Inspired by recent federal moves rolling back landmark internet privacy regulations, Nevada Democrats say they’re taking proactive action requiring that online giants explain what kind of data they’re collecting.
That’s the impetus behind Senate Majority Leader Aaron Ford’s SB538, which is scheduled for its first committee hearing on Wednesday and would add disclosure requirements to the state’s existing internet privacy law.
Ford said he introduced the measure as an emergency bill soon after Congress voted to roll back muscular internet privacy protections in late March, and wanted to make sure that Nevadans know what Internet Service Providers are doing with their shopping data or search history.
“It would have been a big leap forward to help us in this digital age, but they rolled it back,” he said. “So I pursued it on behalf of our consumers here.”
Tempers flared and outrage occurred after congressional Republicans pushed to block a proposed FCC rule adopted in December 2016 requiring that broadband providers obtain permission from a customer before collecting and sharing that information — which include sensitive information like browsing history or geolocation data — with third parties.
Congress nullified the rule in March under the Congressional Review Act before it took effect, which led privacy advocates and Democrats to sound the alarm on what they called a “crushing loss for online privacy.”
“If the bill is signed into law, companies like Cox, Comcast, Time Warner, AT&T, and Verizon will have free rein to hijack your searches, sell your data, and hammer you with unwanted advertisements,” Electronic Freedom Foundation blogger Ernesto Falcon wrote in March.
Telecommunication industry members have pushed back against the doom and gloom narrative, indicating that data privacy is already covered in federal law and saying that they should be treated equally with online giants such as Amazon and Google that collect, package and sell massive amounts of data and aren’t subject to the same data rules.
Several ISPs say that they’re already operating transparently.
“We operate in ways that promote transparency and try to provide consumers with options for informed choice. That was true before there were FCC rules and that will be true after FCC rules go away,” Internet & Television Association executive vice-president James Assey told NY Mag in March.
What the bill actually does
While much of the federal debate around internet privacy has revolved around the question of whether Internet Service Providers should be allowed to collect, access and sell off personal information or browsing habits, SB538 would require certain website “operators” — like Amazon and Google — to disclose personally identifiable information it collects on consumers and what kind of third parties have access to that data.
The bill would limit “operators” to whom the privacy rule applies into a category of businesses that run websites for a commercial purpose, collect and maintain personally identifiable data (such as name, address or telephone number) and direct or do business within Nevada.
Ford said the intent was to wrap in telecommunications companies as well as so-called edge providers, major online businesses such as Facebook and Netflix that use the internet to deliver content.
Such website operators affected by the bill would be required to create a disclosure detailing:
- The types of information it collects from consumers
- Processes by which website users can review and request changes to personal information collected by the website
- Exactly how consumers are notified if “material changes” are made to the data collection process
- Whether third parties can collect information about online activity of an individual over time and through different websites if they use the website providing the disclosure
It would also build on Nevada’s relatively unique status as one of only two states (the other being Minnesota) with a provision in state law requiring ISPs keep a customer’s information private unless the subscriber “opts-in” and gives permission for their data to be shared. Legislators approved the proposal during the 1999 session.
Ford said that the existing provisions in state law didn’t go far enough, and touted the bill’s requirement for the state attorney general to legally intervene and issue either an injunction or civil penalty to violators.
“If it was covered in state law, it was insufficiently covered,” he said. “What we’re looking to do is ensure we have a robust statutory scheme, and potentially regulatory scheme that addresses this privacy concern.”
At least 17 other states this year have introduced legislation curtailing or adding restrictions on what ISPs can do with consumer data, according to a tally by the National Conference of State Legislatures.
Ford said that a few minor amendments to the bill are planned, including provisions pushing back the implementation date to October and to possibly carve out the websites of minor, local businesses not primarily engaged in data collection. He said he’s worked with several telecommunications industry players, and didn’t expect them to oppose the bill on Wednesday.
He noted that while the required disclosures would be helpful to citizens concerned about their digital privacy, the measure was still only taking “incremental steps” toward a future where customers have full knowledge of what happens to the data they generate.
“We’re hoping that Congress is going to make a move to reconsider some of these rules that they have not done, but in the meantime, at a minimum, we can require the disclosure component,” he said.