A recent repeal of federal consumer privacy rules has opened the door to potential sharing and use of sensitive, consumer data with only individual state privacy laws standing in the way.
President Trump signed a congressional bill on April 3 repealing Obama-era FCC consumer privacy rules for broadband internet service providers (“ISPs”) that had just been just adopted by the FCC this past fall. The Trump administration has not yet provided a replacement privacy regulation framework, leaving both ISPs and tech companies subject to potentially varying state-level consumer privacy regulations.
Regulating ISPs’ access to sensitive consumer data has long been a concern on both sides of the political aisle. The Obama-era FCC found that because ISPs are able to view vast swathes of consumer data, consumers should decide how ISPs use and share their data. In keeping with the goal of consumer choice, the FCC adopted the privacy rules on October 27, 2016, and they were set to go into effect on March 8, 2017.
The privacy rules required ISPs to provide, among other things, privacy notices that inform consumers about what confidential information the ISPs collect, information on how the ISPs use that confidential information, the circumstances under which the ISPs will share the confidential information, and the identity of the types of entities with which the carriers ISPs share the confidential information. These rules also required ISPs to give consumers the choice to opt in or to opt out of the use or sharing of the confidential information.
Proponents of the privacy rules argue that the rules protected consumers’ sensitive data from unauthorized use by ISPs, including selling individual browsing history to third parties. Critics of the privacy rules argue that the regulations placed stricter requirements on ISPs than on tech companies like Google and Facebook, thus placing ISPs at a competitive disadvantage.
In fairness, both ISPs and tech companies cannot tie internet or app usage data to sensitive information such as names, addresses, or social security numbers without consumers’ permission under the FTC’s privacy guidelines. Although ISPs and tech companies have pledged to follow this framework, the FTC cannot enforce its guidelines against ISPs because they fall under the FCC’s jurisdiction.
As a brief recap, the Obama administration brought ISPs under FCC jurisdiction in February 2015 in an effort to impose transparency neutrality rules. The FCC transparency rules were imposed when the Obama-era FCC voted to regulate the Internet under Title II of the 1934 Communications Act. Under Title II, ISPs were treated as common carriers along with utility services, railroads, and the postal service, rather than as an information service. Classifying ISPs as carriers allowed the FCC to exert regulatory power over ISPs and impose the net neutrality transparency rules that were rolled back by earlier this year.
FCC Chairman Ajit Pai and FTC Acting Chairman Maureen Ohlhausen argue that shifting responsibility over ISPs away from the FTC (“the agency with the most expertise handling online privacy”) to the FCC (“an agency with no real experience in the field”) was harmful to American consumers.
Pai and Ohlhausen point to the FCC’s adoption of rules that contradict FTC guidance – where the FTC concluded that “any privacy framework should be technology neutral” because “ISPs are just one type of large platform provider” and “operating systems and browsers may be in a position to track all, or virtually all, of a consumer’s online activity to create highly detailed profiles,” the FCC instead adopted privacy rules that would have made ISPs “subject to one standard and content providers would have been subject to another.”
Rather than pulling the ISPs back out from under FCC jurisdiction, the Trump administration repealed the FCC’s privacy rules before they took effect. The repeal adds to consumers’ worries about ISPs’ seemingly increasing ability to manipulate consumer choice in accessing certain sites and protecting sensitive data.
The FTC and FCC chairs reassure consumers that ISPs never planned to sell individual browsing history to third parties and the administration’s April 3rd decision did not remove existing privacy protections. Rather, the chairs argue, that the decision “simply cleared the way for us to work together to reinstate a rational and effective system for protecting consumer privacy.”
The question becomes: what consumer privacy protection system regulates ISPs? At the moment, the only privacy regulators for the tech industry operate at the state level, not federal level, analysts say.
Some states have risen to the occasion in providing consumer privacy frameworks for the tech industry. Maryland and Montana are two states considering passing legislation regulating how ISPs collect sensitive consumer data, while the Minnesota Senate voted in March to require consumer consent after a Congressional vote.
Unfortunately, leaving regulations to the states may present varying standards for the tech industry and consumers. As an USTelecom spokeswoman stated, “Individual state efforts that deviate from a strong, consistent federal privacy framework do not fit with how consumers traverse the global internet and are more likely to harm consumers and internet innovation than help.”
Experts expect policymakers, with possible collaborative efforts by the FCC and the FTC, to resolve this issue by providing privacy regulation at the federal level before shifting the focus back to net neutrality. In the meantime, the tech industry must be sure to review states’ consumer privacy laws when dealing with consumer data.
 Customer consent would have been inferred for certain purposes, including: (1) the use and sharing of non-sensitive information to provide and market services and equipment typically marketed with the broadband service subscribed to by the customer, (2) providing the broadband service, and billing and collecting for that service, and (3) protecting the ISP and its customers from fraudulent use of the provider’s network.