The virtue of consistency in privacy protection
When multiple federal agencies regulate the same industry, it’s critically important that their rules and standards complement, rather than conflict, with one another. This principle is all the more important when consumer privacy in the ever-expanding world of broadband use is at stake.
Unfortunately, the Federal Communications Commission’s (FCC) pending privacy rulemaking threatens to sacrifice the virtues of consistent protection and put it out of sync with the Federal Trade Commission.
{mosads}The challenge arises following the FCC’s action to adopt net neutrality rules.
As a senior member of the House Energy and Commerce Committee, which oversees these policy areas, I strongly supported net neutrality. However, one unfortunate consequence of the FCC’s decision to classify Internet Service Providers (ISPs) as common carriers was that it eliminated the FTC’s longstanding authority to police the privacy practices of ISPs.
While I agree it’s necessary to fix this problem, it’s not a reason to go overboard. The FCC’s efforts to restore important privacy protections that previously applied to the data practices of ISPs are laudable. But the approach outlined in its current privacy rulemaking goes well beyond that task in ways that stray from past practice and undermine consistency in consumer protection.
What it means is that consumers’ private data collected online will be protected by one set of standards when collected by an ISP and different standard when collected online by other internet parties, such as Google, Amazon and Facebook.
The problem with the FCC’s action isn’t its assertion of regulatory authority, but its departure from the FTC’s effective approach that pegs the level of privacy protection to the sensitivity of consumer data. The FTC gives the highest protection to sensitive data like health, finances, anything to do with children, and social security numbers, permitting them to be used only with affirmative customer “opt-in” approval. At the same time, non-sensitive data can be used for ordinary commercial purposes – like targeting ads or offering discounts to existing customers – based on the customer’s implied consent or if consumers are given appropriate disclosures and the chance to “opt out.”
By contrast, the FCC proposes a sweeping default opt-in regime that would undermine beneficial uses of data most consumers expect and are comfortable with. The FTC itself characterized the FCC’s approach as “not optimal” and in conflict with the “different expectations and concerns that consumers have for sensitive and non-sensitive data.”
This disparate treatment could result in tangible competitive and consumer harm. An ISP might find it practically impossible to market its own digital services to existing customers because of new restrictions, while non-ISP service providers are permitted to do so without any constraint.
This is especially problematic given a recent survey by the Progressive Policy Institute finding that over 90 percent of online users expect their data to be treated the same by different parties across the Internet. That survey also found that by a seven-to-one margin, consumers believe their online privacy should be protected based on the sensitivity of their online data rather than by the type of Internet company that uses their data.
There is also a serious risk that if the FCC does not change course, its proposal will be struck down by the courts, reopening the very gap in Internet privacy protection that the agency is trying to fill. Indeed, as Harvard Law Professor Laurence Tribe has concluded, the original rules would “run … afoul of fundamental First Amendment limits on the FCC’s authority to regulate customer information” due to the lack of technological neutrality between the treatment of ISPs and edge providers and the absence of any legitimate reason to regulate ISPs’ use of data more stringently than everyone else’s online.
Fortunately, the FCC appears to be giving serious consideration to the input provided by the FTC and moving in a positive direction, with Chairman Tom Wheeler telling a Senate panel earlier this month that the Commission was “embracing” the FTC’s recommendations and that the two agencies were involved in an ongoing dialogue. That’s encouraging.
There is no need for the FCC to reinvent the wheel here. By synchronizing its final regulations with the FTC’s successful privacy framework – including vital details like what information the FTC counts as sensitive and what kinds of data uses will still require opt-in consent – the FCC can protect consumers’ privacy online in a lasting, durable and consistent way.
Henry Waxman spent 40 years serving in the House of Representatives. He currently serves as Chairman of Waxman Strategies where he represents both technology companies and broadband providers.
The views expressed by authors are their own and not the views of The Hill.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed. Regular the hill posts