GOP lawmaker who helped kill ISP privacy rules proposes new privacy rules

Bill requires opt-in consent, but prohibits states from imposing stricter rules.

Jon Brodkin

Seven weeks after Congress voted to prevent implementation of new ISP privacy rules, a lawmaker who helped lead that effort has proposed legislation that would impose similar rules in a new form.

Rep. Marsha Blackburn (R-Tenn.) introduced the House version of legislation that ultimately killed those privacy rules in March. But now she's back with a new bill (full text) that requires broadband providers and websites to obtain users' opt-in consent before using or sharing Web browsing history, application usage history, and other sensitive data like the content of communications and financial and health information.
There's one big caveat: Blackburn's bill would prevent individual states and municipalities from imposing laws that are stricter than the proposed federal standard.
Still, the proposed opt-in requirement is very similar to one the Federal Communications Commission tried to impose on all home and mobile Internet providers. Republicans in Congress objected to those rules, saying that ISPs shouldn't face stricter requirements than Web companies like Google and Facebook. Websites are regulated separately by the Federal Trade Commission and just need to offer users a way to opt out of the use and sharing of browsing data.
Browsing data is commonly used to serve personalized advertisements.
The Blackburn proposal would ensure parity by imposing the opt-in requirements on both ISPs and companies that offer websites and other services over the Internet. But with Republicans in Congress pushing for less regulation of ISPs, it doesn't seem likely that Blackburn's proposal would be approved. "It's not clear that the bill has the support it would need to move through Congress, and it currently lacks a corresponding version in the Senate," Axios wrote in a story yesterday.
The bill was introduced yesterday and referred to the House Committee on Energy and Commerce.

Regulatory parity and states' rights

Congress could have ensured regulatory parity between ISPs and websites by allowing the FCC's rules to take effect and imposing similar rules on websites. Instead, Congress eliminated the FCC rules entirely without any replacement. President Trump made that decision final by signing the repeal legislation on April 3.
There are some key differences between Blackburn's proposal and the FCC regulations that would have taken effect later this year if not for Congress repealing them. Blackburn's bill would empower the FTC to enforce the rules using its authority to prevent unfair and deceptive acts and practices, cutting out the FCC entirely. The bill "prohibits the FCC from promulgating regulations related to the privacy of user information," according to a fact sheet Blackburn's office provided to Ars.
While the FTC is prohibited from regulating common carriers such as ISPs, the bill provides an exception that would allow the FTC to regulate ISP privacy practices. That could end up being moot anyway, as the FCC yesterday took a preliminary vote to eliminate the common carrier classification of ISPs.
As previously mentioned, the Blackburn bill would also preempt any state, city, or town from imposing its own privacy rules on ISPs and websites. Blackburn, who is chairperson of a Congressional telecommunications subcommittee, has an inconsistent history when it comes to states' rights in telecom. When the FCC tried to prevent states from imposing laws that restrict the growth of municipal broadband providers, Blackburn stood up for "states' rights" to protect private ISPs from municipal competition. In this case, Blackburn doesn't want states to impose any consumer protection rules different from the ones in her bill.
After Congress eliminated the FCC privacy rules, lawmakers in several states responded by trying to impose state-level privacy protections. Blackburn's proposed ban on state privacy laws may have been spurred by those actions. But she also may have felt pressured to support a federal privacy law after feedback from voters, as large majorities of both Republicans and Democrats opposed the privacy rollback in a recent survey.

Specific requirements

The Blackburn bill would require ISPs and websites to "clearly and conspicuously notify users" of their privacy policies and material changes to their policies. The policies would have to be "persistently available" for users to view.
ISPs and websites would have to "obtain opt-in approval from a user to use, disclose, or permit access to the sensitive user information of the user." Sensitive information that would be subject to the opt-in requirements includes "precise geo-location, children’s information, health information, financial information, Social Security numbers, Web browsing history, app usage history, and the content of communications," according to the bill fact sheet.
ISPs and websites would only need to offer an opt-out system before using or sharing information that isn't considered sensitive.
Users would be able to grant or withdraw their approval at any time. "A provider of a covered service shall make available a simple, easy-to-use mechanism for users to grant, deny, or withdraw opt-in approval or opt-out approval at any time," the bill says.
ISPs and websites would not be allowed to deny service to users who refuse to provide their consent to data usage and sharing.
No opt-in or opt-out requirements are required for using or sharing information needed "to provide broadband service, and bill and collect for the service; to protect the provider and its customers from fraudulent, abusive, or unlawful use of the provider’s service; [and] to provide location information in times of emergency," the fact sheet said.