Privacy’s Rookie Cop on the Beat

The Federal Communications Commission’s (FCC) approval on February 26, 2015, of the Open Internet Order did more than just place the Internet under Title II of the Communications Act of 1934.  It also gave the FCC the right to regulate online consumer privacy protection, despite the fact that such power duplicates the authority long held by the Federal Trade Commission (FTC).  Always the zealot when it comes to controlling all aspects of communications, the FCC issued a notice of proposed rulemaking (NPRM) on March 31, 2016, for consumer privacy protections solely related to Internet service providers (ISPs).

The FTC’s jurisdiction over all aspects of consumer privacy is derived from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace.  The agency has the authority to enforce a variety of sector-specific laws, including those that emerge with the development of new technologies and business models, such as the Internet.

For example, the FTC was given the power by Congress to enforce the provisions of the Children’s Online Privacy Protection Act (COPPA), which imposes special privacy protections for children on companies with an online presence.  This law led some companies, like Facebook, to place age restrictions into their terms of service prohibiting anyone younger than 13 from creating profiles on their sites.  In addition to COPPA, other areas of privacy enforcement by the FTC include general privacy, data security, credit reporting and financial privacy, U.S.-EU Safe Harbor, and the Do Not Call system.  In other words, pretty much everything possible related to consumer privacy.

Since 2000, the FTC has brought enforcement actions that include more than 130 spam and spyware cases, at least 50 general privacy lawsuits, almost 60 cases for practices placing consumers’ personal data at risk, and more than 20 COPPA cases.  Since 1996, the FTC has held more than 35 meetings with stakeholders to discuss emerging issues in consumer privacy and security in order to remain up to date on the latest challenges posed by privacy violations.

Despite the preponderance of privacy and data security experience at the FTC and its broad mandate and expertise, the reclassification of the Internet as a Title II telecommunications service gave the FCC the opportunity to stick its meddling nose into another agency’s business.  On March 30, 2016, FTC Commissioner Maureen Ohlhausen called the provisions of the FCC’s NPRM “overly broad,” suggesting that the rules would add confusion to privacy protections that the FTC already handles on a case-by-case basis.  Ohlhausen further noted that the FCC “uses a wide variety of terms for data, including information, personal information, data and personal data.”

The FTC has long worked to keep consumers’ personal data from being compromised and has stringently punished violations through hefty fines and other actions.  Now, the FCC is completely reinventing the wheel in order to try to figure out how to do what the FTC has already been doing extremely well.  The FCC’s proposed rule makes an assumption that an ISP holds an inordinate amount of consumer data, and attempts to reconfigure the law to make it conform to today’s communications infrastructure.  Both of the Republican FCC commissioners have dissented from this NPRM, arguing that it is unnecessary, flawed, and “slanted.”

According to a February 29, 2016, working paper from the Institute for Information Security & Privacy at Georgia Tech, non-ISP services often have access to more user information than ISPs, and such material can often be used for targeted advertising and other purposes.  The FCC’s proposal would impose restrictive rules only on ISPs, which would create a double standard for privacy protection.

The NPRM from the ruling junta that wants total control of everything associated with telecommunications is likely to be approved, like everything else that FCC Chairman Tom Wheeler has proposed.  The warnings from the minority members at the FCC are well thought out, once again correct, and as usual written in vain.  Even the obvious waste of money by creating a second cop on the beat, and a severely undertrained one at that, seems to make no difference to the FCC.