When Privacy Meets Politics, Privacy Has a Price Tag: The FCC Broadband Regulation Rollback

Tuesday, April 18th, 2017 at 3:56 am, by Elizabeth Brasher

A Primer on ISPs: Our Gateway to the Internet

Internet service providers (“ISPs”) are our gateway to the Internet. In this capacity, they have the ability to collect, store, and share an “unprecedented breadth” of personal information about consumers, including consumers’ precise geolocation, browsing history, and content of communications. Consumers have very limited, if any, choice regarding their ISP usage; in many regions, ISPs “enjoy near-monopolistic power inside their service areas.” A recent FCC report contained data showing that as of December 31, 2015, a whopping 55% of census blocks had access to only one ISP providing at least 100 Mbps downstream and 10 Mbps upstream.

The FCC Broadband Regulation

In 2016, the Obama administration Federal Communications Commission (“FCC”) voted to adopt new privacy rules designed to regulate ISP consumer data collection, which applied the privacy requirements of the Communications Act of 1934 to ISPs. The new rules were approved against the backdrop of big data, sophisticated data mining, a booming digital advertisement industry, and a rapidly growing business of selling consumer data to advertisers. Given modern-day reliance on the Internet and the fact that “ISPs have started to monetize customer information quietly while selling them bandwidth,” the rules served as a necessary legal protection to consumers whose sensitive data may be sold for profit.  

The rules emphasized three pillars of consumer privacy: choice, transparency, and data security. With respect to choice, the rules critically required ISPs to receive opt-in consent from consumers prior to using and sharing consumers’ sensitive data with third parties. The rules defined sensitive data to include: (1) financial information; (2) health information; (3) Social Security numbers; (4) precise geo-location information; (5) information pertaining to children; (6) content of communications; (7) web browsing history; and (8) application usage history.  The rules did not per se prevent ISPs from collecting or sharing this data—they merely gave consumers an informed choice. Moreover, the FCC created a tiered approach to choice, whereby they required only opt-out consent for the use and sharing of non-sensitive data, and found implied consent for the use and sharing of data required to provide broadband services.  

With respect to transparency, the rules required ISPs to clearly inform consumers about what information they collect, use, and share, as well as with whom the information is shared. They also required ISPs to inform consumers about their rights to opt in or out of such ISP data use and to make all privacy notices persistently available and easily accessible.

With respect to data security and breach notification, the rules encouraged ISPs to consider data minimization, embrace privacy by design, and take “reasonable measures to secure customer PI.” They explained that “reasonable measures” were flexible and could be tailored to the scope of the activity, the sensitivity of the data, the size of the provider, technical feasibility, and an evolving conception of what is “reasonable.” They declined to mandate specific practices.    

The Repeal by a Republican Congress and Donald Trump

On March 22, 2017, a Republican-controlled Senate used the Congressional Review Act (“CRA”) to vote 50-48 in favor of repealing the FCC Broadband Regulation, overcoming fierce opposition by Senate Democrats such as Massachusetts’ Ed Markey.  One week later, the House affirmed the decision of the Senate, voting 215-205 to repeal the regulation. 15 Republicans joined the 190 House Democrats to oppose the rollback, including Anna Eshoo of California, who argued, “[ISPs] can use your information and sell it to the highest bidder.” Trump effectuated the repeal of the regulation on April 3, 2017 when he gave his executive approval.

We must ask, why would Congress and Trump oppose this seemingly reasonable regulation designed to protect consumers, and who benefits from the repeal aside from ISPs and other entities that reap financial benefits from the sale of consumer data? Opposition was largely premised on the fact that the regulation “unfairly” imposed more stringent requirements on ISPs than were imposed on companies such as Google and Facebook. However, technology experts have drawn two important distinctions between ISPs and companies like Google and Facebook: (1) unlike Google and Facebook, ISPs are the gateway to the Internet; and (2) Internet consumers can choose whether to use Google and Facebook, whereas they often have no choice over whether—and which—ISP to use. Additional arguments made against the regulation include (1) overreach by a federal agency, (2) that only the Federal Trade Commission (“FTC”) has authority to regulate consumer online-privacy rights, and (3) that the rules limit ISPs’ ability to provide low-cost services—an argument based on a pay-for-privacy model suggesting that consumer privacy should be sacrificed to subsidize ISPs’ service. Some observers believe that those who voted in favor of the repeal sold out to the telecom industry (e.g., TechCrunch: “conservative members of Congress … sold you out, plain and simple.”). For reference, The Verge published a list of all members of Congress who voted for the repeal and the donations they have received from corporations in the telecom industry and employees of those corporations.

