What's Next? Consumer Privacy After Dismantling of FCC RegPresident Trump Signs Legislation Eliminating FCC Rule
Now that President Donald Trump has signed legislation to eliminate the Federal Communications Commission's oversight of the way internet service providers sell their customers' information, could other jurisdictions - such as states - step in?
The president on April 3 signed legislation recently approved by Congress to nullify an Obama-era FCC regulation that would have required ISPs to get their customers' permission before selling their information to advertisers and others. The FCC rule, now voided, would have gone into effect in the fall.
A proponent of the annulled regulation, the advocacy group Electronic Frontier Foundation, suggests states could take up the cause to safeguard browsing histories and other customer data. "We urge state lawmakers and technology providers to look for ways to shore up individual privacy until Congress is ready to listen to the consumers who don't want to trade away their basic privacy rights in order to access the internet," Kate Tummarello, a policy analyst at the foundation, writes in a blog.
Conflicting Legal Views
But legal experts offer conflicting views about whether states can step in and regulate how ISPs treat their customers. Herb Lin, a senior research scholar for cyber policy and security at Stanford University, points out that municipalities license ISPs, and they might require the providers to agree not to sell private information without receiving customers' permission as a condition of receiving that license.
Dana Simberkoff, chief compliance and risk officer at cloud services provider AvePoint, says some states have begun to develop regulations to safeguard the privacy of ISPs' customers. "If enough states work quickly to adopt these kinds of opt-in laws for ISPs, then it's likely that the ISPs will generally require opt-in just to avoid the headache of providing and managing different services in different markets," Simberkoff says.
Scott Hempling, an attorney who specializes in state utility regulation, says states could regulate ISPs unless federal law specifically prohibits it. "I see no reason why state legislatures could not enact such legislation," Hempling says. "For a state [utility] commission to regulate in this area, it would have to receive regulatory powers from the state legislature."
But other lawyers contend federal law pre-empts states from regulating ISPs.
"States can try to do this, but the FCC could issue an order pre-empting the states," says Robert Litan, an adjunct senior fellow at the Council on Foreign Relations, who in 2014 wrote a paper on regulating internet access as a public utility. "ISPs may not even wait for such an order; they could sue a state and claim the current order implicitly pre-empts. There's a reasonable shot ISPs would win."
Litan explains that the FCC has regulatory authority over the nation's communications network under the Communications Act of 1934, the law that created the FCC. "ISPs would claim that state action that interferes with national networks are pre-empted," he says.
In the absence of a federal law, states have adopted their own data breach notification laws - some with prescriptive steps organizations must take to safeguard customers' data. But such statutes would not be analogous to states regulating an ISP, says Mark Mao, a partner specializing in cybersecurity and privacy law at the firm Troutman Sanders.
In 2015, with the backing of the Obama administration, the FCC designated ISPs as common carriers so they could be regulated. Trump's signing of the rescinding of an FCC regulation doesn't change the common carrier status of ISPs, but it limits actions the FCC can take in regulating them. Most Republicans - including the new FCC chairman, Ajit Pai - opposed the net neutrality decision the FCC adopted in 2015 that gave the commission jurisdiction over ISPs. Pai, then one of two GOP commissioners on the five-member FCC, voted against the FCC regulating ISPs. He's calling for the elimination of net neutrality.
Last August, a U.S. Ninth Circuit Court of Appeals ruled in FTC vs. AT&T Mobility LLC that the Federal Trade Commission has no jurisdiction over ISPs.
In announcing that Trump signed the measure invalidating the FCC rule, the White House did not provide his rationale for doing so. But Pai, a Trump appointee, praised the president and the Republican majority in Congress that approved the bill for appropriately invalidating one part of the Obama-era plan to regulate the internet.
"American consumers' privacy deserves to be protected regardless of who handles their personal information," Pai said in a statement. "In order to deliver that consistent and comprehensive protection, the Federal Communications Commission will be working with the Federal Trade Commission to restore the FTC's authority to police internet service providers' privacy practices. We need to put America's most experienced and expert privacy cop back on the beat. And we need to end the uncertainty and confusion that was created in 2015 when the FCC intruded in this space."
How would the FCC and FTC work together? Pai didn't say.
Mao, the attorney, suggests the two regulatory agencies could collaborate on resolving the dilemma created by a decision made by the U.S. Ninth Circuit Court of Appeals that ruled the FTC has no jurisdictions over ISPs. The appeals court decision only applies to the seven western states within the district.
"The FTC has not conceded that it has no authority over traditional deception and unfair practices by ISPs, and we will have to see how the FCC and FTC address this under their new chairs and what will be Republican majorities." says privacy and data security lawyer Alan Friel of the BakerHostetler law firm.
"The FCC could simply adopt the FTC's existing approach to consumer privacy, whether by issuing regulations that mirror that approach, or by letting the FTC just handle it," Friel says. "The FTC, unlike the FCC, however, lacks the ability to issue fines for privacy violations, except in narrow areas where Congress granted it such authority such as for children's privacy. So, the FCC issued new regulations that reflected the FTC's approach to privacy, they could have more enforcement authority than were the FTC to be left to enforce Section 5 of the FTC Act."
Section 5 prohibits unfair or deceptive acts or practices that affects commerce.
Consumer Protection Debate
A big disagreement between proponents and opponents of the quashed FCC rule is whether the FTC regulation protects consumer privacy.
Proponents of the revoked regulation say that requiring ISPs to get their customers to opt-in - or provide affirmative approval - before selling their private data, such as browsing history, personal finances and health information, as required under the regulation, would have allowed consumers to maintain control over their own information.
"Poll after poll shows that this is something that the public has long desired," the Consumer Federation of America, an advocacy group says. "When Congress voted to take these rights away, there was a swift and angry reaction across the country and political spectrum. Americans saw, correctly, that those who voted for repeal were siding with the big cable and telephone companies, the main internet service providers, instead of with the people."
But opponents to the FCC rule contend privacy protections exist with opt-out, and ISPs should be treated the same as other internet companies, such as Google and Facebook, that would not have been affected the FFC rule.
ISPs Speak Out
Yet, some major ISPs who opposed the FCC regulation say their privacy policies require customer approval before they would sell private information.
Though the new law would allow ISPs to sell private information unless consumers opt out, Comcast Chief Privacy Officer Gerald Lewis says opt-in has been, and will continue to be, the company's default policy. Existing privacy principles commit Comcast to refrain from sharing its customers' sensitive information, including data about banking and health information, unless first obtaining customers' affirmative consent, he says.
Verizon Chief Privacy Officer Karen Zacharia noted: "Let's set the record straight. Verizon does not sell the personal web browsing history of our customers. We don't do it, and that's the bottom line."
Privacy attorney Ron Raether of Troutman Sanders sees certain ISPs' decisions to have customers opt in to sharing their private data as proof that the marketplace will safeguard customer privacy. "Sound cybersecurity should be a part of a consumer's analysis and decision to choose one provider over another," Raether says. "These market forces will likely do more to make sure that all consumers are satisfied with their choices. Moreover, these market pressures will do more to effectuate positive change. As the FTC has recognized, consumer education is a key factor in these issues."