Consumer Electronics Daily was a Warren News publication.
'Tough One'

Privacy Advocates Seek Sharper FCC Focus on Consumer Protection

Industry experts say it’s not clear what will come next as a result of FCC letters asking wireless providers about their data collection practices. The letters, which Chairwoman Jessica Rosenworcel sent to providers last month, delve into data sharing and retention practices of providers (see 2207200064). They ask that responses be emailed directly to Rosenworcel. Industry lobbyists said the letters also could tie back to a broader Biden administration focus on data privacy in light of the Supreme Court decision in Dobbs v. Jackson, which overturned Roe v. Wade.

Rosenworcel's letters cite a 2021 FTC report that found wireless providers collect more data than is necessary to provide services, and more data than consumers expect. “Given the highly sensitive nature of this data, especially when location data is combined with other types of data, the ways in which this data is stored and shared with third parties is of utmost importance to consumer safety and privacy,” the letters note.

Carriers are asked to describe “in detail” the geolocation data they collect and retain about current and former subscribers, and about safeguards providers use to protect the data. “Please explain the reasons geolocation data is retained for both current and former subscribers,” how long it’s retained, and in which countries the data is stored, the letters say. “Please share whether and how you disclose your data retention policies to subscribers,” the FCC asks: What's your data deletion policy for current and former subscribers and how do you delete geolocation data? Can subscribers opt out, and if not, why not? the agency asks.

A second section on data sharing is shorter and asks about processes and policies for sharing geolocation data with law enforcement. “Describe the arrangements, agreements and circumstances” in which data is shared with third parties that aren’t law enforcement, the letters ask. The letters ask questions about opt-out provisions and whether subscribers are notified of sharing with non-law enforcement third parties.

The letters were sent as the House Commerce Committee tackled bipartisan privacy legislation (see 2207200061). The FTC also recently sought comment on privacy rules (see 2208110068). Concerns have been raised about whether carriers are improperly commingling customer proprietary network information with mobile broadband data, industry observers said. Tech companies face pressure on their data practices in light of the Dobbs ruling (see 2207220053).

A year ago, T-Mobile revealed a data breach that included information from about 7.8 million current T-Mobile postpaid customer accounts and the records of more than 40 million former or prospective customers (see 2108180062). In 2020, the FCC cited the then four national wireless carriers for failing to safeguard data on their customers' real-time locations, and the carriers faced proposed fines of $200 million (see 2002280065).

The July letters could show the FCC “flexing its muscles” as Congress looks at whether to shift primary oversight responsibility for privacy to the FTC, said Alan Butler, president of the Electronic Privacy Information Center, in an interview. “It’s notable that the mobile location” notices “are still outstanding,” he said. “Even those fines haven’t actually come to fruition or been enforced,” he said. The new letters could be a “potential precursor to a subsequent investigation,” he said: “It’s a good sign that they’re interested. … I certainly hope that the FCC makes use of all its authorities.”

“It seems the FCC is taking the privacy concerns very seriously,” said Public Knowledge Senior Vice President Harold Feld. Geolocation data is probably “the most sensitive data collected by carriers on a regular basis,” he said: “The Dobbs decision, and recent actions by aggressive states eager to prosecute women seeking a safe means of terminating an unwanted pregnancy, made Americans aware of how geolocation data, particularly the highly precise geolocation data collected by carriers, can be abused. The FCC has a responsibility to monitor the carrier industry and to make sure this data is not abused.”

Lawyers who represent carriers said they don’t see major concerns among the providers since they already face requirements to protect their customers’ data.

“This will be a tough one for the FCC,” emailed Digital Progress Institute President Joel Thayer. “There are already legal barriers to its oversight, so this strikes me as a strict information gathering venture,” he said: “At this point, it’s unclear what role the FCC has at all or if it can even promulgate rules to any effect. This is especially concerning for the FCC in light of the West Virginia v. EPA case because such a proceeding will most likely be viewed by the courts as a major question. These two factors significantly complicate any privacy action coming out of the FCC.” The West Virginia case raised new questions about the deference courts should pay regulatory agencies absent specific direction from Congress (see 2206300066). Major carriers and the FCC didn’t comment.

“We see the FTC rushing into” a rulemaking “on fairly comprehensive privacy reforms at exactly the moment that Congress is contemplating a big privacy bill,” said Kristian Stout, International Center for Law & Economics director-innovation policy: “It seems strange for the FCC to also rush into this space right now.”

If current rules aren’t sufficient, “the FCC should adopt new rules that will adequately protect people's geolocation information,” Feld said. The FCC has political cover to act now, he said: “The FTC has launched a privacy rulemaking. Congress is considering comprehensive privacy legislation, which would strip the FCC of its privacy authority. This is an opportunity for the FCC to show how its work is complementary to the FTC, and display the tools it has to protect telephone consumers.” FCC actions could include a report from the Wireline Bureau “on practices to shame carriers into behaving properly” or a declaratory ruling interpreting existing rules or the "industry standards" for data collection and storage under the 2007 pretexting order (see 0707110105), he said. “If a majority of the commission agree, the full commission could issue a declaratory ruling” or NPRM, he said.