This week the US House of Representatives passed a Congressional Review Act (CRA) resolution of disapproval of the US Federal Communications Commission (FCC) broadband privacy rules that were approved by the FCC in a straight partisan vote at the end of the Obama Administration, but have not yet taken effect. The Senate passed an identical resolution last week. President Trump has signaled that he will sign the resolution, which means that the FCC is prohibited by the CRA from imposing “substantially similar” privacy regulations on broadband ISPs in the future.
The broadband privacy rules would have imposed an opt-in consent requirement for use of web browsing activity by ISPs for marketing or advertising and a 7-day breach notification deadline. They would have applied only to ISPs and not to any other businesses in the Internet ecosystem. Interestingly, the rules were opposed not only by ISPs but also by a broad swath of Internet and technology companies, and were subject to criticism for imposing confusing disparate regulation on select companies based upon siloed regulatory classifications. As a result of the CRA resolution, privacy regulation of broadband ISPs, which was to be more demanding than regulation of other Internet companies, will become similar again.
Although the current FCC Chairman Ajit Pai opposes the rules and could have chosen to forbear from enforcing them or could have amended the rules through the rulemaking process, a future FCC could have reversed that decision, and Congressional passage of the CRA resolution provides long-term certainty.
Although selective, more aggressive privacy requirements for ISPs will be foreclosed, the CRA essentially puts the US privacy framework back where it was before November 2016, and does not create a regulatory loophole for ISPs to sell customer information, as some advocates have charged. In January, more than 15 ISPs announced that they would adhere to a voluntary set of privacy and data security principles that are consistent with the flexible US Federal Trade Commission (FTC) framework, which applies to the rest of the Internet. The principles include specific policies on transparency, consumer choice, security and data breach notification.
- The transparency principle confirms that ISPs will continue to provide customers with comprehensive, accurate, and continuously available notice of collection, use, and sharing of customer information.
- Under the choice principle, ISPs will continue to give customers choice over use or disclosure of their data consistent with the FTC’s framework. Choice will vary depending upon the sensitivity of the information. Sharing of sensitive information will require opt-in choice, non-sensitive information will require opt-out choice, and uses such as fraud prevention, product development, market research, network management and security, compliance with law, and marketing by the ISP will be subject to implied consent.
- Under the data security principle, ISPs will continue to protect customer information collected by the ISP using reasonable security measures, taking into account the nature of the ISP’s activities, sensitivity of data, size of the ISP, and technical feasibility.
- The data breach principle provides that ISPs will continue to notify customers of data breaches where there is unauthorized acquisition of customers’ sensitive personal information.
The FTC will enforce these privacy and security commitments, as can many state Attorneys General. At the moment, the FTC cannot bring enforcement actions against telecom carriers in the Ninth Circuit (in the western US), where litigation is pending on whether the common carrier exemption to the FTC Act exempts telecom carriers from FTC regulation. However, it can bring enforcement actions against all ISPs outside the Ninth Circuit and against ISPs that are not common carriers there. What is more, the FCC will continue to have the authority over the privacy of telecom usage information as well as to enforce broadband privacy. FCC, as opposed to FTC, privacy enforcement authority could change if the FCC or Congress overturns the FCC’s reclassification under the Open Internet Order of broadband providers as common carriers under Title II of the Communications Act. While both Chairman Pai and leaders of the Congressional committees with jurisdiction over the FCC are on record as supporting this change, this reversal of the underpinnings of broadband regulation is a longer-term and more complicated policy objective.
One immediate effect of the CRA is likely to be legislative activity in several states to impose opt-in consent requirements at the state level. Already, legislators have added a written opt-in consent requirement for information collection by ISPs to Minnesota’s budget bill. The long-term effect is likely to be to focus more attention on giving the US FTC clearer authority over privacy and security practices of businesses in many sectors in order to create clear and uniform requirements across those sectors in the US.