Washington State

House of Representatives

Office of Program Research

BILL

ANALYSIS

Technology & Economic Development Committee

ESHB 2200

This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.

Brief Description: Protecting the privacy and security of internet users.

Sponsors: House Committee on Technology & Economic Development (originally sponsored by Representatives Hansen, Taylor, Smith, Buys, Harmsworth, Graves, Maycumber, Walsh, Kraft, Haler, Condotta, Nealey, Bergquist, Steele, Van Werven, Stonier, Macri, Farrell, Cody, Slatter, Tarleton, Senn, Kagi, Pollet, Frame, Chapman, Dye, Hudgins, Stanford, Reeves, Dent, Hayes, Ryu, Peterson, Sells, Kloba, Santos, Johnson, Fitzgibbon, Holy, Ormsby, Caldier, Sawyer, Wylie, Hargrove, Kilduff, Blake, Orcutt, Gregerson, Young, Appleton, Shea, Koster, Morris, Tharinger, Irwin, Muri, Schmick, Volz, Goodman, Clibborn, McCaslin, Pellicciotti, Doglio, Jinkins, Dolan, Kirby, Sullivan, Lytton, Kretz, Riccelli, Rodne, McBride, McCabe and Pettigrew).

Brief Summary of Bill

  • Requires Internet providers to obtain opt-in consent to sell or transfer certain customer information.

  • Requires Internet providers to obtain opt-in consent to send or display an advertisement to a customer based on certain customer information.

Hearing Date: 1/18/18

Staff: Lily Smith (786-7175).

Background:

Federal Communications Commission.

The Federal Communications Commission (FCC) regulates interstate and international communications in commerce, with particular requirements for common carriers under Title II of the federal Communications Act (Title II). Providers of telecommunications services are considered common carriers.

Prior to 2015, the FCC classified the provision of broadband Internet access services (Internet service) as an information service, which is not subject to common carrier regulation under Title II. In a 2015 order, the FCC reclassified Internet service as a telecommunications service, which subjected Internet providers to Title II. Section 222 of Title II requires common carriers to protect the confidentiality of customer proprietary information.

In October 2016 the FCC adopted new rules implementing section 222. The rules used a sensitivity-based framework for customer information, and included requirements regarding:

The 2016 FCC rules did not apply to online services beyond Internet service, such as websites, electronic mail, and music and video streaming services (sometimes referred to as "edge services").

In April 2017 a law enacted through the Congressional Review Act (CRA) repealed the 2016 FCC rules. Issuance of a rule substantially the same as one repealed under the CRA is prohibited, unless the rule is specifically authorized by a law enacted after the date of repeal of the original rule.

In 2018, the FCC issued an order reclassifying Internet service as an information service.

Federal Trade Commission.

The Federal Trade Commission (FTC) is tasked with preventing unfair or deceptive acts or practices in or affecting commerce under the Federal Trade Commission Act (FTCA), along with enforcement of specific consumer protection and antitrust laws.

The FTCA does not apply to common carriers when engaged in business as a common carrier. Prior to the 2015 FCC order reclassifying internet service as a telecommunications service, the FTC had authority over internet service providers under the FTCA. The 2018 FCC order returns that authority.

State Consumer Protection Act.

The state Consumer Protection Act (CPA) prohibits unfair or deceptive acts or practices in trade or commerce. A private person or the Attorney General may bring a civil action to enforce the provisions of the CPA. A person or entity found to have violated the CPA is subject to treble damages and attorney's fees.

Summary of Bill:

An internet provider must obtain opt-in approval to (1) sell or transfer customer proprietary information (PI), or (2) send or display an advertisement to a customer that was selected based on the customer's PI. Approval must be solicited at the time of sale, and new approval must be obtained for changes inconsistent with the terms or conditions at prior approval. A mechanism must be provided for a customer to grant, deny, or withdraw approval.

An Internet provider may not condition or refuse service as a consequence of a customer's refusal to waive privacy rights. If an Internet provider offers a financial incentive in exchange for customer approval regarding customer PI, it must disclose certain information regarding the use of the information and provide a mechanism to withdraw participation.

A violation of the act is enforceable under the CPA.

The Utilities and Transportation Commission (UTC) is authorized to adopt rules further defining the definitions and prescribing appropriate notice to be provided to customers.

The substantive sections of the act expire upon determination by the UTC that the federal government has established Internet service customer protections standards substantially equivalent to the levels of protection provided in the act.

"Customer proprietary information" means any of the following an internet provider acquires in connection with its provision of internet service:

Appropriation: None.

Fiscal Note: Available.

Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.