Who Should be in Charge of Privacy in the 21st Century?

Chris Calabrese, Legislative Counsel, ACLU Washington Legislative Office
Joe Silver, Washington Legislative Office, ACLU
December 5, 2013

An effort is underway to significantly set back even the limited government oversight of commercial privacy that currently takes place in the United States. On Tuesday, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a hearing titled Federal Trade Commission Review and Outlook. At the hearing, FTC Commissioner Maureen Ohlhausen argued for the repeal of the communications common carrier exemption, which would transfer regulatory power over telecommunications networks from the Federal Communications Commission (FCC) to the FTC. While this might sound innocuous enough, the rework could have serious implications for consumer privacy protections.

This proposal is not new; the transfer of regulatory authority is being pushed by a new lobbying group called “The 21st Century Privacy Coalition.” This group has been spearheaded by major telecommunications providers and headed by Washington insiders, including former chairman of the FTC Jon Leibowitz and former US Representative Mary Bono. Members include AT&T, Verizon, DirecTV, Comcast, Time Warner Cable, and CTIA-The Wireless Association. The Coalition has suggested that internet privacy rules need to be simplified, and thus that a single regulatory agency should be responsible for all telecommunications oversight. The FTC would assume a role the FCC has traditionally held, namely providing oversight of telecommunications network intermediaries such as the phone, internet and cable providers the Coalition represents.

Sensitive information like call information and viewing habits already has strong protection from misuse by commercial providers (not to be confused with misuse by the NSA). Those protections should be modernized and extended to new areas like search term results, websites visited and other types of internet records. The danger is that the existing protections will instead be weakened under sole FTC jurisdiction. A brief overview of the FCC’s and the FTC’s existing authority helps explain why.

Currently, under 47 U.S.C. § 222 of the Telecommunications Act of 1996, telecommunications carriers, including phone and internet service providers, have a duty to protect consumers’ sensitive personal information (such as who customers call) to which they have access as a result of their position as network operators. This “customer proprietary network information” (“CPNI”) can only be disclosed with a customer’s express consent (opt-in). Prior to this law’s passage, telecommunications companies were able to sell this data to third-party companies for marketing purposes. This law also enabled the FCC to impose security requirements on carriers’ disclosure of CPNI to customers over the telephone and online, whereby both law enforcement and the customers themselves must be notified of any security breaches involving CPNI.

Similarly, the subscriber privacy provisions of The Cable Communications Policy Act of 1984 (“The Cable Act”) established a highly protective notice and consent scheme, permitting cable television subscribers to know what a cable operator’s practices are and providing them an opportunity to limit the data collections and disclosures that the operator may make. Providers must again obtain opt-in consent and must also grant subscribers the right to inspect and correct errors in such data. Police must obtain a court order to access data, and the law authorizes damages against companies that violate these provisions.

In contrast, as the FTC itself has acknowledged, its privacy-related authority in the area of telecommunications is somewhat limited. It primarily involves monitoring internet companies’ privacy policies to make sure the companies keep any promises they make to users regarding when and where personal information and data will be shared, sold or otherwise exploited.

The FTC’s privacy policy paradigm (which is set forth in 15 U.S.C. § 45) is familiar to all of us: internet companies post statements detailing their privacy practices and terms and conditions, and then, by visiting and using the site, the user either implicitly or explicitly agrees to the terms of the site. These privacy policies are often written in ways that allow the company to make broad use of the data, as most recently demonstrated by Facebook’s newest round of changes to its privacy policy, which make clear that a condition of using the service is that users must grant the company wide permission to use their personal information in advertising. As long as a company doesn’t make any promises that it doesn’t keep, the FTC has no way to safeguard consumer data on the web. That is why the FTC has urged Congress to “consider enacting baseline privacy legislation,” as “self-regulation has not gone far enough” to protect consumer data privacy from abusive data use practices online.

In short, if we transfer regulatory authority and telecommunications oversight from the FCC to the FTC, we will likely see an effort to treat the telecommunications companies in the same way as technology companies like Google and Facebook. The result would be the loss of a number of substantive protections in the process.

If changes are to be considered, they should be part of a discussion of a comprehensive overhaul of the data collection system. For example, we endorse network data protective legislation modeled on the Obama administration’s “Consumer Privacy Bill of Rights,” which was released in February 2013. The tenets of this report would provide a good foundation for improving consumers’ privacy safeguards online by making sure that the important goals of transparency, security, focused collection, and accountability are extended, not eliminated.
