Posted By: Emily Weiss
In late March of 2017, the Senate voted to prevent a set of privacy rules from the Federal Communications Commission from going into effect. Privacy and Internet enthusiasts criticized the vote, and one Virtual Private Network service provider ran a full-page advertisement in the New York Times that named the 50 senators that “voted to monitor your Internet activity for financial gain.”
All of this might seem like the death of Internet privacy. The effect of the Senate vote appeared just turned certain regulatory authority over to the Federal Trade Commission (FTC) from the Federal Communications Commission (FCC). Internet service providers and other industry players welcomed the rule repeal, and have argued for consistency between the FTC and FCC privacy rules. Under the FTC rules, ISPs now have far more latitude to sell browsing data from its users to advertisers in order to provide more targeted advertising, just like online service providers, like Google, already can.
With this in mind, is the end of the FCC’s rule the beginning of the end for Internet privacy, and to an extent, net neutrality?
The FTC and the Internet of Things
The Federal Trade Commission’s mission is to protect consumers and promote competition by regulating things like deceptive advertising and antitrust enforcement. Most of FTC’s involvement with the Internet has to do with online advertising and marketing along with the Internet of Things.
The Internet of Things is a relatively new concept. It refers to the proliferation of consumer devices that can now connect to the Internet and communicate with other devices and the consumer. This communication network is becoming another Internet, in that multiple devices can connect and communicate with each other like a network. Such devices have sparked concerns about privacy and the potential for consumer harm. As a result, the FTC has begun to throw their weight into the Internet of Things arena.
The FTC has tried to focus on the potential data breaches and security flaws that such devices may have. Consumer information may be readily accessed from something like a computer car or Internet-enabled television far more easily than something like an encrypted WiFi connection. The FTC recommended to Congress “strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach” to help better combat the proliferation of such data breaches. FTC also reiterated their concerns about privacy from their 2012 Privacy Report, which set out best practices for companies about consumer data collection and disclosure.
The privacy framework set out in the 2012 report focused on three main categories. First, the framework’s scope included “all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device … [but] does not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year, provided they do not share the data with third parties.” To the extent that data can be “reasonably linked” to consumers, the framework recognized the increased likelihood that data could be considered as such and provided criteria in order for companies to remove data from that category. Data is not reasonably linked to consumers if it is 1) reasonably de-identified, 2) the company publicly commits to not re-identify it, and 3) the company stops downstream users of such data from re-identifying the data as well.
Second, the framework contemplated when to require companies give customers the choice to refuse collection of their data. According to the 2012 report, “companies do not need to provide choice before collecting and using consumers’ data for practices that are consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or as required or specifically authorized by law.” The report goes on to explain that general practices will most likely conform to this standard, including first-party advertising, but that there may be some exceptions.
Third and finally, the report recommended that Congress pass legislation to allow consumers to know what kinds of data were being collected about them. The report went on to suggest that “companies provide consumers with reasonable access to the data the companies maintain about them, proportionate to the sensitivity of the data and the nature of its use.” It should be noted that no part of this framework contemplated requirements companies had to meet before selling such data to third parties, at least not explicitly.
The FTC is far more concerned with regulating the Internet of Things than the general Internet. In early February 2017, the FTC fined VIZIO $2.2 million after it collected data about the television viewing habits of the users of Internet-connected televisions. The FTC required VIZIO to obtain express consent from consumers in order to collect this data. This different treatment of the Internet of Things and the data collection of the mundane Internet can be explained by the second prong of the privacy framework. This is not “general practices,” but cookies that track your browsing history, and logs of internet browsing histories, might be.
It should be noted that this isn’t really about Net Neutrality insofar as the FTC has not shown much concern over ISP’s ability to engage in discriminated service or selective provision of service. Due to the unsettled nature of this area of law, there is bound to be a lot of overlap when it comes to which agencies have power over the regulation of the Internet. The agency most concerned with net neutrality is the FCC, not the FTC.
The FCC and Net Neutrality
The Federal Communications Commission has been aggressive about promoting an open Internet since 2005. In 2010, the FCC issued an Open Order that required three things of ISPs: transparency, no blocking, and no unreasonable discrimination. This order was issued after the Court of Appeals in the District of Columbia ruled against the FCC in Comcast Corp. v. FCC, where the court held that the FCC could not regulate Comcast’s conduct in regards to peer-to-peer sharing because the FCC defined Comcast and ISPs as “information services” and not “telecommunications services.” This meant that FCC could not regulate Comcast and other ISPs under the Telecommunications Act of 1996.
Shortly after the open order was released, Verizon sued the FCC, arguing that the order exceeded Congress’ authorization. The Court of Appeals agreed, and vacated the blocking and discrimination parts of the order. The Court held that unless the FCC classified ISPs as common carriers, it had no authority to regulate them in such a way. However, the court allowed the FCC to continue to regulate transparency.
Without a different kind of classification, it seems that the FCC cannot regulate net neutrality in the way it desired under the Obama administration. However, transparency and privacy is still fair game, and the FCC promulgated recent rules that would have required ISPs to obtain explicit consent from their consumers before disclosing or selling their data. Notice that this most likely is in conflict with the FTC’s position on consumer data.
It is with this context we should regard the Senate’s recent vote to disregard the FCC’s new privacy rules. Instead of directly opposing privacy, it could be argued that the vote was to prevent two different standards of regulation. By making the regulation lie entirely with the FTC, it is easier for industry to comply, but FTC may require the permission FCC wanted to codify – though this is unlikely, since FTC has never been as aggressive about net neutrality and privacy as FCC has.
But even the FCC may be backing down from its historic pro-net neutrality stance. Ajit Pai, the new administration’s FCC commissioner, “delayed implementation of the new privacy rules” that were eventually voted down by the Senate. Perhaps the new FCC will be willing to pass more authority off to the FTC, or be more lenient to ISPs when it comes to net neutrality.
The law is not well settled in this area, and as a result, many agencies have overlapping or no clear understanding of how far their authority may go. Without further Congressional or judicial rules on the matter, this area of administrative lawmaking will continue to be murky. But it is far from clear that either net neutrality is dead, nor that it is very far from being completely out danger.