FCC’s Online Privacy Rules Could Reshape Tech Industry

The Federal Communications Commission is expected to begin drafting privacy regulations for internet service providers soon. The expectation that the agency will wade into a new role as privacy cop has set off a public relations tug of war among tech firms and consumer groups.

Large tech firms are pressing for a light regulatory touch that would basically reflect existing government rules. Consumer advocacy groups are lobbying for bolder and stronger rules they say will protect the open internet.

The impact of new FCC rules on the industry could be huge, requiring it to configure new ways of defending against legal liabilities from a new agency. The Federal Trade Commission already takes action against internet service providers for untoward privacy practices. Civil rights and open internet advocates are pressing for the FCC to take a stronger stance than the FTC. Industry voices are wary of a set of rules that stray from what’s in place because they fear it could create confusion for companies and alter the way internet service providers behave in the future.

Even before the commission puts pen to paper, the industry groups are trying to influence their thinking. Five lobbying groups representing major broadband providers such as Comcast Corp. and Verizon Communications are pressing the FCC to develop rules that follow the privacy framework previously laid out by the FTC. They explained their vision in a letter sent to FCC Chairman Tom Wheeler on March 1.

The industry says the FCC should harmonize its rules with those already in place. The rules should focus on transparency, respect for context and consumer choice, data security and data breach notification. The FTC’s longstanding framework would continue to impact internet service providers, they argue. The new FCC rules need to gel with the existing regulations.

The FTC has historically played the role of punishing internet service providers when they violate privacy rules. But once the FCC reclassified broadband providers as common carriers as part of its controversial net neutrality rule, it gave itself jurisdiction to police those ISPs.

Civil rights group say that the net neutrality rule gives the FCC the power to establish strong standards that protect against intrusive data collection from providers. Twelve advocacy groups, including the American Civil Liberties Union and the Electronic Privacy Information Center, outlined that argument in their own letter to Wheeler. The letter, published Monday, urges the FCC to take up rules that would protect internet users from the “increased interest” of broadband providers in collecting information on individuals. They then sell that data to marketers, the advocates say.

Even though encryption protects user content as it travels across the internet, broadband service providers are still able to collect and monetize large swaths of “metadata” on individuals’ online behavior. This includes time and location of messages.

Broadband companies are fighting that allegation. CTIA — The Wireless Association released a statement Monday refuting this claim, saying internet service providers don’t have the ability to access metadata to make money. (Companies providing those services, however, do have that ability.)

“Different rules for ISPs would only confuse consumers and is not supported by the facts,” Debbie Matties, vice president of Privacy at CTIA said in a statement. Matties has some sway in the regulatory space. She is a former senior attorney advisor for consumer protection at the FTC.

The consumer groups say the FTC’s rules don’t matter. They aren’t effective anyway, and the agency just doesn’t have the resources needed to enforce its own standards. For example, the FTC relies on companies to report their practices, which tend to rely on disclaimers for users. Consumer advocates say that’s not an effective tactic because customers rarely read terms and conditions, and they often find them difficult to understand if they do. They also accuse the FTC agency of settling with tech firms instead of fully prosecuting on behalf of consumers.

“Fundamentally, the FTC is not a data protection agency,” the civil rights letter said. “Without regulatory authority, the FTC is limited to reactive, after-the-fact enforcement actions that largely focus on whether companies honored their own privacy promises.”

As such, the advocates say, the FCC is perfectly primed to take up a new and necessary privacy cop role.

But that after-the-fact style isn’t all bad. It could be more conducive to allowing companies to develop new technologies, according to Doug Brake, telecom policy analyst at the Information Technology and Innovation Foundation.

“Presumably companies want to follow the law, and so as the case law develops, we over time figure out the proper conduct. What’s fair and reasonable for companies in this privacy space?” Brake said in an interview. “It’s a little bit messier process, as it unfolds over time, but we think that it’s much better suited to preserve the flexibility for industry to innovate.”

The alternative, he said, is “running everything by compliance and trying to figure out whether or not it’s the risk.”

For these reasons, Brake and his colleagues at ITIF put out a paper last week that argues the FTC is best suited to handle privacy issues.

CTIA and USTelecom, who represent wireless carriers, understandably are pushing back against the idea of coping with extra regulations from a new agency. “Since its inception, the Federal Trade Commission’s privacy framework has applied uniformly across the internet, including to broadband providers,” said USTelecom spokeswoman Anne Veigel. “A consistent approach to privacy matters to consumers.”

Veigel said what consumer groups want “will not give consumers the clear and consistent protections they should have and will only harm competition and innovation on the internet.”

Matties concurred. If the FCC weighs in, the only way to stop regulatory chaos is to harmonize its rules with the FTC’s. That “will effectively protect consumers through a consistent approach for all companies and all data based on the well-established and successful FTC model.”

Privacy advocates might see this as the best opportunity to get stricter privacy rules because Congress has failed to act on what they want, according to Brake. “The real hardcore privacy advocates see this as a real opportunity because it’s an industry that is not politically well liked. Everyone loves to hate their cable company,” he said.