FCC Acts to Increase Consumer Privacy Choice

You’re reading the Benton Foundation’s Weekly Round-up, a recap of the biggest (or most overlooked) telecommunications stories of the week. The round-up is delivered via e-mail each Friday; to get your own copy, subscribe at www.benton.org/user/register

Robbie's Round-Up for the Week of October 24-28, 2016

In today's digital world, consumers deserve the ability to make informed choices about their online privacy. On October 27, 2016, the Federal Communications Commission adopted rules to ensure that broadband customers have meaningful choice, greater transparency, and strong security protections for their personal information collected by Internet service providers (ISPs). The rules give consumers greater control over their ISPs’ use and sharing of their personal information, and provide them with ways to easily adjust their privacy preferences over time. The rules are designed to evolve with changing technologies and encourage innovation.

The rules implement the privacy requirements of Section 222 of the Communications Act for broadband ISPs, giving broadband customers the tools they need to make informed decisions about how their information is used and shared by their ISPs. To provide consumers more control over the use of their personal information, the rules establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information. This approach is consistent with other privacy frameworks, including the Federal Trade Commission’s and the Administration’s Consumer Privacy Bill of Rights.

The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice, and security requirements for customers’ personal information:

  1. Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history, and the content of communications.
  2. Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive, and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.
  3. Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

In addition, the rules include:

  • Transparency requirements that require ISPs to provide customers with clear, conspicuous, and persistent notice about the information they collect, how it may be used, and with whom it may be shared, as well as how customers can change their privacy preferences;
  • A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.
  • Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.

The rules prohibit “take-it-or-leave-it” offers, meaning that an ISP can’t refuse to serve customers who don’t consent to the use and sharing of their information for commercial purposes. But the rules do not ban controversial "pay-for-privacy" schemes that give customers less privacy unless they pay more. The most prominent example of such schemes was AT&T's Internet Preferences targeted ads program, which provided lower prices when customers agreed to have their Internet behavior tracked. (AT&T recently ended that program.) Though pay-for-privacy plans will be allowed, ISPs will have to follow "heightened disclosure" rules for those programs so that consumers know more about how their data is used. The FCC said it will also "determine on a case-by-case basis the legitimacy of programs that relate service price to privacy protections. Consumers should not be forced to choose between paying inflated prices and maintaining their privacy."

The scope of the rules is limited to broadband service providers and other telecommunications carriers. The rules do not apply to the privacy practices of web sites and other “edge services” over which the Federal Trade Commission has authority. The scope of the rules do not include other services of a broadband provider, such as the operation of a social media website, or issues such as government surveillance, encryption, or law enforcement.

How the Commissioners Explained Their Votes

Democratic Commissioners Jessica Rosenworcel, Mignon Clyburn and Tom Wheeler voted to adopt the new rules.

“There is a basic truth: It is the consumer’s information. It is not the information of the network the consumer hires to deliver that information. What this item does is to say that the consumer has the right to make a decision about how her or his information is used,” said FCC Chairman Tom Wheeler. “It's the consumers' information,” Wheeler added. “How it is used should be the consumers' choice. Not the choice of some corporate algorithm.”

FCC Commissioner Mignon Clyburn said the rules were justified by growing concerns about privacy, spurred in part by data breaches. “Consumers care deeply about their privacy, and so should we,” Commissioner Clyburn said.

Commissioner Jessica Rosenworcel suggested the government form an interagency council to work on harmonizing the current patchwork of rules. "Our digital footprints are no longer in sand, they are in wet cement," she said. "The monetization of data is big business. The market incentives to keep our data and slice and dice it to inform commercial activity are enormous."

Republicans on the FCC opposed the new rules, arguing that they singled out ISPs for tougher regulation without justification.

Commissioner Ajit Pai accused the FCC’s majority of “corporate favoritism” benefiting businesses such as Google. “Nothing in these rules will stop edge providers from harvesting and monetizing your data, whether it’s the websites you visit or the YouTube videos you watch or the emails you send or the search terms you enter on any of your devices,” Commissioner Pai said. “So if the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move forward to ensure uniform regulation of all companies in the internet ecosystem at the new baseline the FCC has set.”

