The Federal Trade Commission recently published its report on the privacy practices of the six major Internet Service Providers and three advertising affiliates associated with the major ISPs.
The FTC observed that:
- Many of the ISPs… amass large pools of sensitive consumer data.
- Many of the ISPs… gather and use data in ways consumers do not expect and could cause them harm.
- Although many of the ISPs… purport to offer consumers choices, these choices are often illusory.
- Many ISPs can be at least as privacy-intrusive as large advertising platforms.
These observations may sound shocking, but if you have been following ISP privacy for any length of time, this may give you déjà vu. In 2016 the Center for Digital Democracy issued a report about the growing practice of ISPs expanding their data collection practices to engage in targeted advertising. That very same year Public Knowledge filed complaints with both the Federal Communications Commission and the Federal Trade Commission about cable services using data from set-top boxes, as well as data they collected in their capacity as an ISP, to deliver targeted ads to users. While it is good that the FTC engaged in this study and released this report, it ultimately shows how many steps backwards we have taken over the last four years when it comes to broadband privacy. So why is the FTC releasing a report instead of engaging in enforcement action? And why is the FTC working on ISP privacy issues, rather than the FCC? In order to answer those questions, a brief primer on privacy and broadband is needed.
The FCC has subject matter jurisdiction over “communications by wire and radio,” but its power to protect privacy depends on the technology used, and how a service is legally classified.
The FCC has a great deal of regulatory authority over services like telecommunications (telephone service) and cable TV. The law already imposes privacy requirements on them. If you are a telecommunications service provider, you have a duty to protect your customers’ “proprietary information.” In practice this restricts the sharing and use of customer data (i.e. the CPNI rules). Cable operators have their own privacy requirements under the Cable Communications Policy Act of 1984. The FCC issues regulations that apply specific statutory requirements to different services. In 2015, when the FCC decided that broadband was “telecommunications,” it began the process of crafting specific privacy rules for broadband providers (i.e. the Broadband Privacy rules).
Unfortunately, with the change in administration, the ISPs found a sympathetic ear in the Republican-led Congress, which in 2017 blocked the FCC’s privacy rules from taking effect by repealing those rules under the Congressional Review Act. Then, in 2018, the FCC chose to reclassify ISPs as “information services,” rather than “telecommunications.” “Information services” are defined in the Communications Act, but they are not just one of the various services the FCC regulates — rather, they are a catchall category of services the FCC does not have direct statutory authority over. This left the FTC, as a general purpose consumer protection agency, as the last agency standing. This is because the FTC Act itself does not grant jurisdiction over “common carriers” such as telecommunications services. Thus, when the FCC properly regulates broadband as a telecommunications service, the FTC does not have authority over it.
Opponents of Title II classification and the FCC’s ISP privacy rules in 2016 argued that continued FCC authority would ‘deprive’ Americans of FTC privacy protection over ISPs (while simultaneously arguing that ISPs should have the same freedom to exploit that data as digital platforms). Indeed, in 2017, then-FCC Chair Ajit Pai and then-FTC Chair Maureen Ohlhausen boasted that reclassifying broadband as an information service and eliminating FCC oversight of the ISP industry would “restore” FTC privacy protection to ISPs. As the FTC Report clearly shows, the arguments of Public Knowledge and other privacy advocates that this was pro-industry, privacy-invasive nonsense were 100% correct. Rather than enhance consumer privacy protection, the FTC report finds an ISP race to the bottom with data collection, retention, and use practices — with the added insult that U.S. broadband subscribers must pay some of the highest subscription prices in the developed world while also enjoying the worst privacy protections for their internet usage. At the same time, as Public Knowledge repeatedly warned, the FTC appears unable to actually do anything about it.
The harm that comes from a lack of privacy rules is not theoretical. From 2018 to 2019, a flood of reporting chronicled wireless ISPs selling real-time location data that could be accessed by everyone from car salesmen to property managers, from bail bondsmen to bounty hunters. This free flow of location data even allowed stalkers to more easily track their victims. Ultimately, wireless carriers went too far even for the Trump FCC by selling hyper-accurate geolocation data collected for 911 responders. Since the 911 system is part of the telephone system, that data remained protected by the CPNI rules. But without those rules, Americans go from being internet users to marketing data.
That doesn’t mean nothing can be done. But as the FTC report, as well as Chairwoman Lina Khan’s statement, makes clear, the FCC remains the agency best positioned to protect consumer privacy at the physical layer of the broadband network. Even today, the FCC retains authority under the Cable Privacy Act and Section 606 of the Telecommunications Act to investigate at least some of the privacy violations the report describes. Longer term, the FCC must move swiftly to reclassify broadband as a Title II telecommunications service. This will not restore the 2016 ISP privacy rules, as the Congressional Review Act prevents those rules or “substantially similar” rules from being reinstated. But reclassifying broadband as a Title II telecommunications service would restore the FCC’s statutory authority over ISP privacy policies and impose statutory obligations to protect user data. Indeed, the Republican repeal of the 2016 ISP Privacy Rules may turn out to be a blessing in disguise. For all that the ISP Privacy Rules were a major accomplishment at the time, they are weak tea by today’s standards. The FCC is free to adopt the much more consumer-friendly rules Public Knowledge and other advocates urged in 2016 — rules which abandon the sensitive/non-sensitive dichotomy, require an opt-in framework for marketing, and prohibit the sale of personal information.
To be clear, we would also still need to pass comprehensive federal privacy legislation. However, general privacy legislation should not exclude specialized enforcers, and vice versa: the existence of a more specific statute should not preclude an enforcer with more general authority from having a role to play as well. For example, the FTC generally does not have authority over common carriers; however, we would recommend explicitly removing that exemption in a general privacy law, while leaving in place the FCC’s authority to adopt its own rules concerning privacy (each has its own unique statutory standard for acting). Having two cops on the beat, in this case both the FCC and the FTC, would provide greater protection for consumers. The recently proposed privacy bureau at the FTC demonstrates the increasing capacity the FTC would have to investigate and bring cases; but that doesn’t diminish the FCC’s expertise and authority to address the unique privacy concerns that can arise when an ISP violates a person’s privacy. We have been presented with a false choice: either the FCC or the FTC can protect our broadband privacy, but not both. We disagree and encourage Congress to think creatively when it comes to privacy, and not fall for the industry talking point of having to choose just one enforcer.