Privacy Legislation Falls Short of Providing Consumers With Comprehensive Online Privacy Protections

 img
 img

Ever since Congress repealed the Federal Communication Commission’s broadband privacy rules, consumers have expressed outrage over their lack of privacy protections when accessing broadband networks. The FCC’s rules prevented broadband providers from sharing sensitive customer information without permission. Repealing these privacy rules left a significant gap in consumer protection in the internet ecosystem.

In response to the public outcry, members of Congress have introduced legislation to enhance consumers’ online privacy protections. Thus far, Senator Ed Markey, Senator Richard Blumenthal, Representative Jerry McNerney, and Representative Marsha Blackburn have all introduced online privacy legislation. Each bill has strong components that provide various levels of online privacy protections for consumers. However, the three bills all have limitations that must be addressed to provide Americans all the privacy protections they deserve. Fortunately, the bills at least open the door to a discussion on what true comprehensive online privacy legislation should look like and what protections consumers expect when it comes to their online privacy.

Senator Markey’s Privacy Bill

Of the three bills introduced, Senator Markey’s privacy bill is the most straightforward. The bill simply restores the repealed FCC’s privacy rules by embedding them into the United States Code of Laws. The FCC adopted a privacy framework that was recommended by the Federal Trade Commission in its 2012 Privacy Report. The rules required Internet Service Providers to:

  1. provide their customers clear notice of the data they collect and share;
  2. provide opt-in consent from their customers prior to sharing their sensitive information; and
  3. take reasonable measures to secure customer data and provide notice when the data is breached.

These rules provided the strongest privacy protections for consumers on broadband networks to date, and codifying these rules would be ideal.

Senator Markey’s bill is not intended to provide privacy protections when it comes to edge providers. Edge providers include purely online services, apps, and brick and mortar businesses that have an online presence. Like broadband providers, edge providers have the ability to collect and share their subscribers’ sensitive information. However, it is important to note that an edge provider only has access to a subset of a subscriber’s online activity, whereas a broadband provider has access to all of a subscriber’s online data. While there are indeed inherent differences between ISPs and edge providers, this does not mean edge providers should be completely exempt from privacy protection requirements. Comprehensive legislation would start with the strong rules of the Markey bill and add adequate protections for edge providers to the government-wide framework of privacy protections.

Representative Blackburn’s BROWSER Act

Representative Blackburn’s bill, the BROWSER Act, offers consumers privacy protections on both edge and broadband providers. The bill requires both edge providers and broadband providers to get opt-in consent prior to sharing their subscribers’ sensitive information. The bill specifically defines what constitutes sensitive information, which includes the categories the FTC outlined in its 2012 Privacy Report, as well as web browsing history and application usage history.

Requiring opt-in consent of sensitive information for both broadband providers and edge providers is indeed the strongest privacy protections introduced so far. However, the bill places all edge providers in the same opt-in framework without considering the various types of edge services. Edge services come in all sizes, from brick and mortar business that operate online, to small start-ups that have a purely online presence, to enormous platforms such as Facebook, Amazon, and Google. Adopting the same exact framework for all edge services without carefully considering its impact may be problematic. For example, a platform like Facebook that is entirely ad-supported and relies on collecting and sharing subscriber data to operate may need to be treated differently than a website that does not rely on advertisements at all or a cable company that has a monopoly in many communities. These are challenging questions that comprehensive legislation must answer in order to provide sufficient protections for consumers while allowing different business models to function.

Representative Blackburn’s bill is problematic for other reasons as well. First, the bill completely removes the FCC’s jurisdiction over privacy. Congress gave the FCC statutory authority to protect consumer privacy on all communications networks under the Communications Act. The FCC also has authority to adopt privacy rules on voice services over internet protocol. The FCC has authority under the Cable Communications Policy Act to require cable companies to get explicit consent prior to collecting customer information. Congress granted these authorities to the FCC because of the agency’s expertise in overseeing communication networks. Indeed, Representative Blackburn’s bill does not propose to preempt other federal agencies’ privacy jurisdiction, such as Health and Human Services or financial regulatory agencies. These agencies, like the FCC, have specialized experienced and the authority to enact industry-specific privacy rules. Completely stripping the FCC of its authority would remove the only privacy cop on the beat with the experience and knowledge to protect consumers in the telecommunications sector.

Additionally, the bill completely preempts states from enacting their own online privacy legislation. States have always had shared jurisdiction with federal agencies in protecting consumer privacy, and states are often in a better position to respond to fast-changing technologies and to the needs of their communities. In fact, since Congress repealed the FCC’s broadband privacy rules, states are at the forefront in pushing legislation to ensure consumer online privacy remains protected. Comprehensive legislation should be a floor rather than a ceiling that preempts states from protecting consumers in this space. Ultimately, a combined approach that involves both expert federal agencies and state efforts is necessary to protect consumer privacy online.

Senator Blumenthal’s and Representative McNerney’s MY DATA Act

Senator Blumenthal’s bill, the MY DATA Act, which was also introduced in the House by Representative McNerney, places broadband providers and edge providers under the same general framework as well. The bill proposes to give the FTC discretionary rulemaking authority over both edge providers and broadband providers, yet it may be too vague about how the FTC should use this power to ensure adequate consumer protection. For example, the bill fails to provide any guidance on what type of rules the FTC should adopt for either edge providers or broadband providers. The bill also does not define what data constitutes sensitive information, whether the FTC should apply an opt-in or opt-out framework, and what services should fall into these respective regimes. The bill has a broad definition of edge providers, but provides no direction to the FTC on how or if to distinguish between edge services and what privacy protections to adopt for each type of service. The FTC is primarily an enforcement agency with very limited rulemaking authority. Given its limited experience in promulgating rules combined with its lack of expertise in communications networks, it’s difficult to automatically trust the agency to craft a strong set of rules without more guidance from Congress.

Second, the bill may inadvertently appear to weaken the FCC’s role over broadband privacy. Although Congress repealed the FCC’s rules, the agency still has Title II statutory authority to enforce broadband privacy protections and can also adopt a new set of rules in the future. The FTC and FCC have a long history of coordination and collaboration on consumer protection concerns that cross both agencies areas of expertise—from privacy to truth in billing issues to overseeing the National Do Not Call Registry. FCC Commissioner Mignon Clyburn and FTC Commissioner Terrell McSweeny have noted the strength of this approach. Congress has created shared responsibilities in the past by entrusting multiple agencies with sector specific privacy regimes. By giving the FTC discretionary rulemaking authority over broadband providers without clear direction to set coordination between the two agencies, the bill runs the risk of allowing those who want to promote a turf war over privacy to gain traction. Both the FTC and FCC can be essential to maintaining robust internet protections if they work together as they have in previous areas of consumer protection.

Consumers Want Comprehensive Online Privacy Protections

As members of Congress continue to develop online privacy legislation, they should understand consumers want comprehensive online privacy protections. According to a recent Harvard-Harris poll, nine in 10 Americans think they have less privacy today than they did 10 years ago, and 90 percent agree that companies have more access to their personal information than they are comfortable with. Consumers expect and deserve a basic standard of privacy regardless of the types of services they use. Adopting this standard will require a careful and nuanced approach in its application to different online services. Further, ensuring consumers receive comprehensive online privacy protections will require a collaborative approach from expert federal agencies, states, and other key stakeholders. Congress should adhere to these principles when considering how to provide online privacy protections to all Americans. We applaud members of Congress for starting to address this critical issue and urge them to keep working to devise comprehensive consumer protections. 


Eraser image credit: Flickr user opensourceway

The Latest