Implications of the Rollback

The rollback of the FCC Broadband Regulation has been described as the “single biggest step backwards in online privacy in many years.” It effectively gives ISPs legal permission to collect and sell their customers’ sensitive data for profit without consumer consent. Due to the lack of choice consumers have over their ISP usage, they are left with virtually no choice but to risk having their data sold to the highest bidder, which, given the potentially enormous returns for ISPs, is a very real risk. As the Senior Legislative Manager at Access Now explained, “this resolution is a vote for big corporate profits over the rights and civil liberties of average people.”

While the effects of this repeal are largely up to ISPs, and while this action is merely a rollback as opposed to a promulgation of rules affirmatively granting ISPs rights (as TechCrunch has rightly noted, “technically you’re not losing any protections—they’re just preventing you from getting them in the first place”), it has been predicted that the resulting legal uncertainty will encourage a shift away from anonymized data use to a “more granular personalized targeting.” Moreover, the rollback may increase the susceptibility of consumers’ sensitive data to unauthorized breaches. The regulation had required ISPs to comply with data security and data breach notification requirements, including taking “reasonable measures” to secure customer personal information. Under the rollback, not only can ISPs legally sell sensitive consumer data to third parties for profit without consumer consent—which is in and of itself an incentive to increase data collection—but the data collected may not be as secure against hackers as it would be otherwise, since ISPs now lack the legal incentive to invest in heightened data security practices.

Now What?

Perhaps the biggest implication of the rollback is that, under the CRA, passed in 1996 to allow Congress to overrule regulations created by federal agencies, the FCC is prevented from enacting substantially similar rules in the future. Let me reiterate this—even if Republican members of Congress change their minds about repealing the rule, the FCC is legally prevented from reenacting similar rules in the absence of a new law specifically allowing them to do so.

So, one may ask, why doesn’t the FTC—the federal agency that has historically handled consumer privacy protection—step in and enact similar rules? In its 2015 Net Neutrality Order, the FCC exerted authority over ISPs by categorizing them as providers of a “telecommunications service,” which had the effect of eliminating FTC jurisdiction under § 5 of the Federal Trade Commission Act (“FTCA”), which excludes the ability to regulate “common carriers” from FTC authority. The 9th Circuit confirmed the FTC’s lack of jurisdiction over ISPs in an opinion holding that § 5 of the FTCA’s common carrier exemption is status-based as opposed to activity-based, and thus any entity acquiring the “status” of a common carrier falls outside FTC jurisdiction. While it has been predicted that the FCC and Congress will roll back the Net Neutrality Rules, reestablishing FTC jurisdiction over ISPs, this will not occur for several years.

So, now what? It is critically important that state and local authorities, such as state attorneys general (“state AGs”), fill the void and protect consumer privacy against abusive ISP monopoly power by encouraging transparency, choice, and data security. Every state has a state Unfair and Deceptive Acts and Practices (“UDAP”) Statute permitting its state AG (e.g., the New York Office of the Attorney General’s Bureau of Internet and Technology or the California Department of Justice’s Privacy Enforcement and Protection Unit) to prohibit a company from deceiving consumers. This power may be leveraged against ISPs to stop them from falsely representing that they protect consumer privacy and safeguard consumer data. But until such authorities step in—and until our elected representatives in Congress prioritize consumer privacy over big corporate profits—consumers should consider investing in a virtual private network (“VPN”), because apparently privacy has a price tag and consumer data is for sale.