The Federal Communications Commission (FCC) has imposed a record $100M forfeiture fine against a global telecommunications company for alleged deceptive data plan promotions. The FCC’s fine comes on the heels of revisions to its 2010 Open Internet rules that expanded its enforcement authority over “telecommunications service” providers to cover broadband Internet service providers (ISPs). Under this expanded authority the FCC is expected to continue to pursue enforcement actions against telecommunications service providers not only for deceptive business practices, but increasingly to enforce data privacy and security principles against telecommunications service providers that collect certain data on their customers, as illustrated by the $35M in aggregate fines issued by the FCC against TerraCom, Inc., YourTel America, Inc., and a global telecommunications company in the past year. Consumer groups are calling for the FCC’s authority to be expanded even further to those companies that offer services, products, and applications over broadband Internet service – “edge providers” – such as Facebook, Google, and Amazon. The expansion of the FCC’s enforcement authority to ISPs and potential expansion to edge providers, coupled with its ability to levy fines, suggests that the FCC has the potential to emerge as a major enforcer in the privacy and online consumer protection arena, usurping power traditionally reserved for the primary regulator of online advertising, privacy, and data security – the Federal Trade Commission (FTC).

FCC Expands Its Role

In its most recent and significant enforcement action, the FCC alleged that a global telecommunications company (“Company”) violated its 2010 Open Internet Transparency Rule by offering customers an “unlimited” mobile broadband data plan without clearly disclosing that connection speed would be reduced by up to 20 times its normal speed if the customer used more than 5 GB of data in a billing cycle. The FCC found the Company’s disclosures were deceptive and inadequate to allow customers to make an informed decision and imposed a $100M forfeiture on the Company “as a deterrent to future violations.” At a minimum, the fine evidences the FCC’s most important power that is distinct from that of the FTC – a broader ability to levy fines.

The FCC brings this power to levy fines as it moves beyond regulating deception claims and expands its authority under Title II of the Communications Act to regulate the data privacy practices of ISPs as part of designating them as telecommunications service providers. This designation effectively removes these entities from regulation by the FTC since as telecommunications service providers they are now considered “common carriers” and outside of the FTC’s purview. As telecommunications service providers, ISPs are now subject to several provisions of Title II of the Communications Act, including section 201, which prohibits unjust and unreasonable practices (and provides part of the basis for the Open Internet Transparency Rule), and Section 222, which governs data privacy practices as they relate to the use of “customer proprietary network information” (“CPNI”) for marketing purposes. The FCC has been active in bringing enforcement actions for allegedly lax data privacy and security practices and policies, issuing fines of $10M against TerraCom and YourTel America and $25M against a global telecommunications company as well as entering into a settlement for $7.4M in the past year with another global telecommunications company. Although the current definition of CPNI captures only a sliver of the spectrum of personal information protected in the data privacy realm, such as customer call information and subscription services, subsequent rulemaking by the FCC could expand the type of personal information considered to be CPNI to include other forms of personal information generated in the course of providing broadband service, such as Web-browsing history.

Consumers Seek Added Protection

Consumer groups are now calling for an additional expansion of the FCC’s authority to regulate the data privacy practices of online service providers other than ISPs, such as Google, YouTube, and Facebook, called “edge providers” – website and mobile application publishers that provide Internet content or services and that track user activities and collect personal information. Consumer groups argue that the expansion of the FCC’s authority to edge providers is permissible as they are “information services” providers under Title I of the Communications Act. Consumer Watchdog recently filed a petition with the FCC to initiate rulemaking to require edge providers to honor consumers “do not track” requests.

An expansion of FCC authority over website and mobile application publishers could infringe, in part, on what has traditionally been the FTC’s jurisdictional authority. Consumer groups seek this radical change because the FCC’s enforcement authority over service providers found to violate privacy and data security standards under its jurisdiction is greater than the FTC’s jurisdictional authority.

The FCC’s recent activity suggests a willingness to bring enforcement actions against companies it regulates for their data privacy practices. And the FCC appears unafraid of issuing substantial fines should the companies’ practices be deemed deceptive, unfair, or unreasonable. As the FCC seeks to define its authority to regulate data privacy practices of ISPs and considers expanding its authority beyond ISPs to edge providers, it should do so within the confines of its authority as set forth under the Communications Act and should not exceed that authority without clear direction from Congress. Mobile and online application publishers should keep a close watch on this issue.