Commissioner Michael O'Rielly expects “extensive” legal challenges to the rules. He also added the rules may have “unintended consequences.” For example, he said, it is unclear how the FCC's privacy regulations will address a burgeoning Internet of Things — the name for a growing class of connected devices such as thermostats, refrigerators, and even automobiles. How Internet providers can use and share the data generated by those appliances will remain an open question, Commissioner O'Rielly said.

The Reaction

Consumer advocates generally supported the new plan.

“This rule represents a significant step forward in protecting internet users, who have no choice but to expose massive amounts of information to broadband providers. It reflects the reality that where we go online is private and the people we pay to carry our communications should treat them as private,” said Chris Calabrese, CDT’s Vice President of Policy.

“The FCC’s decision on privacy isn’t perfect,” said Free Press Policy Counsel Gaurav Laroia, “but it takes tremendous strides forward. It gives internet users far more control over how their personal information may be used by AT&T, Comcast and other carriers. That’s because under any sensible interpretation of the communications laws that govern the FCC, the companies that carry all of our speech online have no business profiting from all the information they gather without our consent.”

“This marks a significant step forward in protecting consumer privacy,” said Public Knowledge Policy Fellow Dallas Harris. “For the first time, Internet service providers will be required to get consumer consent prior to using the sensitive information they collect. While much remains to be done to protect consumers online writ large, the Commission’s rules establish a baseline level of protection for all.”

“The privacy rules adopted by the FCC today implement a thoughtful framework grounded in transparency and with an emphasis on consumer choice. Importantly, the rules afford consumers’ web browsing and app usage data—and their functional equivalents—the highest level of protection by requiring internet service providers to obtain opt-in consent before sharing that data with third parties. The rules also take a critical stance on so-called ‘pay-for-privacy’ regimes that are particularly harmful for low-income users. Today’s vote ensures that consumers do not have to trade basic privacy protections for broadband access,” said Sarah Morris, Director of Open Internet Policy for New America’s Open Technology Institute.

"Strong privacy protections increase user confidence and are essential to ensuring that the full promise of the internet can be realized," said Linda Sherry, Director of National Priorities at Consumer Action.

Jonathan Schwantes, Senior Telecom Policy Counsel for Consumers Union, said, “As the Internet has become ubiquitous, broadband providers have gained a unique, all-encompassing window into our daily lives. Consumers deserve to know – and have a say in – who is collecting certain information about them and how it’s used. We think these new rules are strong, fair and necessary as we live more and more of our lives online. We’re also pleased that the Commission has committed to addressing arbitration clauses across telecommunications products in the coming year, and we look forward to working with them on this important consumer issue.”

“This is an important victory for internet users in the United States. Customers pay for access to the internet, but broadband providers have capitalized on the lack of rules to collect personal data and then sell it to make a second profit off their users. These new rules put the people back in control of their data and force the broadband providers to be more transparent about their use of data,” said Nathan White, Senior Legislative Manager at Access Now. “This victory in the United States is just the first step in protecting users around the world.”

“The Federal Communications Commission, led by Chairman Tom Wheeler, delivered a very early Christmas present to Americans today,” said Jeff Chester, Executive Director, Center for Digital Democracy. “For the first time, the public will be guaranteed that when they use broadband to connect to the Internet, whether on a mobile device or personal computer, they will have the ability to decide whether and how much of their information can be gathered and used by Internet service providers (ISPs) without first getting their consent. This is a tremendous public interest breakthrough for privacy rights in the U.S., which lags behind nearly every other democracy when it comes to protecting online privacy.”

Benton Foundation Director of Policy Amina Fazlullah said, “The Benton Foundation welcomes the FCC’s move to guarantee broadband subscribers the privacy protections that traditional telephone subscribers have relied upon. As technology moves forward, consumers must retain key protections that ensure a fair and safe experience. All Americans know privacy is important in their daily lives. The FCC’s broadband privacy protections will provide vulnerable communities with increased confidence as they go online, ensuring every American has access to the full promise of the Internet.”

Some argue the rules deal a blow to AT&T, Verizon Communications, and others that rely on such information for their advertising businesses. Cecilia Kang writes in the New York Times,

The decision hurts companies including Comcast, Verizon and AT&T, that rely on user data to create profiles on subscribers for ads tailored to an individual’s preferences. 

