FCC, FTC Promise to Work in Concert on Consumer Privacy Rules in Broadband

The Telecommunications Law Resource Center is the most comprehensive reference and news platform for communications law, covering broadcasting, cable, broadband, telephony and wireless;...

By Lydia Beyoud

April 28 — Federal Communications Commission and Federal Trade Commission officials indicated a desire to work together to regulate and enforce future rules governing how consumers' online data is collected, stored, used, and shared under the new regime resulting from the reclassification of broadband Internet services under Title II of the Communications Act.

During an April 28 workshop, FCC officials noted a tension between between ISPs' desire for regulatory certainty and consumer advocates' call for strong and evolving rules that can adapt to emerging privacy challenges.

The FCC is in the preliminary phase of determining how to apply rules designed for the type of data collected by telephone service providers under Section 222 of the Communications Act of 1934, and apply them to the Internet ecosphere. Indeed, the commission may contemplate creating new regulations specific to online data and consumers' expectations of how their data is safeguarded and used across a network.

Content or Metadata?

The line between the type of online information traditionally considered as content and as metadata will only continue to blur as data use increases, said technologist Matt Blaze, an associate professor for computer and information science at the University of Pennsylvania. For consumers, metadata increasingly feels like content, which is afforded greater legal protections; meanwhile, natural market pressure for ISPs and edge providers to monetize consumer data and thus push more information to the side of metadata will only increase, he said.

AT&T Inc.'s Chief Privacy Officer and a senior lobbyist, Bob Quinn, called for the commission to factor into their decision-making that numerous content providers collect as much, and in some cases, more data than ISPs do.

“Entity-based regulation is a last-century approach to privacy,” he said. Regulations imposed solely on ISPs on how their customers' data is used and shared by them could inhibit their ability to compete with new entrants whose business models are entirely driven by advertisement, said Quinn.

“If we can't compete on an ad supported model, we're going to end up with the opposite” of the agency's policy goal of further deployment of broadband services, he said.

Although Section 222 could provide strong rules and a good model for the FCC to follow in its rulemaking, the agency has an opportunity to establish new rules to serve as a model for baseline principles that apply to other actors on the Internet, said Erik Stallman, director of the Open Internet Project and general counsel for the Center for Democracy and Technology. “This is an opportunity to pass some of the most significant privacy regulation in years,” Stallman said.

Other consumer advocates questioned, however, whether an ad-driven model of Internet infrastructure is in need of protection. Trillions of dollars have been invested in Internet infrastructure, such as with voice over Internet protocol (VoIP) calling, without the need for an ad-based model, said Harold Feld, senior vice president for Public Knowledge.

Another panelist said ISPs are fundamentally different from edge providers in their role as a gatekeeper to an essential service, and ought to be held to a higher standard. Broadband providers have a unique ability to view personal communication and track all of a user's online movement, said Laura Moy, senior policy counsel for New America's Open Technology Institute.

Notice, Consent

Several panelists said the FCC could balance stakeholders' concerns by implementing strong consumer notice and consent requirements depending on which role an ISP is playing in its interaction with a user.

Consumers have the right to know which information is collected, how it is used, and receive assurances that the data will be reasonably protected, said Joshua Seidemann, vice president of policy for NTCA-The Rural Broadband Association.

Those broad principles could help ensure a strong yet flexible, self-regulating standard online, he said. Several panelists noted that consumer expectations likely assume that their data sent through a mobile application is protected in the same way as, for example, call data sent through their broadband provider's network.

Location Information

How location information is used will be a key element of a possible rulemaking. Section 222(f) requires customer consent in most cases for both wireline and wireless ISPs to collect location data.

Although consumers have a privacy interest in their location information, the law is unclear in terms of what kind of location information should qualify as customer proprietary network information (CPNI) in the broadband context, said Nancy Libin, a partner at Wilkinson Barker Knauer LLP.

To contact the reporter on this story: Lydia Beyoud in Washington at lbeyoud@bna.com

To contact the editor responsible for this story: Heather Rothman at hrothman@bna.com