Back in the dark days of late 2016 and early 2017, there was a brief flicker of light, one you’ve probably forgotten about. In October 2016, the Federal Communications Commission passed forward-thinking and balanced protections to give consumers real choice over how broadband providers use their information.* The rules were particularly important because broadband providers, as I’ve argued before, have nearly comprehensive views into the online activity of their customers. Providers would love to turn around and use that information to gain an advertising revenue stream on top of the exorbitant amount that you already pay them. The FCC’s rules, overwhelmingly supported by the public, protected broadband customers against unknown and unexpected uses of their private information by their broadband providers, unless the customers opted in. But shortly after the FCC acted, Congress unceremoniously overturned the agency, 215–205. (Among the 205 who voted to retain the protections were 15 Republicans.)
Thanks to Cambridge Analytica and other scandals, the federal government is now discussing tech platform privacy issues more than ever. But localities—most recently, New York City—have been stepping in to try to fill the broadband privacy gap. Other local officials should look to New York City as a model for their own legislation or rules, and the public should be pushing their local representatives to protect broadband privacy.
After Congress’ vote, nearly 30 states introduced legislation to counteract the repeal, and New America’s Open Technology Institute, where I work, released a model state broadband privacy bill. (Disclosure: New America is a partner with Slate and Arizona State University in Future Tense.) Broadband providers, however, fought the state bills with misleading arguments that such new legislation would create recurring pop-up messages, thus giving opportunities to hackers, and would prevent broadband providers from protecting their networks from cybersecurity threats. Broadband providers also relied heavily on the questionable argument that the states could not act because the federal government pre-empted state action. Many state legislators, unfortunately, trusted these misrepresentations, and not a single state has yet passed a broadband privacy bill as a result.
Some localities, however, have continued to pursue the broadband privacy fight despite these fallacious arguments from broadband providers. Because cities typically have authority over cable franchise agreements, local rules generally apply only to cable broadband providers—and thus apply to companies like Comcast but not AT&T or T-Mobile. In 2017, Seattle became the first city to enact cable privacy rules. The Seattle rules require cable operators to obtain opt-in consent prior to collecting or disclosing information about browsing habits, financial information, and a variety of other types of information. It also requires cable providers to delete personally identifiable information that is no longer used within 90 days. In July, the District of Columbia proposed and sought comment on a similar rule.
New York City has now followed suit. The NYC Council recently proposed a bill that would codify robust cable privacy rules governing all cable providers in the city. In addition to the provisions in the Seattle bill above, the NYC bill prevents so-called “pay-for-privacy” regimes in which cable providers price-gouge their customers for the privilege of protecting their privacy. The NYC bill grants a private right of action (granting individual people the ability to bring a lawsuit in court), with specific statutory damages, so customers can directly hold cable providers accountable for privacy invasions. At the same time, it grants the NYC Department of Information Technology and Telecommunications the right to seek civil penalties from transgressive cable providers—up to $1 million for each violation, as well as the ability to pass rules that further clarify the obligations of cable providers. The NYC bill would provide vital privacy protections that local residents currently do not have (but still deserve) due to the Congress’ repeal.
Without the FCC’s broadband privacy rules in place, there are no rules on the books protecting consumers from misuse of their information collected by their broadband provider. Seattle residents continue to be protected thanks to their forward-looking cable privacy rule.
With any luck, D.C. and NYC residents will soon enjoy those protections as well.
Correction, Nov. 14, 2018: This article originally misstated when the FCC passed broadband privacy protection rules. It was in October 2016, not January 2017.