The National Broadband Plan (the “Plan”) adopts a relatively balanced approach to online data collection, advanced advertising and consumer privacy, recognizing that online data collection and digital profiling can enhance consumer value in gaining access to more relevant advertising and subsidized or free services. It calls for “transparency” regarding what broadband providers and purveyors of online goods/services do or wish to do with consumers’ personal data, “informed consent” for such uses, and continuing consumer “control” over the uses (particularly the disclosure) of such data, as well as enforcement mechanisms. But it does not make any explicit call for “opt-in” consents for the use of personal data. It recommends that Congress, the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) collaborate to clarify the relative control users have over their online profiles and personal data, and for the development of private sector companies that can help consumers manage their personal data, and that more resources be devoted to combating identity theft.
Recent privacy debates have been fueled by concerns over the growing ability to capture and process digital data about consumers in connection with Web searching, transactions, targeted advertising, location-based services, “smartphone” applications and other services in which consumer data may be in use. Although data collection is highly developed in the offline world, such practices in the online world have spawned vigorous debates. The Notice recapitulates concerns voiced over behavioral advertising and deep packet inspection, which have been at the center of the FTC’s development of Self-Regulatory Principles For Online Behavioral Advertising and various industry self-regulatory efforts, such as recent 4A guidelines. (Please see our July 2009 advisory.)
Under a new Democratic Chair, the FTC has grown increasingly disenchanted with current privacy rules and impatient with the pace and adequacy of self-regulation. Recent settlements and press statements have even indicated a willingness to employ current FTC rules against unfair and deceptive practices to business practices that the FTC considers insufficiently protective of consumer privacy expectations, without awaiting passage of any new privacy bill long promised by Congressmen Boucher and Stearns. A series of public roundtables now underway at the FTC is exploring privacy challenges posed by evolving technologies and business practices that collect and use consumer data.
The Plan builds on this debate, but in a relatively balanced manner. It recognizes the business of traditional offline data collection, profiling, and market segmentation to tailor products, services, and advertisements, and the consumer value that broadband equivalents can bring. The Plan recognizes that consumer “data and profiles are often so valuable for firms that they increasingly offer their products and services free of any monetary charges. Consumers gain access to a valuable service, and businesses gain valuable information.” But the Plan identifies the “challenge” of “enabl[ing] consumers to take advantage of [these benefits] while ensuring [ ] they can retain control of their personal data, protect their privacy and manage how the information collected on them is used.”
The Plan follows a balanced approach that is part of the ongoing privacy debate. It calls for “transparency” so that consumers’ consent is properly “informed,” and leaves “control” over the uses of such data with the consumer. But it avoids undermining advanced advertising models by avoiding any explicit call for “opt-in” consents. The Plan starts from the belief that consumers currently may have limited (or no) knowledge about how personal data are collected and used online, and that the responsibilities of those engaged in collection and use also are unclear. The Plan posits that existing legal protections—such as FTC unfair trade practice authority, privacy protections in the Communications Act applicable to video and telephony services (e.g., CPNI and cable privacy protections), Gramm-Leach-Bliley financial data safeguards, health privacy regulations, and the Electronic Communications Privacy Act’s wiretap, stored communication and computer fraud/abuse provisions—provide “only a partial solution.” In addition, as the FTC staff did last year, the Plan does not limit its vision of appropriate protections to data that is technically “personally identifiable information” or “PII,” but seeks protection for a broader set of data—such as data sets that may not be explicitly “identifiable” but can be subject to individual re-identification.
The Plan proposes that the FCC take a more active role in this arena, collaborating with the FTC, to develop such tools as Self-Regulatory Principles and joint privacy principles that require “informed consent” before broadband service providers share certain data with third parties. This would include customers’ account and usage information such as patterns of Internet access use and other PII. Under the Plan approach, consent could not be a prerequisite to receiving service.
The Plan also recommends that Congress, the FTC and the FCC consider clarifying the relationship between users and their online profiles, and in particular, the obligations firms that collect, analyze or monetize personal data have to consumers in terms of data sharing, collection, storage, safeguarding and accountability of the information. This includes recommending consideration of what, if any, new obligations firms should have to transparently disclose their use of, access to and retention of personal data, and how informed consent principles should apply in this context. However, the Plan offers no significant detail on how these questions should be answered, beyond emphasizing the transparency, control, and other precepts set forth above, though it does suggest Congress consider revising the current Privacy Act to increase consumer control over personal data and confidence in the security thereof (although the Plan does not indicate what revisions to the Act would accomplish this). It also does not, as do other facets of the Plan, propose specific FCC proceedings to answer these questions.
To assist consumers in managing their data in a manner that maximizes their desired privacy and security of the information, the Plan recommends that Congress consider helping spur development of trusted “identity providers,” and creating a regime to provide insurance to them (à la the Federal Deposit Insurance Corporation, FDIC), noting that standard safe harbor provisions could allow entities to be acknowledged as trusted intermediaries that properly safeguard information. The Plan further recommends that the federal government, led by the FTC, direct additional resources toward combating identity theft and fraud, help consumers to access and utilize those resources (e.g., bolstering the FTC’s “OnGuard Online” program), and expand consumer education efforts in this area.
In other privacy-related areas, the Plan recommends that the FCC’s own consumer online security efforts should support broader national online security policy, in coordination with the FTC, the White House Cyber Office and the Department of Homeland Security, and other federal agencies, all of which (including all those just named and all others) should connect their existing Web sites to OnGuard Online. The Plan supports federal government creation of an interagency working group to coordinate child online safety and literacy, and launching a national educational and outreach campaign involving governments, schools and caregivers. Finally, consumer privacy issues are also raised in our related advisory that focuses on Health Care and the Smart Grid.
The FCC will be releasing a series of notices to launch each of its future proceedings. Davis Wright Tremaine will be participating in those proceedings on behalf of our clients.