Post

FCC Privacy Rules Must Protect Where We Go and What We Do Online

October 11, 2016 , , ,

Last week, the Federal Communications Commission released a fact sheet summarizing proposed final rules that would significantly upgrade consumer broadband privacy protections. The final proposal varies from the framework set forth in the original proposal in one important respect. The FCC initially proposed requiring Internet Service Providers to obtain opt-out consent for first party use of customer information and opt-in consent for third party use of customer information. Instead, responding to industry lobbying, the FCC will adopt the framework originally developed by the Federal Trade Commission that requires opt-in consent for “sensitive” information, but requires subscribers to affirmatively opt out from the ISP using information designated “non-sensitive.”

Opponents of the FCC broadband privacy proposal have consistently referenced the FTC’s 2012 privacy report, “Protecting Consumer Privacy in an Era of Rapid Change,” to support its claims that the FTC’s approach to privacy, which bases consent on whether information is sensitive or not, should be adopted by the FCC. One leader of a coalition opposing the FCC’s proposed ruled is former FTC Chairman Jon Leibowitz, who notably was the Chairman when the report was released. In 2012, because the FCC had not yet reclassified broadband as a Title II service, no specific statute regulated broadband privacy. As a result, the FTC report recommends treating search engines such as Google, social media platforms such as Facebook, and broadband providers such as Comcast exactly the same (since they were all governed by the same statute, 15 U.S.C. §45). The report also includes a recommendation to treat tracking people online as non-sensitive.

Now that broadband privacy is covered by 47 U.S.C. §222 rather than 15 U.S.C. §45, it is the FCC’s job to determine what the statutory requirements of Section 222 are with respect to ISPs. This is supported by the 2012 FTC report, which clearly states that the FTC framework is not meant to replace existing privacy statutes, like Section 222. Broadband lobbyists trying to cherry pick from the FTC report would, of course, prefer to focus on what the FTC said about broadband in 2012, before reclassification. Indeed, broadband lobbyists would prefer that reclassification had not happened at all. But we no longer live in the world of 2012. Broadband is a telecommunications service, subject to Section 222 of the Communications Act, and broadband companies have evolved their practices. To genuinely remain faithful to the FTC’s framework, the FCC should use it as a baseline to inform its own statutory responsibilities, just as HHS does for HIPAA and financial regulators do for banks. That includes the most sensitive personal information: where we go and what we do online.

As discussed at length in our February 2016 report, “Protecting Privacy, Promoting Competition,” the FTC shares consumer protection jurisdiction – including privacy jurisdiction – with a number of other specialized agencies. The FTC’s report explicitly recognizes that where Congress assigns explicit authority to another agency, the FTC’s framework needs to be customized and adapted by the relevant agency. In fact, the FTC states that its “framework is meant to encourage best practices and is not intended to conflict with requirements of existing laws and regulations.”

Critically, the FTC never recommends that its sister agencies reduce privacy protections. To the contrary, the FTC explicitly and repeatedly refers to its recommendations as a “baseline.” While the FTC report does encourage entities covered by existing statutes to adopt the FTC’s baseline framework in areas where the framework exceeds existing statutory requirements, the report actually describes a privacy regime where existing statutes (e.g. 47 U.S.C. §222, HIPAA, FERPA) are enhanced by the framework where applicable.

Despite the FCC’s efforts to model their approach after the FTC, industry lobbyists remain unhappy that the FCC’s latest proposal still requires express opt-in permission for tracking subscribers online. Broadband providers and other opponents still want “browser history,” where you go online, and “application history,” what you or your devices actually do online, designated non-sensitive. If opponents of the privacy proposal are going to continue to argue that where we go and what we do online is not sensitive, it is clear that they can no longer hide behind the FTC report for support.

Image credit: Flickr user perspec_photo88