US Federal Communications Commission proposing privacy protections on line

March 20, 2016

Privacy protection and regulation in the United States is regarded as being uniformly weak. That is not correct. A better description is that it is sectoral: strong in some areas, such as health, and extremely weak in others, such as customer lists. In the regulatory zone the report is similarly mixed. The Federal Trade Commission (the “FTC”) has been very active in taking action over privacy breaches, typically on the basis of a claim of misleading and deceptive conduct. Most recently, the Federal Communications Commission is going to issue privacy protections that are stringent, for the US at least, and that impose strong privacy regulation on internet service providers.

The proposal is a particularly sensible document, albeit brief compared to guidelines issued by privacy regulators elsewhere, providing:

FCC Chairman Tom Wheeler has circulated for consideration by the full Commission a Notice of Proposed Rulemaking (NPRM) to ensure consumers have the tools they need to make informed choices about how and whether their data is used and shared by their broadband providers. The proposal would apply the privacy requirements of the Communications Act to the most significant communications technology of today: broadband Internet access service. When consumers sign up for Internet service, they shouldn’t have to sign away their right to privacy. The proposal will be voted on by the full Commission at the March 31 Open Meeting, and, if adopted, would be followed by a period of public comment.

Do Consumers Know What They Are Agreeing To When They Sign Up For Internet Service?

Every day, consumers hand over very personal information simply by using the residential or mobile broadband services they’ve paid for. Why? Because by carrying Internet traffic, ISPs can collect their customers’ personal and private information to create detailed profiles about their lives.

  • An ISP handles all of its customers’ network traffic, which means it has an unobstructed view of all of their unencrypted online activity – the websites they visit, the applications they use. If customers have a mobile device, their provider can track their physical and online activities throughout the day in real time.
  • Even when data is encrypted, broadband providers can still see the websites that a customer visits, how often they visit them, and the amount of time they spend on each website. Using this information, ISPs can piece together enormous amounts of information about their customers – including private information such as a chronic medical condition or financial problems.
  • A consumer’s relationship with her ISP is very different than the one she has with a website or app. Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee.

Whose Data Is It Anyway? Consumers Deserve Increased Choice, Transparency and Security Online

Consumers should have effective control over how their personal information is used and shared by their broadband service providers. Telephone networks have had clear, enforceable privacy rules for decades, but broadband networks currently do not. Chairman Wheeler’s proposal to protect consumer privacy is built on three core principles – choice, transparency and security.

  • Choice: Consumers have the right to exercise meaningful and informed control over what personal data their broadband provider uses and under what circumstances it shares their personal information with third parties or affiliated companies.
  • Transparency: Consumers deserve to know what information is being collected about them, how it’s being used, and under what circumstances it will be shared with other entities. Broadband providers must provide accurate disclosures of their privacy practices in an easily understandable and accessible manner.
  • Security: Broadband providers have a responsibility to protect consumer data, both as they carry it across their networks and wherever it is stored.

Chairman Wheeler’s Proposal to Empower Consumers to Protect Their Privacy: It’s Your Data

To provide the tools consumers need to make smart choices about protecting their information – and enforce the broadband provider’s responsibility to do so – the Chairman’s proposal separates the use and sharing of information into three categories, and proposes adoption of clear guidance for both ISPs and customers about the transparency, choice and security requirements for that information.

  • Consent Inherent in Customer Decision to Purchase ISP’s Services: Under the Chairman’s proposal, customer data necessary to provide broadband services and for marketing the type of broadband service purchased by a customer would require no additional customer consent beyond the creation of the customer-broadband provider relationship. For example, your data can be used to bill you for telecommunications services and ensure your email arrives at its destination, and a broadband provider may use the fact that a consumer is streaming a lot of data to suggest the customer may want to upgrade to another speed tier of service.
  • Opt-out: Under the Chairman’s proposal, broadband providers would be allowed to use customer data for the purposes of marketing other communications-related services and to share customer data with their affiliates that provide communications-related services for the purposes of marketing such services unless the customer affirmatively opts out.
  • Opt-in: Under the Chairman’s proposal, all other uses and sharing of consumer data would require express, affirmative “opt-in” consent from customers.

Your ISP’s Duty to Keep Your Data Secure

Strong security protections are crucial to protecting consumers’ data from breaches and other vulnerabilities that undermine consumer trust and can put their health, financial and other sensitive personal information at risk. The Chairman’s proposal would put in place robust and flexible data security requirements for broadband providers, including an overarching data security standard.