It also takes some air out of the goals of AT&T’s $85.4 billion bid for Time Warner, even before the ink on that deal has dried. The companies said they wanted to combine resources to move more forcefully into targeted advertising. Crucial to that ambition is information about AT&T’s wireless and home broadband users, combined with Time Warner’s viewer data and its huge audience. That would help the merged companies serve up, say, a tailored promotion for Gap Kids in downtown Atlanta.

“Let’s be clear,” said Information Technology and Innovation Foundation Telecom Policy Analyst Doug Brake. “This order is a vehement rejection of the type of U.S. regulatory oversight that has allowed U.S. businesses to thrive online and a sharp reversal from past claims that the U.S. government is committed to using multi-stakeholder processes for creating Internet-related policies. Instead, it would create a rigid regulatory regime that would limit the use of virtually all data that can be put to economically beneficial uses.”

Federal Trade Commission Chairwoman Edith Ramirez said she's "pleased that the Federal Communications Commission has adopted rules that will protect the privacy of millions of broadband users. The rules will provide robust privacy protections, including protecting sensitive information such as consumers’ social security numbers, precise geolocation data, and content of communications, and requiring reasonable data security practices. We look forward to continuing to work with the FCC to protect the privacy of American consumers."

USTelecom President Walter McCormick said that the FCC’s argument that broadband providers have unique access to consumer information compared to other Internet firms is “simply wrong.” The lobbying group prefers the Federal Trade Commission’s framework. “Fully harmonizing privacy rules around the tested and successful FTC approach would best serve the future of an internet responsive to consumer expectations,” McCormick said.

“The Commission’s decision to break with the FTC’s proven privacy framework in favor of a cobbled-together approach that abandons principles of fair competition is profoundly disappointing,” NCTA – The Internet & Television Association said. “Instead of creating a consistent and uniform approach to privacy that consumers can easily understand, today’s result speaks more to regulatory opportunism than reasoned policy. We strongly agree with the bipartisan Commissioners’ comments that the federal government should develop a common approach to online privacy, as there is no lawful, factual or sound policy basis to justify a discriminatory approach that treats ISPs differently from some of the largest companies in the Internet ecosystem that engage in similar practices but operate under different regulatory standards.”

Joan Marsh, AT&T’s Senior Vice President of Federal Regulatory Policy, said the company was pleased that the FCC’s rules more closely resemble those of the FTC. But she said it was “illogical” that the FCC determined that sensitive data should include web browsing and app history data. “In this regard, the FCC’s order falls short of recognizing that consumers want their information protected based on the sensitivity of the information collected, not the entity collecting it,” she said. The agency’s “divergent approach will ultimately serve only to confuse consumers, who will continue to see ads based on their web browsing history” from Internet companies, Marsh said.

Verizon’s Kathy Grillo said the company “cares deeply about our customers’ privacy.”

Election 2016

Quick Bits

Weekend Reads (resist tl;dr)
coffee iconHow Your Internet Provider Restricts Your Rights (Sen Franken, FCC Commissioner Clyburn op-ed)
coffee iconForging the Fiber Future (Todd O’Boyle op-ed)
coffee iconOne Last Growl for F.C.C.’s Sharp-Toothed Watchdog (New York Times)
coffee iconRemarks of NTIA Assistant Sec Larry Strickling on Internet Transition (NTIA)

Events Calendar for Oct 31 - Nov 4, 2016
Nov 4 -- Direct Video Calling Showcase, FCC

ICYMI from Benton
benton logoWhat Do We Mean When We Say ‘Digital Equity’ and ‘Digital Inclusion’?, Angela Siefer
benton logoA Telecom/Broadband/TV/Wireless/(and now) Entertainment Behemoth: AT&T Buys Time Warner, Robbie McBeath
benton logoBroadband Infrastructure Policy and Community Anchor Institutions, Tom Koutsky
benton logoThe FCC’s Important Move for Online Privacy, Paul Ohm
benton logoThe Future of Local Internet Choice, Gigi Sohn


By Robbie McBeath.