Tag Archives: ab375

Big broadband’s permission for, collection and use of customer info gets a federal review

by Steve Blum • , , , ,

The privacy practices of four major broadband service providers and one big disruptor are getting a hard look from the Federal Trade Commission. Comcast, AT&T, Verizon, T-Mobile and Google Fiber were given 45 days to produce detailed information about their business practices and subscribers, with particular emphasis on how they collect information about customers, whether it’s done with genuine permission, and what they do with it.

The information demanded by the FTC includes statistics on how many people actually read privacy policies, along with what promises to be a tall stack of those policies – every single one that’s been written by the companies, including copies that might be “different from the original because of notations on the copy”.

One particular concern of the FTC is whether the companies treat customers differently based on the degree of privacy they’re willing to surrender…

Has the Company ever offered different levels of service, quality of service, rates, pricing, rewards, or other incentives for consumers who opt-in to the collection of information about themselves, their Devices, their communications, their viewing history, or their online activities? If so, Describe in Detail such practices and produce Each materially different notice provided to consumers concerning the practice…

Has the Company ever denied service, or otherwise degraded the quality of service, for consumers who fail to opt-in to the collection of information about themselves, their Devices, their communications, their viewing history, or their online activities, beyond information that is necessary for the provision of Internet or cable services? If so, Describe in Detail such practices and produce Each materially different notice provided to consumers concerning the practice.

AT&T and Verizon will have to produce information about both their wireline and mobile subsidiaries. It’s probably a good assumption that Comcast will have to submit data about its wireless business practices too. One company that’s notably absent from the list is Charter Communications, which has nearly as big a market share as Comcast. Sprint is missing too, but it’s the smallest of the major mobile carriers and might not be around much longer anyway.

Intentional or not, the FTC’s fishing – whaling – expedition is a welcome response to a damning assessment by the federal general accounting office assessment that the agency is largely clueless about the online world.

Federal online privacy cop needs direction, says GAO study

by Steve Blum • , , , ,

Police academy

The federal government’s primary consumer protection agency – the Federal Trade Commission – doesn’t think too hard about policing online privacy violations, according to a report by the General Accounting Office. Generally, the FTC can act when a company engages in unfair or deceptive business practices. Figuring out what’s fair and what’s not in cyberspace is a complete puzzle, and impenetrable terms of service and other digital fine print typically give companies a get out of jail free card to companies, the report notes…

Some stakeholders said that FTC relies more heavily on its authority to take enforcement action against deceptive trade practices compared with the agency’s unfair trade practices authority. This was confirmed in our analysis of FTC’s Internet privacy enforcement actions discussed previously. However, a representative from a consumer advocacy group said that FTC’s ability to take such action is limited practically to instances where a company violates its own privacy policy—companies generally can collect and use data in any way they want if they include language in their policies asserting their intent to do so. According to a former FCC commissioner, a privacy statute could clarify the situations in which FTC could take enforcement action.

The report notes that both California and the European Union have online consumer privacy laws in place, but there’s no federal equivalent in the U.S. It concludes with a recommendation to congress that it “should consider developing comprehensive legislation on Internet privacy”, including identifying which agency is responsible for what and, somehow, balancing “consumers’ need for Internet privacy with industry’s ability to provide services and innovate”.

There’s also an interesting list of FTC privacy enforcement actions at the end of the report. It summarises 101 cases over ten years, between 2008 and 2018. Most ended with no penalties or other meaningful result at all, although a rumored multibillion dollar smack at Facebook would, if true, change that calculus. A few resulted in million dollar-plus penalties but the remainder ended with relative slaps on the wrist. It’s a clear illustration of why the FTC needs better direction and motivation if it’s to be the “nation’s premier consumer protection cop”.

Spreading high tech wealth and restricting self-employment on California governor’s to do list

by Steve Blum • , , , ,

California governor Gavin Newsom took aim at technology companies during his state of the state address on Tuesday. Although bullish on California’s high tech economy, he dangled the possibility of a tax on data…

California is proud to be home to technology companies determined to change the world. But companies that make billions of dollars collecting, curating and monetizing our personal data have a duty to protect it. Consumers have a right to know and control how their data is being used.

I applaud this legislature for passing the first-in-the-nation digital privacy law last year. But California’s consumers should also be able to share in the wealth that is created from their data. And so I’ve asked my team to develop a proposal for a new Data Dividend for Californians, because we recognize that your data has value and it belongs to you.

He didn’t explain what a “data dividend” is, but given his long list of new and expanded state programs, it seems likelier that he’s thinking in terms of taxing tech companies rather than requiring them to send dividend checks to everyone.

