On Monday, April 3, President Trump signed a bill repealing the privacy and security rules introduced in the FCC’s October 2016 Order. Under the terms of the Congressional Review Act (CRA), those rules have now been entirely repealed, the FCC is restricted from implementing “substantially similar” rules in the future, and the congressional action is not subject to judicial review.
The move was expected: Republican hostility to the rules was evident both in Congress and at the new FCC. As we have previously reported, the new FCC majority has made no secret of its intentions to undo the 2016 Order, which was passed on a 3-2 vote in the waning days of the Wheeler chairmanship. New FCC Chairman Pai indicated that he favored replacing the 2016 rules in favor of a regime that replicates the FTC’s privacy framework. The new law clears the way for the FCC to do so.
The vast majority of the rules had not yet gone into effect, with some rules pending OMB approval and others stayed pending the FCC’s review of multiple petitions for reconsideration. Congressional action under the CRA obviates a decision by the FCC on those petitions and takes us back to the rules that were in effect prior to the 2016 Order.
The new law will help clear out the confusing thicket of old and new rule provisions that have been in effect during the rollout of the 2016 rules and keep ISPs more competitive with other online service providers. Democrats and consumer advocates have expressed outrage, and have gone so far as to make completely false statements that the repeal allows ISPs to now sell customer browsing information to third parties. In reality, existing federal and state laws – including the authorizing statute that enabled the 2016 rules – still exist and prevent ISPs from selling customers browsing histories obtained from their provision of the service. Moreover, the ISPs have publicly committed not to sell or share that information without obtaining a customer’s opt-in consent.
Unfortunately, this “sky is falling” hyperbole has pushed state legislators to introduce legislation that would not only restrict the use and disclosure of such information without a customer’s opt-in consent, but also the collection of such information. Some proposed legislation, such as the bill proposed in Minnesota, would prohibit ISPs from denying service if a customer prohibited the collection of information, but fails to take into consideration the fact that ISPs must collect information in order to provide the service, and additionally are required to disclose such information pursuant to valid legal requests.
Things are definitely moving quickly – stay tuned for additional analysis over the course of the next few days …