Broadband Internet service providers are wary of a government plan to impose consumer privacy protection regulations on the sector.
The Federal Communications Commission likely will issue the proposed regulations by Friday. It will accept public comment on the proposal before taking final action.
The program would require ISPs to meet consumer privacy protection standards similar to the regulations that cover telephone service companies. ISPs currently are exempt from such requirements.
“The information collected by the phone company about your telephone usage has long been protected information. FCC regulations currently limit your phone company’s ability to repurpose and resell what it learns about your phone activity without your consent. The same should be true for information collected by your ISP,” FCC chairman Tom Wheeler said at a recent Georgetown University conference.
While consumers generally are aware that social media and website hosts collect a wealth of personal data from users and visitors, few are aware that the vehicle for such contacts — the ISPs — also track personal information, he said.
FCC Reveals Ability to Collect Consumer Data
“Your ISP handles all of your network traffic. That means it has a broad view of all of your unencrypted online activity — when you are online, the websites you visit, and the apps you use,” Wheeler said.
“If you have a mobile device, your provider can track your physical location. Even when data is encrypted, your broadband provider can piece together significant amounts of information about you — including private information such as a chronic medical condition or financial problems — based on your online activity,” he added.
The regulations would address the use and protection of consumer data generated through ISP operations, according to a draft of the proposal.
- Privacy: ISPs would retain the authority to use customer data for billing and marketing their own broadband services. However, the proposed rules “mandate that customers be given a choice as to whether an ISP can use customer data for other purposes,” according to a summary of the draft compiled by Dee Dee Fischer, a partner at Akerman.For example, customers will have the right to opt out of permitting ISPs to use their data for marketing services other than broadband, or sharing data for marketing purposes with affiliates that provide communication services. Additionally, ISPs would be prohibited from sharing customer data for any other purpose, such as targeted advertising, unless the customer opts in, according to the summary.
- Security: The FCC program will impose “robust and flexible data security requirements” on broadband providers, Fischer noted. ISPs will be required to take reasonable steps to safeguard customer information from unauthorized use or disclosure, including adoption of risk management practices, training of personnel, and use of customer authentication measures. ISPs must designate a senior manager for data security and take responsibility for the use and protection of customer information when shared with third parties. Breaches would have to be reported to consumers and the government within certain time frames.
“These new rules, if passed into law, will represent the first time that the FCC has imposed data privacy rules on ISPs, and would constitute some of the strongest privacy regulations of any segment of the technology and telecommunications industry,” Fischer said.
The regulations would affect a wide range of broadband companies, including AT&T, Comcast, Cox Communications, Time Warner Cable and Verizon.
Operators Challenge FCC Authority
Permanent adoption of the FCC proposal could face significant legal hurdles, however. A key factor is whether the commission has the legal authority to regulate ISPs at all.
In 2015, it decided to classify ISPs as telecommunications entities subject to the same type of regulation as telephone utilities. That empowered the commission to issue the proposed privacy regulations for ISPs.
Broadband operators challenged the decision in a case pending before the U.S. Court of Appeals for the District of Colombia. They contend that under the Telecommunications Act, ISPs are information services and as such cannot be regulated in the same fashion as telecommunications providers.
The technology and engineering associated with ISP connections is inherently different from the direct service to consumers provided by regulated telephone utilities, the ISPs argue. The FCC’s jurisdiction extends only to telephone utility data defined by law as consumer proprietary network information and does not cover the tiered ISP structure enabled by router-based connectivity.
ISPs Favor Flexible Regulation
Even if the FCC prevails and retains regulatory jurisdiction over ISPs, members of the broadband community have taken issue with its approach to regulating ISPs.
The rules for ISPs are at odds with the requirements for other online entities, according to the National Cable & Telecommunications Association. The FCC should work to ensure consistency in consumer privacy protection and fair competition.
The commission should embrace the approach taken by the Federal Trade Commission, which protects consumers while allowing IT providers flexibility in meeting privacy goals, CTIA urged. The FTC focuses on potentially deceptive activities by e-commerce providers in failing to inform consumers of privacy impacts, as well as prosecuting unfair practices in the delivery of services.
“There should be one set of rules that cover wireless operators, apps and over-the-top providers so that consumers know what, if anything, is happening to their information, regardless of which company holds it,” said Debbie Matties, vice president for privacy at CTIA.
“If the FCC does have jurisdiction over this issue, it should follow the FTC model that has resulted in innovation throughout the Internet while protecting consumers. Establishing a different set of rules for a limited subset of the industry will only confuse customers,” she told the E-Commerce Times.
Consumer advocates strongly endorse the proposal.
“The FCC is not just legally authorized to take action — it is imperative for the agency to issue a broad rule-making that addresses the full range of communications privacy issues facing U.S. consumers,” said Claire Gartland, consumer protection counsel at the Electronic Privacy Information Center.
“Because the U.S. currently lacks comprehensive privacy legislation or an agency dedicated to privacy protection, there are very few legal constraints on business practices that impact the privacy of American consumers. The FCC has the opportunity to fill this void,” she told the E-Commerce Times.
Groups Cite FCC Powers
Unlike the FCC, the FTC does not have rule-making authority to issue regulations on e-commerce, except in limited circumstances, Gartland noted.
“Fundamentally, the FTC is not a data protection agency. Without regulatory authority, the FTC is limited to reactive, after-the-fact enforcement actions that largely focus on whether companies honored their own privacy promises,” she said.
“Broadband Internet access system providers act as critical gatekeepers in the broadband ecosystem, and their data collection is detailed and captures much of a consumer’s online activity. Therefore, the FCC’s proposed actions are important, and it is good to see the FCC seize this rare and important opportunity to protect the privacy of broadband consumers,” said Katharina Kopp, director of privacy and data at the Center for Democracy and Technology.
“CDT believes that promoting innovation is not incompatible with protecting the fundamental right to privacy,” she told the E-Commerce Times. “Giving individuals the opportunity to affirmatively consent to uses of their broadband data for purposes unrelated to providing communications services is fair and will give them some much needed control. This will build trust in the process, in the economic marketplace and in further innovation.”