Privacy and Security

How the FCC’s ISP Privacy Rule Focuses on the Wrong Thing

Comments Filed by the FTC and Industry Experts Reveal an Improper Focus which Should be Fatal to the Proposed Rule

In its quest to protect consumer privacy, the Federal Communications Commission has failed to do one thing: Focus on consumer privacy. Instead, it focused on the Internet Service Provider; it focused on the type of company handling the data.

Through comments recently filed by the Federal Trade Commission and other industry experts, the FCC’s improper focus, and its consequences, has become clear.

The FCC wants to create a multi-tiered scheme that essentially forces ISPs “to obtain opt-in consent from customers before using their personal information for nearly all activities.” The ultimate consequence of the scheme, in effect, will be to unduly interfere with ISP operations, which will, in turn, prevent ISPs from operating as customers expect.

Not only are these privacy regulations unduly burdensome, they are also unnecessary. Advances in technology already address many of the FCC’s concerns. Put simply, ISPs do not have access or the desire to misuse consumer data to the degree suggested by the FCC. Between the advances in technology, then, and the ISPs lack of desire to misuse consumer data, any rule should directly target actual, concrete harms to consumer privacy.

By focusing on the type of company handling the data rather than on the consumer, the FCC’s decision will lead to inconsistent handling of consumer data. The proposed rule, as evidenced by the comments, regulates ISPs while ignoring the role big data companies play in handling consumer data. On the one hand, ISPs will face strict controls regarding their collection and use of data. On the other hand, big data companies, or so-called edge providers, are exempt from the FCC’s regulations.

Because the FCC treats data collected by an ISP differently than data collected by an edge provider, consumers will likely become very confused regarding the new standards.

For example, what happens when consumers file complaints with the FCC regarding the misuse of data, thinking that Comcast, Verizon, or another ISP is to blame when the real entities collecting the data are Google, Yahoo, or another edge service provider? And what if the edge service provider was using the data in ways both disclosed and consistent with its terms of service?

These questions also illustrate a problem between the FCC’s approach and the Federal Trade Commission’s traditional enforcement jurisdiction. The FCC’s approach places the regulatory focus on the service provider—what type of services do they offer, whether the provider is a third party or an affiliate and so on—rather than placing the focus on consumer personal information.

The FTC has traditionally focused its enforcement authority on consumers, and their data. It exercises this authority by bringing specific cases against specific companies that abuse consumer data, misrepresent their data policies, or otherwise place consumer data at unreasonable risk.

The FTC’s approach to protecting consumer privacy is reactive, by design. Since it is reactive, the FTC’s approach provides innovators with broad leeway, yet it maintains a mechanism to keep innovators accountable when they step across particular lines.

The FCC’s approach, by contrast, is proactive and restrictive. It tells ISPs what they can, and cannot do with consumer data, whether or not the ISPs actually collect or use that data. It would tilt the online playing field in favor of companies engaged in the collection and dissemination of data, such as search engines and against providers of basic broadband services. In the FTC’s words, the FCC’s proposal

if implemented would impose a number of specific requirements on [ISPs] that would not generally apply to other services that collect and use significant amounts of consumer data. This outcome is not optimal.

The Federal Communications Commission has improperly focused on the type of company it wishes to regulate. It lost sight of the people it is supposed to protect. It has proposed regulations that are unnecessary, inconsistent, and more likely to harm the very consumers they are supposed to protect.

In Depth: Privacy and Security

A market environment is essential for future success of the Internet. A consumer and private-sector-driven approach to privacy via self-regulation avoids undue regulatory burden that would threaten a thriving electronic marketplace. The Internet has flourished due in large part to the unregulated environment in which it has developed and grown.

+ Privacy and Security In Depth