Newsom also talked about changes in employment law but, again, was short on details. Referencing a California supreme court decision that limited the ability of individuals to work as self-employed contractors – Uber drivers, for example – Newsom called for…

A new modern compact for California’s changing workforce…to ensure technological advancements in AI, blockchain, big data, are creating jobs, not destroying them, and to reform our institutions so that more workers have an ownership stake in their sweat equity.

He plans to give the job of figuring out how to do that to a new commission that will include representatives from businesses, but also from labor unions, which have actively worked to hinder self-employment in California in the past.

There was no mention of broadband or other telecoms issues in Newsom’s speech, but he did talk about electric utilities, primarily PG&E. He promised to be an active participant in PG&E’s bankruptcy case, saying he’s “convened a team of the nation’s best bankruptcy lawyers and financial experts from the energy sector” to “seek justice for fire victims, fairness for employees, and protection for ratepayers” while never wavering on safety or pursuit of clean energy goals. As with most everything else, Newsom didn’t say how he would do all that, but at least he offered a 60-day deadline for coming up with answers.

Consumer privacy law is back in play in Sacramento

by Steve Blum • , , ,

Sf naked the streets

Monday’s brief meeting of the California legislature didn’t produce any broadband-related bills, with the possible exception of a placeholder introduced by assemblyman Ed Chau (D – Los Angeles). Assembly bill 25 would amend the privacy bill that California lawmakers passed in 2018, but it doesn’t say how.

California’s new privacy law puts tight restrictions on how online companies can use customer data, and how they have to safeguard it. Chau was the author of that bill, which was passed as part of a deal to keep an even tougher privacy initiative off of the November ballot. But what the legislature gives, it can also take away. A coalition of various kinds of advocacy groups sent a letter to lawmakers on Monday, asking them to strengthen the law, and resist attempts to change it…

Irresponsible data practices lead to a broad range of harms, including discrimination in employment, health care, and advertising, data breaches, and loss of individual control over personal information. Technology practices and resulting concerns can limit adoption and use of new technology such as internet-connected devices, threaten e-commerce, and even decrease democratic engagement and speech. Many individuals do not understand and are worried about how their information is used or shared online. They feel that they have lost control of their data and they want government to protect them.

Whether or not consumers are really clamouring for more government protection is an open question. But there doesn’t seem to be much interest in having less, except among the telecoms and online services companies that opposed California’s new privacy law. Some of those companies give millions of dollars to lawmakers, and particularly to senators and assembly members that sit on key committees in Sacramento. With the help of those friend, their lobbyists are adept at carving up laws they don’t like. Chau’s new bill needs to be watched carefully.

Charter, Comcast tell FTC to kill California broadband laws

by Steve Blum • , , , ,

Comcast and Charter Communications want the Federal Trade Commission to preempt California’s data privacy law, and any other state laws regarding broadband service. In comments filed last week, the National Cable and Telecommunications Association (NCTA), which serves as a Washington, D.C. lobbying front for Comcast, Charter and other cable companies, ask the FTC to tell state lawmakers and officials that they can’t enforce broadband service rules beyond what federal regulators think is appropriate (h/t to Jon Brodkin at Ars Technica for the pointer)…

The FTC should ensure that the Internet is subject to uniform, consistent federal regulations, including by issuing guidance explicitly setting forth that inconsistent state and local requirements are preempted…

California’s recently enacted California Consumer Privacy Act of 2018 imposes numerous requirements that differ from, and even conflict with, federal law.174 Moreover, a patchwork of state-level rules applying only to BIAS providers would undercut existing federal policy basing enforcement on what information is collected and how it is used, rather than on who is collecting the information. Any FTC guidance to state entities on the need to ensure consistency with FTC and FCC policy and precedent in the Internet arena thus should cover privacy and data protection issues as well.

NCTA argues, falsely, that the market for broadband service is “substantially” and “increasingly”. That’s true in a few isolated areas, but overall the trend is toward greater monopolisation of the Internet service industry. The minimum speed level necessary to take advantage of what NCTA calls “a wide array of Internet-delivered video offerings” continues to rise. More and more, cable operators are the sole source of broadband service that meets contemporary needs.

Charter and Comcast are preparing a new line of attack against state-level privacy and network neutrality rules. If, as some legal experts believe, the Federal Communications Commission has taken itself out of the broadband regulation business, then the FTC is their best hope to kill those laws. Particularly California’s new consumer privacy law and its pending resurrection of network neutrality standards.

California legislature to decide privacy, Internet commerce bills

by Steve Blum • , , , ,

Consumer privacy, police surveillance, online retailing, bots and social media were all targets of bills introduced this year in the California legislature. One major bill already passed, a couple are dead and the rest are queued up for a decision this week, as lawmakers prepare to finish up the 2018 session on Friday.

Assembly bill 375 established strict consumer data privacy rules. It was signed into law by the governor earlier this year. It’s being tweaked, though. Senate bill 1121 exempts some medical, financial and driving record information that’s already regulated by federal and/or state law. It also allows credit reporting agencies to continue to use personal information, whether or not consumers consent, to the extent permitted by federal law. It makes other changes, mostly regarding how the law is enforced.

