Last fall, the Federal Communications Commission (FCC) voted 3-2 along party lines to impose upon internet service providers (ISPs) bifurcated broadband privacy rules that would negatively affect consumers and innovators alike. In choosing which entities in the internet ecosystem could access consumer data, rather than which type of data could be accessed by all entities, the agency threw a giant wrench into the system.
Fortunately, on March 23 the Senate voted 50-48 to repeal the previous FCC’s privacy rules via the Congressional Review Act (CRA), which allows Congress 60 legislative days to repeal regulations enacted by agencies with simple majority votes in the House and Senate, along with the President’s signature.
The Senate’s action makes sense. From the advent of the internet until the FCC’s recent Title II reclassification and adoption of these rules, data was treated uniformly. The same privacy protections applied wherever along the internet continuum consumer data was located. The FCC disrupted this uniform treatment, giving consumers a false sense of security with regard to their privacy protection expectations and setting the stage for needless confusion.
With its new rules, the FCC singled out one small segment of the internet for special treatment. ISPs that provide broadband internet connections would only be allowed access to general consumer data, such as web browsing histories, following receipt of affirmative op-in consent to the data collection from consumers. As a practical matter, given consumer behavior, affirmative op-in consent would almost never be given — ISPs would effectively be precluded, therefore, from collecting these data under FCC rule.
In sharp contrast, companies at the other end of the internet continuum — the major online content providers, including Google, Facebook, and Amazon — are still overseen by the Federal Trade Commission (FTC) and have privacy practices grounded in the collection of non-sensitive consumer data based upon opt-out consent, under which the company may collect the data unless the consumer acts to prevent it.
Under this longstanding arrangement — which previously also applied to ISPs — so-called edge providers could continue to pursue business models based on the generation of consumer preference profiles comprising web browsing histories and individual website visitation. Internet advertising reliant on these profiles keeps internet content inexpensive — indeed, generally free — and highly accessible for consumers. It’s a system that has long benefited both the edge provider companies and the consumers who enjoy a content-rich internet experience.
The FTC’s framework also identifies specific categories, including Social Security numbers, financial, health, location and children-related information as sensitive. That information is only available to edge providers following affirmative opt-in consent.
Nevertheless, the FTC’s sensible approach was ignored by the FCC in its decision to place large amounts of harmless data beyond the reach of ISPs. As Google has pointed out, the FTC “recognizes that while U.S. consumers consider healthcare or financial transactions, for example, to be sensitive information that should receive special protection, they do not have the same expectations when they shop or get a weather forecast online… consumers benefit from responsible online advertising, individualized content, and product improvements based on browsing information, regardless of the company collecting the data.”
It’s well understood that even before the FCC’s rule, edge providers accessed far more consumer browsing and app usage data than broadband providers and monetized it through internet advertising to a much greater degree. Edge providers governed by the FTC’s more flexible regulatory approach have virtually unlimited insight into their users’ web activities. Conversely, about 70 percent of global internet traffic is invisible to ISPs, due to end-to-end encryption, virtual private networks and other proxy services. Thus, the FCC’s rules would do little more than confuse consumers about which data is protected and when.
Applying privacy rules equally throughout the internet ecosystem will avoid consumer confusion and ensure a consistent and enforceable set of consumer rights and expectations, while supporting investment and continued digital innovation.
With longstanding expertise in internet privacy, the FTC is better equipped than the FCC to oversee privacy requirements for both ISPs and edge providers. A return to privacy jurisdiction for all internet companies to the FTC would be ideal. In the alternative, the FCC could usefully apply to ISPs the same rules the FTC oversees for edge providers.
Congress is now taking positive steps to accomplish this result by passing the resolution of disapproval with regard to last year’s FCC privacy rule — the House is expected to vote on the measure this week. This is good news for consumers, who will be better off with consistently applied privacy rules that allow the internet ecosystem to thrive.
Originally published at Bloomberg BNA