Repeal of planned FCC privacy rules leave ISPs largely unregulated
Last week Congressional Republicans successfully passed legislation to repeal privacy regulations that would have imposed several constraints on the ability of broadband Internet service providers (ISPs) to collect, analyze, sell, and otherwise manage personal information about their customers and their use of the Internet. The repealed rules, which were developed by the Obama administration and passed by the Federal Communications Commission (FCC) in October 2016, were set to go into effect this year. The new, now abandoned, FCC rules applied key privacy principles like transparency, choice, and consent to different categories of personally identifiable information, notably requiring customers to give affirmative consent (that is, to “opt in”) to use or sharing of sensitive personal information. The rules consider sensitive information to include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history, and the content of communications. ISPs would have had more freedom to use or share non-sensitive personal information, but customers could still opt out of any use of their information if they choose to do so.
Beyond consent and use of personal information, the FCC would have added requirements that ISPs provide customers with “clear, conspicuous, and
persistent notice” regarding what information the ISPs collect, how that information may be used, and with whom and under what circumstances it will be shared. This element is consistent with notice of privacy practices requirements that the Federal Trade Commission (FTC) imposes on many types of companies, including e-commerce vendors, social media sites, and website operators. ISPs also would have been obligated to implement industry best practices for data security, authentication, monitoring, and oversight, again consistent with FTC best practices and the Consumer Privacy Bill of Rights, and to notify customers and law enforcement agencies notice of data breaches or other failures to protect customer information.
Instead, now that President Trump signed the measure into law, ISPs like Comcast, Verizon, and AT&T have few practical restrictions on how they handle their customers’ information and are subject to substantially fewer regulations than web content providers, e-commerce companies, and technology firms like Google and Facebook that depend on the ISPs so that end users can reach their products, content, and services. Since the new FCC rules never went into effect, it might seem that privacy protections for customers of Internet service providers are no worse than they were before, but unfortunately that is not the case, due to a separate decision the FCC made in early 2015. That decision, when the FCC voted in its Open Internet Order to adopt “net neutrality” principles, reclassified Internet service providers as common carriers, placing them under the jurisdiction of the Telecommunications Act of 1934 and, by treating them in a manner analogous to conventional telephone companies, shifted the regulatory authority for ISPs from the FTC to the FCC. The exemption from FTC oversight was made explicit in a landmark ruling last year by the 9th Circuit Court of Appeals, which found AT&T was not subject to action by the FTC, even for behavior that occurred prior to the Open Internet Order. One clear intent of the Obama-era FCC privacy rules was to bring regulations for ISPs in line with FTC rules and enforcement actions applicable to other technology companies. Now, unless further regulatory changes are introduced that somehow alter the common-carrier designation, Internet service providers are uniquely positioned to capitalize on the personal information and online behavior patterns of their customers.