FTC Privacy Comments Show Deep Divide With FCC, Observers Say

One big question that has emerged in light of filings on the FCC ISP privacy NPRM is to what extent the agency may incorporate FTC suggestions (see 1605270057) into its final rules. Industry observers say they expect the FCC to feel some pressure to modify its rules to harmonize them with those of the FTC, though maybe not enough to change course (see 1605270022).

What the FTC tried to do in its comments was say it agreed with the FCC’s goals more generally, “but at the ground level say to the FCC we totally disagree with you,” said a former senior FTC official who has concerns about the FCC's approach. The FTC seems particularly concerned about consistency and that the FCC would create an “extraordinarily large delta” between how ISPs and other data collectors are treated, the former official said. The FTC basically says the FCC’s approach on data security “is going to screw up existing law and it goes too far and it hasn’t been well thought out,” the former official said. There’s a “pretty meaningful schism” between the two agencies on the rules, the former official said. “I think you can see that in the details of the FTC’s submission.”

“FTC staff is mindful that the FCC’s proposed rules, if implemented, would impose a number of specific requirements on the provision of [broadband] services that would not generally apply to other services that collect and use significant amounts of consumer data,” the FTC said. “This outcome is not optimal.” The FTC said the FCC’s approach “does not reflect the different expectations and concerns that consumers have for sensitive and non-sensitive data. As a result, it could hamper beneficial uses of data that consumers may prefer, while failing to protect against practices that are more likely to be unwanted and potentially harmful.”

FTC Commissioner Maureen Ohlhausen zeroed in on the differences between the approaches of the two agencies. The FCC “focuses on whether the holder of the data is a [broadband] provider, an affiliate, or a third party,” she said in a separate statement. “It does not account for the sensitivity of the consumer data involved. Thus, the FCC would require opt-in consent for many uses of non-sensitive consumer data by [broadband] providers, yet would require no consent at all for certain uses of sensitive data by those providers.”

Ohlhausen slammed the FCC for proposing a ban on different costs structures, that would let some consumers pay more to protect their data from being used by an ISP. The FCC would prohibit “a consumer from trading some of her data for a price discount, even if the consumer is fully informed,” she said. “Would-be broadband subscribers cite high cost as more important than privacy concerns for the reason why they have not adopted broadband. Given that fact, such a ban may prohibit ad-supported broadband services and thereby eliminate a way to increase broadband adoption.”

"Harmonization of the FTC's and FCC's privacy rules has been one of the key issues at the heart of this newest privacy debate," said former FCC Commissioner Robert McDowell, now at Wiley Rein. "The FTC appears to be saying, politely, that the rules should be the same across all platforms in order to prevent consumer and industry confusion. This public filing appears to be a gentle but clear nudge."

“We greatly appreciate and respect the FTC’s commitment to consumer privacy as reflected in their decision to file comments and in the substance of their filings," an FCC spokesman said. "Their filing is an important part of the record.”

“The idea that the FCC can adopt FTC-style restrictions is absurd, both from a legal standpoint and a technical one,” said Public Knowledge Staff Attorney Meredith Rose. “The FCC is enacting a congressional mandate that includes a very specific kind of framework,” Rose said. “We can argue all day about whether Congress made a wise decision in choosing that structure, and many privacy advocates believe that it did, but the fact is, that’s what was enshrined in the law. Advocating for an FTC-style framework based on tiers of sensitivity would directly override the will of Congress, and would be the real agency overreach.”

The FTC’s proposal for “tiered sensitivity” also would be difficult to put in place on an engineering basis, Rose said. “Broadband providers handle huge volumes of data at any given time,” she said. “Any one of those packets could, or could not, contain data that meets the FTC’s definition of sensitive. The only way to know for sure, and to triage appropriately, would be to manually inspect the contents of each packet.”

Jeff Chester, Center for Digital Democracy executive director, disagreed with how some critics of the NPRM characterized the FTC’s filing. “The FTC largely blessed the FCC proposal, acknowledging the distinctive role of ISP providers,” Chester said. “We believe the FCC should implement its proposal, especially requiring opt-in rights for subscribers and their families. The FTC's framework was developed because it doesn't have the ability to issue regulations to protect privacy, except for children. Consequently the FTC has been constrained from proposing the same type of pro privacy safeguard as the FCC has done.” Developments in big data “have made passé the FTC approach on sensitive data, for example,” he said. "The FCC framework to empower consumers reflects a reasonable approach when dealing with ISP data practices.”

“The staff filing pretty clearly called out the FCC’s [personally identifiable information] definition as over-broad, and questioned how the proposal seems more concerned with limiting otherwise accepted business practices than tracking actual consumer expectations of privacy,” emailed Doug Brake, telecom policy analyst at the Information Technology and Innovation Foundation. “The FTC filing was as diplomatic as it had to be -- otherwise I’d say safe to count them among the broad ‘what are you doing?’ coalition. When a cross-section of academics, think tanks, virtually all of industry (edge companies and networks alike), and now the FTC itself all agree that the proposal needs to be scaled back, the FCC should be obliged to listen.”

“It’s impossible to read the FTC privacy framework alongside the FCC’s privacy NPRM without noticing glaring inconsistencies,” said Richard Bennett, free-market blogger and network architect. “The NPRM improperly defines CPNI [customer proprietary network information] in a way that vacuums up the kind of information that Internet users routinely share with websites, operating systems, and browsers. The FTC staff have made a valiant effort to harmonize privacy regulations in rational way. But I believe the FCC staff was aware of the inconsistencies and chose to take a discriminatory approach.”

"The FCC's apparent single-mindedness in wanting to impose unequal burdens on the ISPs in ways that make it more difficult for them to compete against edge providers rankled the FTC,” said Randolph May, president of the Free State Foundation. “The FTC is used to making decisions that are more data-driven, less obviously political than the FCC. You don't need to have a doctorate in government to know it doesn't make sense to have two widely disparate regulatory regimes for privacy regulation." FSF filed comments opposing the proposed rules, saying they would create disparate privacy regulatory regimes for ISPs and “edge providers” like Google and Amazon and would only confuse consumers.

A wireless industry lawyer said applying FTC rules to ISPs would be fairer than the FCC-proposed approach. “The 10 companies that currently control a 70 percent share of the online advertising market are not ISPs and thus will continue to operate under the FTC's rules, which offer a much better and flexible notice-and-choice framework providing companies with the freedom to innovate,” the lawyer said.