  • The proposal would require broadband providers to take reasonable steps to safeguard customer information from unauthorized use or disclosure.
  • And, at a minimum, it would require broadband providers to adopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties.

Data Breach & Consumers’ Right to Know

Consumers have the right to know their data is being handled and maintained securely by their ISPs. They also have the right to know when their data has been compromised. In order to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information, the Chairman’s proposal includes common-sense data breach notification requirements. Specifically, in the event of a breach, providers would be required to notify:

  • Affected customers of breaches of their data no later than 10 days after discovery.
  • The Commission of any breach of customer data no later than 7 days after discovery.
  • The Federal Bureau of Investigation and the U.S. Secret Service of breaches affecting more than 5,000 customers no later than 7 days after discovery of the breach.

It’s about Permission and Protection, not Prohibition

  • The Chairman’s proposal does not prohibit ISPs from using or sharing customer data, for any purpose.
  • It simply proposes that consumers have choices – either to opt out in some instances or to require that the ISP first obtain customers’ permission before using and sharing the customer’s data in others.

The Scope of the Chairman’s Proposal Does Not Include

  • The privacy practices of web sites, like Twitter or Facebook, over which the Federal Trade Commission has authority.
  • Other types of services offered by a broadband provider, such as operation of a social media website.
  • Issues such as government surveillance, encryption or law enforcement.

The Proposal Seeks Public Comment on Other Ways of Providing Consumers with Increased Choice, Security and Transparency

  • While the Chairman’s proposal sets forth a clear path forward towards final rules, the NPRM would also seek comment on additional or alternative paths to achieve pro-consumer, pro-privacy goals.
  • By seeking comment on a range of issues, the NPRM would ensure the development of a robust record upon which the Commission can rely in adopting final rules.

This proposal is reported by Wired in The Feds Are Prepping Strict Rules to Protect Your Online Privacy, which provides:

Tom Wheeler, the chairman of the Federal Communications Commission, has proposed what could become the largest and most stringent set of privacy regulations on the US technology industry to date.

The rules, if passed, will prohibit Internet service providers from selling customer data without consumers’ prior consent and limit the kinds of products Internet providers can market to customers based on their online activity. Wheeler’s announcement comes even as consumer privacy dominates the news with a courtroom battle over whether the government can compel Apple to help crack the encryption on a customer’s phone to advance a terrorism investigation.

Wheeler appears to think the government has a role to play in protecting user privacy, stating in a blogpost on Thursday that FCC regulations “limit your phone company’s ability to repurpose and resell what it learns about your phone activity. The same should be true for information collected by your ISP.”

New rules

According to the FCC’s fact sheet, the proposed rules will prohibit service providers from providing or selling user data to third parties like advertisers and data brokers without a customer’s explicit opt-in consent. Internet providers will, however, be allowed to leverage subscriber data “with their affiliates that provide communications-related services.” In other words, if you’re an AT&T broadband subscriber, the telecom could target you with advertising for AT&T affiliate mobile products, “unless the customer affirmatively opts out.” Just what that opt-in process looks like remains unclear. Right now companies routinely acquire consent by having users quickly agree to unread terms of service contracts.

“Internet providers have to collect some data to provide you Internet service,” says Gaurav Laroia, an attorney with the advocacy group Free Press. “They need to know the IP address of the sites you’re visiting in order to route that traffic. The rule that the FCC is proposing is going to be on the scope of the use of that data.”

AT&T, which sells subscriber data and rolled out a service at the beginning of 2015 that charges customers to opt-out of data tracking, opposes the new rules. “Given the realities of this complex market, there is no basis for treating ISP data as somehow ‘proprietary’ or subjecting ISPs to unique privacy requirements,” wrote Bob Quin, AT&T vice president of federal regulatory affairs in a blogpost opposing the proposal.

Tackling privacy

Data privacy is typically considered the domain of the Federal Trade Commission. Yet the FTC’s treatment of how companies handle or mishandle customer privacy has largely taken the shape of issuing fines for harming or misleading customers. That’s what the FCC had largely done in its forays into examining consumer privacy, too, until now. Now it wants to use its ability to craft rules to address the issue more sustainably.

The FCC’s authority to regulate how Internet providers handle user data was clarified after the commission moved to reclassify the Internet under the same set of network neutrality rules that apply to legacy phone companies. That happened after it hosted a very public debate on the topic, during which a record-breaking five million people commented on the agency’s official proceeding.

