News & Insights


September 25, 2017

Data, Privacy & Security Practice Report – September 25, 2017

Proposed California Broadband Internet Privacy Act Put On Ice – On September 16, 2017, a proposed California bill modeled after the Federal Communications Commission’s (“FCC”) failed broadband privacy regulations was withdrawn from committee, creating an uncertain future for what would have been the first-of-its-kind state-level set of regulations over broadband internet service providers (“ISPs”).

Introduced by Assemblyman Ed Chau, the proposed California bill (AB-375) was specifically intended to “incorporate into statute certain provisions of the Federal Communications Commission Report and Order ‘Protecting the Privacy of Customers of Broadband and Other Telecommunications Services’ (FCC 16-148).”  In April 2017, the FCC’s regulations—developed during the Obama administration—were revoked by President Trump under the Congressional Review Act before going into effect.  The failed FCC regulations would have, among other things, required ISPs to obtain affirmative “opt-in” consent to use and share sensitive information such as financial and health information, social security numbers, information relating to children, and precise geo-location information.  The regulations also proposed transparency requirements that would have required ISPs to clearly disclose how they collect and use consumer information.

The Trump administration’s revocation of the FCC’s rules was applauded by those who believe the existing regulatory framework is preferable, under which the Federal Trade Commission (“FTC”) has broad authority to regulate consumers’ Internet privacy across all sectors of the cyber ecosystem.  Critics of the failed rules had argued that, because the FCC’s rules would only apply to broadband service providers, they would both undermine the FTC’s existing authority and create a patchwork of inconsistent Internet privacy rules that apply to different types of entities.

In the wake of President Trump’s revocation of the FCC privacy rules, California and other states began proposing legislation aimed at implementing the core components of the failed FCC rules at the state level.  For example, the California bill proposed similar opt-in consent requirements, prohibiting an ISP from disclosing a consumer’s sensitive proprietary information without first obtaining consent.  Additionally, the bill would have prohibited an ISP from refusing or limiting service to a consumer who does not waive his or her privacy rights, and also would have made it unlawful to charge a consumer a penalty for his or her refusal to waive privacy rights (or in the alternative, to offer discounts only to those willing to waive such rights).

As with its federal counterpart, the stalling out of the California bill is a win for the ISPs who opposed it, and another loss for advocacy groups like the Electronic Frontier Foundation, whose Legislative Counsel Ernesto Falcon lamented that “Californians will continue to be denied the legal right to say no to their cable or telephone company using their personal data for enhancing already high profits.” Others like Doug Brake of the Information Technology & Innovation Foundation agree that the California bill was unfitting for the same reasons as the FCC’s rules, and that “it is an even worse idea to splinter off special rules for an individual state’s broadband providers” when broadband activity often crosses state lines.

The California bill is not dead, however; it is only stalled for the rest of 2017, with the ability to be resurrected by the legislature in 2018.

Reporter, Robert D. Griest, Atlanta, GA, +1 404 572 2824,

National Telecommunications And Information Administration Issues Report Regarding “Botnets and Other Automated, Distributed Threats” – On September 18, 2017, the National Telecommunications and Information Administration (“NTIA”), the executive branch agency that is principally responsible for advising the President on telecommunications and information policy issues, issued a report titled “Report on Responses to NTIA’s Request for Comments on Promoting Stakeholder Action Against Botnets and Other Automated Threats.”

The Report was in response to an Executive Order issued on May 11, 2017 titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”  The Executive Order required the Secretary of Commerce and the Secretary of Homeland Security to “jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”

On June 13, 2017, NTIA issued a request for comments (“RFC”) on “Promoting Stakeholder Action Against Botnets and Other Automated Threats” in order to further the aims described in the Executive Order. The RFC requested feedback on approaches for dealing with botnets and other distributed, automated attacks. NTIA expressed a particular interest in mitigating ongoing attacks and securing vulnerable Internet of Things devices that can be used in attacks.

NTIA received 47 comments in response to the RFC. According to the Report, commenters ranged from “large trade associations to individual technical experts associated with a diverse range of industries and sectors, including Internet service providers, security firms, infrastructure providers, software manufacturers, civil society, and academia.”

The Report noted the following themes in the responses:

  • A general concern over securing devices across the Internet of Things and a desire for more tools and better, more widely adopted practices in the Internet of Things marketplace.
  • Emphasis on the importance of certifications and standards making it easier to build, deploy, and acquire more secure technology.
  • The importance of information sharing and collaboration between infrastructure providers, defensive security services that protect against DDoS attacks, and the victims of these attacks.
  • A call for an active government role in disrupting the networks that helped drive many of these distributed automated attacks, such as when law enforcement authorities use their powers to “take down” these networks through legal and other means.

The RFC comments will contribute to the development of the final report required under the Executive Order to be provided by the White House by May 11, 2018. A draft of the report is scheduled to be released for public comment on January 5, 2018, with a follow-up workshop to be conducted thereafter to discuss the plan of action prior to the drafting and submission of the final report.

The Report can be found here and the Executive Order can be found here.

Reporter, Stephen Abreu, San Francisco, CA, +1 415 318 1219,

News Of Apple’s Software Update Causes Debate In Ad Tech Community – On September 14, 2017, six major advertising groups addressed Apple with an open letter, asking the company to re-think its plans to introduce smart cookie-blocking technology in its upcoming software update for Safari in iOS 11. In their letter, the advertisers, including Interactive Advertisers Bureau, American Advertising Federation, the Association of National Advertisers and three others, argue that the technology called “Intelligent Tracking Prevention” (“ITP”) will replace user preferences with formal blocking standards developed by Apple and is not in the best interests of consumers. In the copy of the letter published by Adweek, the groups say “Apple’s unilateral and heavy-handed approach is bad for consumer choice and bad for the ad-supported online content and services consumers love.”  In response, Apple has countered that ITP will help preserve user privacy and improve consumer trust in Internet services.

According to the company, the new software will put a time limit on the first-party cookie, meaning that the information collected by the domain visited by a user on Safari will be available for ad retargeting only within the first 24 hours. After 24 hours the cookies will be blocked from use in third-party ads. Login cookies will remain valid for 30 days after logging into a website.

Some tech bloggers salute Apple’s efforts to block the use of big data without users’ permission in order to better meet consumer expectations. Some claim that the changes will have a substantial impact on the ad tech industry. Others comment that the new approach will benefit major players and have a negative impact on mid-size companies.

Reporter, Xenia A. Melkova, Moscow, Russia, +7 495 228 8519,

Also in the News

10th Annual King & Spalding Pharmaceutical University – King & Spalding will hold its tenth annual Pharma U event in Philadelphia on November 9, 2017. Join us for a full day of presentations on subjects critical to drug and biologics manufacturers, their in-house counsel, managers, and executives. The three-track symposium will address regulatory, enforcement, intellectual property, commercial, corporate, litigation, international trade, and political issues. Participants are eligible for up to seven hours of CLE credit. Additional information about the event and registration is forthcoming. Please register here. A detailed agenda will be made available shortly.