"This bill prohibits a provider of broadband Internet access service from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access. The bill provides other exceptions under which a provider may use, disclose, sell or permit access to customer personal information. The bill prohibits a provider from refusing to serve a customer, charging a customer a penalty or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access. The bill requires providers to take reasonable measures to protect customer personal information from unauthorized use, disclosure, sale or access. The provisions of the bill apply to providers operating within the State when providing broadband Internet access service to customers that are billed for service received in the State and are physically located in the State."
Nobody cares, what provider does. What matters is whether or not you sign a damn consent form.
Suppose, that there is a popular mobile App, written by Zhang Li Ltd. The App allows you to buy travel tickets, receive discounts in local stores and upload contents of your address book to it's servers. After a while you notice, that everyone uses it. Your local store no longer sells large amounts of grocery unless you make a reservation from The App. All train tickets must be booked by using The App. A bunch of local utilities stopped accepting payments unless you send them via The App. The thing is just so convenient!
One day you notice, that The App requires you to sign some "consent form" in order to use it's advanced features. A month later it threatens to delete your account if you don't "consent" (of course, it won't say so directly — "our ML algo detected, that you are Russian hacker! plz confirm your identity! account secuuuurity!" — that's how it will roll). The App is absolutely not connected to your ISP — it's authors just want to buy the data, that's all!
Reminds you of anything?
You can go on a web browser even a phone browser and do almost all the activities you can do in an app, and not deal with the T&C of the app once declined. Of course, no one does because they can't be inconvenienced. Again, you might believe that you can't check your Facebook/tender/whatsapp/Snapchat/etc, but that's generally untrue for most of them..
In most places due to govt regulation, you only have one or two ISP's serving a geographic area. So the T&C in this case have an actual impact, not some mythical and perceived injustice by "big tech".
Those app providers have the right to suck every last detail from their meatspace, down to what color socks they like on Tuesday and sell it to Hanes.
It's entirely feasible to have two classes of customers, right? One that agreed to the provision, and one that didn't. One that gets a 500GB data cap, and one that gets 150GB, say.
Just because you serve a customer doesn't mean you must serve them equally. Afterall, technically, they are serving the customer, right?
> (2) Charge a customer a penalty or offer a customer a discount based on the customer's decision to provide or not provide consent under paragraph A.
It's against the spirit of the law of course, but maybe not the letter.
WTF is "consent" doing here? Why would ISP ever need to sell someone's data in order to operate? Do they also plan to explicitly prohibit ISPs from torturing customers and selling their organs? From selling illegal drugs to minors? Dear state of Maine, I too would like to waive all my legal liabilities by making my victims sign a bunch of paperwork!
Won't the law only help then?
Now it is going to become legal in Maine — as long as you are an ISP.
There's probably a "as necessary to provide the service" exception more than large enough to encompass internal logging.
People who use apps that sell their data should be bombarded with requests to use that data each and every single time, until they either decide the app isn't worth it or the app decides they should try a different business model.
And ad targeting should be included in that. Add a new notifications button to FB - companies that have requested advertising access to me. If I decline or don't answer, I never see their ads.
I think you're incorrect. I think most users recognize that they usually don't have a choice: they don't have money to provide for services that they need, so they are _forced_ to use services that are cheaper or free. And I think most users feel helpless to do anything about it because most politicians actively ignore them (because they're poor) or work against them (because not-poor businesses pay politicians), and also because most businesses providing free service do not provide any useful mechanism for human interaction. Ever have trouble with a free service? Your only recourse is to go on social media and complain and hope to catch enough public attention such that someone who works at the company will reply. And even then you're not guaranteed a resolution to your issue.
The problem isn't just that poor people are money poor. It's that they're also time poor. They're too busy making ends meet to care about this stuff. That Google collects so much of their data would probably not even be on their list of things to care about.
While I certainly think it's possible, it doesn't echo with my personal anecdotes of friends and family. They all fit in with "I don't want to be tracked but I'm helpless to stop it!" crowd. All of my family, most of my friends.
They can't really consent, because no-one truly understands what it is that they are agreeing to. It is simply not possible to have informed consent about the use, re-sale, re-combination, re-identification, long-term storage, profiling, credit/employment/health/housing impacts, etc. It's not possible to consent because you can't tell what you are giving away about other people who you aren't aware that you're impacting, and don't have their permission to do so. There just isn't any way for someone to say 'I understand and consent' and have it be meaningful.
That is a supposition of yours. I'm pretty confident that I understand what i'm agreeing to. And I agree to it.
