LOOKING BACK AT THE FCC’S PRIVACY RULES
By: Ronald Waclawski, Volume 101 Staff Member
On October 27, 2016, the Federal Communication Commission (FCC) adopted a rule designed to protect consumer information by requiring telecommunication carriers to protect the confidentiality of customer information. On March 23, 2017, the Senate voted 50-48 to prevent the entirety of the FCC Privacy Rule from going into effect. The resolution also prohibits the FCC from issuing rules that are “substantially the same” in the future. Following the Senate vote, the joint resolution passed the Republican controlled House on March 28, 2017 by a vote of 215-205. On April 3, 2017, President Trump signed the joint resolution into law. Though the rule is now dead, it was poised to have a significant impact on consumer protection in the digital age.
I. THE FCC PRIVACY RULE
The FCC Privacy Rule had three primary objectives: (1) requiring carrier transparency; (2) increasing consumer choice with regards to disclosures of their personal information; and (3) broad data security and breach notification measures. The transparency provisions required internet service providers (ISPs) to disclose what types of information about consumers is being acquired, how that data is used, and to whom the data is available. The consumer choice provision established three tiers of standards regarding the type of consent needed by consumers for ISPs to share information. These tiers are indexed based on the nature of the data: sensitive personal information requires opt-in approval by customers before sharing, while non-sensitive personal information requires an opt-out option for customers. Both the transparency and consumer choice provisions had effective dates pursuant to review by the Office of Management and Budget.
The data security provision required ISPs and other telecom carriers to take “reasonable measures to protect customer [personal information] from unauthorized use, disclosure, or access.” This provision also required ISPs to take into account the sensitivity of the data it collects and the scope of the ISP’s activities when determining what security standards apply.
The data security provision was initially slated to become effective on March 2, 2017, but the FCC voted to block enactment of this provision on the eve of its effective date. This shift in policy for the FCC is a ramification of the 2016 presidential election, when shortly after his inauguration President Donald Trump designated Ajit Pai as chairman of the FCC. Pai had been a critic of consumer protection rules under the previous FCC chairman, Tom Wheeler. In a dissenting statement to the FCC Privacy Rules, then-Commissioner Pai argued that he sought harmonization with the Federal Trade Commission’s (FTC) standards governing online privacy, and that the FCC’s final order “leaves us with rules that radically depart from the FTC framework.” Pai’s argument rests on the differential treatment that would result between ISPs, governed by the FCC since 2015, and large internet companies like Google and Amazon, governed by the less stringent standards of the FTC, if the FCC Privacy Rules were to be fully implemented.
II. IS DIFFERENTIAL TREATMENT OF ISPS NECESSARY?
As would be expected, ISPs generally oppose the FCC Privacy Rule as unfairly burdensome on the industry. The consumer choice and transparency rules would likely hinder ISP monetizing consumer data by forcing them to disclose the types of information they have and allowing consumers the option to prevent the ISPs from sharing that information. The advertising and marketing industry, who would be on the receiving end of these ISP data transfers, are similarly opposed. In a petition to the FCC for reconsideration of the Privacy Rule, several major advertising and trade associations argued that the Rule—particularly the consumer choice provision—would “seriously undermine” the revenue and jobs created by the data-driven market economy. Large internet companies under the FTC don’t fall within the scope of the FCC Privacy Rule, which would give them a leg up over ISPs in data monetization. However, the types of data individual websites have—even ubiquitous ones like Google—is distinct from the data ISPs control, including internet browsing history, which could be extremely lucrative information for the ad industry. The Electronic Frontier Foundation has argued that without the FCC rules, ISPs could pre-install software on phones capable of tracking visited URLs and inject undetectable, undeletable tracking cookies in HTTP traffic.
On the other side of the argument are consumer advocacy groups, who generally favor the FCC Privacy Rules. Chris Lewis, vice president of Public Knowledge, a public interest group which promotes open internet, said that the FCC’s stay of enactment of the data security provision “gives ISPs a free ride while online services and other edge providers are still required to take reasonable measures to protect their customers’ information under the FTC’s framework.” The FTC rules against unfair and deceptive acts or practices don’t cover ISPs since their reclassification as common carriers. Working off Pai’s differential treatment argument, repealing the FCC Privacy Rules would effectively take away data transfer oversight of ISPs, putting those companies governed by the FTC at the disadvantage. As such, absent agency oversight and judicial remedies, ISPs would find themselves at the center of a huge gap in privacy laws.
However, others have argued that the scope of ability for ISPs to sell your data absent FCC protection has been overstated. Section 222 of the Communications Act of 1934 requires telecommunications carriers to protect the privacy of customer proprietary network information. Section 222 applies to ISPs since the 2015 Open Internet Order reclassifying broadband internet access as a telecommunications service. Customer proprietary network information is defined within the section to include information arising from the carrier-customer relationship, meaning that ISPs would be precluded from divulging personal information or browsing history under Section 222. Orin Kerr has also argued that ISPs could fall within the scope of the Wiretap Act by collecting certain types of information about customers.
- Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, 81 Fed. Reg. 87,274 (Oct. 27, 2016) (to be codified at 47 C.F.R. pt. 64). ↑
- S.J. Res. 34, 115th Cong. (as passed by House, Mar. 28, 2017). ↑
- Congressional Review Act, 5 U.S.C. § 801(b)(2). ↑
- S.J. Res. 34, 115th Cong. (as passed by House, Mar. 28, 2017). ↑
- Pub. L. No. 115-22. ↑
- Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, 81 Fed. Reg at 87,275–76. ↑
- Id.; see also James K. Willcox, FCC Votes to Block New Internet Privacy Rule, Consumer Rep. (Mar. 1, 2017), http://www.consumerreports.org/privacy/fcc-votes-block-new-internet-privacy-rule. ↑
- Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, 81 Fed. Reg. at 87,275. ↑
- Id. ↑
- Id. ↑
- 47 C.F.R. § 64.2005. ↑
- Id. ↑
- Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, 81 Fed. Reg. at 87,319. ↑
- Willcox, supra note 7. ↑
- See Brian Fung, Trump Taps Net Neutrality Critic to Lead the FCC, Wash. Post (Jan. 23, 2017), https://www.washingtonpost.com/news/the-switch/wp/2017/01/23/meet-donald-trumps-official-new-fcc-chairman-ajit-pai/?utm_term=.6b36fe204bf8; Jon Brodkin, Ajit Pai, Staunch Opponent of Consumer Protection Rules, Is Now FCC Chair, ArsTechnica (Jan. 23, 2017) https://arstechnica.com/tech-policy/2017/01/fcc-to-be-led-by-ajit-pai-staunch-opponent-of-consumer-protection-rules. ↑
- In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (WC Docket No. 16-106), 2016 (Pai, dissenting). ↑
- See In the Matter of Protecting and Promoting the Open Internet, 30 FCC Rcd. 5601 (2016); see also U.S. Telecom Ass’n v. Fed. Commc’ns Comm’n, 825 F. 3d 674 (D.C. Cir. 2016) (holding that the FCC was justified in its decision to reclassify broadband as a telecommunications service). ↑
- See Willcox, supra note 7; see also generally Federal Trade Commission Act, Section 5, 15 U.S.C. § 45 (2016) (describing FTC authority over unfair and deceptive acts and practices); Children’s Online Privacy Protection Rule, 16 C.F.R. pt. 312 (requiring parental consent, among other provisions, for the collection of personal information by persons under the age of thirteen). ↑
- Petition for Reconsideration, In the Matter of Protecting the Privacy of Broadband and Other Telecommunications Services (WC Docket No. 16-106), 2017. ↑
- See Brodkin, supra note 15. ↑
- Jeremy Gillula, Five Creepy Things Your ISP Could Do if Congress Repeals the FCC’s Privacy Protections, Electronic Frontier Found. (Mar. 19, 2017), https://www.eff.org/deeplinks/2017/03/five-creepy-things-your-isp-could-do-if-congress-repeals-fccs-privacy-protections. ↑
- Shiva Stella, Public Knowledge Opposes FCC’s Stay of Data Security Regulation from Privacy Rules, Pub. Knowledge (Mar. 1, 2017), https://www.publicknowledge.org/press-release/public-knowledge-opposes-fccs-stay-of-data-security-regulation-from-privacy-rules. ↑
- See In the Matter of Protecting and Promoting the Open Internet, 30 FCC Rcd. 5601 (2015); see also Fed. Trade Comm’n v. AT&T Mobility LLC, 835 F. 3d 993 (9th Cir. 2016) (holding that the common carrier exemption in the Federal Trade Commission Act barred FTC action against defendant ISP for unfair or deceptive acts or practices). ↑
- 47 U.S.C. § 222 (2016); see also Mike Masnick, Yes, There Are Other Laws That Protect Privacy, but FCC’s Rules Were Still Helpful, Techdirt (Apr. 12, 2017), https://www.techdirt.com/articles/20170412/08255437133/yes-there-are-other-laws-that-protect-privacy-fccs-rules-were-still-helpful.shtml. ↑
- In the Matter of Protecting and Promoting the Open Internet, 30 FCC Rcd. 5601 (2015). ↑
- 47 U.S.C. § 222(h)(1) (2016). ↑
- Orin Kerr, The FCC’s Broadband Privacy Regulations Are Gone. But Don’t Forget About the Wiretap Act, Wash. Post (Apr. 6, 2017), https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/04/06/the-fccs-broadband-privacy-regulations-are-gone-but-dont-forget-about-the-wiretap-act/?utm_term=.58a1df27dcc1(arguing that broadband providers collecting full URLs are collecting the “contents” of communications, which falls within the purview of the Wiretap Act). See Electronic Communications Privacy Act, 18 U.S.C. §§ 2510–18. ↑