Recently, Congress voted to overturn new FCC rules that regulated the privacy of broadband Internet Service Providers (ISPs). The rules applied the Communications Act, 47 U.S.C. § 222, to ISPs, requiring opt-in for sharing sensitive customer data and opt-out for sharing non-sensitive customer data, as well as imposing transparency requirements. Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications. The rules also required reasonable data security protections and data breach notification.
This development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed. There are many other regulators and sources of privacy law to fill the void.
Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules. They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.
Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry. In the short term after regulation is weakened or killed, there is a void, so this seems like a nice freer zone for companies. But nature abhors a vacuum. Other regulators will fill the void, and typically it is regulators who are most passionate about protecting privacy, such as California and the EU. They are far more likely to regulate privacy even more stringently than the FCC or FTC.
In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation. This is what happened with data security regulation and data breach notification. Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law. But it failed to act. Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws. Instead of having to comply with one law, companies must navigate laws in many states. The most common strategy for companies operating in all states is to try to follow the strictest state law. Thus, the de facto rule is the law of the state with the strictest protections.
Already, even before the blood has dried from the carcass of the FCC rules, Minnesota is jumping into the fray and considering regulation to restrict the sale of Internet use data. I think more states will follow.
A few years ago, Wyndham Worldwide, a hotel chain company, challenged the jurisdiction of the FTC over data security. It lost. But I often wonder what the company envisioned would happen if it had won. After vanquishing the FTC, would Wyndham have cast off the yoke of regulation? In the long run, the void would have been filled. Many states have their own consumer protection laws patterned after the FTC Act, and some states would likely have stepped up their enforcement. European Union (EU) policymakers would have become even more skeptical about the adequacy of US privacy law. Various methods of data transfer between the US and EU would have been thrown into question — as they are on shaky ground already. EU regulators might have decided to enforce more vigorously because of the weakened FTC.
Consider one more example: In the late 1990s, when there was talk of having a broad general baseline regulation of privacy, many in industry vigorously opposed it. They liked the US sectoral approach, filled with fragmented laws and lots of gaps and crevices where there was no regulation. What happened was that not many new federal privacy laws got passed in the 2000s, and there was no omnibus law. Into the void came the states and the FTC, FCC, the EU, and other regulators. Industries have shifted away from the traditional sectoral lines, and many companies now are regulated not by just one law and one regulator, but by many. Despite this, US privacy law is still viewed as weak by the EU. US privacy law can actually be quite vigorous in regulating many companies, yet the US gets no credit. And if we were to pass an omnibus privacy law today, it would be much stricter and more protective than such a law would have been had it been passed in 2000.
Some think just one chess move ahead. Go ahead, take the pawn, but three moves later, you might lose your queen. The FCC ISP privacy rules had many reasonable protections. Judging from the extensive media attention and negative public reaction, it strikes many people as creepy and wrong for ISPs to share their browsing history or health information without affirmative consent. Given these sentiments, I don’t think that repealing the FCC rules will be the last move.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 4-7, 2017 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.