The Federal Communication Commission’s (the “FCC”) landmark decision last year to reclassify Internet service providers (“ISPs”) as common carriers under Title II of the Communications Act of 1934 implicates policy issues that extend well beyond net neutrality. Perhaps chief among them is the treatment of customer proprietary network information (“CPNI”) by broadband access providers. The CPNI rules, which were adopted as part of the Telecommunications Act of 1996, were originally implemented to facilitate competition in the context of a landline telephone network, rather than address privacy concerns for broadband providers. Yet as part of the FCC’s Open Internet Order (which is currently under legal challenge), these rules apply to broadband as well.
The reclassification of broadband providers as common carriers arguably limits the Federal Trade Commission’s (the “FTC”) authority to regulate because Section 5 of the FTC Act does not include common carriers. The FCC and FTC recently signed a Memorandum of Understanding that delineates each agency’s enforcement authority and when it would be appropriate to engage in joint enforcement actions.
When the FCC decided to regulate broadband providers like traditional phone service common carriers, it left the FCC in a difficult position of applying privacy regulations for phone companies to broadband providers. To alleviate the textual strain this would impose, the FCC decided to temporarily forebear from applying Section 222 of the Communications Act (which contains CPNI provisions) to broadband providers and stated that it would undertake a separate rulemaking that would outline how broadband providers would have to protect CPNI. Although FCC Chairman Tom Wheeler has not yet floated a proposal, new proposed privacy regulations regarding this issue are expected soon. Until then, regulators have advised broadband providers to follow the “core tenets of basic privacy protections.” The FCC Enforcement Bureau will provide additional guidance as needed through other enforcement advisories.
Privacy advocates are especially concerned about the ability of ISPs to collect and exploit customer information given the unique position of ISPs as the gateway to the Internet. These companies can track which websites customers visit and their usage patterns, giving them a “comprehensive view of consumer behavior,” including their most sensitive information. Some ISPs inserted unique headers – a type of so-called “supercookie” – into all mobile traffic last year, initially without the ability to opt out of being tracked, and then used that information to compile profiles of users, which is a prime example of a wireless provider’s ability to collect and disseminate tracking data across their networks and expose it to additional third parties. Such anonymous behavioral tracking for the purpose of targeted advertising is already being deployed by the major e-commerce, online advertising and social media titans. Susan Grant of Consumer Federation of America wrote a letter to the FCC calling for data breach notices to be included in rules, and for broadband providers to be held accountable for any failure to take suitable precautions to protect personal data collected from users while requiring broadband providers to “clearly disclose their data collection practices to subscribers, and allow subscribers to ascertain to whom their data is disclosed.”
Yet those in the industry are keen to remind privacy advocates that this is not a zero-sum game, with carriers getting all the benefits at the expense of consumers. They argue that consumers can get direct benefits through lower-priced and more customized offerings, and society in general benefits from greater levels of efficiency in advertising.
The National Cable & Telecommunications Association, CTIA and other trade organizations insist that any new FCC privacy rules should be consistent with the FTC approach “to maintain a consistent privacy framework for the Internet” to “protect consumers and avoid entity-based regulation that would create consumer confusion and stifle innovation.” The organizations state, “To achieve parity across the Internet ecosystem, any FCC framework for Internet service providers should be reflective of the deception and unfairness standard, consistent with the existing protections consumers receive when they engage with other companies in the Internet ecosystem.”
Though privacy advocates seek rules that are considerably more extensive than the current FTC regulatory stance, there is some semblance of compromise. Katharina Kopp, director of privacy and data for the Center for Democracy & Technology, states the organization will urge the FCC to consider broadband regulations that are more flexible than the existing privacy rules governing telephone-service providers. This addresses arguments made by major trade associations that small providers with limited resources need flexibility in achieving privacy and security goals.
Ultimately, the FCC, in its rulemaking, will have to determine what data will be covered and how companies should be compelled to protect it, and what extent broadband providers will be permitted to use deep-packet inspection or similar technology to track user’s browsing histories for advertising purposes. Their decision will have a profound impact on broadband providers’ ability to serve targeted ads to subscribers, and given the value of marketing information, may impact a significant potential revenue stream for ISPs.