California legislation to ‘protect’ privacy won’t solve privacy problems

Despite its name, the California Broadband Internet Privacy Act, awaiting votes in the state Senate, won’t do anything meaningful to protect consumer privacy on line.

Instead, it will curb innovation and reduce competition, hurting consumers whose interests it purports to protect.

The measure, AB 375 by Assemblyman Ed Chau, D-Monterey Park, is intended to crack down on internet service providers that are allegedly selling sensitive personal web browsing information without consumers’ consent. Its backers argue that it will fill a supposed “privacy gap” left when Congress repealed Federal Communications Commission draft rules adopted during Barack Obama’s administration.

Here’s why they’re wrong. First, the proposal attacks a nonexistent problem. Internet service providers have committed that they will seek permission from consumers before using sensitive personal information, such as health and financial data. Customers will have to affirmatively “opt in” before any such transaction could take place. So no one’s personal data is being sold.

Second, even if a problem exists, there are legal tools to combat it. In short, there is no legislative privacy gap. The Federal Communications Commission has statutory authority to bring cases against internet service providers that fail to protect consumer privacy. In addition, the California attorney general can bring cases under the state Unfair Competition Law, which prohibits “unlawful, unfair or fraudulent business acts or practices.”

California’s authority is modeled on the Federal Trade Commission, which the FTC, my former agency, has used repeatedly to bring privacy cases against companies large and small, including internet service providers and technology companies. If a broadband provider violates its privacy commitments or decides to sell sensitive information to the highest bidder, that represents a violation of existing state law.

Does anyone doubt that Attorney General Xavier Becerra would bring that case in a heartbeat?

Third, the state bill is based on a flawed proposal by the FCC. Don’t take my word for it. Ask America’s top privacy cop, the FTC. While the Federal Communications Commission was debating the rule, the Federal Trade Commission submitted a comment that raised 27 separate criticisms of the proposal. This was during the Obama administration, when the FTC was controlled by Democrats. It called the draft rules “not optimal.” That’s Washington-speak for “a really bad idea.”

The FCC proposal ignored consumer expectations, industry norms, differences between first- and third-party marketing, and appropriate distinctions between sensitive and nonsensitive data – that is, pretty much every best practice recognized by the Federal Trade Commission.

Former Rep. Henry Waxman, D-Los Angeles, said the FCC’s “sweeping default opt-in regime” would “undermine beneficial uses of data” and “could result in tangible competitive and consumer harm.”

California’s proposal is more problematic. Under AB 375, if a broadband provider wanted to offer a service to its customers, such as climate control to reduce energy use, it would need prior opt-in consent to do so. That makes no sense; consumers expect and want innovative new products. How does it help consumers to be deprived of access to information and discount offers?

Most disturbingly, the California proposal ignores the principle, almost universally accepted, that privacy should not be about who collects data, but rather what data is collected and how it is used. It would treat Internet service providers, a small subset of the Internet ecosystem, differently from every other company that collects consumer information online. That makes no sense, which is why the Obama administration called for all privacy protections over broadband providers, as well as other data collectors, to be solely under Federal Trade Commission oversight.

Strong privacy protections are critical, but emulating – or, worse, exacerbating – the FCC’s flawed model would be a big mistake. Let’s hope that lawmakers will be able to separate real facts from the alternative ones and give this proposal the burial it deserves.

This story was originally published July 17, 2017 at 11:12 AM with the headline "California legislation to ‘protect’ privacy won’t solve privacy problems."