FCC Approves Broadband Privacy Rules

The Telecommunications Law Resource Center is the most comprehensive reference and news platform for communications law, covering broadcasting, cable, broadband, telephony and wireless;...

By Kyle Daly

Oct. 27 — The Federal Communications Commission Oct. 27 established new privacy rules for broadband internet providers, stepping up its oversight of an industry that is likely to challenge the agency's move in court.

The rules, which the commission approved on a 3-2 party-line vote, require internet service providers (ISPs) such as Comcast Corp. and AT&T Inc. to get express prior subscriber consent, known as opt-in, to collect sensitive data.

The agency defines sensitive data to include health and financial information, geolocation records and users’ internet browsing and app usage history. Consent would give ISPs permission to use that information to tailor advertising to a given consumer, or share it with a third-party marketer to do the same.

FCC Chairman Tom Wheeler said the new rules are aiming at giving consumers control over how their information is used.

“It is the consumer's information,” Wheeler said. “It is not the information of the network the consumer hires to deliver that information.”

Despite the FCC action, it's not clear whether or when they'll ever actually be enforced against ISPs, given the expected legal challenge. What's more, the privacy rules stemmed from the FCC's 2015 decision to reclassify ISPs as common carriers under federal communications law, which itself is still in legal limbo.

Broadband providers appealed the reclassification, which formed the basis of the agency's net neutrality rules, to the U.S. Court of Appeals for the District of Columbia Circuit. A three-judge panel upheld the FCC in June ( U.S. Telecom Assoc. v. FCC, D.C. Cir., 15-1063, decision rendered 6/14/16 ) . The providers have asked the full D.C. Circuit to hear the case.

Observers on both sides think it's unlikely the full D.C. Circuit or the U.S. Supreme Court would overturn the panel decision, but such a ruling would leave the new privacy rules on shaky legal ground.

Court Challenge in Offing

The differing standards between the FCC's approach and the Federal Trade Commission's privacy regime are likely to factor into a legal challenge to the rules, John Beahn, counsel on communications and national security at Skadden, Arps, Slate, Meagher & Flom in Washington, told Bloomberg BNA.

“It's becoming a rite of passage for major FCC orders to be appealed,” Beahn said.

The FCC's definition of what constitutes sensitive data, which is more expansive than the FTC's definition, drove criticism from the broadband industry and Republican commissioners alike before the agency vote. Critics said the move to require opt-in consent to collect browsing and app history could confuse consumers and make it harder for ISPs to compete in the online advertising market with so-called “edge providers” such as Alphabet Inc.'s Google Inc. and Facebook Inc. that provide online content.

A legal challenge to the FCC privacy rules would likely focus on whether the FCC has the authority to regulate the privacy practices of ISPs under federal communications law, Beahn said. Challengers would likely also raise concerns, he said, about whether the FCC violated administrative law by adopting an approach to privacy rules that significantly differed from its initial proposal without giving stakeholders extra time to weigh in.

It's unclear how much traction such arguments would have. Broadband providers used such arguments in their D.C. Circuit challenge to the FCC's 2015 reclassification decision.

FTC regulatory authority doesn't extend to common carriers. That agency, which previously regulated ISPs' privacy practices, continues to serve as the privacy watchdog for edge providers. Unlike the FCC in its new rules, the FTC, which has a long history of regulating the privacy practices of U.S. companies, hasn't considered browsing or app history to be sensitive information.

Regulatory Disconnect?

FTC Chairwoman Edith Ramirez said in a Oct. 27 statement she was “pleased” by the FCC's move.

“We look forward to continuing to work with the FCC to protect the privacy of American consumers,” Ramirez said.

As for the regulatory disconnect, the FTC theoretically could sync up its own sensitive data categories for edge providers with the FCC's new approach. Such a unified approach could neuter claims that the FCC's rules pose consumer harms and unique burdens for ISPs, Harold Feld, senior vice president of Public Knowledge, told Bloomberg BNA after the vote. But such a move would be a dramatic departure from the FTC's traditional case-by-case approach to privacy enforcement.

Despite opposing the rules, Republican Commissioner Ajit Pai likewise said the “ball is now squarely in the FTC's court” to “return us to a level playing field.”

After the rules are published in the Federal Register, which could take weeks, ISPs will have 90 days to comply with certain provisions on keeping data secure; six months to comply with requirements on informing customers of data breaches; and 12 months to comply with the central consent and customer notice regime established by the rules. Small ISPs will get an extra 12 months on the last point. If ISPs fail to adhere to the rules, they could face enforcement actions and fines.

If the FCC privacy rules take effect, ISPs will have to develop new systems for customers to choose and manage their privacy preferences. They will also be held to different consent standards than edge providers, unless the FTC decides to adopt the FCC's new privacy regime for the companies in its orbit.

FCC fines don't have to be rooted in demonstrable consumer harm, as FTC fines do. Ronald W. Del Sesto, Jr., a partner at Morgan Lewis & Bockius LLP in Washington told Bloomberg BNA that while it may be “seductive for agencies to show muscle,” he hopes the FCC will only seek forfeitures in the event of actual harms if an ISP fails to comply with any element of the rules.

Outside the chief function of establishing a privacy management regime, the rules gives ISPs guidelines on protecting customer data from breaches and requirements to notify customers of breaches in a timely manner. They also allow ISPs to freely collect and use certain data that would otherwise fall under the rules as long as they alter it so it can't be linked to a specific consumer or device.

Broadband providers will be able to use non-sensitive information under the FCC privacy rules, such as a user's name, address and data plan, without prior consent, though consumers can tell providers they don't want such data collected, which is known as opt-out.

The rules don’t ban outright service offerings under which ISPs give discounts to customers who agree to share certain data. The rules instead require opt-in consent for any such offering and have ISPs deliver additional disclosures on offering details. They do ban ISPs from forcing consumers to either give up data or forgo service altogether.

Industry Disgruntled

Several broadband providers and industry associations came out against the rules, largely citing the FTC-FCC divide.

Comcast Executive Vice President David L. Cohen in a blog post that the rules “will likely do more harm than good for consumers, competition, and innovation in the all-important internet ecosystem.” Joan Marsh, Senior Vice President of Federal Regulatory for AT&T, said the package of rules “departs from the FTC regime in significant and illogical ways” and will confuse consumers who think they've opted out of data collection only to continue seeing targeted ads served by edge providers.

The American Cable Association, which represents small and midsize cable companies, and NCTA – The Internet & Television Association, which represents broadband and cable providers more generally, both said the rules will harm ISPs' ability to compete.

Some lawmakers and groups, including Sens. Ed Markey (D-Mass.) and Patrick Leahy (D-Vt.), Free Press, New America's Open Technology Institute, Public Knowledge and the National Hispanic Media Coalition, hailed the vote. Many of them urged the FCC to enact an outright ban on pay-for-privacy offerings but said the rules adopted Oct. 27 will meaningfully protect consumer privacy.

[With assistance from Jimmy H. Koo.]

To contact the reporter on this story: Kyle Daly in Washington at kdaly@bna.com

To contact the editor responsible for this story: Keith Perine at kperine@bna.com

For More Information

An FCC fact sheet on the rules is available at: http://src.bna.com/jGK

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.