CDT Files Comments in the FCC Rulemaking to Protect Broadband Customer Privacy
Written by Alex Bradshaw
Today, CDT filed comments in response to the FCC’s notice of proposed rulemaking (NPRM) to protect the privacy of broadband customers. CDT commends the Commission’s efforts to protect consumer privacy through adapting Title II’s consumer protection provisions to broadband internet access service (BIAS).
The internet’s multitude of benefits would not be possible without its users. Individuals’ activities while online — exchanging ideas, simplifying business and personal transactions, collaborating and socializing — are what make the internet the most significant communications network in history. People should be able to contribute to the online ecosystem without concern that their contributions will be intercepted, analyzed, or shared in unexpected ways. Therefore, strong data use and sharing standards must be a component of any internet law framework. Broadband internet access service (BIAS) providers are uniquely positioned to not only enable widespread adoption of internet but also to steward responsible use of consumers’ data. The present rulemaking is a remarkable opportunity for the Commission to ensure BIAS providers fulfill this role.
The transformative power of data should not overshadow increasingly prevalent concerns about unchecked use of consumers’ personal information.
This is an exciting time for data driven innovation. Online data collection and use has revolutionized industries, public services, and the economy. In addition to actually building and maintaining the physical infrastructure through which we access the internet, BIAS providers are contributing to the digital revolution and data analysis in a number of meaningful ways. However, the transformative power of data should not overshadow increasingly prevalent concerns about unchecked use of consumers’ personal information. These concerns are not restricted to BIAS, and BIAS providers certainly are not alone in their data monetization efforts. Edge providers have charted the path for data collection and sharing techniques and a large portion of edge services’ profits come from data monetization. Device manufacturers are increasingly designing ways to monetize their customers’ data as well—often through partnerships with edge services and advertisers.
Unfortunately, a strong consumer privacy framework does not accompany this robust data market. Despite how critical privacy protections are to the continued health of the internet, the United States lacks a comprehensive consumer privacy law. Instead, American consumers face a patchwork of privacy standards that leave some personal information unprotected in surprising ways, and a general purpose consumer protection law enforced by the Federal Trade Commission (FTC) that maps imperfectly onto privacy rights. For these reasons, CDT has long argued for simple, flexible baseline consumer privacy legislation that would protect consumers from inappropriate collection and misuse of their personal information. In principle, such legislation would codify the Fair Information Practice Principles: requiring transparency and notice of data collection practices, providing consumers with meaningful choice regarding the use and disclosure of that information, allowing consumers reasonable access to the personal information they have provided, providing remedies for misuse or unauthorized access, and setting standards to limit data collection and ensure data security.
Title II and the larger patchwork of U.S. privacy laws cannot (and are not intended to) set standards for every industry. CDT therefore encourages Congress to swiftly pass baseline privacy legislation so that individuals gain more control over their data, regardless of where that information originates and who collects it. Nevertheless, absent Congressional action to pass such a law, the Commission has a statutory obligation and specialized expertise to protect the privacy of broadband customers now through its Title II authority. Our comment argues that the Commission can embrace this opportunity by implementing the following proposals in its rules:
Customer Proprietary Information should include Personally Identifiable Information.
CDT agrees that “proprietary information of, and relating to . . . customers” described in Section 222(a) should be interpreted broadly. Specifically, it must include a broader set of information than that encompassed by 222’s definition of Customer Proprietary Network Information (CPNI). The statute generally requires carriers to protect the confidentiality of customers’ proprietary information (customer PI), but sets out the conditions under which a subset of that information, CPNI, may be used and shared. The remainder of customer PI, which should include personally identifiable information (PII), must generally be kept confidential absent customer approval to use or disclose it.
Customer Proprietary Network Information should include packet metadata.
In the broadband context, information that “relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service” can be found in the metadata of the layered headers enveloping internet protocol (IP) packets. Even a limited collection of this metadata can provide information about a customer’s whereabouts and their online activity. Over time, the analysis of these data points can reveal patterns of behavior and details about customers’ personal lives that, while commercially valuable, warrant a greater degree of customer control over its use.
Customer opt-in should be required for most secondary uses of customer PI.
CDT supports the Commission’s proposal to generally require customer opt-in for use and sharing of customer data for marketing services unrelated to the service a customer has purchased. There are many legitimate uses for the customer information BIAS providers may collect. Some of these uses are necessary to maintain a functional, efficient network and require no consent. Others help carriers market relevant communications offerings. Customer opt-in should not be required in these cases since the privacy risks are lower and customers expect carriers to use their information for such purposes. However, customer opt-in should be required for all unaffiliated third-party use of customer PI for marketing and first-party or affiliate use of customer PI for marketing services that are not “communications-related.”
The disclosure of customer PI to third parties often places that information outside the control of the carrier and in the hands of third parties that may not be subject to any privacy standards under the Communications Act. Therefore, the risk of data loss is greater and the Commission will have more difficulty addressing entities responsible for the loss. Requiring opt-in for most secondary uses of customer PI is also important because this gives customers more meaningful control over the use of their information. Even where opt-in is required, BIAS providers should still have flexibility under the rules to encourage customer opt-in, including offering monetary rewards in exchange for customer opt-in. However, because such inducements to consent raise serious public policy concerns, these programs must be transparent and must not be coercive.
Customer opt-out should be allowed for first-party and affiliate use of customer PI to market “communications-related services.”
Customer opt-out would be sufficient for first-party and affiliate use and sharing of customer PI to market “communications-related services.” “Communications-related services” should be limited to entities subject to privacy protection under the Communications Act; particularly voice, internet and cable services. Sharing customer PI with these entities would not significantly increase the risk of loss of customer data; the carrier would be likely to maintain control of the data once it is shared and the entity receiving the data would be subject to privacy protections under the Communications Act.