Status of Internet Privacy Legislation By State

In April 2017, majorities in the House and Senate passed and President Trump signed a law overturning strong, commonsense privacy rules that gave consumers control over what internet service providers (ISPs) could do with their data. The rules that were overturned would have prevented ISPs from sharing our browsing history with advertisers, forced ISPs to be clear about what information they’re collecting, and required ISPs to take reasonable steps to protect our data from hackers.

The response from many states was almost instantaneous. State legislators around the nation are now considering laws to restore the privacy protections that Congress and President Trump eviscerated.

Working closely with our affiliates in state capitols around the country, we’ve been tracking ISP privacy legislative activity and working to make sure privacy-protective bills become law. The chart below shows the current status of the 2017 state legislation as we understand it.

Click any highlighted state to learn more
X

Map Data:

Show map data
Scroll for details on each state

Alaska

States where legislation has been introduced

Alaska’s HB 232, and the similar HB 230, prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer giving them consent to collect personal information.

Hawaii

States where legislation has been introduced

A proposed version of Hawaii’s SB 1201 prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer given them consent to collect personal information. However, the current version of the legislation does not include any privacy language.

Kansas

States where legislation has been introduced

Kansas’s HB 2423 prevents ISPs that do business within the state from collecting or otherwise storing the personal information from a resident of Kansas without express, written consent. It also prevents ISPs from refusing to provide their service to a resident of Kansas who has not given approval for the collection, storage or sale of their personal information.

Maine

States where legislation has been introduced

Maine’s LD 1610 prohibits an ISP from using, disclosing, selling, or permitting access to a customer’s personal information without express, affirmative consent (absent certain emergency and other exceptions). The bill defines personal information as including web browsing history, app usage, and precise geolocation information, among other sensitive types of data. It prohibits conditioning the sale of a service, or changing a penalty for that service, if a customer does not provide consent. The bill also requires ISPs to take reasonable measures to protect customer’s personal information against unauthorized use, disclosure or access.

Maryland

States where legislation has been introduced

A bill was introduced just six days before the end of the legislative session and failed to pass through Maryland’s state legislature, SB 1200, due to the lack of time to consider the issue. It would have prohibited ISPs from selling or transferring a customer’s personally identifying information—which includes browsing history and IP address—for marketing purposes without affirmative consent from the customer (absent certain legal exceptions). It would have prevented ISPs from showing ads to customers from the ISP based on the customer’s browsing history, without affirmative permission. The bill would have prevented ISPs from conditioning service on a customer giving them consent to collect personal information. And the bill would have required the state’s Joint Committee on Cybersecurity, Information Technology, and Biotechnology to monitor enforcement of the act and provide recommendations on future changes needed to the law.

Massachusetts

States where legislation has been introduced

There are several internet privacy bills pending in Massachusetts. HB 3698 prohibits an ISP from collecting, using, disclosing, or permitting access to a customer’s sensitive propriety information without opt-in consent (absent certain emergency and other circumstances). Sensitive proprietary information includes financial and health information, information about children, precise geolocation, browsing history, and app usage, among others. The bill also requires that ISPs disclose, at the point of sale or during significant changes to their practices, the types of information the ISP wishes to collect, the purposes for which it would use the information, and the types of third-parties who would receive the information when asking the customer for opt-in consent.

S 2062 would prohibit ISPs from collecting, using, disclosing or permitting third-party access to a customer’s proprietary information, which includes web browsing history and app usage, without affirmative consent (absent certain emergency and other exceptions). It also requires the ISP to ask for opt-in approval when material changes are made to the company’s privacy policy, and it requires that customers be given a conspicuous notice of what information is collected, the purpose for which it would be disclosed, and the type of third-party it would be disclosed to. It also prohibits conditioning the sale of a service, or changing a penalty for that service, if a customer does not provide consent.

Minnesota

States where legislation has been introduced

A number of similar broadband privacy amendments were attempted in Minnesota. HF 2209 has a provision that prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. HF 2579HF 2606, and HF 2309 have the same language but also prohibit conditioning the sale of a service on a customer given them consent to collect personal information.

Nebraska

States where legislation has been introduced

LR 136, designates the Transportation and Telecommunications Committee to conduct an interim study of the effects of the overturning of the FCC’s broadband privacy rule. If the study concludes that repeal of the rule does impact the privacy of Nebraskans, it may consider state legislative and administration options to restore privacy protections to consumers. The bill was introduced with bi-partisan support.

New Hampshire

States where legislation has been introduced

An amendment to HB 305, which was not adopted, prohibited ISPs from using, disclosing, selling or permitting access to a customer’s personal information without affirmative consent (absent certain emergency and other exceptions). The amendment defined personal information as the content of communications, demographic information, browsing history, financial and health information, information pertaining to children, app usage, and precise geolocation, among others. The amendment also required ISPs to take reasonable steps to protect customer personal information from unauthorized use, disclosure, or access.

