Maine Should Avoid Fragmenting Privacy Rules

Doug Brake May 23, 2019

The “Act to Protect the Privacy of Online Customer Information” or L.D. 946 has been gaining momentum in Maine’s legislature. The bill, championed by Senator Shenna Bellows (D-Manchester), aims to increase Internet users’ privacy by restricting the collection and use of customers’ data by Internet Service Providers (ISPs) like Spectrum or Verizon.

There are good opportunities to improve regulation of data privacy in the United States, but this proposal is not one of them. This legislation fails to balance privacy with other key interests and wouldn’t effectively increase users’ privacy.

It is relatively easy to write bills that simply turn up the dial on consumer privacy. It is much harder, however, to write good legislation that strikes the right balance between increased data privacy and other values, such as regulatory cost, consumer usability, and innovation. Bills like L.D. 946 that simply restrict the use of a broad class of data without, for example, tailoring the restrictions to the sensitivity of the data do a poor job of balancing competing interests in privacy legislation. There is good empirical evidence that innovation can be easily harmed by heedless data restrictions.

It would be much better to simply require ISPs to let users who are especially concerned about their privacy opt out of data collection. Research at the Information Technology and Innovation Foundation shows all large ISPs already offer this option to their users.

This legislation would also do a poor job of actually increasing Mainers’ privacy, as it would restrict the practices of only Internet Service Providers—those who sell access to the Internet—and leave the same information open to collection by others. This is odd, because ISPs have relatively little access to private information, mostly because most websites are now encrypted. Rules that focus solely on ISPs also risk limiting business model innovation and locking in today’s industry structure forever. L.D. 946 would essentially say ISPs are only in the broadband business and cannot even offer customers a lower bill in exchange for serving targeted ads, for example, something that many low- and moderate-income Maine households in particular might find attractive. Restricting privacy regulation to just one part of the Internet ecosystem might be politically popular (most customers don’t particularly like their ISP) but is bad policy for encouraging a dynamic, competitive market for connectivity and related services.

For those of us who live and breathe these issues, this bill feels out of step. Back in 2017, there were several of these state-level ISP-focused privacy bills, all of which cropped up in response to Congress repealing the 2016 privacy rules written at the Federal Communications Commission (FCC). Those FCC rules never went into effect and were only removed as part of the process of returning broadband privacy authority to the Federal Trade Commission (FTC). Now that the privacy practices of ISPs are rightly returned to FTC authority, most states have abandoned ISP-only legislation, and the focus has turned to work on broader privacy legislation.

Admittedly, many do not think FTC oversight offers sufficient protection of consumer data, which is part of the reason for the serious work on comprehensive privacy legislation at the federal level. Surely this is the right way forward—a strong, uniform, national privacy framework—rather than a fragmented mess of mediocre state-level protections, some of which focus on only one set of companies.