Most of those comments were negative, which led the commission to rewrite its proposal to be more in line with public opinion. “This time around I don’t know if millions of people will write in, but as with SOPA and with net neutrality, the reason we got so many people active is that we were actually losing at first,” said Matt Wood, legal counsel at Free Press. “It seems that they’re starting at a much better place than they were on net neutrality.”

The proposed privacy rules will be released at the open commission meeting on March 31, after which the FCC will solicit public opinion on the proposal. If they are as strong as Wheeler suggests they will be, the agency may very well enact the strongest consumer privacy protections in the U.S. since the Snowden disclosures in 2013.

It is also reported by CNN in FCC wants to clamp down on Internet privacy.

The FCC Chief of Staff, Ruth Milkman, gave a speech at the protecting broadband privacy forum on 15 March 2016, which provides:

Thank you to New America for hosting today’s forum.

Also, thank you to New America’s Open Technology Institute for your research on the topic of broadband privacy. The paper you released in January offers valuable insight into the privacy issues that we at the Commission are preparing to address.

As I have been thinking about the topic of privacy, I find myself thinking of the teaching of Hillel: “If I am not for myself, then who will be for me? But if I am only for myself, then who am I? And if not now, when?”

I will explain.

The first part of the teaching is this: If I am not for myself, then who will be for me?

The data used and shared by providers of broadband Internet access service is my data. It can be used to paint a detailed picture of my life. When am I awake and when asleep? How many people are in my household at what times of the year? What health concerns do I have? What is my financial situation?

If it’s my data, then I should have the ability to make sure it is protected. U.S. consumers say they want control of their data, and that they are worried about how that data is being used. According to a Pew Research Center May 2015 survey, 93 percent of adults say that being in control of who can get information about them is important. Ninety percent say that controlling what information is collected about them is important.

The goal of Section 222 of the Communications Act is to give consumers control, through notice and choice mechanisms, over how their data is used.

The second question is: But if I am only for myself, then who am I?

One reason that customers need control is that broadband providers have the incentive and the ability to monetize customer data. Providers want to take data they receive from consumers in the context of providing service, sometimes combine it with other consumer data, and use it or share it for the purpose of targeted advertising. And that can be a very good thing – as long as consumers have the ability to control the use and sharing of their information.

But here’s the rub: when it comes to protecting the privacy of the personal information customers share with their broadband providers, U.S. consumers cannot “be for me” if they lack the necessary tools and protections.

It has been just over a year since the reclassification of Broadband Internet Access Service, which recognized that, in light of the statutory text and the facts on the ground, broadband access is a “telecommunications service” under the Communications Act. Because Congress has limited the ability of the Federal Trade Commission to regulate common carriers, however, a gap was created – a gap that needs to be filled with specific guidance for consumers and broadband providers. Today, broadband providers can make use of consumers’ data in ways that consumers (a) don’t know about; and (b) might not permit if they were aware of what is going on.

That is why, last week, Chairman Wheeler circulated a proposal to establish baseline privacy standards for broadband providers.

Let me talk for a moment about why the FCC is well-positioned to tackle this issue.

The United States has multiple privacy laws, both at the federal and state level, and these laws have different functions that together serve to protect consumers. For example, FTC Commissioner Julie Brill refers to the multiple strands at the federal and state level as forming the “strong fabric” of U.S. privacy law.

Under its Section 5 authority, the FTC has a mandate to address unfair or deceptive acts or practices, a general protection mandate that the FTC has used successfully to bring many privacy-related and data security actions. These decisions have set important precedents for the Internet ecosystem. Beyond its case-by-case work, the FTC has offered best practices guidelines and the Administration has offered a Consumer Privacy Bill of Rights.

Over time, Congress has enacted sector-specific privacy protections, including with respect to financial institutions, schools and other educational institutions, healthcare providers, and credit reporting agencies. And communications networks. It is within that construct of sector-specific privacy regulation that we find Section 222 of the Communications Act, captioned “Privacy of Customer Information.” In Section 222, in addition to Section 631, which covers cable providers, and Section 338, which covers satellite providers, Congress has found that certain information used and shared by communications networks requires particular protections and expert agency oversight.

All of these federal statutes, FTC case law and guidance, as well as the Consumer Privacy Bill of Rights, draw heavily on the Fair Information Practices Principles. In the Chairman’s proposed rules, we didn’t seek to reinvent the wheel. We’ve placed our proposed rules within the existing fabric of U.S. privacy laws.