Most people don't understand the value that comes from user data, and the potentially damaging effects it might have on their life (Facebook can detect that you are homosexual through your Facebook usage, and if you live in a country where they kill homosexuals you are going to be in serious trouble). Almost no users understand the impact of the third-party doctrine.
There are all sorts of other issues. If you talk to someone suspected of being a terrorist, then you are labeled as a suspected terrorist. Since this bill is about browsing data, if you read articles If you read articles that are seen as being objectionable (imagine reading articles about communism during McCarthyism) then you might be labeled as such even if you were reading them for purposes other than indoctrination. There is a reason that a court order is required to get the borrowing records of a particular library user and libraries cannot sell that information.
Ok, let's explore that. Can you describe, completely, what it is that you are agreeing to? And just so we are speaking at the same level "I agree that you can do anything you want" isn't a meaningful consent.
If you had to consent for the use of an incredibly popular app, is it really understanding? Or is it capitulation disguised?
I'm not going to categorically say that that's false, but I find that somewhat hard to believe, except under very contrived circumstances that could hardly be called 'willing' (e.g. "we'll kill your family if you don't"). Do you have a citation for that?
I'm far from convinced that this is true. Most users don't actually know the extent to which their data is being collected. I suspect that a large percentage of people, if they were informed (and believed it), would object mightily.
I'm not too sure how one user consenting to the data sharing guidelines should affect your experience. Elaborate?
Would you care to present evidence?
What's really great is that it can really help small businesses and startups over large corporations. Brands like Coca Cola can afford to canvas the world with their logo, but a business with a handful of employees must use their marketing budget very carefully. User data and profiling makes it realistic to find those people naturally through their internet habits.
Even if this is being used by politicians, I don't see the harm. If you think people can't think for themselves in the face of political advertising campaigns, then I don't see why you'd also believe that those same people can be trusted with the responsibility of the vote.
I can understand the need for treating data carefully and making sure the data is sufficiently scrubbed for personal identification, but this issue is something different.
If we had a reasonable micropayments system so I could spend a few cents per article I read online from non-subscription sites, I'd be thrilled. I do not want to see ads, ever. I do not want companies collecting or selling my activity patterns. If I've signed up for something, I don't want my personal details sold to someone else in order to fund the service. I will gladly pay my proportion of what's necessary to keep the service running in order to avoid the "you're not the customer, you're the product" mentality.
I totally understand that probably most people don't think the way I do. They are happy to exchange their privacy for free stuff, and in some cases wouldn't be able to afford to pay if this wasn't an option. But it's just sad that's the case.
5 bucks a month??!?! You were making 5 bucks a month off JUST ME WITH ADS?!!!!
But it's not that at all. It's simply that credit cards are so heinously inefficient and unreliable and costly to manage that they need to charge that amount of money to not lose money on average. Dealing with fraud and charge backs and the cut the banks take and the cost per transaction. It's just how terrible of a payment system credit cards really are.
If we were getting charged the actual price of the product, most people would happily pay! Load your browser up with 20 bucks and you'll have unobstructed internet for months.
I think this goal is pretty much what Brave is going for, they get a lot of criticism for their implementation here. Of course I'm not shocked, this is a hard problem, and the demand for the solution is irrationally low.
Therefore, to offset this, subscription fees needs to be much higher than the average ad revenue per user.
You'd create two internets: a bourgeoisie sphere of corporate sites with enough influence to be included in the micropayment system, and the unwashed masses, the sites deemed unworthy of monetization, forced to survive on crippled ad market. The handful of large corporate microtransaction payment processors would get to pick and choose who gets to be on the "good internet" without any oversight.
The problems so far with micropayments infra is that publications don't believe their readers will prefer payment over ads. Which is unfortunately largely true, so anyone starting a micropayments company will have a lot of trouble developing the network effects (both on payer and payee side) to be successful.
I don't know the solution to this, but I'd hope it's not legislation. Well -- a possible solution might be legislation that makes it economically infeasible to run sites on ad revenue and selling data. If we make it onerous or impossible to allow sites to collect and sell data, and make it harder for ad networks to target people, sites will have little choice but to implement subscription schemes, or, hopefully, adopt a micropayments-type structure.
Since both are complementary and independent revenue streams, why do you assume that you paying cash for something does not mean you will be monetized in other ways as well?
Tiered to nominal standards of use.
Centrally collected over a large set of services.
With an open and public process of service determination and interest advocacy.
With a disinterested-party dispute resolution process.
