On October 7th, the Federal Communications Commission's (FCC) issued a fact sheet from and blog by the FCC Commissioner Tom Wheeler outlining the revisions made in its prior proposal for privacy rules covering Internet Service Providers (ISPs). The proposal was revised based on public, industry and Federal Trade Commission (FTC) comments and will be voted on by the full Commission on October 27th.
While the revised proposal is better than the original, it still has fundamental flaws that will undermine its laudable purpose. The proposed privacy rules will only cover ISPs and not websites and apps such as Google, Twitter, Facebook and Amazon. It also does not advance a consistent, coherent and comprehensive framework for consumer online privacy.
Websites and apps are being excluded based on the FCC's interpretation of its regulatory authority limits. Commissioner Wheeler sites the FTC's regulatory authority over, and privacy framework for, websites and apps to counter arguments that their exclusion could harm consumer privacy protections. Yet that very exclusion creates the very real potential for conflicting rules and gaps in online privacy protections for consumers.
I discuss these issues in more detail below but first, briefly, what has changed from the original proposal to this revised version?
The fundamental change is the revised proposal's change from a focus on the ways in which a consumer's information would be used to a focus on the sensitivity of the consumer's information. Under the revision, consumers would have to affirmatively agree (opt-in) before ISPs could use and share sensitive information defined as covering "geo-location, children's information, health information, financial information, Social Security Numbers, web browsing history, app usage history and the content of communication".
However, consumers will have to be pro-active (opt-out) if they don't want non-sensitive information to be used and shared by their respective ISPs (FACT SHEET: CHAIRMAN WHEELER'S PROPOSAL TO GIVE BROADBAND CONSUMERS INCREASED CHOICE OVER THEIR PERSONAL INFORMATION; October 7, 2016). But even the new focus raises issues as there is a strong argument to be made that some of the non-sensitive information might include online activities that consumers would not want used or shared without their affirmative consent.
More importantly, the revised proposal does not reflect the reality of the scope of consumers current and future online activities. While Commissioner Wheeler contends that a consumer's "...ISP handles all of your network traffic[.]" (Commissioner Wheeler's October 7, 2016 blog) what neither he nor the proposal acknowledge is that Google, Twitter, Facebook, Amazon and myriad other websites and apps have access to, collect, use and share extensive, granular consumer information.
Here are just a few facts underscoring that reality:
Google's Display Network "...spans over two million websites that reach over 90% of people on the Internet[.]" giving businesses the ability "...to connect with customers with a variety of ad formats across the digital universe" (https://support.google.com/adwords/answer/2404190?hl-en;
At least 75% of the world's 500 most popular websites contain web trackers with Google's DoubleClick appearing on over 15% of all sites (www.usatoday.com/story/tech/news/2016/08/16/web-trackers-cookies-third-party-doubleclick-google-university-of-washington/88864172);
Facebook's Analytics for Apps has been used by over 800,000 unique apps since being launched in 2015 and is being integrated directly into Facebook's pixel, which is a tool that helps advertisers target ad campaigns to specific audiences (http://www.zdnet.com/article/facebook-adds-cross-platform-metric-to-its-free-analytics-tool); and
Facebook's Like Button (a cookie-based tracking device) is its most popular social plug-in and is present on 32% of the top 10,000 sites -- sites that include almost every type of website including health and government websites (Facebook Tracking Through Social Plug-ins, Technical Report Prepared for the Belgian Privacy Commission, June 24, 2015, https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf).
Excluding those, and other, websites and apps not only doesn't reach a significant amount of consumer information. Moreover, the proposal will produce rules resulting in unintended downstream consequences --confusing and conflicting, not complementary, consumer online privacy protections.
Why? In part, due to the very reason that Commissioner Wheeler sites as a safety net for consumer privacy protection. Websites and apps that are owned by an ISP will remain covered by the FTC's privacy frameworks. Consumers could end up ping ponging between and among the FCC and the FTC and who knows how many other agencies as they try to figure out which agency has jurisdiction for their privacy problem. Or worse even, the Commission's expanded privacy scope coupled with the FTC's decreased privacy scope could create a coverage gap --a consumer problem which neither can address.
Consumers need and deserve to have a consistent set of privacy rules for their online activities, regardless of the means by which they access and use the Internet.