Last week President Trump signed a Congressional resolution that overturned internet privacy rules promulgated by the Federal Communications Commission (FCC) during the Obama administration in 2016. The rules would have made it more difficult for broadband internet service providers (ISPs) to track, use, and sell information about its customers’ online activities.
The FCC derives its privacy jurisdiction under the Communications Act of 1934. Specifically, section 201(b) of the Communications Act prohibits telecommunications providers from engaging in “unjust and unreasonable practices,” and section 222 requires telecommunications providers to protect the confidentiality of customer proprietary network information (CPNI)- which includes customer billing and network use information.
Prior to 2015, ISPs were regulated by the Federal Trade Commission (FTC). In 2015, ISPs were reclassified as telecommunications providers, and thus came under the regulatory authority of the FCC. However, some of the Communication Act’s provisions did not translate well to ISPs, and, in November of 2016, the FCC set forth new privacy rules that would more appropriately cover both broadband ISPs and telecommunications providers.
The FCC’s ISP privacy rules
The new FCC privacy rules separated the consent to use and share customer information into three categories based on the sensitivity of the information:
- Sensitive information: the rules required ISPs to obtain affirmative “opt-in” consent from customers to use and share sensitive information.
- Non-sensitive information: the rules permitted ISP’s to use and share non-sensitive customer information, such as email addresses and service tier information, unless the customer chose to opt-out.
- Exceptions: the rules permitted ISPs to infer from the customer-ISP relationship consent to use and share customer information for purposes including providing service, billing, and collection.
The rules also included requirements for ISPs regarding transparency, choice, and cybersecurity:
- Transparency: provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences
- Choice: engage in reasonable data security practices and consider implementing industry best practices, providing appropriate oversight of cybersecurity practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.
- Cybersecurity: provide notice of data breaches within seven days.
Criticism of the rules
One of the main criticisms of the new FCC rules was that they created an uneven regulatory playing field since they placed more stringent privacy requirements on ISPs than websites and other “edge service providers” (such as Google and Facebook) that are not regulated by the FCC and fall under the authority of the FTC. A key difference between what the FCC rules would have required and what the FTC rules require is the level of customer consent required to share or sell a customer’s sensitive information.
The FCC rules required opt-in consent for “sensitive information,” which was broadly defined and included not only information that has traditionally been considered sensitive, such as financial information, health information, children’s information, and social security numbers, but also additional categories of information such as precise geo-location, web browsing history, app usage history and communications content. These additional categories of information are key to enabling targeted advertising, a major source of revenue for ISPs. On the other hand, the FTC’s rules that required opt-in consent were much more limited in scope.
Among those who criticized the new FCC rules was then-FCC Commissioner Ajit Pai (a Republican), who is now the FCC Chairman.
Proponents of the rules
Those who were in favor of the new rules argued that placing more restrictive privacy requirements on ISPs was justified since the internet itself is the pathway consumers must take to even get to internet company websites, such as Google and Facebook. And, in many geographic areas there is little ISP competition for consumers to choose from, whereas consumers seeking greater privacy protection from websites or edge service providers can more easily choose among many competitors.
The Congressional resolution
Congress voted (along party lines) for a Congressional Resolution of Disapproval to overturn the FCC rules before they had taken effect by using an obscure law called the Congressional Review Act (CRA), which had only been used once before this year. The CRA allows Congress, with a simple majority vote in both the House and the Senate, to overturn any regulation imposed during the final six months of the previous administration.
Significantly, when the CRA is used to overturn a regulation, it prohibits regulatory agencies from imposing any future regulation that would be “substantially the same” without Congressional approval. And, use of the CRA is not subject to judicial review.
What happens next?
The FCC’s new rules were slated to take effect on a rolling basis in 2017. However, that process was stayed by FCC Chairman Pai in March, and put to an end by President Trump last week before any of the key privacy portions of the rules took effect. Therefore, there is little immediate impact to the status quo (other than perhaps those who were in favor of the rules now pondering what might have been).
As things stand now, ISPs must still adhere to the Communications Act and “protect the confidentiality of proprietary information of and relating to … customers” and refrain from “unjust and unreasonable practices”- but that is as specific as the Communications Act gets. One open question is how aggressively the Trump administration’s FCC will enforce internet privacy under the authority of Communications Act.
While the FCC could promulgate new rules for ISPs, the CRA prohibits them from being “substantially the same” as the rules that were overturned. Therefore, anything new from the FCC would likely be substantially different, and would likely be more akin to the FTC’s privacy standards, which are far less onerous than the FCC rules that were overturned.
We could also see the FCC or Congress reclassify broadband internet as an information service, which would place ISPs under the FTC’s jurisdiction once again. Both FCC Chairman Pai and key members of Congressional committees with jurisdiction over the FCC have previously stated their support for this change.
The most immediate and interesting development could come from state legislatures. In response to the FCC’s privacy rules being overturned, several states are currently considering their own bills that would place greater privacy limits on ISPs.
For example, the legislature in Minnesota is considering bills that would require ISPs to obtain express written consent from a customer prior to using or sharing information. Illinois is considering a “right to know” bill that would require ISPs to identify the categories of personal information it collects as well as the categories of third parties it shares personal information with. Like the overturned FCC rule, the proposed bill in Illinois would define “personal information” very broadly, and include internet browsing history. Another proposed bill in Illinois would limit the use of microphones in internet-connected devices (Internet of Things devices) like smartphones, smart-TVs, and personal assistant devices such as the Amazon Echo. California and Connecticut are considering similar bills as well.
If states were to implement their own ISP privacy laws, ISPs could either come up with separate policies and practices for each state (probably a difficult option) or, if enough states implement stricter privacy laws, make the change on a national level.