On October 27, 2016, the FCC, under the leadership of Chairman Wheeler, stepped into protecting internet privacy in a big way. The new FCC privacy order, passed 3 to 2 along party lines, is controversial with broadband providers and advertisers as being unnecessary, overreaching, and creating regulatory confusion. However, this is the year of privacy and cybersecurity.  Users, from the top to the bottom, have come to expect limited privacy and having their data hacked by bad guys and their personal web search history known by providers and web sites.  Lengthy privacy notices are quickly agreed to.  Internet users, basically all U.S. adults, know that, by living online on their iPads and looking down at their mobile phones, they are giving up what the U.S. society thought privacy was when there was just the telephone. The FCC is attempting to address this loss of internet privacy for the firms it has authority to regulate, the broadband service providers.

A New York Times article by Farhad Manjoo (10/19/16) says it all: “Whoever Wins the White House, This Year’s Big Loser is Email.” With the hacking of the Clinton email servers, a cybersecurity issue, and the constant reporting of the loss of personal and financial data, even from government servers, again a hacking issue, privacy demands have come to the forefront. The EU has become far more aggressive than the U.S. with privacy protection requiring, for example, opt-in cookie notifications for every web site. The FCC may be seeking to give users more mandated protection, like the EU has done.  While some broadband providers have voluntarily enacted pro-consumer privacy policies, the FCC order will now mandate the policies for all broadband providers. 

The new FCC order regulates privacy practices of broadband internet service providers only, carving out non-broadband providers or “web” and social media companies like Facebook or Google which the FTC (Federal Trade Commission) regulates.  Broadband providers are those firms connecting users to the Internet at the edge as opposed to web sites which are accessed through the connection of the customer’s broadband provider. Wheeler's concern has been that broadband providers, that are now more tightly regulated under rigorous Chapter 47 Title II regulation through the highly controversial Network Neutrality order a/k/a Open Internet Order, would require customers to pay higher fees in exchange for limiting privacy.  The underlying technical difference from broadband providers and web sites is that the broadband providers connect customers to the internet web sites. That internet connection, through cable, DSL, or mobile phones, gives providers access to users’ information not freely available to web companies. The two simple examples of the type of information always available to the broadband provider but not to a web site or app company include precise geo-location data and the unique address of every web page visited by the user. The FCC has regulated on a limited basis privacy in the past. The FCC require telecommunications firms (think voice service) to keep customer data confidential. These FCC CPNI rules (Customer Proprietary Network Information) included basic information like a number called by the customer and when it was called.  The FCC privacy order is now expanding its Internet privacy rules far beyond the telephone CPNI rules.

The new FCC rules give customers “opt-in” and “opt-out” rights for their broadband providers, limiting or expanding as authorized by the customers to make commercial use of the customers’ private, personal information. When signing up for broadband service, the FCC rule will give the user the privacy right to “opt-in” to a technical process that will allow their broadband provider to use and share with third-parties the customer’s sensitive information like precise GPS location, web browsing history, and app usage. Customers of broadband service providers will also have the right to “opt-out” from their broadband providers’ practice of using and sharing with third parties non-sensitive information like the customers’ email addresses.  Moreover, broadband service providers will now be required to provide easy to understand, “transparent” notices to their customers stating what information is being collected and how that information may be used or shared with third parties. The FCC order will mandate privacy protection practices, addressing the cyber security hacking problems, requiring broadband providers to use reasonable data security practices and to implement best practices consistent with the FTC’s rules and the President’s 2015 “Consumer Privacy Bill of Rights.”   If a broadband service provider is hacked, these policies could arguably protect the broadband provider against liability if the provider is shown to have been implementing the reasonable security practices.

The FCC’s privacy order also imposes a “common-sense data breach notification” requirement for broadband providers to giving consumers and law enforcement notice of breaches. These type of notices for web sites in the U.S. vary based on differing state regulations (Massachusetts and California, for example, have the most comprehensive privacy protection and notice requirements) or different vertical related industry service statutes such as HIPAA/HITECH for healthcare related services and Frank-Dodd for financial related services. One advantage of the regulation for broadband providers is that they will be subject to one, national set of privacy and cybersecurity rules and that potentially different state regulation of the broadband providers’ privacy and cybersecurity notice practices will be pre-empted by the FCC.

Arguments against the privacy order articulated by the two Republican commissioners and by broadband service providers and on-line advertisers contend that: a) the FTC has already regulated privacy of web companies, b) the FCC’s new opt-in privacy rule for broadband providers will be confusing to consumers, c) the order would treat internet providers differently than web companies like Google or AOL, favoring Google type companies over broadband service providers, d) the order went too far in protecting certain non-sensitive consumer information like names, addresses, and phone numbers, and e) like the lengthy dissent argument set forth in the Network Neutrality decision, the FCC failed to follow basic comment periods and information evidence gathering requirements needed to comply with administrative law as provided in Chevron v.  Natural Resources Defense Council, Inc., 467 U.S. 837 (1984).   Based on the comments provided by those opposing broadband providers and advertising associations opposing the new privacy order, it is likely that the order will be challenged and appealed.    

See more of Barlow Keener's articles at TMCNet

This blog/Web site is made available by the contributing lawyers or law firm publisher solely for educational purposes to provide general information about general legal principles and not to provide specific legal advice applicable to any particular circumstance. By using this blog/Web site, you understand that there is no attorney client relationship intended or formed between you and the blog/Web site publisher or any contributing lawyer. The blog/Web site should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.