There is a vote coming up soon that could have far reaching ramifications on how technology and services are developed and used. You would be forgiven if you think I am referring to the presidential election, though its importance cannot be understated.
In just one week, on October 27th, the Federal Communications Commission (FCC) will vote on proposed privacy regulations for broadband providers, or Internet Service Providers (ISPs). Ironically, as is the FCC’s custom, these privacy regulations that could impact a broad swath of the internet ecosystem and nearly all Americans are being kept under such tight wraps that we have no idea what those rules will be until after the commissioners vote them into effect.
Why are technology companies concerned about rules reportedly aimed at ISPs? It is because we are a part of a broader ecosystem and, in spite of the distinct business models; we have a shared interest in seeing the advancement of privacy principles that honor consumer choice and expectation that also enable innovation. It is because of our belief in respecting and protecting the privacy of our customers, as well as our commitment to innovation, that we empathize with those groups pushing for quick passage for the FCC’s privacy rules while remaining steadfast in our call for further public input to ensure such rules work in the real world context.
Based on what little we know from press reports and the limited information released by the Commission, the rules the FCC is poised to adopt will significantly change the way privacy is regulated without demonstrating any added benefit over the current framework and may in fact ultimately degrade the internet experience for all consumers. Unfortunately, while FCC Chairman Wheeler wrote a blog and the Commission released a “fact sheet” on the revised proposed rule, those documents raise more questions than they answer. For example, we do not know:
- How the revised proposed rule is “in line with approaches taken by other privacy frameworks, including the Federal Trade Commission’s (FTC) and the Administration’s Consumer Privacy Bill of Rights.” The FCC moved closer to an opt-in/opt-out regime based on the sensitivity of the data, but it appears to reclassify nearly all data as sensitive according to the fact sheet. For instance, web browsing and app usage histories are just two of the categories of information captured by the revised proposal that are not treated as sensitive data under other frameworks. While we appreciate the move toward an opt-in/opt-out regime based on the sensitivity of data, this revision appears to be a distinction without a difference from the prior proposal, and represents a sufficiently significant shift from current privacy regulatory approaches that more public feedback is warranted.
- How a rule that requires pre-approval from a regulatory body for business decisions is “designed to…encourage innovation.” According to the fact sheet, “so-called ‘pay for privacy’ offerings raise unique considerations,” and should providers want to offer discounts or other innovative incentives enabling consumers to lower the cost of their subscribed services, they would have to pre-submit such plans to the Commission, which will then “determine on a case-by-case basis the legitimacy” of such programs. We question how this policy is “in harmony with other key privacy frameworks and principles – including those outlined by the Federal Trade Commission and the Administration’s Consumer Privacy Bill of Rights."
- How harm is defined in the data breach context. We agree that it is important for consumers to know when a data breach puts them at risk, but defining the type of risk and the level of such risk is also important. It is an issue currently before Congress and it should not be summarily decided by a regulatory agency.
There is no argument that the FCC should act to fill the regulatory vacuum left by reclassification in this space. While the ISPs formerly fell under the purview of the FTC for issues relating to privacy, as Chairman Wheeler’s blog and the Commission fact sheet point out, “there are currently no rules in place outlining how ISPs may use and share their customers’ private information.” We affirmed in my testimony before the Senate Commerce Committee, and in a letter to the FCC Commissioners a few weeks ago, the importance of acting. We also then called for—and affirm now—the importance of respecting settled privacy approaches established by the FTC that have proven effective, and, as well, allowing for adequate input where the FCC plans to deviate from those established norms.
That is why we urge the FCC to make their proposal public before next week and to continue further dialogue with stakeholders to ensure the proposed regulations hew closely to the existing privacy framework that has for so long both protected consumers and enabled continued innovation.