Minnesota pushes back against allowing ISPs to sell their users’ data

As we’ve been telling you, the US Congress (or more precisely, these specific members of the House of Representatives and US Senate) recently voted to kill the FCC’s new ISP privacy rules before they took effect.

If, as expected, President Trump signs their bill, massive internet service providers like Verizon and Comcast will get more leeway in profiting from data they collect about you and your browsing habits – some of it potentially downright creepy. (“Exhibit A” might be Verizon’s AppFlash.)

But the US is more than its federal government: it’s 50 states, too. And there are rumblings of rebellion in the hinterland, starting with those allegedly nice and above-average revolutionaries in Minnesota. It’s not a done deal yet, but Minnesota’s legislators seem to be moving towards tightening the state’s ISP privacy rules, no matter what Trump and the Republican US Congress do.

According to the Twin Cities Pioneer-Press, Minnesota’s state senate has voted to “bar internet service providers from selling their users’ personal data without express written consent”.

To earn quick approval by the state senate, the bill needed to escape the conventional committee process. One Republican, Senator Warren Limmer of Maple Grove, broke with the rest of his party to make that possible. Calling the amendment urgent, he said:

We should be outraged at the invasion that’s being allowed on our most intimate means of communication.

Like the US Congress, Minnesota’s legislature has two houses who must both agree on a bill to send it to the executive for signature. (If you need a refresher on any of this, there’s always the famous Schoolhouse Rock video.) Minnesota’s other house has already voted for a similar measure in a different bill, so some reconciling still must happen before the bill goes to Democratic governor Mark Dayton.

If it becomes law, Minnesota’s provision would prevent telecoms or ISPs that have…

…entered into a franchise agreement, right-of-way agreement, or other contract with the state of Minnesota or a political subdivision, or that uses facilities that are subject to such agreements, even if it is not a party to the agreement, [from collecting] personal information from a customer resulting from the customer’s use of [their services] without express written approval from the customer.

The provision would also prohibit ISPs from refusing to provide services to customers who won’t allow data collection.

As DSL Reports’ Karl Bode writes:

Granted the rules don’t go nearly as far as the FCC rules would have… The rules also don’t address ISPs looking to charge users more money to opt out of data collection, which the FCC’s rules were supposed to tackle on a ‘case by case basis’.

But, hey, if you’re concerned about ISP privacy, it’s a solid start.

And it might not be the end. As the New York Times reported last week, the Illinois state legislature is considering a raft of privacy-related bills, including a European-style “right to know” bill that would…

…let consumers find out what information about them is collected by companies like Google and Facebook, and what kinds of businesses they share it with… [and bills that would] regulate when consumers’ locations can be tracked by smartphone applications… [and] limit the use of microphones in internet-connected devices like mobile phones, smart TVs and personal assistants like Amazon’s Echo.

The Times quotes ACLU lawyer Chad Marlow as noting that online privacy offers an unusual opportunity for local coalitions between “progressive Democrats and libertarian-minded Republicans, who see privacy as a bedrock principle”.

IANAL (I am MOST ASSUREDLY not a lawyer), but it’s worth noting that the federal government has sometimes been able to override state laws related to the FCC’s jurisdiction. For example, a key court allowed the FCC to override state regulation of VoIP (in the self-same Minnesota). The Obama era FCC also overrode state laws preventing cities from building their own municipal broadband networks to compete with private ISPs.

Those cases each have their own patterns of fact and law, so those outcomes don’t presage a similar result here. They’re just a helpful reminder that huge ISPs didn’t get that way without plenty of lawyers.