With the voice of experience, the FCC’s sister Commission provides support, criticism.
As we alerted you a couple of months ago, the FCC is in the process of crafting rules intended to protect the private/proprietary information (PI) of those of us accessing the Internet through Internet Service Providers (ISPs). If eventually adopted, the rules would impose significant obligations on ISPs providing broadband Internet access service (BIAS). So far, reaction from commenters has been predictably mixed. Consumer groups tend to support the Commission’s proposals as necessary protection for vulnerable privacy interests. ISPs, on the other hand, tend to oppose many elements of the proposals as unnecessary and overly burdensome. Many ISPs also oppose the new privacy rules as unfair because, as currently proposed, those rules would target only ISPs while leaving other major players in the Internet ecosystem – edge providers such as Google and Amazon – free from equivalent constraints.
While the FCC has some, relatively limited, experience dealing with online privacy concerns, another federal agency – the Federal Trade Commission – has extensive experience. Not surprisingly, the FTC’s approach has been cited, in a number of comments to the FCC, as a positive model. But what does the FTC itself think of the FCC’s proposals? While that may sound like a rhetorical question, we now have an answer to it, because the FTC submitted its own comments to the Commission – and one FTC Commissioner – Maureen Ohlhausen – submitted her own separate comments.
If your curiosity is piqued, so was mine.
Some background on the FTC/FCC relationship first.
The FTC’s principal responsibility is to protect citizens and businesses from deceptive and unfair practices. Under that broad authority (as well as a number of statutes specifically addressed to various sectors of the commercial universe), the FTC adopts guidelines governing, and adjudicates complaints of alleged misconduct in, those sectors. It has been especially active in the protection of privacy and security of consumer information, having brought more than 500 cases in that area. Generally, those cases involve allegations that the target companies have: made deceptive claims about how they collect, use, or share consumer data; failed to provide reasonable security for consumer data; shared sensitive, private consumer data with unauthorized third parties; or unfairly failed to take reasonable steps to secure the consumer data they obtained.
Among the handful of activities that Congress chose to expressly exempt from the reach of the FTC is the provision of common carrier services, including telecommunications services. Historically, this exemption didn’t include ISPs, because, historically, ISPs weren’t treated as providing “telecommunications services”. Accordingly, the FTC has had occasion to weigh in on ISP practices since the early days of the Internet. Its targets have included AOL, CompuServe, Prodigy and, more recently, Verizon and AT&T.
But all that changed last year, when the FCC declared (in its Net Neutrality, or “Open Internet”, decision) that, going forward, ISP provision of BIAS will be deemed a Title II telecommunications service. By doing that, the FCC effectively removed ISP provision of BIAS from the FTC’s reach, since those services suddenly became subject to the “common carrier” exemption from FTC regulation.
Recognizing this sea change, the FCC and FTC signed a Memorandum of Understanding establishing broad outlines for how they would work together in overseeing the online world. Under that agreement, the two agencies will engage in joint and parallel enforcement, with the FCC focusing on telecommunications services (including ISP-provided BIAS), while the FTC will focus its efforts on non-telecommunications services, including those provided by edge providers. But while the FCC and the FTC are sister agencies in the same administration, and the “sisters” have agreed to play nice together, there has been some tension in this relationship. (For example, some FTC Commissioners have openly suggested that Congress amend the FTC’s principal authorizing statute (the Federal Trade Commission Act) to eliminate the common carrier exemption. And FTC Commissioners and staff have suggested that the FCC look to principles in prior FTC actions as informative sources for new FCC ISP privacy rules.)
So, in light of this ambivalent relationship, what do the FTC’s comments say about the FCC’s currently proposed rules?
The FTC’s comments – technically filed by the staff of the FTC’s Bureau of Consumer Protection, but with the approval of the Commissioners – generally support the FCC’s proposed approach … with some notable reservations.
