As Washington continues to set new records for gridlock and futility, it’s understandable that state “laboratories of democracy” are ramping up to protect their residents and attempt to solve problems the federal government seems incapable of addressing.

Maine’s push to enact a local internet privacy law is a perfect example. I don’t support state-specific legislation. As I argued to your legislature in recent testimony on this bill, one state alone cannot meaningfully protect consumer privacy on an internet that recognizes no state boundaries and bounces data from Bangor to Bangladesh in the blink of an eye. A patchwork of local rules is also anathema to small businesses and individuals who simply don’t have the legal and financial resources to comply with 50 different sets of rules — Google can afford that, but a Bar Harbor B&B cannot.

Nevertheless, one look at the dysfunction in Washington makes it hard to blame states like Maine that have grown frustrated by federal impasse. They recognize state-based privacy laws may be imperfect or incomplete but feel helpless as profiling, data-mining, and hacks continue to pile up. I understand that sitting on the sidelines in these circumstances feels unacceptable.

But the bill that’s currently on the table — which inexplicably exempts the biggest and most important companies that collect, use and sell your data — is simply the wrong way to respond to that frustration.

Maine’s privacy legislation would apply only to broadband access providers — the cable and phone companies that connect consumers to the internet. It does nothing to rein in any other data user, from the big search and social media giants to the smallest local Maine-only businesses like financial planners.

That limitation flies in the face of the policies we set during the Obama Administration when I led the Federal Trade Commission, the nation’s top privacy cop. A bedrock principle of our 2012 Privacy Roadmap was “tech neutrality” — applying one consistent set of rules to all data collectors and users and ensuring that consumers are protected by the same strong privacy regime everywhere they go and with everything they do online.


The reason for this is simple — in the fast-changing digital world where a company can be a bookstore one day and a cloud data service the next, what matters is not the identity of the company collecting and using consumer information, but what information is collected and how it is protected and used. Americans intuitively understand this — in a 2016 survey by leading Democratic pollster Peter Hart, 94% of Internet users said that all companies collecting their data online should follow the same set of rules.

Maine’s proposal abandons that straightforward principle, and in a particularly unwise way — by exempting the giant search, social media, data brokers, and technology companies that are the most voracious and aggressive collectors and users of data in the marketplace. Trying to protect privacy while exempting the tech giants would be like trying to stop climate change with rules that exempt Big Oil.

Again, Americans already know this. Recent Pew surveys found that 80% of Americans are worried about how their data is handled on social media and only 9% of social media users are “very confident” these companies will adequately protect their privacy.

Supporters of the bill claim internet providers should have heavier regulation because they carry so much data, but that simply makes no sense. While internet providers carry a lot of data, they collect and use far less of it than other data and advertising-driven companies and, due to the widespread use of encryption, cannot even access or understand the great majority of it.

That’s why it’s not surprising that a recent GAO study found that, out of 101 recent internet privacy enforcement cases at the FTC, only 1 involved a broadband company — the rest involved other companies that would not be covered by the legislation on the table in Maine, including those whose business models entirely depend on making money off of your information.

For this reason, any legislation that fails to provide comprehensive and technology neutral privacy protections, will be a missed opportunity for the legislature to meaningfully protect the privacy of Maine’s internet users. In my view, the best thing Maine can do to effectively protect its residents’ privacy is to push its federal representatives to demand action on nationwide privacy legislation.

Jon Leibowitz served at the Federal Trade Commission from 2004-13 and is now a partner at Davis Polk law firm, where he represents both broadband providers and tech companies.

Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.