FCC Votes to Block New Internet Privacy Rule
Consumer groups oppose the move, saying regulation is needed to protect personal data
The Federal Communications Commission voted 2-1 Wednesday to block one of several broadband privacy rules the agency approved last year to protect consumers' online activities.
The new rule, which had been scheduled to take effect Thursday, would have required internet service providers and phone companies to take "reasonable" steps to protect customers' information from theft and data breaches, and provide notifications if they did occur.
The FCC's new chairman, Ajit Pai, announced last week that he planned to block implementation of the data security rule in order to reconcile it with how the Federal Trade Commission regulates other parts of the internet.
All of the new broadband privacy rules have been opposed by the telecom industry, which said the FCC regulations would make it more difficult for ISPs to compete with companies such as Google and Facebook, which are subject to weaker privacy regulations by the FTC.
In a joint statement, Pai and acting FTC head Maureen Ohlhausen said their agencies "are committed to protecting the online privacy of American consumers."
The statement added: "We believe that the best way to do that is through a comprehensive and consistent framework. After all, Americans care about the overall privacy of their information when they use the Internet, and they shouldn’t have to be lawyers or engineers to figure out if their information is protected differently depending on which part of the Internet holds it."
Several Democratic senators, as well as consumer groups including Consumer Reports, opposed the move.
“Today’s vote appears to be a troubling first step towards unraveling critical, pro-consumer online privacy protections," says Laura MacCleery, vice president of policy and mobilization for Consumer Reports. "Consumers deserve to know, and to have a say in, who uses their data and how."
The organization has heard from more than 50,000 consumers who support the privacy rules, she says.
In a recent nationally representative Consumer Voices survey by Consumer Reports, respondents expressed concern about their privacy online. Sixty-five percent of Americans told us they are either slightly or not at all confident that their personal data is private and not distributed without their knowledge.
This week's tussle over broadband regulation is likely to be repeated throughout the coming months, involving both the FCC and Republican senators who say they plan to scuttle the rest of the FCC's broadband privacy rules. Ultimately, the regulatory authority over ISPs such as Comcast and Charter Communications may be transferred back to the FTC.
Here's a look at what the new rules are intended to do and what consumers can expect next:
How the New Rules Would Have Worked
Every time you go online, you reveal a lot of information about yourself: what you browse, where you shop and what you buy, which apps you use, and basically what you're interested in. That gives your ISP—a cable company such as Comcast or Charter, or a telco such as AT&T or Verizon—a lot of information about you. They can track, collect, and share this data with outside companies such as marketers.
The new broadband privacy rules—which were approved last year by the FCC when it was headed by Chairman Tom Wheeler—promised consumers greater control over how their personal information is collected and shared by their ISPs.
The rules mandated three main protections, to be rolled out in stages.
One is the data safety provision that was blocked from going into effect this week. ISPs would have been required to strengthen their protection of consumer information from breaches and other vulnerabilities, using industry-accepted best practices. The rule would also have imposed stringent requirements for disclosure if a data breach did occur.
The other rules are still scheduled to be implemented later in 2017. One calls for greater transparency. Your ISP would be required to tell you what kind of information was being collected about you, how it used that data, and which other companies got access to it. Right now, none of that information is available to consumers.
The regulations also mandate opt-in consent on data collection. This means that you would have to agree before an ISP could use, share, or sell your "sensitive" personal data. For regulatory purposes, the term normally covers all children's information, plus health and financial data, and Social Security numbers. But the FCC plan also pulls in web browsing and app usage histories, as well as the content of communications such as emails.
In addition to the opt-in, you'd have the right to opt out of the ISP's use of nonsensitive information, without risk of the ISP cutting off or refusing you service.
Why Is There a Debate?
Almost everyone says that consumers have a right to data privacy and security. But how to best tackle the issue is a much more divisive topic. At the heart of the debate is the question of which agency should set the rules.
Right now, the FCC is in charge. But Pai, industry groups, and many Republican members of Congress don't like that arrangement.
The FCC got involved in regulating broadband providers in 2015, when it reclassified ISPs as common carriers, akin to old-fashioned phone companies, under Title II of the Communications Act. That moved regulatory authority over the ISPs to the FCC from the FTC. The immediate result was that the FCC could establish Open Internet rules to enforce the concept of net neutrality—which prevents broadband providers from blocking, throttling, or creating special "fast lanes" for companies willing to pay for it.
Like broadband privacy rules, net neutrality is becoming a renewed subject of debate. This week, Pai called the policy "a mistake" while speaking at a mobile technology conference in Barcelona, Spain.
Once it had authority over ISPs, the FCC also approved the new privacy rules.
Opponents in the broadband industry argue that it's unfair for the rules to hold ISPs to stricter standards than Internet companies such as Amazon, Google, and Netflix, which also collect and monetize consumer data. Those so-called "edge providers" follow the FTC's less stringent requirements.
Consumer groups see it differently. They argue that ISPs should be held to higher standards because of their unique position sitting between the consumer and the entire internet. That gives the ISPs a unique position to see and track all our online activities, from social media posts to Google searches to email and beyond.
During a press conference this week, Sen. Ed Markey, D-Mass., and consumer groups vowed to put up a fight. Without the FCC privacy rules, Markey said, "broadband providers will be able to sell dossiers of the personal and professional lives of their subscribers to the highest bidder without their consent."
Advocates also point out that the FTC doesn't have the authority to regulate ISPs right now. So if the FCC doesn't set rules, no one else can, either. “Under the guise of putting local monopoly ISPs on a level playing field with competitive edge providers, the chairman’s actions will leave consumers without any protections at all," says Dallas Harris, policy fellow at Public Knowledge.
In an unusual move, FTC commissioner Terrell McSweeny and FCC commissioner Mignon Clyburn issued a joint statement last week saying that a rollback of the rules would leave consumers "without a cop on the beat protecting their personal information from misuse by their broadband service provider."
What Happens Next?
Now that the data-security rule has been blocked, attention is moving on to the FCC's other privacy rules. Commissioners could vote to overturn those regulations, as well.
But industry lobby groups have asked Congress to use another tool—the Congressional Review Act—to address the issue. This measure was enacted in the 1990s and was employed successfully for just the second time earlier this month, to repeal a regulation forcing oil, gas, and mining companies to disclose financial transactions with foreign governments. It would cancel the privacy rules and prevent the FCC from revisiting the issue in the future.
Consumer groups oppose that change. "To do away with these essential protections through the Congressional Review Act would be shortsighted," Consumer Reports staff attorney Katherine McInnis says. "The Commission should not be prevented from acting—now or in the future—in the public’s interest to protect consumers’ online privacy.”
The CTIA and NCTA - The Internet & Television Association—the main lobbying groups for the cable and wireless industries—as well as other groups representing ISPs and advertising companies, recently argued in a letter to Congress that the FCC rules "would create confusion and interfere with the ability of consumers to receive customized services and capabilities they enjoy and be informed of new products and discount offers."
The groups had also warned that consumers would be "bombarded with trivial data breach notifications" if the FCC rules were enacted.