It's your data. Your privacy. Your choice.
That was the message Assemblyman Ed Chau, D-Monterey Park, delivered this week to a state Senate committee examining legislation that would limit what Internet service providers in California could do with customer data.
“People should be in control of their own personal data. And that privacy should not be a luxury reserved for those who can afford it,” Chau said of his bill.
His measure, AB 375, would require ISPs to allow customers to give their consent for the use, sale and sharing of their personal information. It would also prohibit so-called pay-for-privacy practices and ban penalties on customers who do not consent to unnecessary uses.
The bill is an attempt by Chau to build upon Internet privacy rules proposed at the federal level last year by the Federal Communications Commission but blocked this spring by Congress — a move Chau described as a “betrayal of every Californian’s right to privacy.”
Chau’s effort has drawn praise from consumer and privacy advocates but criticism from business and ISPs, including cable and telephone companies who argue that they have a vested interest in protecting their customers’ privacy and providing a service they can trust.
“There is no existing gap today in privacy protections for consumers,” said Bernie Orozco, vice president of governmental affairs for the California Cable and Telecommunications Association. “We have all committed to protecting our consumers’ privacy.”
There is also a dispute on whether state and federal law already provides the protections Californians need when it comes to their online personal information, and both sides sought to make their case Tuesday before the Senate Energy, Utilities and Communication Committee.
Jon Leibowitz, a former chairman of the Federal Trade Commission who testified in opposition, described Chau’s bill as “well-intentioned, but one that does nothing to protect user privacy."
Specifically, he argued that the FCC already has the statutory authority it needs to bring cases against ISPs if they do not protect customer information or engage in unjust or unreasonable practices. In California, the attorney general can hold ISPs accountable for unlawful, unfair or fraudulent business acts or practices against companies that break their commitments to customers or those that share sensitive data.
“If an ISP violates its privacy commitments or if it just decides to drop privacy commitments entirely and sell consumer information to the highest bidder, it would be in violation of existing law,” Leibowitz said.
Supporters of Chau’s bill and the blocked FCC rules say consumers want and deserve more explicit laws governing the use of their personal information, especially because many internet users have just one or two providers to choose from when shopping for a broadband provider.
Scott Jordan, the former chief technology officer for the Federal Communications Commission under the Obama administration, said the commission’s rules received more than 250,000 comments, largely in support because consumers were frustrated with their lack of control.
Nineteen other states have taken steps to enact the privacy rules, according to the Electronic Frontier Foundation, one of more than 25 civil rights, consumer advocacy, technology and nonprofit groups that support Chau’s bill.
California lawmakers appear poised to add the nation’s most populous state to the list, citing the unique ability of ISPs to track a person’s online browsing and location. The energy committee approved Chau’s bill by a 9-1 vote.
“This can reveal highly sensitive information about you, including personal or sexual activities, political or religious interests, health or financial problems, and more,” said Chau, who chairs the Assembly Committee on Privacy and Consumer Protection. “Coupled with your cellphone’s geotechnology, this trove of data about you can include where you go and what you do all day every day.
“And that,” Chau added, “should make us all more than just a little bit nervous.”