Whether broadband providers decide to challenge new rules policing their privacy practices will hinge on how closely the new rule aligns with how the Federal Communications Commission now enforces similar standards for telephone carriers.
The nation’s top telecommunications regulator is expected to pass the rules on Thursday. Once approved, they would require explicit consent from customers before companies can use many forms of data for marketing purposes.
The agency is permitted to regulate internet service providers as it does phone companies as a result of a 2015 net neutrality rule that reclassified ISPs as common carriers. While the net neutrality rule gives the regulator solid legal standing to issue rules for ISPs, industry giants such as AT&T Inc. have argued that the privacy rules still might not align with the FCC’s authority to regulate privacy under the 1996 Telecommunications Act.
If broadband providers decide to sue, that argument will likely be the one that they use, an industry source said.
The law prohibits phone carries from using a customer’s “proprietary” information, which includes the location, time, date, duration of phone calls, the type of network a consumer subscribes to, as well as any other information that a provider could obtain from a customer’s phone bill.
In a regulatory filing with the FCC, AT&T argued data such as web browsing and app usage can’t be proprietary if other web entities have access to it. As such, the agency can not “reasonably or constitutionally exercise that authority to subject ISPs to restrictions more burdensome than those that apply to other participants in the internet ecosystem.”
The FCC’s rules would require internet service providers to obtain express consumer consent before using web browsing and app usage history data, as well as Social Security numbers, financial, health, geolocation and children’s information.
Internet companies such as Google Inc. and Facebook Inc. are not required to get explicit consent before using web browsing and app usage history. Their privacy practices are regulated by the Federal Trade Commission.
AT&T argues that the browsing data collected by a non-internet service provider such as Google is not “proprietary” in any “relevant sense of the word” because the personal information is available to “any number of unregulated third parties.” Therefore, it isn’t confidential.
When an individual surfs the internet, the web browser, the search engine, the webpage, the delivery network that serves that webpage and data brokers all track user data and subsequently sell the information to others, AT&T argues. These entities “often” have a more comprehensive view of a customer’s online behavior than an internet service provider.
The industry has pressed for the FCC to take the FTC’s approach in its privacy rules, which requires user consent before a company can use “sensitive” data like financial or geolocation information.
Another industry source said the “major concern” about the new privacy rules is the FCC’s “broad” definition of “sensitive” information that would encompass all web and app traffic.
Consumer advocates argue that internet service providers obtain detailed pictures of Americans’ lives and interests because they are the “gatekeepers” to users’ internet access.
Eric Null, policy counsel at the New America Foundation’s Open Technology Institute said in an email the law “grants the FCC broad authority to protect ISP customer privacy, and the proposal outlined in the fact sheet appears to accomplish this goal.”