In particular, we’ve sought to have a framework that is complementary to the FTC’s precedents and guidance because we are dealing with closely related industry segments. The FCC has a history of coordinating closely with the FTC, including on privacy and data security, and the staff of the two agencies adopted a Memorandum of Understanding last year to memorialize that coordination, and to ensure that it continues as protection of consumer data becomes ever more important.

That history, along with our expertise on the operation of communications networks, are reasons that the FCC is well-suited to help consumers protect the information collected by their broadband providers. So what are we proposing?

The Chairman’s proposal is built on three core principles – transparency, choice and security. The proposal has three goals: first, to enable every broadband consumer to know what information is being collected and how it is used; second, to enable every broadband consumer to choose how their information bits are used and shared; and third, to give every consumer confidence that their information is being securely protected.

Not surprisingly, this proposal has generated a lot of interest and questions. Let me now address a couple of hot topics.

First, we are not regulating the edge. The FCC has jurisdiction over Broadband Internet Access Service because it’s a telecommunications service. We do not have jurisdiction over edge providers like Weather.com, Yahoo and Facebook. The Commission said that clearly in the Open Internet Order, and we’ll say it again in the context of privacy. The Chairman’s proposal will not regulate the privacy practices of edge providers. Moreover, the Chairman’s proposal will not limit the ability of broadband providers to offer separate services, for example, through ownership of social media sites, or online advertising platforms.

Second, we recognize that broadband providers want to monetize data, and we think that means there should be rules of the road. The argument that broadband providers must be treated exactly like edge providers makes me think of one of my favorite books on child rearing: “It’s Not Fair, Jeremy Spencer’s Parents Let Him Stay Up All Night!”

So if you are a parent (or were a child) you probably think the following: I doubt Jeremy Spencer’s parents let him stay up all night – most likely they have rules and supervision. Edge providers are subject to FTC oversight and enforcement, and often state oversight as well. Not to mention that some of the biggest edge providers are subject to 20-year consent decrees with the FTC, with very specific terms and conditions.

Of course, ISPs are not edge providers. An Internet Service provider handles all of its customers’ network traffic. Once signed up, a customer cannot avoid her Internet Service provider the way she can move between search engines or apps or websites. It’s just not practical.

In addition, ISPs have the capacity to capture more information about consumers than any single website or search engine. Even when data is encrypted, broadband providers can still see the websites that a customer visits, how often the customer visits, and how much time is spent on each website.

The proposed framework of transparency, choice and security – this is not a news flash. These are well-established privacy principles, and are used by the FTC, and other federal and state agencies when analyzing privacy issues.

As I mentioned earlier, privacy in the United States has focused on sector-specific laws and regulations. For example, HIPAA, implemented and enforced by HHS, applies to health care. The Gramm-Leach-Bliley Act applies to financial information, and is enforced by a range of agencies that include the FTC, the CFPB, the CFTC, the SEC and the Bank Regulatory agencies like the Office of Thrift Supervision. The Department of Education oversees privacy regulations with respect to education data. And the FCC is responsible for implementing the Communications Act, which applies to communications networks. This is our area of expertise.

And let me be clear – the Chairman’s proposal does not prohibit ISPs from using and sharing customer data. It simply proposes that ISPs first obtain customers’ permission. There is room for innovation.

The Chairman is committed to making sure that consumers have the benefits of transparency, choice and security. Industry groups have also embraced these three principles. Given that there is broad agreement that these are the right goals, we look forward to engaging with all stakeholders about how best to provide clear guidance for the benefit of consumers and their broadband providers.

Let me close where I started, with the words of Hillel, notably the last four words of the passage I used to open my remarks, “If not now, when?”

The Internet creates myriad opportunities for innovation and improvements in our quality of life. To seize these opportunities, consumers need to trust that their personal information is safe and secure.

When 91 percent of Americans say they have lost control over how their personal information is being used, now is the time to do better.

When the majority of Americans say they are NOT confident that cable and wireless companies are protecting their information, now is the time to do better.    

When six in ten Americans say they would like to do more to protect the privacy of their personal information online, now is the time to do better.

When consumers sign up for Internet service, they shouldn’t have to sign away their right to privacy. We should empower consumers with the tools they need to make informed choices about how and whether their data is used and shared by broadband providers. It’s the right thing to do. And now is the right time to do it.
