FCC's Proposed ISP Privacy Rules May Harm Competition, FTC's Ohlhausen Says

The FCC's proposed ISP privacy rules expected to be voted on Thursday may hurt competition between ISPs and edge providers, may not permit beneficial uses of data and may not accommodate consumers' varying privacy preferences, said FTC Commissioner Maureen Ohlhausen, speaking Wednesday at George Mason University Law School. She said she has seen only the fact sheet released by FCC Chairman Tom Wheeler several weeks ago (see 1603100019), but the proposed privacy rules for ISPs "appear to be more restrictive than the rules for other players in the Internet ecosystem."

The fact sheet is unclear about what types of data are covered, whether it's personally identifiable data or sensitive data such as financial and location data or whether it's all data that crosses an ISP's network, said Ohlhausen. Part of the problem is the fact sheet uses a wide variety of terms, and the NPRM may shed some light on this, she said.

The FCC's proposal divides potential ISP data uses into three categories, said Ohlhausen. The first deals with first-party use of data for providing broadband services so ISPs don't need to provide customer notice, she said. The second is marketing of communications related services in which ISPs must provide an opt-out option for customers. The third category, or "catchall" of the proposal, includes data uses not in the first two categories and that would require consumers to opt in, she said. "Thus, the FCC’s proposal appears to prohibit any data use except for the two uses covered by the two previous prongs absent express consumer consent and this opt-in requirement appears to go beyond the obligations faced by other companies in the Internet ecosystem," she said.

While some privacy advocates "applaud the FCC's precautionary approach to data use," Ohlhausen said "baseline privacy rules ought to reflect the preferences of the many, not the few. And where customer preferences vary greatly any rule should promote a wide range of options rather than a single solution." She also said privacy advocates want stricter privacy obligations across the Internet and the FCC's proposed rules "could eventually expand to cover edge providers."

The proposal could be biased against future uses of data, Ohlhausen said. She supports mandatory opt-in consent for use of certain types of sensitive data such as Social Security numbers and data that may reflect customer preferences, but she said if mandates are applied to nonsensitive data "the inherent biases of such frameworks against future uses likely will reduce future benefits."

This approach is more "tilted against future data uses by ISPs" than what other Internet companies face, she said. "Economists and common sense tell us that if different sets of rules govern competitors, companies subject to the more onerous or unpredictable regime are disadvantaged compared to those outside that regime," Ohlhausen said. "This may also damage competition or artificially distort the market as companies seek to avoid the more onerous regime." She said the FCC proposal appears to impose stricter rules on ISPs than Google, Yahoo and Facebook operate under, and some privacy advocates have said it makes sense for the rules to differ. But the claim ISPs are "uniquely situated" to collect consumer information because their communications travel over an ISP network isn't true today, citing Georgia Tech professor Peter Swire's recent research showing that ISPs don't see as much data as thought (see 1602290047).

"At its core, protecting consumer privacy ought to be about effectuating consumers’ preferences," said Ohlhausen. "If privacy rules don’t accommodate consumers' varying privacy preferences, consumers’ choice will be limited and consumers will be worse off. If privacy rules prevent beneficial uses of data, innovation will suffer. And if privacy rules hamper one group of competitors to the benefit of another group competition will be reduced."

Swire's research lacked context and was outdated in some security aspects said Public Knowledge staff attorney Meredith Rose during a later panel. For example, she said he didn't talk about de-identified data that can be later re-identified. But the larger point, she said, is that consumers should have a choice in how their data is used, accessed and sold to third parties, and about ads that are sent to them.

University of Nebraska Law professor Gus Hurwitz said he worried the FCC is adopting rules for ISPs because they can, and there needs to be a more comprehensive approach. He said the agency needs to take a step back and see what harms arise and develop rules on a case by case basis similar to the FTC's enforcement approach.