Last week, on a party-line vote, the Senate voted to repeal the Federal Communications Commission’s 2016 broadband privacy rules giving consumers the power to choose how their ISPs use and share their personal data. Tomorrow, the House of Representatives will vote, and if the House also votes to repeal the rules, the bill will go to President Trump, who is expected to sign it.
The consequences of repeal are simple: ISPs like Comcast, AT&T, and Charter will be free to sell your personal information to the highest bidder without your permission — and no one will be able to protect you. The Federal Trade Commission has no legal authority to oversee ISP practices, and the bill under consideration ensures that the FCC cannot adopt “substantially similar” rules. So unless the bill fails in the House, the nation’s strongest privacy protections will not only be eliminated, they cannot be revived by the FCC.
WHAT THE RULES DO
The Telecommunications Act of 1996 requires a “telecommunications carrier” to protect the privacy of their customers’ personal information. Customers of the telephone network have long had their personal information protected under strong FCC rules. When the FCC classified broadband internet access service as a telecommunications service as part of its 2015 net neutrality decision, it applied these privacy protections to ISPs as well.
Among other things, the FCC’s broadband privacy rules protect your personal information in four critical ways. ISPs are required to:
- Tell customers about what types of information they collect, how they use that information, and with whom they share that information
- Obtain affirmative permission (opt in) from customers to use and share sensitive information like financial and health information, Social Security numbers, web browsing, and application usage history. For non-sensitive information, customers must be allowed to opt out of use and sharing of that information at any time and with minimum effort
- Take reasonable measures to keep customers’ data secure
- Give customers timely notice of data breaches, and in the event of a larger breach, give notice to law enforcement officials.
In crafting these rules, the FCC borrowed generously from the privacy and data security enforcement standards of the FTC. But there’s a very important difference between the FTC’s enforcement powers and preventative FCC rules: the FCC’s rules have the power to protect consumers before they are harmed, while the FTC’s rules moderate industry behavior and give consumers the ability to enforce their rights after harm occurs. Harms from unauthorized and illegal use of personal information can be economic, social, and sometimes even physical.
THE RULES SERVE AS A BASELINE FOR THE ENTIRE INTERNET ECOSYSTEM
Broadband ISPs and their friends in Congress say that the FCC’s rules must fall because it is somehow unfair to subject ISPs to different privacy rules than so-called “edge” companies like Google and Facebook. But ISPs hold a unique position in the internet ecosystem: they have access to everything you do online. They know every website you visit, how long and during what hours of the day you visit websites, your location, and what device you are using. Edge companies, on the other hand, only see a small portion of any given consumer’s internet traffic.
There are other important differences between ISPs and edge companies. ISPs charge handsomely for their services, while most edge companies’ services are free, creating very different consumer expectations with regard to collection and use of data. Moreover, consumers can easily choose whether or not to use a particular edge provider and thus reveal information. By contrast, even in the instances where a consumer has a choice of broadband providers (and Americans in 78 percent of census blocks do not, according to a recent FCC report), high switching costs make changing providers a very unattractive option. You can decide you’re fed up with Google’s data policies and use another search engine easily; it’s much harder to do that with your ISP.
Despite these differences, I agree that one set of privacy rules for the internet ecosystem might be desirable. But why is Congress’ response to this alleged unlevel playing field removing the strongest privacy rules protecting consumers today?
As then-FCC chairman Tom Wheeler recognized when the privacy rules were adopted, the FCC does not have the legal power to regulate edge companies. But Congress has that power. Instead of repealing the only broadband privacy protections consumers currently have, Congress should instead pass a law requiring edge providers to meet the higher FCC standard that affords consumers more protection.