Op-Ed: Internet Privacy: Who’s The Boss?
The Federal Communications Commission’s recent adoption of net neutrality rules generated unprecedented controversy in the communications community. Large communications companies argued vociferously against what they see as outdated utility regulation, while public interest groups argued just as hard for regulatory requirements that they view as necessary to the Internet’s role as a haven for innovation and new entrants.
While this fierce debate has dominated coverage of the commission’s net neutrality rules, those rules quietly shift responsibility over broadband privacy from the Federal Trade Commission to the FCC. This is a profound change, with far-reaching implications for broadband providers.
Why would new net neutrality rules mean the FCC is now the boss of broadband privacy? The answer lies in Title II of the Communications Act and Section 5 of the FTC Act.
The FTC Act empowers the FTC to “prevent unfair methods of competition, and unfair or deceptive acts or practices in or affecting commerce.” But this jurisdiction is limited — the FTC’s authority does not reach “common carriers” — which is another way of saying the FTC’s power does not reach entities regulated under Title II of the Communications Act. The FCC’s decision to ground the new net neutrality rules on Title II means that broadband providers that were not common carriers will become common carriers when the net neutrality rules take effect. As a result, these broadband providers have suddenly found their customer privacy mostly governed by the FCC rather than the FTC.
Is this a good thing? Travis LeBlanc, chief of the FCC’s Enforcement Bureau, certainly thinks so. Late last year, LeBlanc argued that the FCC is in a better position than the FTC because the FTC is “primarily a policing agency” while the FCC has the benefit of housing policymakers and rule enforcement together: “we can go talk to [the policymakers] before we do an enforcement action.” Companies on the losing end of recent enforcement action at the FCC may beg to disagree, and any entity facing enforcement may have legitimate questions about whether their individual enforcement action is actually part of a larger policy agenda.
The FTC, with its well-developed enforcement regime, likely also has a different view. FTC Commissioner Maureen Ohlhausen recently argued that the net neutrality rules will have a bad impact on consumers. While recognizing that a common carrier classification essentially “fence[d] out” the FTC as a result of the “common carrier exemption,” Ohlhausen said that it is “ultimately up to the courts to decide what’s a common carrier under the FTC Act.”
On cue, a federal district court recently decided that the FTC may retain a limited role in policing common carriers’ privacy practices. There, the FTC alleged that AT&T Inc. engaged in unfair and deceptive practices by failing to disclose to its customers that it throttled data speeds on its mobile broadband networks. Since this was prior to the release of the net neutrality rules, AT&T argued that the FTC could not bring the case because the company was a common carrier based on its provision of voice services. The court disagreed, holding that the FTC could bring enforcement actions against common carriers for their “non-common carriage services.” AT&T has appealed the ruling.
What is certain? Uncertainty. The FCC now has a much bigger role in the regulation of privacy practices of broadband providers, and the FTC a much smaller one. So providers that are familiar with the FTC’s enforcement regime must now become familiar with the FCC’s rules and policies. However, they must do so without yet knowing whether the FCC will only slightly modify its existing privacy rules and apply them to broadband, import FTC precedents, adopt an entirely new set of requirements, or combine some or all of these approaches.
Traditionally, the FCC has confined its oversight of privacy matters to a relatively narrow class of information known as customer proprietary network information — that is, information about the customer’s usage of service and account-related data — which Congress designated for special protection in Section 222 of the Communications Act. The FCC’s existing CPNI rules limit the way carriers can use CPNI and dictate the measures that carriers must take to protect it. But in its net neutrality order, the FCC forbore the application of its existing CPNI rules to broadband service providers because the rules are geared toward voice services and “do not address many of the types of sensitive information to which a provider of broadband Internet access service is likely to have access.”
What rules should apply, if not the existing CPNI rules? The FCC explored this question in a public workshop and a rulemaking proceeding Tuesday.
The FCC may find that CPNI obtained in the context of voice services is more benign than the type of proprietary information that an Internet service provider can obtain from a customer’s use of broadband service, and propose more stringent CPNI regulations for broadband providers. What constitutes CPNI will be especially interesting in the context of mobile broadband services, which are also subject to the new net neutrality rules.
The FCC may also attempt to adopt privacy regulations for broadband providers that cover more than just CPNI. In several recent enforcement actions, the FCC interpreted Section 222 of the Communications Act to require telecommunications providers to protect not just CPNI, but also customer “proprietary information,” a currently ill-defined category of personal information about customers not directly related to their use of telecommunications services, such as their names, addresses, and social security numbers. The FCC may use a rulemaking proceeding related to broadband providers’ privacy and data security obligations as an opportunity to clarify what qualifies as PI and what service providers must do to protect it.
The FCC may also decide to layer on additional case-by-case privacy oversight through an FTC-style regime designed to supplement CPNI (or CPNI and PI) rules. ISP behavior that would have constituted an unfair and deceptive practice under the FTC Act could be deemed by the FCC to constitute an unjust and unreasonable practice under the Communications Act. The FCC used this approach in several recent enforcement investigations, and LeBlanc has signaled that broadband enforcement actions will be a trend in the upcoming year.
While the FCC sets to work determining its new role in the broadband privacy arena, there may be confusion among companies and customers as they try to determine how the privacy regime will work. Broadband providers should start planning now to shift from the FTC’s enforcement environment to the FCC’s regime of prescribed rules and compliance obligations.
Until the FCC adopts prescribed rules, the substance of broadband providers’ privacy and data security obligations under the Communications Act likely remain similar, if not identical to, their prior obligations under the FTC Act. But the FCC can be expected to act more rigorously and seek larger fines when enforcing privacy regulations against broadband providers.
For example, the FCC recently entered into a consent decree with AT&T related to the company’s alleged failure to properly protect its customers CPNI and PI. The decree requires AT&T to pay a $25 million civil penalty, undertake new privacy and data security efforts, and submit to ongoing FCC oversight of its privacy and data security practices.
Broadband providers should take a close look at their privacy and data security practices to ensure that they (1) are taking all reasonable steps to protect potentially sensitive customer information from unauthorized access and use, (2) are living up to the promises they are making to consumers about their privacy and data security practices, and (3) have a robust compliance program in place. Providers should also participate in the FCC’s proceeding to ensure that the commission does not adopt rigid rules that impede providers’ ability to offer services.
Jennifer Bagg and Brita Strandberg are partners in Harris Wiltshire’s Washington, D.C., office. Adrienne Fowler is an associate in the firm’s Washington office and a former trial attorney in the U.S. Department of Justice‘s Consumer Protection Branch.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.