For instance, in the FTC’s view, the FCC’s proposed rules “would impose a number of specific requirements on the provision of BIAS services that would not generally apply to other services that collect and use significant amounts of consumer data. This outcome is not optimal.” Not optimal, indeed – this is the same concern expressed by ISP critics of the FCC’s proposal, who point out that the FCC’s rigorous proposals would not apply to the largest collectors of consumers’ PI on the Internet – edge providers such as Google and Amazon.
But the FTC isn’t completely on board with those critics. The critics generally claim that this regulatory imbalance would lead to consumer confusion and unfair burdens on ISPs, while failing to provide real protection to consumers – their suggestion being that the FCC should thus refrain from imposing any regulations at all. The FTC, however, comes to the opposite conclusion: “The FTC has repeatedly called for Congress to pass additional laws to strengthen privacy and security protections provided by all companies, however, including through baseline privacy, data security, and data breach notification laws applicable to all entities that collect consumer data.” [emphasis added]. In other words, the FTC is on board with the notion of privacy regulation along the lines proposed by the FCC, but the FTC would prefer to have such regulation apply to all businesses that interact with the public in similar ways, whether or not those businesses happen to be deemed by the FCC to be providing telecommunications service.
In the meantime, the FTC suggests that the FCC be sure to clarify that the FCC’s privacy rules apply to ISPs only to the extent that those ISPs are engaged in the provision of BIAS. That is, the FTC wants it to be clear the FTC still has jurisdiction over ISPs to the extent that they are not providing BIAS.
Other notable suggestions from the FTC Staff include the following:
Defining Personally Identifiable Information.
Under the FCC’s proposed definition, protected “customer proprietary information” or “customer PI” would include two categories: (1) customer proprietary network information (CPNI); and (2) personally identifiable information (PII) acquired by the BIAS provider in connection with its provision of BIAS; PII would in turn be defined as “any information that is linked or linkable to an individual.” The FTC sees problems in that latter element.
The FTC recognizes that including information that is “linkable” to a consumer provides stronger privacy protections to consumers. But it notes that “linkability” may render the definition overbroad, because “almost any piece of data could be linked to a consumer”. As a result, the FCC’s proposed definition “could unnecessarily limit [ISPs’] use of data that does not pose a risk to consumers”. As an alternative, the FTC suggests that the FCC consider a definition based on “whether such a link is practical or likely in light of current technology”, i.e., that the definition of PII include only information that is “reasonably” linked to an individual. Under this approach, the FCC would tie “reasonable linkability” to both individuals and their devices to better capture persistent identifiers like cookies, IP addresses, MAC addresses, and unique device identifiers. So the FTC seems to be suggesting that the FCC narrow its target a bit.
Customer Consent to Use of PI – Options Based on Sensitivity of Data, Rather Than the User/Use of the Data.
In its privacy proposals, the FCC is trying to give consumers greater control of ISPs’ use of consumers’ PI for various purposes other than the provision of BIAS. The FCC would establish a bifurcated approach based on who would be using the PI and for what:
If the ISPs themselves (or through their affiliates that provide communications-related services) would be using the customer PI to market other communications-related services, they could do so without prior customer approval as long as the customer has the opportunity to opt-out.
But customers would have to opt-in before the ISPs would be permitted either to share customer PI with non-communications-related affiliates or third parties or to use customer PI themselves (or through their communications-related affiliates) for any purpose other than the provision of BIAS.
Thus, the FCC’s distinction between opt-in and opt-out customer consent is primarily related to the entity that proposes to use the customer data and the nature of the proposed use. The FTC suggests a different focus.
In contrast to the FCC, the FTC recommends that the level of customer consent be based on the nature and sensitivity of the customer data being used or shared. This is based on the idea that the level of consent should be related to customer expectations regarding the sensitivity of their information and the way in which the ISP will use the data. Under this approach, because customers feel that the “content” of their communications (e.g., text of emails, substance of social media, search terms, media consumed) and certain other data (e.g., social security number, health/financial or geolocation data) is sensitive, use of those data should be subject to affirmative opt-in choice by the consumer, regardless of whether the user is the ISP, its affiliate, or a third party. The FTC recognizes that the FCC’s user-based distinction has the advantage of tracking the existing FCC CPNI rules, and provides an easier “bright line” for industry to follow. Nevertheless, the FTC recommends an approach that it believes better reflects consumer expectations.
