The Federal Communications Commission’s (FCC’s) 2015 Open Internet Order classified broadband Internet providers as common carriers, fundamentally altering how the federal government regulates the Internet. See In re Protecting & Promoting the Open Internet, GN Docket No. 14-28, 30 FCC Rcd 5601 (Open Internet Order) (Mar. 12, 2015); Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, 81 Fed. Reg. 23,330 (Apr. 20, 2016). Notably, the Order removed the Federal Trade Commission’s (FTC’s) authority to regulate broadband companies, and assigned the FCC practically exclusive federal consumer protection jurisdiction over those entities. The significance of this jurisdictional shift has become apparent in the FCC’s current rulemaking on broadband privacy. The FCC has initiated a regulatory turf war by taking over the FTC’s role as the chief federal regulator of privacy for broadband companies and proposing rules that diverge in substance from the FTC’s established approach to consumer privacy. Here, I outline three areas of controversy to watch as the privacy rulemaking proceeds:
i. Interagency tension between the FCC and the FTC;
ii. Asymmetric regulation of similarly situated Internet companies; and
iii. The outcome of US Telecom v. FCC, the legal challenge to the Open Internet Order.
Since the 1970’s, the FTC has been the preeminent federal regulator of consumer privacy. Pursuant to § 5 of the FTC Act, 15 U.S.C. §45(a)(2), the FTC is empowered to protect consumers from “unfair or deceptive” practices of commercial entities, including unfair or deceptive uses of private data. However, § 5 exempts certain entities from the FTC’s jurisdiction, including common carriers. By classifying broadband providers as common carriers, regulated under Title II of the federal Communications Act, the FCC’s Open Internet Order displaced the FTC’s authority over these companies.
To avoid a regulatory vacuum with respect to broadband providers’ privacy obligations, the Open Internet Order announced that the FCC would apply § 222 of the Communications Act, the federal privacy rules for telephone companies, to broadband providers. Section 222 precludes a company classified as a telecommunications service provider from illicit uses of “customer proprietary network information” (CPNI). CPNI refers to information related to a subscriber’s telephone usage, such as the services the customer buys, and the customer’s incoming and outgoing call logs. The CPNI rules were originally introduced under the Telecommunications Act of 1996—largely to prevent incumbent telephone companies from using their subscribers’ data to gain an unfair advantage in marketing long-distance and other telecommunications services. Given the different context in which the CPNI provisions were enacted, and the fact that the provisions have never been applied to broadband providers, the FCC voted to initiate a new rulemaking to tailor the § 222 provisions to the broadband context.
The notice of proposed rulemaking, issued on March 31, 2016, seeks to interpret § 222(a) as protecting a broadened category of customer proprietary information (customer PI). In re Protecting the Privacy of Broadband & other Telecomm. Servs., WC Docket No. 16-106, Notice of Proposed Rulemaking, FCC 16-39 (Apr. 1, 2016). Customer PI is to include an expanded CPNI category adapted to the broadband context, as well as a novel “personally identifiable information (PII)” category. The notice takes a sweeping approach to the latter category, defining PII as “any information that is linked or linkable to an individual,” including all data relating to a broadband subscriber’s internet activity.
The notice proposes requiring broadband providers to obtain opt-in consent before sharing customer PI with third parties, or using their subscribers’ personal information for any purposes other than marketing communications-related services. By limiting the sharing of subscriber data to such an extent, the opt-in consent requirement de facto prevents broadband providers from monetizing customer data through targeted advertising.
Mandatory opt-in consent for such a broad category of data is significantly more onerous than the FTC’s approach to privacy. Primarily an enforcement agency that lacks prescriptive privacy rules, the FTC protects customer data under its consumer protection authority to police “unfair or deceptive acts or practices.” 15 USC § 45(a)(1). Under the unfairness authority, a company is prohibited from acts or practices that cause substantial unavoidable injury to consumers, not outweighed by countervailing benefits to consumers or competition. Under the deception authority, a company is proscribed from making materially misleading statements or omissions. In applying these standards, the FTC has primarily sought to ensure that companies honor their privacy commitments to customers, and it occasionally required companies to provide an opportunity to opt out of certain data-sharing practices. However, the FTC has only required opt-in consent for a narrow subset of cases, such as when a company retroactively changes its privacy policies, or uses sensitive personal data like customers’ social security numbers or precise geo-location data.
By contrast, the FCC proposes to require opt-in consent for practically all sharing of consumer information with third parties, regardless of the sensitivity of the information or the presence of consumer harm. This proposal would subject broadband companies to a much higher privacy burden than the FTC standard.
i. Interagency tension between the FCC and the FTC
The Notice of Proposed Rulemaking argues that since broadband providers carry all of a user’s network traffic, they are the “most important and extensive conduits of consumer information” and therefore ought to be subject to tougher consent rules. While the FCC’s privacy rulemaking lauds the FTC’s leadership in consumer protection, it contends that the FTC’s failure to treat broadband providers differently from other companies creates a “gap” in privacy protection, forcing customers to choose between forgoing their privacy and forgoing Internet access.