New Jersey

States where legislation has been introduced

SB 3156 requires ISPs to keep their customer’s personally identifiable information—which includes browsing history and precise geolocation—confidential unless the customers provide affirmative consent. It also provides that ISP give written notice of this requirement to each customer. The provisions of the bill do not apply to investigations undertaken pursuant to the “New Jersey Wiretapping and Electronic Surveillance Control Act. Importantly, an ISP cannot refuse to offer internet service to customers simply because the customer does not consent to disclosure of personal information.

AB 3027 instructs the Board of Public Utilities, in consultation with the Division of Consumer Affairs and the Department of Law and Public Safety, to undertake a public awareness campaign to promote consumer understanding of ISP’s information disclosure practices. The campaign would include information about state and federal privacy laws, the circumstances under which ISPs can disclose customer information, and guidance for how consumers can access and understand the privacy policies of ISPs. The bill does not specifically address how the campaign will be clear and accessible to the public.

New York

States where legislation has been introduced

New York has the most currently pending bills of any state. A 7191 and S5603 prohibit any ISP that do business within the state from collecting or disclosing a customer’s personal information—which includes browsing history and the contents of data-storage devices—without affirmative consent . However, the bills have a number of exceptions for the consent requirement, including provisions that would allow law enforcement to access customer data without a warrant. The bills also require ISPs to take reasonable data security steps and provide a cause of action for ISP violations of its provisions.

A 7236 and S 5576 require ISPs to obtain affirmative consent from a customer prior to using, sharing or selling that customer’s sensitive information, which includes browsing history, financial and medical data, biographical data, the content of communications, and internet usage. Non-sensitive data, which includes aggregate data or subscription data, does not require consent for disclosure. The bills also require ISPs to provide customers with a copy of a privacy policy that includes: data collection and use practices; the ISP’s relationships with third-parties, the purposes for which the ISP collects data; and information for how consumers can exercise control over their privacy. Any ISP that violates the provisions would be guilty of a misdemeanor and subject to fines.

A 7495 and S 5516 require ISPs to keep confidential, unless given affirmatives consent, customer information including biographical information, browsing history, financial and health information, and information about political affiliation, among others. The ISP is also required to provide written notice of the requirements of the bill to each customer.

S 3367 requires ISPs to keep all customer information confidential unless affirmative consent is provided. The bill also creates a find of $500 per offense for any ISP found to be in violation.

Oregon

States where legislation has been introduced

HB 2090, which has been passed by the Oregon legislature, makes it a violation of that state’s consumer protections law for a company to engage in practices that are inconsistent with its stated privacy policy.

HB 2813 prohibits an ISP from disclosing, selling, or permitting access to a customer’s personal information without affirmative consent (absent certain emergency or other exceptions). The bill defines personal information to include demographic information, browsing history, app usage, the content of communications, information about finances, health or children, and precise geolocation, among others. The bill also prohibits an ISP from conditioning service on or charging a higher rate to customers that do not provide consent for their information to be used. The bill requires ISPs to take reasonable measures to protect customer personal information from unauthorized use, disclosure, or access. And the bill gives a private right of action against an ISP that discloses or sell their information in violation of the bill’s provisions.

Rhode Island

States where legislation has been introduced

HB 6086 prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer given them consent to collect personal information.

South Carolina

States where legislation has been introduced

HB 4154 prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer given them consent to collect personal information.

Washington

States where legislation has been introduced

HB 2200, which has already passed the House twice, prohibits an ISP from selling or transferring a customer’s proprietary information, which includes communications content, browsing history, precise geolocation, and financial and health information, among others, without opt-in consent. The bill also prohibits an ISP conditioning service on a customer’s consent to use their proprietary information, and further must disclose the terms and conditions of any financial incentive provided to a customer that consents to having their information used by the ISP.

SB 5919 prevents ISPs that do business within the state from collecting the personal information from customers without express, written consent. It also prevents ISPs from conditioning service on a customer given them consent to collect personal information.

Vermont

States where legislation has been introduced

HB 535 directs the Attorney General, in consultation with the Commissioner of Public Services to adopt privacy and data security rules for ISPs. SB 147 uses similar language, but also requires that the rules adopted include disclosure requirements for ISP privacy policies, opt-in or opt-out procedures for obtaining customer approval to use and share sensitive or non-sensitive customer propriety information, and data security and breach notification requirements.

SB 72 directs the Attorney General, in consultation with the Commissioner for Public Service and industry and consumer stakeholders, to submit a recommendation or draft legislation regarding whether and to what extent the state should adopt privacy and data security rules for ISPs.

Wisconsin

States where legislation has been introduced

SB 233 prohibits an ISP from using, disclosing or permitting access to a customer’s proprietary information without affirmative consent (absent certain emergency and other exceptions). The bill defines proprietary information as the content of communications or information that relates to the quantity, technical configuration, type, destination, location, or amount of use of an ISP’s service. The bill also requires that ISP provide notice to consumers about how they collect and use their information and it requires reasonable data security practices and notification of data breaches.

Stay Informed