The United States Federal Communications Commission last week adopted privacy rules for both wired and wireless broadband ISPs aimed at giving consumers greater control over their data, more privacy, and stronger security safeguards for that data.
The rules implement Section 222 of the Communications Act. They establish a framework of customer consent required for ISPs to use and share their customers’ personal information, calibrated to the sensitivity of the information.
The new rules are consistent with the Federal Trade Commission’s privacy framework and the administration’s Consumer Privacy Bill of Rights, the FCC said.
The rules establish three approaches to information use and sharing:
- Sharing sensitive information requires customer opt-in. Sensitive information includes precise geolocation data, financial information, health records, children’s information, Social Security numbers, Web browsing and app usage history, and the content of communications.
- ISPs can share non-sensitive information on an opt-out basis, consistent with consumer expectations. Non-sensitive information includes email addresses and service tier information.
- Exceptions to consent requirements are granted for certain purposes, including the provision of broadband service or billing and collection.
The FCC “did the right thing in distinguishing between sensitive and non-sensitive information,” said John Simpson, Consumer Watchdog’s privacy project director.
“Could it have been stronger? Sure,” he told the E-Commerce Times. “Would I like them to extend the authority over Google and Facebook? I believe they have the authority and they don’t, but I’m not going to belittle a major step that’s going to be a major improvement.”
The rules provide clear guidance for ISPs and consumers about the transparency, choice and security requirements for customers’ personal information.
Among the things they don’t regulate:
- Privacy practices of websites or apps, like Twitter or Facebook, which come under the aegis of the U.S. Federal Trade Commission;
- Other services of broadband providers, such as the operation of social media websites; or
- Address issues such as government surveillance, encryption or law enforcement.
The new rules require that ISPs that use or share de-identified data outside the new consent framework meet a three-part test, given that it has become easier to re-identify customer information.
The rules prohibit take-it-or-leave-it offers. Further, they increase disclosure for plans providing incentives in exchange for customers’ express consent to the use and sharing of their personal information.
Various industry bodies were quick to criticize the FCC’s rulemaking.
The FCC “is casting too wide of a net by classifying Web browsing information, app history and other such data as sensitive,” argued Mark MacCormack, vice president of public policy at The Software & Information Industry Association. The opt-in requirement “is likely to create substantial confusion for consumers.”
Web browsing and app history “have never been considered sensitive by the FTC or any other regulatory body,” Mark MacCarthy, SIIA senior vice president for public policy, told the E-Commerce Times.
The FCC’s definition of “sensitive information” is “absurdly large,” said Information Technology and Innovation Foundation Telecom Policy Analyst Doug Brake in an interview prior to the FCC’s adoption of the new rules.
It effectively would require ISPs “to obtain opt-in consent for any uses of consumer data — a scenario that will chill investment and diminish competition by establishing disparate privacy rules for separate segments of industry,” he told the E-Commerce Times.
The FTC’s Role
The FCC didn’t harmonize its rules with those of the FCC, noted Telecommunications Industry Association CEO Scott Belcher and ITIF’s Brake in separate statements.
The FTC “does not have rules; what it has are guidelines,” Consumer Watchdog’s Simpson pointed out. “The only authority the FTC has is the unfair and deceptive practice authority under Section 5 of the FTC Act.”
The FTC is limited to making recommendations on privacy, and its policy “is to suggest opt-in as a higher level of protection,” he noted, “so it’s disingenuous on one level for all these companies to say the FTC has rules in effect.”
Further, the FTC “persuaded the FCC that this notion of sensitive data deserves a higher level of protection,” Simpson said.
Six major e-commerce business associations, including the Direct Marketing Association and the Association of National Advertisers, lobbied heavily against the FCC’s adoption of the new rules, contending that the commercial and functional health of the Internet is dependent on the collection and use of consumer-related data, especially for marketing purposes.
In a joint letter sent earlier last month to the commission, the groups focused on subjecting Web browsing and app history to opt-in regulations. The opt-out mechanism already in use was sufficient, they argued.
With the opt-out feature, e-commerce entities could send email to consumers without prior consent, but the messages would contain a response mechanism — such as a check box — allowing consumers to request that such messages be terminated.
“Web browsing and application use data is not sensitive data, and requiring opt-in consent for such data would stifle e-commerce and bombard consumers with unnecessary notices,” the trade groups told the FCC.
“Repeatedly, courts considering such practices have found that the advertising use of Web browsing histories tied to device information does not harm or injure consumers. These cases support the view that Web browsing data, and analogous data collected on application usage, are not sensitive for consumers,” they said.
That view is not held universally, however.
Web browsing and app use history, and the content of communications “are critical pieces of information that are tremendously revealing about you,” observed Consumer Watchdog’s Simpson following adoption of the new rules. “We completely applaud the FCC for [protecting] it.”
More Wrangling to Come
Given the strength of opposition, there likely will be legal challenges to the new rules.
Despite the FCC’s move to align its approach more closely with that of the Federal Trade Commission, court cases related to the role of each agency are still in process.
“Determining which agency should regulate in this space, and to what extent, is largely affected by outstanding jurisdictional questions,” Meaghan Pedati, associate attorney at McGuireWoods, told the E-Commerce Times prior to the adoption of the rules.
The FCC’s approach “is more in line with other privacy frameworks, but depending on the definition of ‘sensitive,’ it may still result in restrictions on ISPs that do not apply to other edge providers, such as website publishers, search engines and data aggregators,” said Christin McMeley, chair of the privacy and security practice at Davis Wright Tremaine.
“This can result in disparate treatment of consumer information and consumer confusion,” she told the E-Commerce Times in an interview last month. “ISPs will be able to comply, either way. How burdensome compliance will be will depend on the final rules. We’re just not sure yet.”