Predicated on ability to pay.
> I really don't understand the extreme hostility to data collection and data markets.
I can easily explain my extreme hostility to this: that it happens without my consent and that companies put so much work into actively evading the defenses I put up against it.
> No one likes ads
This isn't about ads. This is about data collection. If ads existed without the spying, I wouldn't have an issue.
> What's really great is that it can really help small businesses and startups over large corporations.
No, that's not really great. I'm all for helping small businesses, but not by allowing them to abuse me.
> I can understand the need for treating data carefully and making sure the data is sufficiently scrubbed for personal identification
That's important too, but it doesn't address the issue of consent.
If data is being collected about me or my use of my machines without my informed consent, that's spying, period. I will treat anybody doing that as the attackers that they are.
I'm sympathetic to the fact that "don't use services that track you" is easier said than done, but all the same, you do have that option.
No, really, you cannot.
FB maintains shadow profles, even for nonusers.
Google tracks virtually all Web traffic. And most email.
Amazon backs or provisions a tremendous amount on online sevices.
Comcast, TimeWarner, AT&T, and Verizon have absolute local, and effective national, monopolies on point-of-presence service across the US. Indigenous telco monopolies operate similarly elsewhere.
Cloudfront, Limelight, Akamai. and other CDN, DNS, and interconnectivity providers see requests and traffic aggregated across huge opulations.
Visa and Mastercard see a huge fraction of financial activity.
And this doesn't even start to touch the vast B2B data services markets in advertising, marketing, finance, credit, risk, tol collection, healthcare (denial) systems, licence plate scanner, retail backends, payments processing, debt collection, and more.
There really is no effective possibility of opting out. Even with denying yourself an effective role in modern society.
data about you is private. The same as your business behind the bathroom door is private. Revealing it creates the "same" harm.
This sounds like snark, but I don't intend it that way. I genuinely want to know.
Who are the good actors? I really can't see any.
I think though that appropriate regulation is going to seriously hamper if not utterly destroy the business models of some really big players.
I want to pay for the ones I use!
It is increasingly becoming clear that free stuff is horrible.
It's not a problem with ads. It's a problem with tracking and data collection.
I do not want any company can follow my habits and have a list of my preferences, at least without my consent.
I like general ads (with moderation), not customized based on my past purchases, where I can find out something new and interesting. Like it is on magazines.
There are plenty of opportunities for abuse here in the US, and we're all reminded of them constantly. The proliferation of ad-blockers and anti-tracking software shows that 'extreme hostility' is widespread. I have yet to see any substantial animus in the EU over the reasonable measures they've taken. Hopefully action on a state-by-state basis in the US will encourage the industry to demand explicit legal restrictions.
I couldn't quite work out of this campaign was done out of legitimate concern or was a cynical attempt to derail it? I mean, I agree with them that privacy legislation should apply broadly, but then I'm happy to at least start somewhere.
I would bet on "cynical attempt to derail it", since it conflates two things that are not remotely comparable: providing internet service itself and providing a service that uses the internet.
"The 'opt-in' nature...would set it apart from other
state internet privacy laws...
the proposed Maine law also would prohibit any [ISP] from
making the sale of customer data part of its mandatory
[TOS]. It also could not charge higher fees to customers
who refuse to opt in"
My naive understanding of the market is that the market doesn't work this way -- you charge what the market will bear. How much a product costs to make has nothing to do with how much you should charge for it; you charge what people will pay you.
So if the market is already buying a product at a given price point, and you find a way to save some money or make some extra money on the side, you shouldn't lower your prices in response unless a competitor forces you to -- and the ISP market has notoriously low competition. You happily take the extra margin and move on with your life.
In the same way, if a margin on a product goes down, but the market still refuses to pay more for it, you shouldn't necessarily expect prices to rise. Sometimes products just have different percentage margins.
In other words, if a company like Apple has good data that people are perfectly willing to buy iPhones at $1200, and they figure out a manufacturing trick that allows them to save $100 on each iPhone they build, they're not just going to drop the price to $1100. Similarly, if Apple has good data that people are only willing to buy iPhones at $1200 (and presumably they do, or else they would charge more), then a buyback or warranty program that loses them $100 per iPhone isn't necessarily going to mean a price increase.
Of course, economic majors are welcome to correct me if I'm oversimplifying this.
