by Mark MacCarthy

FCC’s leap into Internet privacy poses big risks for tech

May 23, 2016

The FCC should use a sensible approach that would not disrupt the current technology landscape and would allow consumers to make their own decisions on privacy

The Federal Communications Commission (FCC) has pushed itself into the thorny issue of Internet privacy with a new regulatory plan aimed at ISPs. And while the FCC may have a legitimate role to play, its current approach could disrupt the entire technology landscape.

Internet privacy was never an FCC issue, but the agency gave itself new powers with last year’s Net neutrality rules that reclassified broadband service as a regulated communications service. Before this, privacy regulation fell under the Federal Trade Commission’s “unfair and deceptive practices” authority. The FTC regulated all services, except for traditional financial services and communications services.

Now, the FCC is advancing a plan to use its new jurisdiction to create three tiers of consent-based Internet privacy regulation. The first level requires no additional consumer consent for a range of core services, including picking up and delivering messages, billing, emergency services, and protection against cyber security threats. These activities are so closely tied to the broadband service itself that consumer consent is implied.

A second tier requires opt-out consent when broadband companies make offers of communications-related services, such as triple-play bundles of video, wireless, and Internet. The third tier requires affirmative, opt-in consent if providers want to share customer information with unaffiliated third parties or use it for marketing or other purposes unrelated to the provision of communications services.

In addition, the FCC wants to entirely ban certain practices, including discounts for customers in exchange for allowing a provider to use their information for marketing purposes. 

This plan should sound alarms across the tech industry, not only because it’s a severe approach, but also because the new privacy rules could be applied beyond broadband providers.

The FCC argues the new rules are needed because ISPs have a strong hold on their customers, are uniquely situated with the people they serve, and are in a position to gather comprehensive information about their activities. The FCC says that these companies should therefore face stringent privacy rules and shouldn’t be able to force anyone, especially low-income people, to pay for privacy.

But the FCC has gone too far in requiring an affirmative opt-in for information uses other than normal operations or marketing of communications-related services. A convenient opt-out is entirely sufficient to protect consumer privacy. The FTC discovered this in its 2003 Do Not Call rule, which had no prohibitions and no affirmative opt-ins.

But 200 million people put their phone numbers on the Do Not Call list. Such a strong consumer response to the opportunity to end what they saw as a genuine abuse demonstrated the effectiveness of this approach.

The FCC should use this opt-out model for broadband privacy, secure in the knowledge that consumers are in the best position to assess the impact of an ISP’s information practices on them — and will act if they feel aggrieved. 

The ban on exchanges involving information use is also excessive. In all parts of their lives — whether watching network television, receiving loyalty discounts at supermarkets, using free websites or email services, and more — consumers trade their time, attention or personal information for discounted or free services. The idea that consumers cannot be trusted to make the right decisions on privacy, and that regulators should therefore make choices for them, is both paternalistic and damaging to the business models that give consumers unfettered access to incredible amounts of information.

Beyond their immediate impact on ISPs, the proposed rules also present a terrible model for other service providers who routinely offer “take it or leave it” information practices along with their service. Edge providers who use broadband to offer their own independent services simply don’t have the same relationship with, or access to the personal information of, their customers. And while the FCC has made it clear that its current plan applies only to broadband providers, other agencies and policymakers might be tempted to extend it.

The entire tech community should be wary of a bait-and-switch argument that can be seen coming. To move the rules through the FCC, advocates argue that this is all about the unique position of broadband providers with their customers. It’s entirely possible, however, that regulators will seek to extend the rules, perhaps at the Federal Trade Commission, to edge providers. They will argue that providers are not so different after all, and regulatory parity and comprehensive consumer protection require edge providers and broadband providers to live under the same set of privacy rules.

If the FCC believes it must insert itself into the complex question of consumer privacy, it should take a more sensible approach — one that recognizes both the intelligence of consumers and the value they receive. And more importantly, the Commission and other privacy regulators must fully acknowledge that ISPs are different from edge providers, and under no circumstances extend these rules further into the tech industry.