules, and Congress seems unlikely to agree on a law establishing new ones. That leaves it to state legislatures, which are often much more aligned with privacy advocates. “The public’s wishes are very, very strong and very, very clear on this topic,” says Ron Latz. “I think that any politician that gets in the way of that is going to be at serious risk.”

About the author

Sean Captain is a Bay Area technology, science, and policy journalist. Follow him on Twitter @seancaptain.