Early Signs Wheeler Privacy Proposal Will Meet With Major Industry Pushback

Early signs are that the industry attack on draft ISP privacy rules will center on the FCC’s determination of what kind of data is considered “sensitive” information requiring opt-in consent before it can be used or shared. USTelecom and NCTA already raised concerns the draft rules include eight categories of sensitive data, a broader definition than under the FTC’s privacy framework (see 1610060031).

FCC officials said Thursday they developed the categories based on the extensive record and the categories reflect the unique relationship between ISPs and their customers. Critics of the approach, including some who generally favor less regulation, said Friday Chairman Tom Wheeler likely attracted few industry supporters for the rules by modifying the agency’s approach to move closer to the FTC.

“The FCC's new definition of ‘sensitive data’ is a Trojan Horse that betrays the promise of anything even close to harmonization with the FTC or the White House,” said Larry Downes, project director of the Georgetown Center for Business and Public Policy. “Requiring opt-in for use of web browsing history or app usage history, in particular, effectively takes us back to a strict opt-in regime, whatever the chairman wants to call it.” The draft rules appear to be “a major break with long-standing FTC practice. ISPs will be subject to much more extensive regulation through ex ante rules, period,” he said. “There is no harmony with other key privacy frameworks and principles.”

“The FTC emphasizes the importance of context," an FCC spokeswoman said Friday. "When we apply the FTC framework, we also look at the context of the customer-ISP relationship. And that context is that the ISP can see every web domain you visit and every app you use as well as a tremendous amount of personal information. This is a different relationship than the one consumers have with a website or app that they can choose to use -- or not use -- on a minute-by-minute basis. Chairman Wheeler’s proposed rules give consumers meaningful control over their privacy -- and the privacy of their children.”

The agency fact sheet portrays the rules as narrower than those initially proposed on sensitive information and customer opt-in. “If true, that's already a minor victory for industry,” said Daniel Lyons, associate professor at Boston College Law School. The rule “still appears to be broader than the rules the FTC has adopted for the rest of the Internet ecosystem, and I expect broadband providers will continue to press on the competitive imbalance this created between FCC-regulated and FTC-regulated entities,” Lyons told us. “I would expect that distinction to be raised on appeal, meaning that to survive judicial review, the FCC will have to explain why it is acting more cautiously than its sister agency, though it's worth noting that the appellate bar is fairly low, showing merely that the agency's decision is not arbitrary or capricious." Industry also could file a related challenge of how well the eight categories are defined, he said: “No matter what's included in the bucket, regulated entities need clear lines so they know what not to collect without permission.”

The draft rules are “one of the most significant deviations from the successful multi-stakeholder, consensus-driven approach to Internet governance, and one of the most impactful changes to privacy policy in years,” said Doug Brake, telecom policy analyst at the Information Technology and Innovation Foundation. “The FCC styles this as an alignment with the FTC approach, but in reality, these regulations go far beyond the FTC guidelines, which are themselves simply guidelines, not regulations. Ex ante rules, combined with rigid, overly-broad categories of sensitive information make this proposal a far cry from the FTC model.” Brake said he hopes other commissioners will move Wheeler closer to the FTC model of “flexible oversight.”

“The latest revision to the privacy proposal seemingly may be a step in the right direction on a purely conceptual level, but it is not very helpful as a matter of reality,” said Randolph May, president of the Free State Foundation. “The categories of information requiring opt-in are much broader than necessary to protect consumer choice and, as importantly, broader than the framework the FTC applies. This will lead to inequitable regulation and consumer confusion. And, to boot, the FCC lacks authority to go as far as it proposes.”

Commissioner Jessica Rosenworcel likely will understand the problems with the draft, May said. “I’d like to see her take a stand and show her independence,” May said. “I applauded Commissioner Rosenworcel last week when she took a stand on the agency’s set-top box item, and I’d sure welcome the opportunity to do so again."

Proposal critics are "nothing more than supporters of invading the privacy and undermining the rights of American consumers," emailed Jeff Chester, executive director of the Center for Digital Democracy. "They are digital data collection enablers. The growing cross device tracking and targeting of subscribers and their families by ISPs enables our broadband network providers to engage in ongoing pervasive surveillance. The FCCs revised proposal is a framework that draws on the FTC but does so in ways that reflect 21st Century data gathering practices by ISPs." The FCC net neutrality order requires strong privacy protection "to fulfill both its democratic and marketplace role," Chester said. "Those ISPs and their supporters really want an internet under their control where they can spy on Americans and monetize our personal information without regard to either privacy or responsible corporate social responsibility. They risk a huge consumer backlash as more Americans learn about their business bad behaviors."

Public Knowledge Senior Vice President Harold Feld also fired back at industry critics of the FCC proposal. Industry’s position is similar to where it was on net neutrality a few years ago, he emailed. “They recognize that ‘no rules’ is unacceptable to the general public and the administration, so they want rules as weak as possible,” Feld said. “The obvious way to get there is to cherry pick FTC precedent, ignore everything the FTC has said and done since 2012, and push to undermine the basic protections in the order, notably around tracking users online.”

Industry wants the FCC to decide browser history and app history aren’t covered, Feld said. “It's important to understand that classing ‘browser history’ as ‘non-sensitive’ means that ISPs can track everything you do online and classing ‘application history’ as ‘non-sensitive’ means everything any device you own does online,” he said. “If you thought Verizon Supercookie was the kind of useful innovation we should encourage by relieving carriers of the need to ask permission first, then you want to make sure ‘browser history’ is classed as ‘non-sensitive.’"