Broadband Internet service providers are wary of a government plan to impose consumer privacy
protection regulations on the sector.
The Federal Communications Commission likely will issue the proposed regulations by Friday. It will
accept public comment on the proposal before taking final action.
The program would require ISPs to meet consumer privacy protection standards similar to the
regulations that cover telephone service companies. ISPs currently are exempt from such requirements.
“The information collected by the phone company about your telephone usage has long been protected
information. FCC regulations currently limit your phone company’s ability to repurpose and resell what
it learns about your phone activity without your consent. The same should be true for information
collected by your ISP,” FCC chairman Tom Wheeler said at a recent Georgetown University conference.
While consumers generally are aware that social media and website hosts collect a wealth of personal
data from users and visitors, few are aware that the vehicle for such contacts — the ISPs — also track
personal information, he said.
FCC Reveals Ability to Collect Consumer Data
“Your ISP handles all of your network traffic. That means it has a broad view of all of your unencrypted
online activity — when you are online, the websites you visit, and the apps you use,” Wheeler said.
“If you have a mobile device, your provider can track your physical location. Even when data is
encrypted, your broadband provider can piece together significant amounts of information about you —
including private information such as a chronic medical condition or financial problems — based on your
online activity,” he added.
The regulations would address the use and protection of consumer data generated through ISP
operations, according to a draft of the proposal.
Privacy: ISPs would retain the authority to use customer data for billing and marketing their own
broadband services. However, the proposed rules “mandate that customers be given a choice as to
whether an ISP can use customer data for other purposes,” according to a summary of the draft
compiled by Dee Dee Fischer, a partner at Akerman.
For example, customers will have the right to opt out of permitting ISPs to use their data for marketing
services other than broadband, or sharing data for marketing purposes with affiliates that provide
communication services. Additionally, ISPs would be prohibited from sharing customer data for any
other purpose, such as targeted advertising, unless the customer opts in, according to the summary.
Security: The FCC program will impose “robust and flexible data security requirements” on broadband
providers, Fischer noted. ISPs will be required to take reasonable steps to safeguard customer
information from unauthorized use or disclosure, including adoption of risk management practices,
training of personnel, and use of customer authentication measures. ISPs must designate a senior
manager for data security and take responsibility for the use and protection of customer information
when shared with third parties. Breaches would have to be reported to consumers and the government
within certain time frames.
“These new rules, if passed into law, will represent the first time that the FCC has imposed data privacy
rules on ISPs, and would constitute some of the strongest privacy regulations of any segment of the
technology and telecommunications industry,” Fischer said.
The regulations would affect a wide range of broadband companies, including AT&T, Comcast, Cox
Communications, Time Warner Cable and Verizon.
Operators Challenge FCC Authority
Permanent adoption of the FCC proposal could face significant legal hurdles, however. A key factor is
whether the commission has the legal authority to regulate ISPs at all.
In 2015, it decided to classify ISPs as telecommunications entities subject to the same type of regulation
as telephone utilities. That empowered the commission to issue the proposed privacy regulations for
Broadband operators challenged the decision in a case pending before the U.S. Court of Appeals for the
District of Colombia. They contend that under the Telecommunications Act, ISPs are information
services and as such cannot be regulated in the same fashion as telecommunications providers.
The technology and engineering associated with ISP connections is inherently different from the direct
service to consumers provided by regulated telephone utilities, the ISPs argue. The FCC’s jurisdiction
extends only to telephone utility data defined by law as consumer proprietary network information and
does not cover the tiered ISP structure enabled by router-based connectivity.
ISPs Favor Flexible Regulation
Even if the FCC prevails and retains regulatory jurisdiction over ISPs, members of the broadband
community have taken issue with its approach to regulating ISPs.
The rules for ISPs are at odds with the requirements for other online entities, according to the National
Cable & Telecommunications Association. The FCC should work to ensure consistency in consumer
privacy protection and fair competition.
The commission should embrace the approach taken by the Federal Trade Commission, which protects
consumers while allowing IT providers flexibility in meeting privacy goals, CTIA urged. The FTC focuses
on potentially deceptive activities by e-commerce providers in failing to inform consumers of privacy
impacts, as well as prosecuting unfair practices in the delivery of services.
“There should be one set of rules that cover wireless operators, apps and over-the-top providers so that
consumers know what, if anything, is happening to their information, regardless of which company
holds it,” said Debbie Matties, vice president for privacy at CTIA.
“If the FCC does have jurisdiction over this issue, it should follow the FTC model that has resulted in
innovation throughout the Internet while protecting consumers. Establishing a different set of rules for a
limited subset of the industry will only confuse customers,” she told the E-Commerce Times.
Consumer advocates strongly endorse the proposal.
“The FCC is not just legally authorized to take action — it is imperative for the agency to issue a broad
rule-making that addresses the full range of communications privacy issues facing U.S. consumers,” said
Claire Gartland, consumer protection counsel at the Electronic Privacy Information Center.
“Because the U.S. currently lacks comprehensive privacy legislation or an agency dedicated to privacy
protection, there are very few legal constraints on business practices that impact the privacy of American
consumers. The FCC has the opportunity to fill this void,” she told the E-Commerce Times.
Groups Cite FCC Powers
Unlike the FCC, the FTC does not have rule-making authority to issue regulations on e-commerce,
except in limited circumstances, Gartland noted.
“Fundamentally, the FTC is not a data protection agency. Without regulatory authority, the FTC is
limited to reactive, after-the-fact enforcement actions that largely focus on whether companies honored
their own privacy promises,” she said.
“Broadband Internet access system providers act as critical gatekeepers in the broadband ecosystem,
and their data collection is detailed and captures much of a consumer’s online activity. Therefore, the
FCC’s proposed actions are important, and it is good to see the FCC seize this rare and important
opportunity to protect the privacy of broadband consumers,” said Katharina Kopp, director of privacy
and data at the Center for Democracy and Technology.
“CDT believes that promoting innovation is not incompatible with protecting the fundamental right to
privacy,” she told the E-Commerce Times. “Giving individuals the opportunity to affirmatively consent
to uses of their broadband data for purposes unrelated to providing communications services is fair and
will give them some much needed control. This will build trust in the process, in the economic
marketplace and in further innovation.”