On March 31st, the Federal Communications Commission (FCC) adopted Chairman Tom Wheeler's proposal to create new privacy rules for broadband Internet Service Providers (ISPs). This proposal, while well-intended, has limitations that could adversely impact consumers.
The FCC's proposed rule making provides an opportunity for a wider, and yes, bolder approach--- an approach that could admittedly take longer but could result in stronger consumer online protections. I have identified three overarching questions that should be part of such an approach. Failing to fully discuss these questions could create unintended downstream consequences --confusing and conflicting, not complementary, consumer online privacy protections.
Some brief context. The proposal's genesis is the FCC's 2015 reclassification of broadband ISPs as telecommunications services. This change generated more FCC oversight and a decision that it needed to create specific privacy rules for the manner in which broadband-ISPs protect their customers' online activities and information.
The questions I raise below are underscored by the Pew Research Center's January 2016 report (Privacy and Information Sharing; www.pewresearch.org)(Pew Report).The Pew Report analyzed over two years of surveys from U.S. adults about their opinions about privacy and surveillance issues. What did they find? Briefly, that respondents want more control over their personal information; that they believe they've lost control over the amount of their personal information collected and used by companies; and that current U.S. laws do not sufficiently protect their online privacy (Pew Report).
That brings me to the three overarching questions whose deliberation could promote enhanced consumer online privacy protections.
What kind of privacy framework would advance online consumer protections?
Such a framework would recognize the kinds of consumer concerns supported by the Pew Report's findings. Those concerns will only grow given the reality of the "Internet of Things."
Why are those concerns important to crafting a robust privacy framework? Because it's likely that many consumers aren't thinking about whether they're connecting with their broadband ISP when logging onto the Internet. They log on, go to a website and start roaming ---from a particular business site then maybe to Facebook or Google or Amazon. It's no secret that companies and sites plan on expanding, not contracting, their consumer data collection since it's such a rich source for multiple commercial purposes.
The short answer: there should be consistent, across the board rules for collecting and using consumer data. More, not less, consumer control (opt in, not opt out) withno distinction between broadband-ISPs and non-broadband online entities.
Could the new FCC rules unintentionally create consumer confusion and coverage gaps?
First, the FCC's goal is stronger online consumer privacy protections --no one in the discussions to date has voiced a view other than supportive of this goal. That, however, begs the question of the extent of the potential problems.
And here's where the "who's on first?" scenario gets joined for consumers. The FCC's now greater broadband-ISP oversight means the Federal Trade Commission (FTC) no longer has its prior authority for broadband-ISP privacy issues. These jurisdictional distinctions might be understandable for policy makers and regulated entities but create unneeded consumer complexity.
The short answer: the new rules shouldn't create the possibility where consumers ping pong between the FCC and the FTC while trying to figure out which of them can answer a privacy problem. Or worse, the new FCC's increased privacy scope coupled with the FTC's decreased privacy scope could create a coverage gap --a consumer problem which neither can address.
Finally, what would make the FCC's privacy rules stronger and advance consistent consumer online protections?
The FCC's new rules will address privacy protections for the means by which consumers access the Internt. A narrow focus on just the broadband-ISPs is short sighted given the multiplicity of devices consumers use and will be using.
The short answer: the U.S. already has specific privacy laws for categories of personal information (e.g., health, financial). The FTC's privacy principles are strong and established. So, at a minimum, the FCC should build off these existing privacy frameworks and not create entirely new rules that will create confusion and gaps.
Here's the bolder part of this answer: the FCC's authority should cover non-broadband ISPs -- the Googles, Amazons, Facebooks and future entities that will surely be forthcoming. Consumers want and deserve online protection. A piecemeal approach will not achieve that goal no matter how laudable the FCC's end goal.