The new Congress is reportedly considering repealing the privacy rules that Tom Wheeler’s Federal Communications Commission (FCC) put in place right before the presidential election. Proponents of the new rules are engaged in a furious public-relations campaign, claiming that consumers’ privacy will be violated left and right if the new rules are repealed. Frightening if true.
When it comes to using your data from web browsing and app usage, the Federal Trade Commission (FTC) has been the regulatory cop on the beat. Determined to be relevant in the digital economy, the FCC created its own, radically different set of privacy regulations targeting just Internet Service Providers (ISPs). By requiring an ISP’s customers to give permission for their data to be used, the FCC’s new privacy rules subject ISPs to a different and more restrictive set of regulations than their online advertising rivals.
The difference in the rules—“opt in” rules for ISPs versus “opt out” rules for edge providers—has significant competitive implications in the online advertising market, which is dominated by Google and Facebook. The reason is that consumers typically elect the default choice out of laziness and respect for the status quo. By making it relatively easier for edge providers to access consumers’ data, the FCC has perversely impaired the ability of ISPs to compete for online advertisers.
Not what you’d expect from an FCC Chairman who liked to chant “competition, competition, competition” as his raison d’etre.
Google and its minions are understandably upset that Congress might upend this regulatory arbitrage, and they have come out swinging. A February 20 blog post by the Electronic Frontier Foundation (EFF) in defense of the FCC’s rules begins with a breathtaking subtitle: “Cable and telephone companies are pushing Congress to make it illegal for the federal government to protect online consumer privacy.” The hyperbole doesn’t end there. EFF claims not once but twice that Congress “intends to eviscerate consumer privacy laws.”
Please. Even if the FCC’s new privacy rules are repealed, there are myriad layers of federal and state protection for consumers. None is mentioned in EFF’s blog.
Where to begin? At the federal level, the FCC has authority under section 222 of the Communications Act to prevent privacy abuses by telephone providers. Section 222 was originally designed to prevent traditional telephone companies from giving their wireless subsidiaries an unfair advantage over unaffiliated wireless companies by sharing customer information with them.
Even EFF admits that “Long ago, Congress made privacy a legal right, so that your telephone company was prohibited from using its position as your communications provider to exploit your personal information.” In case there is any doubt of the law’s relevancy in the Internet age, in 2015, the FCC’s Enforcement Bureau issued an advisory that made clear that even in absence of new privacy rules, the FCC will enforce section 222 against broadband providers.
Not content with section 222? Repeal of the FCC’s new privacy rules will not prevent the FCC from establishing a different privacy regime going forward. For example, in the name of regulatory symmetry, the new FCC could replicate the same opt-out standard used by the FTC.
Perhaps anticipating this rejoinder, EFF claims without citation to any case law or precedent that the mechanism being considered by Congress to repeal the FCC’s privacy rules “could possibly bar the FCC from enacting future consumer privacy rules even if they are more industry friendly.” Adding “possibly” after “could” seems redundant, unless there is simply no basis for making such a claim. (I’m anxious to be corrected.)
Moreover, repeal of the FCC’s privacy rules will not prevent Congress from establishing a different privacy regime going forward. To the extent that Congress repeals both the FCC’s 2015 Open Internet Order and its privacy rules, the FTC would be placed firmly back in control of privacy enforcement for ISPs. Before the FCC’s reclassification of ISPs as common carriers in March 2015 took away the FTC’s authority, the FTC was the primary privacy cop on the beat for ISPs. For example, in 2014, the FTC sanctioned AT&T Mobility for its alleged failure to adequately inform its customers of its data-throttling program.
EFF argues that a recent Ninth Circuit decision stripped the FTC of its “authority to penalize cable and telephone companies if they deceive their customers, meaning the FCC is the only broadband consumer protection agency.” But Congress could eliminate the FTC’s common-carrier exception, assuming the GOP majority could convince eight Democratic Senators to overcome the filibuster rule. This would also return privacy enforcement to the FTC.
Moving beyond federal protections, several states add yet another layer of protection against potential privacy abuses by ISPs. For example, Nevada and Minnesota require ISPs to keep private certain information concerning their customers, unless the customer gives permission to disclose the information. And under California law, non-financial businesses, including ISPs, are required to disclose to customers, in writing or by electronic mail, the types of personal information sold to a third party for direct marketing purposes.
If and when the FCC’s new privacy rules are overruled, the statute that empowers the FCC to police privacy abuses by ISPs will still apply. And nothing prevents the FCC from designing a different (and more symmetric) regulatory standard. Repeal of the FCC’s new rules will simply restore the regulatory environment that existed for more than 18 months between the FCC’s reclassification decision and its privacy rules. Given the myriad layers of protections and regulatory options, the notion that repeal would leave the ISPs without any privacy regulator is patently false.