Sharply Divided FCC Agrees To Move Ahead on ISP Privacy NPRM

“We have all heard this is a complex, challenging kind of issue,” FCC Chairman Tom Wheeler said. “We’ve heard a lot of assertions, allegations and alarms up here.” But Wheeler said there is one “indisputable fact” that faced the FCC. “It is consumer information, and the consumer should have the right to say whether it is used for nonnetwork purposes.”

Customer data that is “necessary to provide broadband services and for marketing the type of broadband service purchased by a customer -- and for certain other purposes consistent with customer expectations, such as contacting public safety -- would require no additional customer consent beyond the creation of the customer-ISP relationship,” said a news release on the NPRM. ISPs would be allowed to use customer data for marketing other communications-related services and to share, subject to an opt-out requirement, customer data with affiliates that provide communications-related services for the purposes of marketing, the release said. “All other uses and sharing of consumer data would require express, affirmative ‘opt-in’ consent from customers.”

Pai said it makes no sense to impose tighter restrictions on ISPs than on edge providers like Google in the online advertising space. ISP-specific rules would further tilt the playing field against ISPs, “new entrants” in that world, he said. Consumers often don’t know which particular online companies can access their personal information or the regulatory classification of those entities, Pai said. “They do care that their personal information is protected by everyone who has access to it.”

“When it comes to privacy, the principle of parity makes sense,” Pai said. “Slanted regulation is bad enough. Illogically slanted regulation is worse.” Pai noted that the Electronic Privacy Information Center “has cried foul,” finding that the FCC’s “maniacal focus” on ISPs is “inconsistent with the reality of the online communications ecosystem, incorrectly frames the scope of communications privacy issues facing Americans today, and is counterproductive to consumer privacy.”

Pai read a list of headlines from recent new reports. “Google is spying on K-12 students, privacy advocates warn … Your Samsung TV is eavesdropping on your private conversations … Why is Netflix cracking down on essential privacy tools?” Yet the FCC can focus on ISPs only, he said. “Reclassification’s chief corporate backer, Netflix, admitted just last week that it had selectively throttled its own customers’ traffic without their knowledge or their consent,” he said.

Regulatory Humility Absent

As an agency with little expertise on privacy, the FCC should practice “regulatory humility” on privacy and proceed incrementally, O’Rielly said. “But instead of taking time to understand the current privacy landscape … the notice falls back on the familiar cut-and-paste job” forcing CPNI rules onto broadband, he said. “The commission also sets off on a statutory fishing expedition to find new language to support additional privacy rules.”

The FCC proposes to impose opt-in rules, previously reserved for the most sensitive information, on ISPs in many areas, O’Rielly said. “That’s just the privacy section.” The notice also proposes cybersecurity rules even though there is already a policy statement circulating among the commissioners calling for a voluntary approach, he said.

But Commissioner Mignon Clyburn countered that like other Americans, she is concerned that her ISP knows everything from which websites she visits to how long she spends at each website and, if not encrypted, the content she accesses at each site. “This is a treasure trove of information that is not only very personal to me but is also very valuable to marketers and retailers,” she said. “As a consumer of these services, I want the ability to determine when and how my ISP uses my personal information, and I am not alone.”

Clyburn cited a recent Pew survey that found 93 percent of consumers say that being in control of who can access information about them is important and 90 percent say that controlling what information is collected about them is important. The NPRM is “both timely and relevant,” she said. “It seeks comment on proposals that would allow consumers to be in control of their information, and ensure transparency, consumer choice, data breach notifications and safeguards for security.”

Commissioner Jessica Rosenworcel said privacy is complicated and warned that the NPRM poses, by her count, more than 500 questions. The monetization of consumer data “is big business,” she said. People rarely read the fine print “before swiftly checking a box to enjoy the wonder of free shipping,” she said. “There are some contradictions here that make privacy complicated.” But it is also clear that under Section 222 of the Communication Act CPNI is “entitled to protection,” she said. “Moreover the commission has a responsibility to ensure that its privacy policies … reflect the current communications landscape.”

Part of the fight over the rules played out on Twitter. “Odd to hear those who question @fcc authority at every turn urge agency to use Sec. 706 2 regulate edge #privacy,” tweeted Wheeler aide Gigi Sohn. “Odd to hear those who’ve never thought FCC had legal constraints suddenly cite authority to help favored corporate interests,” replied Pai aide Nick Degani.

Markey Urges Quick Action

Sen. Ed Markey, D-Mass., urged the FCC to move forward quickly on final rules. ISPs “have a duty to protect the privacy of consumers who use the company’s infrastructure to connect to the world,” he said. “Consumers have the right to know what information their broadband provider is collecting, the right to say ‘no’ to its use, and whether it is shared with other companies."

Lines on the NPRM were firmly drawn months ago. But numerous groups released statements after the vote, weighing in again.

“To be sure, privacy is a societal concern, but the FCC's proposal is a solution in search of a problem,” said Adonis Hoffman, chairman of Business in the Public Interest and a former aide to Clyburn. The FTC should remain the primary privacy cop, he said. “They have the expertise, institutional knowledge and experiential insight to handle the range of privacy issues sure to arise,” he said. "The other troubling part of the FCC plan is that it leaves the real privacy perpetrators outside the reach of the rule. Google, which collects and houses more data than all ISPs combined, should be covered, but it is not.”

“The FCC has invented a privacy crisis, then exploited that crisis to claim vast new powers,” said Berin Szoka, president of TechFreedom. “Essentially, the FCC is replicating the FTC’s unfairness and deception authority -- but without the underlying legal requirements that constrain the FTC’s discretion, or at least shame the FTC into better justifying its interventions.”

“The FCC has rightly recognized the duty ISPs have to protect their customers’ privacy,” Free Press Policy Counsel Gaurav Laroia said. “The law is clear, and the FCC must adopt the strong protections obligated by Section 222 of the Communications Act.”

Jeff Chester, executive director of the Center for Digital Democracy, said some members of the FCC don’t understand that the FTC has largely failed to protect consumer privacy. “Consumers should have the right to make decisions on how their information can be collected, shared or sold,” he said. “With a set of FCC safeguards, Americans will have some of their privacy restored.”

The FCC's “prescriptive rules would actually make it more complicated for consumers to exercise control over their personal data,” said Tom Power, general counsel at CTIA. “This is in stark contrast to the FTC privacy model, which has protected consumer privacy while allowing for innovation across the Internet, and applies to all companies in the broadband space, not just ISPs.”