In the past few days, there have been many hyperbolic headlines about Congress “selling out the American consumer” or “voting to end internet privacy” or other things equally apocalyptic. Are things truly so grim for the data-consuming public? What actually happened? Here’s the short version: utilizing the Congressional Review Act (CRA), both the House and the Senate voted to disapprove a privacy regulation that the Federal Communications Commission published on December 2, 2016. (Under the CRA, Congress can repeal new federal regulations via the passage of a joint resolution within 60 legislative days of a final rule’s publication.) The rule in question was titled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” and created a set of new obligations for broadband service providers with respect to customer information.
What Did the Rule Do – Is Privacy Gone?
It is important to note that, prior to the adoption of the FCC’s new rule, there was no federal regulation specifically governing how ISPs were permitted to use and share their consumers’ information. The Commission described the rule as requiring companies to “put their customers in the driver’s seat” concerning decisions about the use of customers’ personal information, but stressed that the rule did not create any kind of blanket prohibition on the use or sharing of consumer information.
The December rule would have created a variety of new obligations for ISPs providing broadband to people’s homes, including:
- Notifying customers about what types of information the ISP was collecting
- Specifying how and for what purposes the ISP was using or sharing customer information
- Identifying the types of entities with which an ISP was sharing customer information
- Requiring ISPs to obtain customer consent via an “opt-in” to use and share “sensitive information” (which includes precise geo-location, children’s information, health information, financial information, social security numbers, web browsing history, app usage history, and the contents of communications).
- Requiring ISPs to offer an “opt-out” for the use and sharing of all other “individually identifiable” customer information.
- Forbidding ISPs from offering “take-it-or-leave-it” plans (where an ISP would refuse to offer service unless a customer consented to the commercial sharing of their information).
- Forcing case-by-case adjudication of the legitimacy of “pay-for-privacy” plans that offer discounts or other incentives in exchange for customers’ express consent to the use and sharing of their information.
- Requiring ISPs to take “reasonable measures” to protect consumer data, in line with FTC requirements in the area.
- Creating breach notification requirements in the event that customers’ data is compromised.
These requirements would all have gone into effect between 90 days and 12 months from the rule’s final adoption, absent Congress’ actions this week.
What Else Matters?
Even with the repeal of the FCC’s rule, ISPs currently remain classified as telecommunications providers under Title II of the Communications Act and thus subject to more general obligations to protect customer privacy (although it seems likely that that will also change in the coming year). More importantly, the FCC is not the only source of consumer privacy regulations. It is critical to note that many states have their own internet privacy statutes—and several others are considering new legislation in the aftermath of Congress’ rollback of the 2016 FCC rule. Any provider should be sure to check what the legal requirements are in their jurisdiction before rolling out any new consumer data program.
Additionally, providers must consider the risk of running afoul of federal and state wiretap laws should they aggressively start intercepting, monitoring, or disclosing to advertisers their consumers’ internet communications absent those consumers’ consent. Currently, there is substantial legal ambiguity around the line between “content” (protected from interception by the Electronic Communications Privacy Act and analogous state statutes) and “metadata” (which is not), particularly with regard to the specific URLs a user visits while surfing the web.
For ISPs, the way forward is still murky. Although the affirmative obligations detailed in the December rule will not go into effect, there remain a variety of other potential sources for obligations to consumers, as well as the overarching question of whether they will remain classified as common carriers under Title II of the Communications Act. Additionally, aggressively mining customer data could lead to substantial bad press, or even (depending on the structure of a program) legal action by the FTC, state attorneys general, or private parties under ECPA. Prior to this rule, many ISPs had privacy policies and terms of service agreements that set boundaries around their collection, use and sharing of customer information; risk-averse entities would be wise to exercise caution when considering major changes.
It is also important to note that none of the hubbub around this rule relates to the privacy practices of websites, apps, or other online businesses not actually providing broadband services. Entities like Facebook, Google (except in its Google Fiber capacity) and Twitter remain under the authority of the Federal Trade Commission, which polices unfair and deceptive trade practices, and their obligations to their customers were unaffected by this week’s vote.