As far as I can tell, the amendments are technical. But SB 1121 should put everyone on notice, too: the legislature can and will change California’s new data privacy law. Given the influence that lobbyists and their cash payments to lawmakers have in Sacramento, future changes may not be so benign.

Other bills introduced this year include…

  • AB 1906 and SB 327 – aimed at the Internet of things, these two, linked bills require passwords and other security features on Internet-connected devices. Awaiting floor votes in the senate and assembly, respectively. Each will have to go back to its “house of origin” for concurrence votes on amendments made along the way.
  • AB 2167 – defines information gathered by ingestible sensors that collect or send information about an individual, and linked apps and devices, as protected medical information. On the senate floor, with assembly concurrence needed.
  • AB 2511 – requires merchants to “take reasonable steps to ensure that the purchaser is of legal age” of anyone who might purchase or view age restricted products or services. It was originally targeted only at online sellers, but now includes all businesses. The range of products and services covered was narrowed, too. Waiting for a floor vote in the senate, then would go back to the assembly for concurrence.
  • AB 2935 – adds privacy protections to health monitoring programs, online and otherwise. Would have had implications for fitness and athletic social media, such as Strava. It died in a senate committee.
  • SB 1001 – requires bots – computer programs that mimic people, used by companies to chat with customers – to identify themselves as such. Only applies to websites that get 10 million visitors a month. On the assembly floor now, with senate concurrence also needed.
  • SB 1186 – required local governments to disclose the types and uses of law enforcement surveillance technology. Quietly killed in the appropriations committee by assembly leadership.
  • SB 1424 – formerly a far reaching attempt to police free speech on the Internet, it was neutered as it moved through the legislative process and now just calls for the California attorney general to study “the problem of the spread of false information through Internet-based social media platforms”. If someone donates the money to do it. Awaits an assembly floor vote and senate concurrence.

California consumer privacy law, online and off, now on the books

by Steve Blum • , ,

Californians will have control over the way their personal information is used by businesses, including online platforms. Probably. Governor Jerry Brown signed assembly bill 375 into law, after it was approved by the state senate and assembly in whirlwind fashion yesterday. According to the analysis prepared by staff for the assembly privacy and communications committee – which is chaired by the bill’s author, assemblyman Ed Chau (D – Monterey Park) – consumers will gain…

The right to know what [personal information (PI)] is being collected about them and whether their PI is being sold and to whom; the right to access their PI; the right to delete PI collected from them; the right to opt-out or opt-in to the sale of their PI, depending on age of the consumer; and the right to equal service and price, even if they exercise such right.

AB 375 was briefly in the spotlight last year, when it was turned into an online privacy bill, only to be killed by tech and telecoms lobbyists. Its demise behind closed doors prompted a successful petition drive to put a tough consumer privacy initiative on the November ballot. Which scared those same big tech and telecoms companies. For two reasons: they would have to spend millions of dollars trying to defeat it, and if enacted by the voters, the legislature wouldn’t be able to change it.

That gave Chau an opening to resurrect his bill, and cut a deal with the initiative’s backers. If the legislature passed a sufficiently stringent consumer privacy bill, the backers – who faced an equally expensive campaign – would declare victory and withdraw the ballot measure. Yesterday was the withdrawal deadline, the legislature met it and the initiative was formally pulled.

The new law takes effect 18 months from now, in January 2020. That’s forever in political terms, though. The legislature will have plenty of opportunity and lobbyists will offer plenty of cash encouragement to water down the new law. They’ll want to do it as quietly as possible. It’s worth watching, if only to make sure it’s as noisy as possible.

Internet privacy bill rises from the dead at California capitol

by Steve Blum • , , ,

California lawmakers have another shot at creating strong data privacy rules. Assembly bill 375, authored by assemblyman Ed Chau (D – Monterey Park), was originally aimed at Internet service providers. It would have reinstated ISP privacy rules that were scrapped by the republican majority on the Federal Communications Commission. It died last year after legislative leaders bowed to back door pressure and “dirty tricks” from ISPs, like AT&T and Comcast, and Silicon Valley’s big online players, like Google and Facebook.

But with angst over Facebook’s epic face plant and other data breaches reaching a fever pitch, attention turned to how companies – of all kinds – collect, keep and use data about and belonging to consumers. A petition drive appears to have collected enough signatures to get a sweeping online data protection law on the November ballot. To head that off, Chau and senator Robert Hertzberg (D – Van Nuys) rewrote AB 375 and, on Friday, put it on a fast track for potential approval this week.