ISP Data Security and Breach Notification
Well aware that significant data breaches are now a regular occurrence, with potentially devastating effects on consumers (we’re looking at you, Ashley Madison members), the FCC has proposed robust data security rules. In particular, ISPs would be expressly required to take a variety of steps to safeguard customer PI, and to notify customers when the ISP’s security wall has been breached. Again, the FTC has some reservations about the FCC’s proposed approach.
While generally supporting the FCC’s proposals, the FTC would reduce the stringency of those proposals in a few ways. For example, while the FCC would require ISPs to take “reasonable” security measures, the FTC notes that the FCC’s proposed underlying obligation to “ensure the security” of customer PI is itself unconditional. Such strict liability may not be appropriate in all situations, so the FTC recommends that the proposed rule be re-written to require ISPs to “ensure the reasonable security” of the PI. Along the same lines, the FCC proposes that breach notifications be sent to consumers within 10 days (subject to the needs of law enforcement) of the breach. But, as the FTC sees it, this time period may be too short to allow companies sufficient time to conduct an investigation. In the FTC’s view, ISPs should be required to provide breach notice “without unreasonable delay, but not later than an outer limit of between 30 and 60 days.” And, expressing a concern that consumers can become “numb” from over-notification of minor breaches, the FTC suggests that the FCC reduce the scope of breaches triggering the reporting requirement.
The “Warning” in the Separate Comments of FTC Commissioner Ohlhausen
While FTC Commissioner Ohlhausen joined in the approval of the comments filed on the FTC’s behalf, she also filed her own separate comments, more sharply critical of the FCC’s proposals. Her goal: to “emphasize the differences between the FTC’s approach and the proposed FCC approach to consumer privacy, and to warn that the FCC’s approach may not best serve consumers’ interests.” Well …
First up, the issue of customer consent to use of their PI. Recall that the FCC would tie the type of consumer consent needed (i.e., opt-in vs. opt-out) to the nature of the user and anticipated use of the PI, while the FTC would tie the type of required consent to the nature of the data to be used. Noting the burden on both consumers and industry in providing and obtaining consent, Commissioner Ohlhausen points out that the FCC’s proposal would require more burdensome opt-in consent for many uses of non-sensitive data, yet would require no consent at all for certain uses of sensitive data by ISPs. This is a valid concern about an issue marked by difficult cost/benefit calculations.
Next up, the FCC’s proposal to prohibit ISPs from offering service to customers at a discounted price in return for customers’ consent to the use and sharing of their confidential information in certain additional ways. One example cited by the FCC: an AT&T offer to discount BIAS price in exchange for permission to use “individual Web browsing information,” including search and browsing history, “to tailor ads and offers to [customers’] interests.” In advancing that proposal, the FCC also relied on an FTC Report that, according to the FCC, indicated that such pricing models “unfairly disadvantage low income and underserved communities.” But according to Ohlhausen, that mischaracterizes the FTC Report. In her view, discounted-rate BIAS supported by targeted ads may in fact increase adoption of BIAS in underserved communities, so such offers should not be prohibited in competitive markets where the terms are transparent and fairly disclosed. In effect, she appears to believe that the FCC is moving from protecting consumers to smothering them.
It comes as no surprise that the FTC generally supports the approach of its sister agency. Nevertheless, it is notable that the FTC seems to think that the FCC’s proposals go too far, and that some reductions in the scope of those proposals are in order. It will be interesting to see how the FCC reacts to the suggestions from the agency that it “competes” with to be the nation’s premier privacy regulator.
Reply comments in this proceeding are due by June 27, 2016. Please contact us if you need more information, or wish to participate.