Proposed BROWSER Act Would Require ISPs and Edge Service Providers to Give Users Opt-in and Opt-out Rights for the Use and Disclosure of User Information

Blog WilmerHale Privacy and Cybersecurity Law Blog

On May 18, 2017, Marsha Blackburn (R-TN), Chairman of the House Committee on Energy and Commerce’s Subcommittee on Communications and Technology, introduced H.R. 2520, the Balancing the Rights of Web Surfers Equality and Responsibility Act of 2017 (“BROWSER Act” or “Act”).

The BROWSER Act would apply to both ISPs and edge providers,[1] such as search engines and social network sites, and would restore many of the provisions of the FCC’s since-repealed privacy rule for broadband Internet Service Providers, including imposing opt-in consent requirements for the use and disclosure of web browsing history.

Under the Act’s provisions, broadband ISPs and edge providers would be required to obtain express, opt-in consent from users prior to permitting use, disclosure, or access to a user’s “sensitive information.” The Act defines “sensitive information” to include financial, health and children’s information, Social Security numbers, precise geo-location information, web browsing history, and program usage history (including the usage of mobile applications). This definition is notably broader than the FTC’s current guidance on sensitive data. For non-sensitive user information, the Act imposes an opt-out consent regime.[2]

Further, the Act would prohibit covered providers from conditioning the provision of services on the users’ consent. In addition, the Act would require clear and conspicuous notice to users of the provider’s privacy policies, and would mandate that providers give advance notice to users of material changes to their privacy policies.

The Act would give the Federal Trade Commission enforcement authority pursuant to its unfair or deceptive acts or practices authority found in Section 5 of the FTC Act.[3] It would also preempt state and local laws and FCC rules or regulations aimed at privacy for the covered providers. Chairman Blackburn’s reasoning, according to a statement she gave Recode, is to realign the system “to a posture where we have one regulator, one set of rules [and] everybody knows who’s in charge.”

Whether there will be any movement on the bill is yet to be seen. The bill, which is co-sponsored by Representatives Brian Fitzpatrick (R-PA) and Bill Flores (R-TX), has been referred to the House Energy and Commerce Committee. No hearings on the proposed bill have been scheduled to date.

[1] The term “edge service” is defined by the Act to mean

(A) … a service provided over the internet—

(i) for which the provider requires the user to subscribe or establish an account in order to use the service;

(ii) that the user purchases from the provider of the service without a subscription or account;

(iii) by which a program searches for and identifies items in a database that correspond to keywords or characters specified by the user, used especially for finding particular sites on the World Wide Web; or

(iv) by which the user divulges sensitive user information; and

(B) includes a service described in subparagraph (A) that is provided through a software program, including a mobile application. H.R. 2520, Section 6(4).

[2] There are a handful of exceptions to the consent requirement including when the access, use, or disclosure is necessary to provide the services, for billing, and in emergency situations.

[3] See 15 U.S.C. § 45(a)(2).