As rewritten, AB 375 meets the needs of the initiative’s backers. It would give consumers the right to ask companies what kind of personal data they’re collecting, what they’re doing with it and who they’re sharing it with. Consumers could also tell online businesses to delete information and prevent them from sharing or selling personal information to others. Those backers will scrap it if the legislature approves AB 375 and governor Jerry Brown signs it into law by Thursday (the deadline for pulling the initiative).

According to a story by Taryn Luna in the Sacramento Bee, avoiding a ballot measure will also avoid a massively expensive campaign, fuelled by money from the big incumbent ISPs and online platforms that oppose it…

[Alastair Mactaggart, the main proponent of the initiative], who has dished out $3.5 million to support his own cause by paying signature gatherers to qualify the initiative, expected his opponents to spend as much as $100 million on the campaign against the Consumer Privacy Act before the Nov. 6 election. As of this week, the opponents of the initiative had given nearly $2.2 million to tank it.

You can count on those same companies to flood Sacramento with lobbyists this week, just as they did last week to oppose network neutrality bills.

Internet, telecoms legislation introduced in Sacramento, but not all cards are on the table

by Steve Blum • , , ,

A handful of substantive telecoms and Internet services bills and a stack of placeholders were introduced in the California legislature by last Friday. That was deadline for new bills, although it’s largely a formality – any of the placeholders (or the substantive bills) can get gutted, amended and turned into anything at all, right up to the end of the session in August.

Assemblyman Ed Chau (D – Monterey Park) is taking another run at Internet privacy, although in a more limited way than last year. Assembly bill 2511 would tighten privacy requirements for websites – social media, particularly – that serve minors, and AB 2935 would do the same for health monitoring services. Broader legislation could come later, though.

Social media gets a call out in two other bills. AB 1950 by assemblyman Marc Levine (D – Marin County) would prohibit bot-driven advertising or clicks, and AB 3169 by assemblyman James Gallagher (R – Butte County) would ban censorship by social media platforms or search engines “on the basis of on the basis of the political affiliation or political viewpoint of that content”, or “removing or manipulating content” from search results.

AB 1906, by assemblywoman Jacqui Irwin (D – Ventura County), would require an Internet–connected device to have password protection – in other words, you’d have to authorise your Alexa device before it could start eavesdropping on you.

Lifeline telecoms programs – which can include broadband service – would be less restricted under AB 3111, authored by assemblyman Eduardo Garcia (D – Imperial County). Right now, only one person per household can receive lifeline subsidies, which is a problem if the service is delivered via a mobile phone, rather than a wireline connection that can be shared by everyone. AB 3111 would allow different people living at the same address to receive lifeline service, although the one account per family restriction would stay in place. How that distinction would be policed by the California Public Utilities Commission isn’t clear, though.

So far, there’s been no move to introduce a new version of senate bill 649, which would have opened up city and county property to wireless operators, at nominal, below-market-value rental rates. It was vetoed by governor Jerry Brown because it went a bit too far. You can expect to see similar language slipped into a bill by wireless lobbyists in the coming months. Stay tuned.

Comcast asks FCC for privilege without responsibility

by Steve Blum • , , , ,

Comcast has joined Verizon in pushing the Federal Communications Commission to override state and local laws that might affect their business. In a required notice filed after a private meeting with FCC chair Ajit Pai’s top staffers, a lawyer for Comcast said they urged the FCC to overturn its 2015 decision to regulate broadband as a common carrier service, and to make sure that state and local governments didn’t try to pick up the slack…

At the meeting, we reiterated Comcast’s support for restoring its prior classification of broadband Internet access service (“BIAS”) as an interstate information service and reversing the 2015 decision to classify BIAS as a [common carrier] telecommunications service…

We also emphasized that the Commission’s order in this proceeding should include a clear, affirmative ruling that expressly confirms the primacy of federal law with respect to BIAS as an interstate information service, and that preempts state and local efforts to regulate BIAS either directly or indirectly.

Comcast and Verizon are worried about state initiatives like California’s assembly bill 375, which would have restored consumer privacy rules scrapped at the national level. It was eventually brought down by an all out attack by telecoms lobbyists who control millions of dollars of payments made to legislators in Sacramento. But the effort will, in all likelihood, be made again next year, and Comcast wants to head it off.

But it’s about more than just a few bills. If – when – the current FCC follows through on its promise to scrap broadband’s common carrier status, Internet service providers, like Comcast, will lose their existing exemption from consumer protection laws at both the state and federal level. Although it’s under challenge in a federal appeals court, that exemption basically puts the FCC in charge of regulating most aspects of common carrier telecoms services. Even the Federal Trade Commission can’t set business rules for common carriers.

Comcast likes the advantages, such as immunity from state and federal consumer laws, that come with a common carrier label. But it doesn’t want the common carrier obligations, such as net neutrality rules or FCC oversight, that follow. It would be reckless if the FCC accommodates them.