I certainly don't think they will pass all of the cost onto the customers; that's never how it works. But, since the costs per connection are still the same, and the revenue per connection is now lower, they probably won't be at their optimum anymore. They'll probably find a new optimum by raising their prices, making a bit more revenue per customer and losing some customers. Basic supply/demand curve stuff. Again, those curves are not quite the same in a monopoly market, but iirc it still applies to an extent. If the monopoly really had total control, they would take the customers for everything they have, and it's not quite that bad.
:shrug: maybe the actual effect will be marginal. I'm not an economist either.
One positive is that it changes the criteria of success in the market from "who can provide quality internet at a low price, and mine and sell the most data" to simply "who can provide quality internet at the lowest price".
When new companies enter the internet market (if such a thing still happens?) they will be asking "how can we provide good internet?" instead of "how can we mine more data from our users?"
Since only one ISP is available in my (and many other's) area, there is no pressure to provide quality internet at a low price at all.
(They should. Everybody deserves protection from this, even the people who don't understand the threat it poses. The uninformed, ignorant or naive all deserve protection, since preying on ignorance or naivety is generally considered abhorrent by anybody who's not totally morally defective.)
I was wondering about that point myself. I am thinking that they may not have the authority to create such law, so they still allow ISPs the ability to track but make it as restrictive as possible.
Alternatively maybe they didn't have the votes necessary for a more potent law. Maybe some of the politicians were scared of doing anything too dramatic maybe?
The bill prohibits a provider from refusing to serve a customer, ... if the customer does or does not consent to the use, disclosure, sale or access.
So if they do as you say, they will be in violation of the law.
The law makes that illegal as well
> the proposed Maine law also would prohibit any internet service provider from making the sale of customer data part of its mandatory terms of service. It also could not charge higher fees to customers who refuse to opt in, or penalize them in any way.
It's like bad drivers. If you have more and more people cutting cars exiting a freeway exit, people at the end will never make it off the freeway in a timely manner. Thus, people have to start being bad drivers themselves or else they will never get to their destination on time.
What is particularly tragic is that all it takes to get this rolling is the perception that others are doing something and people will move to follow.
Campaign attack adds, lying about diesel emissions, doctoring footage, falsifying compliance to environmental regulations and on and on.
The perception is becoming that if you obey the rules you are a fool and that is horrifically dangerous position.
Society by and large runs on a trust (but verify) model, I trust that when I walk down the street a random person isn't going to murder me but when that trust is eroded things go bad fast.
Scares the crap out of me and I'm not sure what we could do at this point, more genuine openness from government/authorities, properly funded government watchdogs with independent oversight that kind of thing but they are expensive and easy for either side to rally against "big government"/"the man".
This won't solve everything, but would be a nice start. There will always be scoundrels, but the current market dynamics seems to be pretty good at making manipulative and dishonest behaviour successful. We need to work on corrections that would promote honest businesses instead.
As a secondary avenue, I wish we could somehow have a cultural shift. "Dark patterns" isn't a new phenomenon; its very name has been a commonly-known term for years now. And yet, instead of avoiding them, most successful companies seem to look at them as sources of inspiration. Hell, they're becoming a part of "UX standard practice" these days.
Combined with asking you constantly if you say no and never asking again if you say yes.
I hate that shit and it creates a negative feeling for me towards whatever product is doing it, if I’m aware you are trying to trick me why would I trust you.
It must work (for some set of work) though or they wouldn’t do it.
Tired people, busy people, people who don't understand any of it. I too sometimes just click through consent forms without reading, 'cause ain't nobody has time for this crap, but I'm happy with the knowledge that GDPR makes this mostly safe (and in cases where it doesn't, at some point I'll start sending data access and removal requests just out of spite).
I'm not a legal professional, and my advice shouldn't be taken as rule. Please consult an attorney.
> “On display? I eventually had to go down to the cellar to find them.”
> “That’s the display department.”
> “With a flashlight.”
> “Ah, well, the lights had probably gone.”
> “So had the stairs.”
> “But look, you found the TOS and EULA, didn’t you?”
> “Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.”
Apparently it's opt-in.
She'll sign it. Mainer here who's been following what's been going on (she's our first female governor), she's been very committed to making sure our state is modernized. She quoted Kurt Vonnegut in her inaugural speech.
Yes, there are analysts sifting through your browsing data (if you're lucky, vaguely anonymized). Yes, I heard countless stories of this data being abused and misused. I simply can't imagine it has gotten much better by now.
Since you worked in this area: What specific things do they track, and by what technical mechanism? DNS requests? (Do they capture those that don't go to their servers?) IP addresses? HTTP snooping? Full HTTP (non-TLS) MITM?
