The Bottom Line
- Last fall, the FCC and FTC both hailed the FCC privacy rules. After the change in administrations, the FCC and FTC both agreed to rescind such rules.
- Therefore, it remains to be seen how privacy and data security will be regulated going forward. Companies in all industries should keep abreast of developments.
Congress has voted to overturn the customer privacy rules adopted last year by the Federal Communications Commission (FCC) for wireless and home broadband internet service providers (ISPs) and other telecommunications carriers, thereby opening the door to more expansive and aggressive uses of customer data.
Background
Last October 27, the FCC adopted rules establishing a framework of customer consent for ISPs such as AT&T and Comcast to be able to use and share their customers’ personal information. The Federal Trade Commission (FTC) had previously regulated the privacy practices of broadband providers until a change in its jurisdiction in 2015.
The FCC rules separated the use and sharing of information into three categories and included guidance for both ISPs and customers about the transparency, choice, and security requirements for customers’ personal information. In particular, the rules:
- Required ISPs to obtain affirmative “opt-in” consent from consumers to use and share sensitive information, including precise geolocation, financial information, health information, children’s information, Social Security numbers, web browsing history, app usage history, and the content of communications.
- Allowed ISPs to use and share non-sensitive information unless a customer “opted-out.” Under the FCC’s rules, individually identifiable customer information such as email addresses or service tier information was considered non-sensitive and the use and sharing of that information was subject to opt-out consent, which the FCC suggested was consistent with consumer expectations.
- Permitted ISPs to infer customer consent for certain purposes, including the provision of broadband service or billing and collection.
The rules also required ISPs to provide customers with clear, conspicuous, and persistent notice about information they collected, how it might be used, and with whom it might be shared, as well as how customers could change their privacy preferences. Additionally, the rules required that broadband providers engage in “reasonable data security practices” and contained guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data.
Congress Acts – and May Continue Acting
New FCC Commissioner Pai had earlier issued a stay of the rule shortly before it was to take effect, explaining that the rules were inconsistent with the FTC’s established approach to privacy and data security. Then, on March 23, the Senate voted 50-to-48 to formally overturn the FCC’s rules. A few days later, the House of Representatives agreed, by a vote of 215-to-205. And, the President signed the resolution on April 3.
The Trump Administration had indicated in a statement before the House vote that it “strongly” supported House passage of the measure, reasoning that the FCC’s rules departed from the “technology-neutral framework for online privacy administered by the Federal Trade Commission.” The FCC’s rules, the statement added, resulted in rules that applied “very different regulatory regimes based on the identity of the online actor.”
The speed with which Congress acted on the FCC’s rules suggests that it may alter other rules affecting the telecommunications industry that were adopted by the Obama Administration, including net neutrality rules prohibiting ISPs from slowing down internet access for some providers while affording faster access to other providers.