Rosenworcel Launches Task Force on Consumer Privacy

The commission “has an important role to play ensuring the privacy of consumer communications,” Rosenworcel said. “The Communications Act provides us with clear communications privacy authority” as laid out in sections 222 and 631, she said.

One of the first targets will be a follow-up on wireless carrier responses to July letters asking about their data retention and data privacy policies (see 2208250057), Rosenworcel said. “The FCC had never done that before,” she said: “Now we have investigations underway to follow up on this data gathering.” Rosenworcel also said she will circulate a proposed enforcement action against two unnamed companies “that have put the security of communications customers at risk.”

Rosenworcel also urged her fellow commissioners to approve fines, which she circulated last year, proposed in notices of apparent liability in 2020 against the then four national wireless carriers for failing to safeguard data on their customers' real-time locations. In early 2020, then Chairman Ajit Pai proposed NALs of more than $91 million against T-Mobile, $57 million against AT&T, $48 million against Verizon and $12 million against Sprint, which hadn't yet combined with T-Mobile (see 2002280065). But an order on the fines has been stalled at the 2-2 commission (see 2212190055).

It’s time to back the NALs up with enforcement orders and fines, said Rosenworcel. “It’s time to hold [the carriers] accountable and make them pay for this behavior -- and by that I mean the more than $200 million in fines proposed by the last administration,” she said: “Let me call on my colleagues to bring this chapter to a close. … We need to make clear that when you violate consumer communications privacy there are consequences.”

The task force will also help the FCC modernize its data breach rules, Rosenworcel said. “They are due for a digital age update” and were last modernized more than 15 years ago, she said. The FCC sought comment in January on revised rules for carriers to report data breaches (see 2301060057). Commissioners approved an NPRM in December proposing to eliminate the “outdated” seven-business-day mandatory waiting period before notifying customers of a breach and requiring the reporting of inadvertent but harmful breaches to the FCC, FBI and Secret Service.

The NPRM followed several high-profile data breaches, most recently a 2021 T-Mobile breach that included information from about 7.8 million postpaid customer accounts and the records of more than 40 million former or prospective customers (see 2108180062). The task force will also follow up on a SIM swap and port-out fraud notice released last year (see 2111160036).

“We live in an era of always-on connectivity,” Rosenworcel said. “Connection is no longer just convenient. It fuels every aspect of modern civic and commercial life. … Too often this always-on connectivity, which has brought so many benefits, can require a sacrifice of our privacy.” The monetization of data “is big business,” Rosenworcel said. With the cost of data storage significantly lower than in the past, “the market incentives to keep our data and slice and dice it to inform commercial activity are enormous, and they are only growing,” she said.

The task force is a good move by Rosenworcel, said Public Knowledge Senior Vice President Harold Feld, who spoke during a panel after the speech. The agency has a mixed record on privacy enforcement, Feld said. “There are times when the FCC has been very aggressive -- times when it seems to be lost,” he said.

Feld and Caitriona Fitzgerald, Electronic Privacy Information Center deputy director, said it’s past time for the FCC to move on the 2020 NALs.

HWG’s Adrienne Fowler said the companies she works with want to “honor” the trust placed in them by consumers. “Typically speaking, that’s the goal of the FCC, that’s the goal of industry,” she said. There are many nuances involved in privacy protection, she said: “The old privacy maxim of ‘don’t be creepy,’ is highly fact-specific.”