I know that HTTPS provided a technical hurdle that our company and data providers worked around after about 6 months.
My guess is that some MITM-type collection? Some data providers gave us IPs and some just gave us some Tokenized ID. I don't know if ISPs provided IPs, but probably not.
Note that we did lots of data linking. Let's say an ISP provided us your age, URL, and Timestamp. We would link that into another data provider that provided past purchases, URL, and Timestamp (shopping toolbar/plugins do this) to get a bigger picture of who you are.
Sorry if I'm reading too much into this, but are you saying this data being collected and sold contains PII?
Most data being sold has some good faith effort to remove PII, but that's never 100% complete, and by utilizing multiple data sources, an industrious person or team could de-anonymize your data. We were mostly doing this type of work for segmentation and persona analysis. Targeting an individual was never a goal, but would not have been terribly difficult.
I'll give you an example. We might receive all urls a person visited. Many contain person information that would not be caught in usual PII filtering process:
Many ISP support centers use commercial software  to display a detailed analysis of website usage whenever a customer calls in for support.
This includes the top websites visited, how much data was transferred for each site (yes, including those of a more salacious nature), the number and type of devices inside a home, nearby Wi-Fi networks, etc. 
This information can then be queried and used used for marketing purposes at the subscriber level (or to individuals within a dwelling).
"To advertise or market the provider's communications-related services to the customer;"
With ISPs that own networks, e.g. Comcast -> NBC, would a service like NBC Sports be considered a communication-related service of Comcast's? If yes, then could they feed that customer data into NBC's advertising infrastructure? If so, could NBC then sell that data?
Do Maine judges tend to honor the spirit or the letter of the law more often?
It is much easier to just assume these third parties will do whatever they want and either not share the data or accept that it will be used in ways you can't control.
Eg, right now (or at least a few years ago) companies could basically do anything with your data. And they did. It's getting worse too, with advanced techniques on identifying individuals across website bounds, etc.
That is what is spawning these sorts of debates, laws, etc. So my question to you is while I agree that we have to assume malice (for ease of discussion), we can't actively allow or encourage malice right? So if we do nothing, do we just accept that they do who knows what with our data?
Ie, I think we mostly agree that what is going on right (with our data) now is bad. So don't we have to do something? What do you see as the right solution?
They already know all the tricks to stop people getting out of their contracts, they're just going to start applying that to this kind of opt-out situation too.
It would be like police setting up cameras and using them to train a machine learning model on drunk driver detection. It's not collecting who is driving, just observing how normal cars subtly drift in and out of a lane and brake vs. intoxicated drifting/braking and using that to train a DUI detection model.
In this day and age when correlating and analyzing data from a wide variety of sources is commonplace, the only effectively "anonymized" data is data that has been discarded.
I don't know if I agree with that.
It is possible, for instance, to collect individual data, tally up certain characteristics in the aggregate, then discard the individual data points and only keep the aggregate statistics.
With certain narrow exceptions, though, no data about me personally should be collected without my explicit permission regardless.
Well, I don't agree with that. I don't see any reason people should have a right to "own" information observed about them.
I make observations all the time about other people. You can't force me to forget what I've observed. Computers make it easier to "remember" and process observations, true, but at the root there is no difference between me observing stuff and writing it down and a computer observing stuff and writing it down.
> at the root there is no difference between me observing stuff and writing it down and a computer observing stuff and writing it down.
If that computer isn't talking with other computers, I agree. I actually don't have much of a problem with individuals making individual observations of public behavior and writing them down or storing them in a computer.
My concern is more about the parameters around sharing that data (mostly because of the existence of databases and data mining). Further, I'm far more concerned about data collected about me on the internet than in the physical public square.
That said, I do and will continue to go out of my way to avoid as much surveillance as possible even in physical public spaces. For instance, any store using those surveillance devices intended to analyze my shopping behavior, moods, etc., in order to target ads at me is a store I won't be stepping into.
Anonymous data: Red car observed on Dawn Road at 23:34 on May 31 2019. DUI predictor - likely sober. Speed - 53 mph.
Can this information be de-anonymized? Sure can!
Police: "The suspect fled 7-11 Around 23:30 and either went on Dawn Road or Lost Haven Road. Let's filter all red car observation events that happened that night between 23:30 and 23:40 on Dawn and Lost Haven. Yup, found him"
So you are saying we have to scrub it further? You end up removing all information until there is nothing left.
"car observed on May 31"
This might make it worth having me park a server in the state and get my internet feed through a VPN to that server.
