FCC Adopts 3-2 Tough Privacy Rules for ISPs Largely as Proposed by Wheeler
Commissioners approved ISP privacy rules Thursday in a party-line FCC vote, as expected, largely as proposed by Chairman Tom Wheeler (see 1610260065). ISPs lost in their attempts to get the agency to drop a plan to classify web browsing and application use history as sensitive data, requiring opt-in consent. Commissioner Mignon Clyburn was unsuccessful in her push for restrictions on ISPs inserting mandatory arbitration clauses in service contracts, though the majority did commit to seeking comment on that issue in early 2017.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
“The FCC took an important step to protect the privacy of broadband consumers and in particular to protect our children,” Wheeler said in the news conference afterwards. “This whole debate always comes back to the same, simple principle -- it’s the consumer's information.”
Wireline Bureau Chief Matt DelNero said the order is long and complicated and it could take some time before it's released. For now, the agency released a revised fact sheet. “The rules are designed to evolve with changing technologies and encourage innovation, and are in harmony with other key privacy frameworks and principles” from the FTC and the administration, the fact sheet said.
FTC Chairwoman Edith Ramirez sees the rules as providing "robust privacy protections, including protecting sensitive information such as consumers’ social security numbers, precise geolocation data, and content of communications, and requiring reasonable data security practices,” she said in a statement. “We look forward to continuing to work with the FCC to protect the privacy of American consumers.”
Commissioner Ajit Pai dissented, saying he had sought changes to the rules to better align them with the FTC framework. “Over the past three weeks, my office diligently pursued a compromise framework that would have minimized the vast differences between the order’s approach and the FTC’s regime, one that would have protected consumer privacy while also allowing for more competition in the online advertising market, where edge providers are currently dominant,” Pai said. He urged the communications agency to acknowledge that persistent online identifiers, like static IP addresses, are a bigger privacy issue than more transitive identifiers. “Distinguishing between the two in our de-identification standard would incentivize ISPs to compete with edge providers for online ads and do so through more privacy-protective technologies,” he said. “Unfortunately, my colleagues were unwilling to compromise on this or in any other meaningful respect.”
Edge providers like Facebook and Google, which have more insight into consumer behavior than ISPs, will be subject to less-strict rules than companies regulated by the FCC, Pai said. “If the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move forward to ensure uniform regulation of all companies in the internet ecosystem at the new baseline the FCC has set.” Pai clarified during a separate news conference he doesn’t favor new rules for edge providers, just parity.
Requiring opt-in notice for web browsing and app usage history “is a significant departure from the FTC approach,” said Commissioner Mike O’Rielly, who also dissented. The rules will cause consumer confusion, he predicted. “Consumers will receive notices from the broadband providers asking them to opt in,” he said. “If they do not opt in, but continue to see advertisements based on their web browsing and application usage, some will understandably assume that their broadband providers are violating their privacy policies.” But it could be the case the ads originate instead from third parties not subject to FCC rules, he said.
Clyburn concurred with parts of the order because of concerns about arbitration. “Mandatory arbitration, put simply, forces consumers with grievances against a company out of the court system, and into a private dispute resolution system,” she said. “Their options are limited.” The FCC majority agreed to her proposed edits to strengthen protections for people with disabilities. “It also toughens our pay-for-privacy safeguards, and improves the abilities of businesses to contract for their own privacy protections,” she said.
Commissioner Jessica Rosenworcel, as expected (see 1610140035), voted for the order largely as circulated by Wheeler. With the growth of the IoT and many more devices connected to the internet, the need for rules is growing, Rosenworcel said. “The monetization of data is big business,” she said. “The cost of data storage has declined dramatically. The market incentives to keep our data and slice and dice it to inform commercial activity are enormous and they are going to grow.”
Verizon Encouraged
Among major ISPs, Verizon was mostly supportive, saying the order appears to be closer to the FTC’s framework. “Verizon is encouraged by the preliminary information we heard this morning,” said Kathy Grillo, deputy general counsel. “From the outset of this proceeding, we stressed the importance of creating a consistent approach to privacy that gives consumers the same information and choices about the use of their data, regardless of the type of company they interact with online.”
AT&T is committed to protecting its customers’ privacy but has deep concerns about the order, said Joan Marsh, senior vice president-federal regulatory, in a blog post. “The framework adopted today … departs from the FTC regime in significant and illogical ways, most importantly in the treatment of web browsing and app history data,” she said. “The FCC’s order falls short of recognizing that consumers want their information protected based on the sensitivity of the information collected, not the entity collecting it.”
Comcast Senior Executive Vice President David Cohen expressed similar concerns to AT&T's, and about rules on first-party marketing. The FCC rules depart “significantly from the FTC’s sensible sensitivity-based approach for the use of web browsing and apps usage data, and flatly ignored the FTC’s and Administration’s approach of encouraging companies to inform their customers of new and discounted services with few regulatory burdens,” Cohen said in a blog post.
Privacy advocates were mostly pleased. Executive Director Jeff Chester said in a news release the Center for Digital Democracy would have preferred the first version of rules proposed by Wheeler that didn’t differentiate between sensitive and nonsensitive information. But Chester still sees the vote as a win for consumers. The vote was “a rejection of the intense lobbying conducted by the phone and cable lobby, as well as by other Internet giants, to effectively kill the plan,” he said.
The rules provide “the highest level of protection” for web browsing and app usage data, said Sarah Morris, director-open internet policy for New America’s Open Technology Institute. “The rules also take a critical stance on so-called ‘pay-for-privacy’ regimes that are particularly harmful for low-income users. Today’s vote ensures that consumers do not have to trade basic privacy protections for broadband access.”
Hill Reaction
Senate Democrats cheered the FCC’s announcement about a coming forced arbitration cause rulemaking. Senate Judiciary Committee ranking member Patrick Leahy, D-Vt., is “encouraged,” he said. “The evidence of the profound negative impacts of forced arbitration for consumers continues to mount -- forcing people into a shadow justice system without transparency must not be tolerated.”
“This is huge news for nearly every American who signs a television, internet, or phone contract,” said Sen. Al Franken, D-Minn. “For decades, big corporations have locked the courtroom doors on their customers by slipping mandatory forced arbitration clauses into contracts. And ever since joining the Senate, I’ve made it a priority of mine to change that, because I believe if you’re wronged, you should be able to seek justice in our legal system.” The step “could be a true game changer,” he said, thanking Clyburn. The two wrote an opinion piece on the topic (see 1610260065).
House Commerce Committee ranking member Frank Pallone, D-N.J., commended the vote and alluded to the pay-for-privacy debate, which his counsel mentioned earlier this week (see 1610240041). “No consumer -- regardless of their income -- should be forced to choose between their privacy and staying connected,” Pallone said. “I will therefore be reading the new pay-for-privacy rules closely to make sure consumers come out ahead.” Leahy called the vote itself “an important step” and said the FCC “was right to adopt new rules requiring consumers to expressly consent before internet service providers may use their sensitive private information,” despite calling for a “higher standard” for protections across the internet and touted his Consumer Privacy Protection Act. “These broadband privacy rules are the next logical step since enshrining net neutrality in our telecommunications playbook,” said Sen. Ed Markey, D-Mass., who pressed for commission action leading up to the vote.
“The FCC’s privacy approach is out of touch and out of date,” tweeted Sen. Steve Daines, R-Mont., a member of the Commerce Committee. “These rules are bad for business and bad for consumers.”