The FCC’s proposed privacy regime comes at the cost of removing the FTC’s consumer protection authority over broadband companies and has resulted in considerable tension between the two agencies. FTC officials have publicly criticized the FCC’s arrogation of authority, pointing out that the FTC has over 15 years’ experience bringing privacy enforcement actions against companies. According to Director of the FTC’s Bureau of Consumer Protection Jessica Rich, removal of the FTC’s authority “takes an experienced cop off the beat in this important area.” Thomas B. Norton, Internet Privacy Enforcement After Net Neutrality, 26 Fordham Intell . Prop. Media & Ent. L.J. 225 (Fall 2015). FTC Commissioner Maureen Olhausen has further contended that the FTC’s role as an enforcement body—relying on “common-law-like” ex post decisionmaking— to address actual harms and real disputes—makes it institutionally better suited to constantly-changing technologies and business models of the Internet economy, compared to the FCC’s modus operandi of crafting categorical ex ante rules. Hon. Maureen K. Olhausen, The FCC’s Knowledge Problem: How to Protect Consumers Online, 67 Fed. Comm. L.J. 203 (April 2015).
FTC officials have also criticized the substance of the FCC’s proposals. In a March speech, Commissioner Olhausen argued that the FCC’s excessively low threshold for opt-in consent is overbroad, “impos[ing] the preferences of the few on the many,” and ultimately leaving consumers worse off. By contrast, the FTC is primarily concerned about what consumers actually want, and ensuring that the practices the FTC deems unfair “match practices that consumers generally reject.” At a panel in April, Former FTC Commissioner Joshua Wright further argued that whereas the FTC relies on a team of economists to evaluate costs and benefits, the FCC notice is “noneconomic altogether” and devoid of data to justify the stricter rules.
Tension between the two agencies over the privacy rulemaking may lead to legal battles. Notwithstanding the FCC’s reclassification of broadband as a common carrier, the FTC could argue that it possesses concurrent jurisdiction over broadband privacy. According to the FTC’s activity-based interpretation of the common carrier exemption, which was accepted in FTC v. AT&T Mobility LLC, 87 F. Supp. 3d 1087 (N.D.Cal. 2015), a business can have both common carrier and non-common carrier components, and the FTC may regulate a common carrier so long as the regulation is limited to the entity’s non-common carriage services. One can imagine the FTC bringing a privacy enforcement action against a broadband company, arguing that despite the reclassification of broadband providers as common carriers by the FCC, the management of subscriber information by broadband companies is not a common carriage service, and therefore remains under the FTC’s authority. The question of whether the FCC’s classification of broadband providers dictates the FTC’s authority, or whether the FTC’s interpretation of common carriage would prevail, might need judicial resolution.
i. Asymmetric regulation of similarly situated Internet companies
One of the main criticisms of the FCC’s proposed rule is that it treats broadband providers differently from their competitors in the internet industry: namely, edge providers like Google and Facebook, which remain under the FTC’s more flexible authority. By creating a more onerous regime for broadband providers, the FCC subjects them to a competitive disadvantage, creating artificial winners and losers in the Internet industry.
The FCC privacy rulemaking justifies its asymmetric regulation on the grounds that unlike other components of the Internet, broadband companies have unique and comprehensive access to user activity data. However, according to a study led by Professor Peter Swire, who served as a privacy advisor for both the Clinton and Obama administrations, broadband provider access to user data is neither comprehensive nor unique. Internet users commonly use multiple broadband providers, Wi-Fi networks, and devices over the course of the day, precluding a single broadband provider from gaining a comprehensive picture of a user’s online activity. Broadband providers’ access to data is further limited by the increasing prevalence of website encryption, and the use of virtual private networks. Peter Swire, Justin Hemmings & Alana Kirkland, Online Privacy & ISPS: ISP Access to Consumer Data Is Limited and Often Less than Access by Others, A Working Paper of the Institute for Information Security & Privacy at Georgia Tech (Feb. 29, 2016).
Moreover, according to Swire, broadband companies are by no means the leading sellers of targeted advertising. Rather, social networks and search engines are privy to “the most commercially valuable information about online users.” The Electronic Privacy Information Center echoes Swire, pointing out that broadband companies are not “the only so-called gatekeepers to the Internet who have extensive and detailed views of consumers’ online activities” and that “many of the largest email, search, and social media companies exceed the scope and data collection activities of the ISPs.” Memorandum re: FCC Communications Privacy Rulemaking, Electronic Privacy Information Center (Mar. 18, 2016).
The FCC might attempt to correct this regulatory asymmetry by extending the privacy rulemaking to edge providers as well. Although edge providers are not currently considered common carriers, and therefore do not fall within the jurisdiction of § 222, the FCC would not necessarily consider itself foreclosed from regulating them. After all, until the Open Internet Order, broadband service providers were not considered common carriers either. Moreover, the FCC has used § 706 of the Telecommunications Act of 1996, which directs the FCC to promote the deployment of broadband, as an expansive source of regulatory authority. Whether or not that provision was enacted as an independent grant of authority to regulate the Internet—Republican FCC Commissioners Ajit Pai and Michael O’Reilly have argued that it was not—the D.C. Circuit has deferred under Chevron to the FCC’s interpretation of § 706 as a source of rulemaking power, including the authority to regulate entities that fall outside the FCC’s core jurisdiction over common carriers. Verizon v. FCC, 740 F.3d 623, 637–40 (D.C. Cir. 2014). The FCC could thus very well seek to extend the same stringent privacy rules to edge providers ostensibly pursuant to § 706.