Jokes aren't explicitly against the guidelines either, but I think the site likes to emphasize high quality content that will not alienate people who don't understand obscure references.
Actually I wonder, have there been any major decisions since Roe v Wade that have affirmed a right to privacy?
This has been going on for a very very long time.
As for the "improving service" angle, e.g. Netflix could ask if it's OK to collect history to improve/personalize recommendations.
And a lot of "improvements" and metrics do not really need detailed data collection per person anyway. Collecting anonymous data in broader groupings is often quite fine. E.g. "Strange Things is really popular our total-views counter says ergo order a new season". There is no need for Netflix to know exactly who specifically watched the show to make such a decision.
> It was fine.
To say that "it was better", because there was more competition.
That's a keen insight, that it might be a "generational thing". I remember things, in general, working better before the Shermann Antitrust Act stopped applying to technology companies.
If they ask for the data for that purpose, then they should only be allowed to use the data for that purpose.
This isn't true of Facebook.
This isn't true of Apple.
This isn't true of Amazon.
This isn't true of Netflix.
Google... likely they would be wounded, but it definitely wouldn't make them go out of businesses.
In my mind, that's perfectly reasonable - what I do within the boundaries of their business is our shared interaction and we both have the opportunity to make decisions based on those interactions. The major exception for Amazon is affiliate links, which, for the business i was in, weren't used as data sources.
Apple is not significantly different. Between Apple and me, who else knows our business and what does Apple know about me outside of my interactions with them (maybe more now with Apple Pay).
For the most part, Netflix is the same. Sure they know what I watch, but why does that matter if they're only using it to improve their own business and make programming choices?
Google and Facebook, on the other hand, blanket the internet with tracking beacons, read my email, keep shadow profiles (I don't have a facebook account, never have had one, but I'm sure they know more about me than I'd like), eavesdrop on conversations (I suppose Amazon is in that business now, too), track locations, steal contact data, trick people training their ML algos, etc. As is said, "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.", FB and Google have far more than that and a single bad actor with access to that data could make life extremely difficult for just about anyone in the world.
This is one _huge_ advantage to cash in the current market, but that doesn't apply to the dozens of other ways companies are tracking people.
Imagine if this law also applied to Google and Facebook, and they couldn't charge more when you opt out of their data collection?
You argument is essentially that it is not right to ban persuasive surveillance on the roads if it is possible for people to use those roads to reach destinations where surveillance is allowed.
In your analogy, perhaps the ISPs are the highways, and tech companies are the neighborhood streets, but they're both roads. Because you're not trying to get to Facebook, you're trying to get to your grandma's photo album, that unfortunately you can only get to through Facebook.
No matter which she chooses, though, to get to it a large number of people only have one choice for high speed internet access to go through.
ISPs are low level infrastructure tied to specific geographical locations. If you don't like the infrastructure where you live then generally you only way to pick something better is to move to another region.
If you don't like your photo hosting site, or you blog hosting site, or you online backup site, or your stock tracking site, etc., an alternative is a URL change away.
That's why different regulatory handling of ISPs and the places you reach through those ISPs makes sense.
Facebook is more like a bar or club or church in the physical world analogy than it is like a street. You go there to interact with other people who go there, but it is a destination, competing with other destinations that those people could meet at instead.
That said, Facebook does offer communication services, and so some regulation of communication services that makes sense would make sense to apply to both them and ISPs.
Pretending platforms are a wholly different thing than infrastructure, and easily switchable seems willfully ignorant of the real world. Moving platforms is almost as difficult as moving real world locations. And popular opinion aside, most people have two or more ISP options. (I have three wired residential ISPs here, two offering gigabit connections, and at least four wireless carriers.)
If you create and pass toothless legislation that can be nullified by agreeing to a private contractual agreement that overrules said legislation, it doesn't serve anything but a facade to mislead those it purports to protect. Intent is of course always questionable and unknowable but if the trend is passing legislation with deceitful naming conventions and summaries that confuse the average citizen, it's shameful.
There are cases where private contracts have been ruled invalid when they step deeply on constitutional rights, but even those are typically the exception, not the rule, and require time, money, and risk to pursue litigation on behalf of the individual which not all are inclined or even capable of pursing.
It has yet to be signed into law, enforced, or litigated.
Given past track records on such matters, there's ample room for pessimism.
(An ineffective bill can be worse than none at all, since it's existence may confuse people who believe they have protection when in reality the legislation is less effective than their perception of it.)