By Daniel Lyons
American Enterprise Institute
On Tuesday, the House of Representatives joined the Senate in passing a joint resolution disapproving of the Tom Wheeler-era FCC’s privacy rules. The debate prompted an unusual amount of sturm und drang in the blogosphere, much of which is misleading. As with many tech issues, understanding what’s really at stake requires more nuance than one can generally fit into a 140-character call to action. In the interests of separating myth from reality, this Intelligence Brief explores the privacy issue in greater depth, as part of what’s unfortunately becoming a regular series in dispelling misconceptions in tech policy.
Myth: Congress stripped Americans of their privacy rights!
Reality: You have the same rights today as you did yesterday.
The joint resolution repealed an FCC order passed during the final days of the Obama administration. The rules would have created a new, more stringent privacy regime that would have applied to broadband providers but not to internet-based companies such as Google and Facebook. The rules were not scheduled to take effect until later this year. By repealing the rules, Congress has preserved the status quo. Consumers should see no difference in their internet activity because the law today is the same as it was last week and has been since at least 2015.
Myth: Companies can collect my information and sell it to the highest bidder without telling me!
Reality: Consumers ultimately control what is collected about them and how it is used.
Federal Trade Commission (FTC) guidelines have long required each company to notify consumers regarding what information it collects about them and how that information is to be used and to give consumers the power to “opt out” of such collection efforts. These rules governed the entire internet ecosystem until 2015 when, as part of its effort to adopt strong net neutrality rules, the FCC reclassified broadband providers as common carriers and, in the process, stripped the FTC of jurisdiction over them. Having inadvertently created a privacy law “gap,” the FCC then doubled down on its error by trying to fill that gap with a potentially more stringent opt-in rule, rather than by mirroring the FTC’s opt-out rules.
Thus, the difference between the proposed FCC approach and the FTC approach is not a choice between privacy and no privacy. Both approaches require notice to consumers, and both give consumers ultimate decision-making authority. The difference is the default rule: having given customers notice, can companies collect information unless the customer says no, or should they be prohibited from collecting information unless the customer affirmatively consents? There are strong policy arguments on both sides. But the battle is not about whether consumers should have privacy rights; rather, it’s merely about how consumers can enforce those rights.
FCC Chairman Ajit Pai and FTC Acting Chairman Maureen Ohlhausen recently released a joint statement proposing to re-harmonize privacy law under the FTC rules, as existed prior to reclassification. Congress’s joint resolution was the first step toward that ultimate goal. Having repealed the proposed opt-in rules, the FCC is now free to take action that would subject broadband providers to the same rules that govern the rest of the internet ecosystem.
Critics are right that, until the FCC acts, there is a gap in broadband privacy law — the gap the FCC created in 2015. But that gap is not as large as one might expect. First, under Section 222 of the Communications Act, common carriers cannot share “customer proprietary network information” without permission. In the telephone context, this covers information such as what numbers a customer calls, with what frequency, and how long such calls are connected. After reclassification, the same restrictions govern broadband CPNI — though to be fair, the FCC has not defined clearly what falls into this category. Second, all major broadband providers have incorporated the FTC procedures into their privacy policies voluntarily.
(The Ninth Circuit recently created another potential wrinkle in the FTC’s privacy law. But I am not terribly worried about this yet.)
Myth: But Congress has prevented the FCC from passing new privacy rules!
Reality: The FCC may pass any rules that are not “substantially the same” as the repealed rules, which should include rules that mimic the FTC approach.
Under the Congressional Review Act, the FCC may not “reissue” a repealed rule “in substantially the same form” or pass a “new rule that is substantially the same” as the repealed rule. Privacy advocates suggest that this language prohibits the FCC from passing any privacy rules going forward. But, this is highly unlikely.
While courts have never interpreted this provision — the CRA has only been successfully used once prior to the Trump transition — the purpose of this provision is to prevent agencies from getting into an unending pass-repeal cycle with Congress. A new FCC privacy rule adopting the FTC’s opt-out legal framework would impose different obligations on providers than the repealed rules and therefore is unlikely to be considered “substantially the same.” The CRA is a law designed to allow Congressional oversight of agencies, and courts should interpret it to allow this type of iterative dialogue between the two.
Myth: ISPs are worse than Google!
Reality: ISPs know less about you than leading edge providers.
The FCC justified imposing a higher privacy burden on broadband providers because they occupy a “privileged place” in the network, able to see all traffic through a connection.
This is misleading. First, my home broadband provider can only gather information on my activity at home, while Google can capture all my activity while logged into my Google account whether at home, at work, or on mobile networks (on a phone powered by a Google operating system). Second, as Professor Christopher Yoo [of the University of Pennsylvania Law School and Founding Director of the Center for Technology, Innovation, and Competition] notes, edge providers like Google can capture content, while ISPs can only see metadata and traffic flow information (unless they engage in deep packet inspection, which would raise concerns under the Electronic Communications Privacy Act).
Moreover, broadband providers have been late to the digital advertising game. It is estimated that Google and Facebook collect two of every three dollars spent in digital advertising. ISPs are the insurgents in this market. Saddling only them with restrictive opt-in rules not only distorts competition, it entrenches incumbents.
Myth: There’s nothing I can do!
Reality: You have options to protect your data.
Ultimately, consumer privacy should not be discussed in a vacuum. Rather, the question of opt-out vs. opt-in should be answered against the backdrop of the role that consumer information plays as the lifeblood of the internet ecosystem. The dirty little secret of the internet economy is that your information is routinely collected by many companies.
It was recently noted that visiting The Verge’s online article condemning Congress’s repeal of the privacy rules would result in your information being shared with 49 trackers. This is not necessarily problematic. Monetization of consumer data is what helps make Google’s Gmail, Facebook, and YouTube free — and might someday bring broadband prices down as well.
We cannot consider rules affecting the availability of that information without considering the consequences such rules will have on the broader internet experience.
Daniel Lyons is a Visiting Scholar with the American Enterprise Institute’s Center for Internet, Communications and Technology Policy and an associate professor at Boston College Law School, where he specializes in telecommunications and internet regulation, as well as administrative law. He has written on technology convergence and the need to redefine the boundary between federal and state jurisdiction over telecommunications; the relationship between net neutrality and traditional common carriage; and the importance of allowing pricing innovation in broadband markets. This column originally appeared March 31 at the AEI’s TechPolicyDaily.com blog.