FCC Prepares to Adopt Rules on Broadband Privacy
The Federal Communications Commission (FCC or Commission) will vote on whether to adopt rules for broadband privacy during its next open Commission meeting on October 27, 2016. This comes after heated debate at the FCC and on Capitol Hill, and pertinent developments in the U.S. Court of Appeals for the Ninth Circuit.
On October 6, 2016, FCC Chairman Wheeler announced in a blog post that he had circulated a draft Order to adopt broadband privacy rules taking into account feedback received in response to the Commission’s Notice of Proposed Rulemaking (NPRM). Although the proposed Order would still regulate privacy and security, and still single out Internet service providers (ISPs), the Chairman indicated that the proposed Order differs from earlier proposals in that it will align more closely with the approach long taken by the Federal Trade Commission (FTC).
Details remain uncertain, but the FCC has released a Fact Sheet summarizing the draft Order. According to the Chairman:
- “Under the proposed rules, an ISP would be required to notify consumers about what types of information they are collecting, specify how and for what purposes that information can be used and shared, and identify the types of entities with which the ISP shares the information.”
- “In addition, ISPs would be required to obtain affirmative ‘opt-in’ consent before using or sharing sensitive information. Information that would be considered ‘sensitive’ includes geo-location information, children’s information, health information, financial information, social security numbers, web browsing history, app usage history, and the content of communications such as the text of emails. All other individually identifiable information would be considered non-sensitive, and the use and sharing of that information would be subject to opt-out consent.”
- “The proposed rules also require ISPs to take reasonable measures to protect consumer data from breaches and other vulnerabilities. If a breach does occur, the rules would require ISPs to take appropriate steps to notify consumers that their data have been compromised.”
The draft Order therefore would, among other things, adopt a new definition of “sensitive information” that was not previously considered or discussed in the original NPRM. Industry members and others will not have an opportunity to comment on the revised definition before the Commission’s vote at the end of the month.
The FCC voted, 3-2, to release a Notice of Proposed Rulemaking on April 1, 2016, proposing to extend a heightened form of its Customer Proprietary Network Information (CPNI) rules to broadband providers and adopt new data security rules. The NPRM did not propose to apply these rules to edge providers. Comments were due on May 27 and reply comments on July 6.
Industry comments explained that the proposed unbalanced regulation will harm the speed and availability of broadband service, while edge providers continue to use consumer information without limit. Industry commenters also took issue with proposed data security rules, which would require protections for all consumer information without making the critically important distinction between sensitive and non-sensitive consumer information. Several commenters have therefore urged the Commission to pursue a policy mirroring the FTC model—a case-by-case and technology-neutral approach to privacy enforcement, evaluating the sensitivity of data and personalized nature of customer communications at issue. In a June blog post, CTIA, CTA, Mobile Future, USTelecom, and the Wireless Internet Service Providers Association called on the FCC to correct “Chairman Wheeler’s plan to abandon the FTC’s well-tested and effective approach to online privacy and replace it with heightened and inconsistent rules for broadband providers.”
Federal Trade Commission Concerns
In response to the FCC’s NPRM, the FTC filed comments identifying several concerns with the FCC’s approach. The FTC stated it is “not optimal” that the proposed privacy rules would apply exclusively to broadband providers. The FTC also cautioned that the FCC’s overly broad proposal, including its definition of “personally identifiable information,” could unnecessarily limit the use of non-sensitive data to the detriment of consumers. “While almost any piece of data could be linked to a consumer, it is appropriate to consider whether such a link is practical or likely in light of current technology.” The FTC further questioned features of the FCC’s proposed consumer “opt-in” requirements, recommending the FCC consider instead adopting the FTC’s model, which “calls for the level of choice to be tied to the sensitivity of data and the highly personalized nature of consumers’ communications in determining the best way to protect consumers.”
Criticism from Capitol Hill
The U.S. Senate Commerce Committee has voiced serious concerns as well, both during its July hearing on the broadband privacy NPRM and its FCC Oversight Hearing in September. Noting the FTC’s well-established record for protecting consumer privacy, Chairman Thune and others questioned the wisdom of departing from the FTC’s approach. And during the FCC Oversight hearing, Chairman Thune severely criticized Chairman Wheeler for “pursu[ing] a highly partisan agenda that appears driven by ideological beliefs more than by a sober reading of the law.” He also pointed out that under Chairman Wheeler’s leadership in the last three years, there have been nearly twice as many partisan votes as in the previous 25 years combined.
Decision by the Ninth Circuit U.S. Court of Appeals
Meanwhile, the U.S. Court of Appeals for the Ninth Circuit recently held that the FTC lacks jurisdiction to sue AT&T for allegedly failing to adequately disclose its data throttling policy to customers with unlimited data plans—an act constituting an unfair and deceptive practice according to the FTC. The court reasoned that the FTC’s common carrier exemption is status-based, precluding any FTC action against common carriers, instead of activity-based, which would only preclude action on service-related activities of common carriers. FTC Chairwoman Edith Ramirez indicated during an FTC Oversight Hearing in September that the agency will seek en banc review of the decision.
Should the decision stand, it could have implications for the FCC’s broadband privacy proposal. Representatives from industry, Congress, and federal agencies have called on the FCC to defer to the FTC or, at a minimum, pursue an FTC-based approach to privacy. The role of the FTC in broadband privacy, however, could shrink if the court’s opinion stands.
Industry will continue to watch developments at the FCC in the privacy and security arena.