Throughout 2016, I raised concerns about the consumer online privacy protections created by the Federal Communications Commission’s (FCC) well-intended but fundamentally flawed privacy rules covering Internet Service Providers (ISPs). The change in Administration --- regardless of one’s views --- has created an opportunity for Congress and the FCC to revisit the threshold issue of whether the FCC’s new ISP privacy rules should be implemented on March 2nd in their current formulation. Calling for this kind of careful reconsideration is a pro-consumer policy position, not partisan politics, and should be seen as such. I argue that if the rules go forward, they should not do so without significant revisions needed for uniform consumer privacy protections.
There is a very real possibility that this kind of careful reassessment can happen. FCC Chairman Ajit Pai is proposing a temporary stay of these rules; these rules were only adopted in October 2016 so postponing implementation does not undermine longstanding rules. Why is a stay helpful? Precisely because of the concerns that were raised during the 2016 discussions -- discussions that included comments filed by the Federal Trade Commission (FTC) recommending that the FCC modify its approach to be consistent with the FTC’s established privacy framework --- a balanced and flexible framework with strong consumer privacy protections, applicable to all providers in the Internet ecosystem that fosters innovation, investment and new services.
What are the privacy problems with the current FCC rules? A brief history of the FCC’s efforts is useful context. The most all-encompassing move came in 2015 with its reclassification of broadband ISPs as telecommunications services. That reclassification generated more FCC oversight- at the expense of the FTC, the established privacy cop on the beat - and a decision that it thus needed to create specific privacy rules for the ISPs under its newfound authority.
The FCC’s narrow focus on ISPs does nothing to advance a consistent, coherent and comprehensive framework for consumer online privacy. Instead, it poses the very real potential for conflicting rules resulting in privacy gaps and consumer confusion.
Websites and apps are excluded based on the FCC’s interpretation of its regulatory authority limits. However, the real limit the FCC has set is that this resulted in rules focusing only on the entity (i.e., ISP) and not the data itself. Why is this approach a problem? It creates different privacy rules for the same types of online data which ignores the reality of consumers’ online activities. Google, Twitter, Facebook, Amazon and myriad other websites and apps have access to, collect, use and share magnitudes of granular consumer information, often across multiple online platforms, used by billions globally. Excluding these and other websites and apps means that consumers’ expressed interest in more, not less, online privacy protection will go unaddressed. These consumer concerns were identified in a recent Pew Research survey (www.pewresearch.org/fact-tank/2016/09/21/the-state-of-privacy-in-america/).
As I’ve noted in prior articles, the very goal the FCC seeks with these privacy rules --enhanced consumer online privacy protection -- is jeopardized. Why? Websites and apps owned by an ISP will remain covered by the very effective FTC privacy framework. While that’s the good news, the bad news is that consumers could end up ping ponging between the FCC, the FTC and even other agencies as they try to figure out which agency has jurisdiction for their privacy issues. Consumer online protection should be consistent across the full range of online apps, websites and providers, not just on a handful of the latter. Congress, the FCC and the FTC should seize this opportunity to create a lasting, forward leaning set of privacy protections for all online.