Just days before the Federal Communications Commission’s controversial data security rule was set to take effect, the agency voted two-to-one to issue a stay.
Part of an Order passed last year along party lines under former Chairman Tom Wheeler established privacy regulations that required Internet service providers to obtain opt-in consent before sensitive data (defined to include browsing and app usage history) can be collected and used for ad targeting purposes.
The new rule caused much consternation in the advertising industry, with groups calling it “unprecedented, misguided, counterproductive, and potentially extremely harmful.” After the change in administration, the groups requested that the Commission’s new leadership reconsider and/or rescind the rule.
Others joined the pushback, and a total of eleven separate petitions to reconsider the Order and a motion to stay the rule were filed by trade associations in the cable industry. On March 1, the FCC granted the motion to stay.
“[W]e determine that it is in the public interest for the Commission to address and resolve, prior to the rule taking effect, the parties’ claims that the data security requirements need to be clarified or reconsidered, so that (1) consumers are not subject to two different privacy regimes, vitiating their uniform expectation of online privacy, and (2) [broadband Internet access service, or BIAS] providers and other telecommunications carriers do not incur substantial and unnecessary compliance costs while the possibility of changes to the requirements still exist,” the Commission wrote.
A majority of the three-member Commission agreed with the petitioners that the new rule would cause uncertainty for covered entities, particularly in terms of how the “reasonable measures” standard used by the FCC would interact with the Federal Trade Commission’s data security oversight. In addition, requiring companies to incur costs and allocate resources toward implementing the rules was “wasteful and counterproductive to the public interest,” the Commission added.
Commissioner Michael O’Rielly authored a statement supporting the decision to stay the Order while Commissioner Mignon L. Clyburn issued a scathing dissent.
She noted that the Commission announced its decision to stay the rule on the same day a major content distribution network revealed that the private data of millions of users from thousands of websites had been exposed for several months. The “irony here is inescapable,” she wrote. “With a stroke of the proverbial pen, the Federal Communications Commission—the same agency that should be the ‘cop on the beat’ when it comes to ensuring appropriate consumer protections—is leaving broadband customers without assurances that their providers will keep their data secure.”
Acting Chair of the Federal Trade Commission Maureen K. Ohlhausen voiced her support for the stay in a joint statement with FCC Chair Ajit Pai. “The FTC has a long track record of protecting consumers’ privacy and security throughout the Internet ecosystem,” the regulators said. “It did not serve consumers’ interests to abandon this longstanding, bipartisan, successful approach.”
Calling the rule “not consistent with the FTC’s privacy framework,” Pai and Ohlhausen said the stay will remain in place “until the FCC rules on a petition for reconsideration of its privacy rules,” and the agencies work together on “harmonizing” the FCC’s privacy rules with the FTC’s standards. “Americans care about the overall privacy of their information when they use the Internet, and they shouldn’t have to be lawyers or engineers to figure out if their information is protected differently depending on which part of the Internet it is,” the regulators said.
To read the FCC Order, click here.
Why it matters: Although the stay was decried by privacy advocates and consumers groups, it appears to be the first step towards rescinding the data security rule entirely or significantly reworking it.