States are enacting their own online data privacy laws, creating a hodgepodge of restrictions that telecom and tech companies increasingly are railing against.
Last month, Maine Gov. Janet Mills signed into law what is now considered the nation’s toughest set of restrictions on internet service providers (ISPs). The law, which goes into effect on July 1, 2020, bars companies from using, selling or distributing customer data without the customer’s consent.
“The internet is a powerful tool, and as it becomes increasingly intertwined with our lives, it is appropriate to take steps to protect the personal information and privacy of Maine people,” said Ms. Mills, a Democrat.
Leading telecommunication and technology companies, including Verizon and AT&T, voiced opposition to the law. They argued it could violate the U.S. Constitution’s Commerce Clause, which protects companies from undue state regulation when conducting business across state lines.
“Data does not recognize state borders, and a fragmented, state-by-state approach sets uneven and inconsistent protections for consumers that are difficult, and sometimes impossible to implement,” said USTelecom, a coalition of broadband service providers.
In addition to Maine, Illinois, Maryland, Massachusetts, New Jersey, New York, Oregon, Texas, and Washington recently have moved to amend their data breach notification laws.
Meanwhile in California debate continues over the state’s Consumer Privacy Act, which was passed last year and takes effect in 2020. That law imposes tough privacy rules on a range of broadband providers, in addition to web companies including Google and Facebook.
More than 20 efforts were made earlier this year to change the California law, which the tech industry has strongly opposed.
According to the National Association of State Legislators, more than half of the country’s statehouses have considered privacy laws this year.
Privacy law experts attribute the flurry of activity to the frustration over federal inaction, in addition to revelations of privacy abuses and data breaches continuing to breed distrust about data security.
State-level proposals range widely and include expanding consumers’ rights to sue when abuses occur, requiring businesses to obtain customer permission before collecting data and allowing consumers to opt out of data collection entirely.
While privacy advocates have applauded the push to expand customers’ rights, the tech industry is expressing concerns that the states’ scattershot approach to regulation will create an unworkable business landscape. The states also appear to be trying to outdo each other in crafting restrictions, industry leaders say.
Legal questions also are emerging over the constitutionality of some of the proposals.
“From the viewpoint of consumers, the more laws and awareness there is, the more protection they will potentially receive,” said Françoise Gilbert, a privacy law expert based in Palo Alto, California.
“However, with so many laws that are inconsistent, it has created a huge burden for businesses to comply,” said Ms. Gilbert, who heads the privacy, data and security practice for the international law firm Greenburg Traurig.
In the wake of last year’s Cambridge Analytica scandal, in which the now-defunct consulting firm secretly harvested and used Facebook user profiles for political advertising, Washington lawmakers spent months grilling tech companies and threatening a crackdown on their use of personal data.
But no new federal laws have emerged, leaving states to address the issue.