The inconsistent burdens of the state regulatory patchworks affecting ISPs  

As the debate over federal- versus state-driven artificial intelligence (AI) regulation intensifies, many observers emphasize the risks of an emerging state AI patchwork filling the void left by the absence of a federal standard. Critics point to the more than 1,000 AI-related bills introduced in recent state legislative sessions as evidence of a fractured and sometimes conflicting regulatory landscape. Quietly, however, two state-level patchworks have already emerged in the regulation of internet service providers (ISPs), particularly in the areas of net neutrality and data privacy.

Following the FCC’s December 2017 decision to reclassify broadband internet access as an information service (upending federal net neutrality rules), several states passed their own net neutrality laws. While these laws largely prohibit blocking, throttling, and paid prioritization for residential internet users, the mechanisms they use differ significantly. For example, Colorado’s net neutrality law conditions broadband subsidy eligibility on compliance, while Oregon and Vermont require state agencies to contract only with ISPs that maintain net neutrality standards.

California and Washington, however, have laws that go much further. Each state’s law imposes net neutrality obligations on an ISP’s network, making it difficult for ISPs to partition net neutrality compliance by state. The result is a de facto nationwide floor set by the states with the most comprehensive net neutrality laws (currently California and Washington), even though legislators in those states are not accountable to voters elsewhere in the country.

State data privacy laws, by contrast, operate differently. Whereas current state net neutrality laws yield convergence and high spillover across states, the data privacy patchwork yields fragmentation. Some states, such as Maine, have ISP-specific data privacy laws to prevent these firms from using, selling, or disclosing consumer data without “express, affirmative consent” (otherwise known as opt-in consent). Virginia, by contrast, has an opt-out data privacy regime, which covers a far wider scope of digital firms beyond ISPs.

Currently, about 20 states have passed comprehensive data privacy laws, with many following Virginia’s broad opt-out model. Maryland, however, recently enacted comprehensive data privacy legislation that adopts a considerably more stringent data minimization framework, with Maine, Massachusetts, and Vermont following suit with similar proposed legislation.

The fragmented privacy patchwork is further exacerbated by the emergence of tangentially related data privacy laws that can have downstream effects on ISPs. Although Washington’s My Health My Data Act may appear to be just a health data privacy statute, the law could also apply to ISPs if they  collect or process consumer data from which health-related inferences can be drawn.

Though the two patchworks do not directly conflict, they pull in opposite structural directions. While the net neutrality laws push ISPs toward a converging nationwide standard, the differing state data privacy regimes yield segmentation. An ISP must adhere to the strictest network rule broadly, while also siloing its data privacy practices state-by-state. As a result, ISPs cannot rely on a single operating posture in compliance with both regulatory regimes.

Considering how ISPs work, this state-level regulatory incoherence is unsurprising. ISPs are forced to comply with both regimes because they operate within the internet’s end-user infrastructure that the network conduct rules govern and see the data moving through that infrastructure (falling under the data privacy rules).

Ultimately, the cumulative weight of the patchworks moving at cross-purposes is borne solely by the ISPs. Yet, with compounded compliance costs, the downstream effects tend to yield higher costs for the consumers the regulatory frameworks were meant to protect. The result is a large-scale burden that no one designed, and no one owns. With state legislatures focused primarily on their own regulatory priorities, ISPs are left to manage the divergent compliance pressures.