The Federal Communications Commission (FCC) Privacy and Data Security Rule for broadband internet access service (BIAS) providers (the Privacy Rule) is dead. As we discussed here, the new rule that was set to start phased implementation was recently put on hold. We detailed what the Privacy Rule would have required in prior blog posts available here and here.
On Monday night, President Trump signed the Senate Joint Resolution 34, effectively nullifying the Privacy Rule. The Privacy Rule was repealed under the Congressional Review Act, which prohibits the FCC from promulgating regulations of similar effect in the future. With this repeal, it is unlikely that anything less than a significantly toned down version of the Privacy Rule will be coming from the FCC anytime soon. This does not mean that the FCC cannot adopt any privacy rules, but any rules adopted would have to be substantially different from the nullified Privacy Rule, and likely would match the Federal Trade Commission (FTC) standards for internet privacy and data security.
The Privacy Rule would have been a drastically new approach to privacy and data protection over the approach historically and currently taken by the FTC, the principal privacy regulator in the US, applying the more stringent scheme to only the internet participants under the FTC’s jurisdiction, ISPs and other BIAS providers, and not publishers, social media platforms and ad networks. A key disparity between the two approaches is that FCC-regulated providers would have to get opt-in for interest-based advertising, while the rest of the digital advertising ecosystem operates on an opt-out basis, except where sensitive information is concerned. The FCC would have also expanded the concept of sensitive information from the FTC standard. In the joint statement announcing the earlier stay, available here, Maureen K. Ohlhausen (FTC) and Ajit Pai (FCC) recognized the disparity between the FTC and FCC regulations and noted, “Going forward, [the FTC and FCC] will work together to establish a technology-neutral privacy framework for the online world.”