Even if the FCC were to refrain from regulating edge providers, the disparity in treatment of edge providers may put pressure on the FTC to correct regulatory asymmetry and conform to the FCC’s stricter rules in enforcing its own § 5 authority. Even though the FTC has expressed substantive disagreement with the privacy rulemaking, it has held that “any privacy framework should be technology neutral,” recognizing that broadband providers “are just one type of large platform provider that may have access to all or nearly all of a consumer’s online activity.” Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses & Policymakers. FTC Report (Mar. 2012). To the extent that the FTC’s mandate is to promote competition, the anti-competitive effects of the FCC’s proposed rules can perhaps only be mitigated by the FTC’s extending the same stringent rules to edge providers. However, responding to regulatory asymmetry in such a way would require the FTC to abandon its long-held principles about the best approach to consumer privacy protection.
ii. The future of US Telecom v. FCC
As explained, the FCC’s privacy rulemaking is grounded in its reclassification of broadband providers as common carriers in the 2015 Open Internet Order. However, the validity of the reclassification depends on the ultimate outcome of U.S. Telecom Association v. FCC, No. 15-1063 (D.C. Cir.), the legal challenge to the order. Although the D.C. Circuit upheld the FCC order on June 14, 2016, the challengers will likely seek en banc rehearing from the Court of Appeals and/or certiorari from the Supreme Court. The potential for continued litigation leaves the vitality of the privacy rule uncertain.
The D.C. Circuit’s panel opinion, authored jointly by Judges David Tatel and Sri Srinivasan, rejected the panoply of procedural and substantive challenges to the Open Internet Order advanced by the challengers. Finding that the Supreme Court’s opinion in National Cable & Telecommunications Association v. Brand X Internet Services, 545 U.S. 967, 986 (2005), established the Communications Act’s ambiguity as to the proper classification of broadband Internet, and rejecting arguments that the agency failed to provide sufficient notice of the final order, the majority held that the FCC properly exercised its discretion to reclassify broadband Internet as a telecommunications service. But Judge Stephen Williams, a well-recognized authority on administrative law, dissented in large part, arguing that even if reclassification were permissible as a matter of statutory interpretation, the FCC failed to provide adequate empirical grounds for the change, rendering the reclassification arbitrary and capricious. This disagreement among the panel members on such a significant case signals that further judicial review may be forthcoming.
To the extent that the en banc D.C. Circuit or Supreme Court agrees with Judge Williams that the FCC’s reasons for reclassification were inadequate, any subsequent attempt at reclassification would require a new rulemaking. Because the extant privacy rule is beholden to the Open Internet Order’s reclassification of broadband Internet, a do-over would place the broadband privacy matter in limbo. Furthermore, the outcome of a revamped network neutrality rulemaking may depend on the outcome of the 2016 election and whether the FCC remains under Democratic control or becomes majority Republican. Given Republican FCC Commissioners Pai and O’Reilly’s vigorous dissents to the Open Internet Order, it is unlikely that a Republican-controlled FCC would re-issue the same substantive rules—let alone reclassify broadband Internet as a public utility.
Alternatively, a reviewing court might pursue a compromise position, and uphold the reclassification of wireline broadband as a common carriage service, but still strike down the reclassification of wireless broadband providers. After all, the treatment of wireless providers was viewed as the most vulnerable aspect of the Open Internet Order and many expected it to be invalidated. According to a white paper by Cellular Telephone Industries Association, among the petitioners in the US Telecom case, subsections 332(c) and (d) of the Communications Act plainly state that wireless providers not interconnected with the public switched telephone network cannot be classified as common carriers. However, such a compromise would leave wireline and wireless broadband providers subject to different rules, creating additional disparities in the treatment of similarly situated Internet entities, and further highlighting criticism relating to asymmetric regulation and the proposed rules’ anti-competitive distortions.
In short, the legal challenge to the Open Internet Order is far from over—and the FCC’s broadband privacy rulemaking continues to hang in the balance.
The FCC’s privacy rulemaking highlights the implications of reclassifying broadband Internet as a common carrier service. From a turf war between two federal agencies, to the apparent struggle among industry players to triumph in the targeted advertising market, the implementation of the Open Internet Order’s privacy components has been fraught with controversy. With the fate of the Open Internet Order far from resolved, it is still not clear which agency will prevail as the primary regulator of broadband privacy, and whether the proposals in the FCC rulemaking will earn legitimacy. One thing for certain is that the FCC’s proposed privacy rules will remain in contention for a long time.
Copyright 2016 © by the American Bar Association. Reprinted with permission. All rights reserved. This information or any or portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.