As the gateway to the internet, broadband providers have access to massive amounts of data about internet users’ browsing activities, communications, and preferences. This data can reveal sensitive personal information, including lifestyle and habits, medical conditions, sexual orientation, and financial status. Connecting to the internet requires entrusting internet service providers with sensitive personal data, and consumers rarely have a choice among providers. This puts consumers at a big disadvantage if they want to shop on privacy.
The Federal Communications Commission (FCC) is considering rules that would fill a critical gap in the patchwork of U.S. privacy laws by giving consumers meaningful control over the ways in which their data can be used and disclosed by broadband internet service providers. The FCC’s proposed rules would require customers to opt in to most uses of their data that are not directly related to the services to which they have subscribed.
These rules are needed now more than ever: in August, the Ninth Circuit held in FTC v. AT&T Mobility LLC that the Federal Trade Commission (FTC), which has historically been the primary agency protecting consumer privacy online, does not have the authority to enforce its rules against providers that are classified as common carriers. If this ruling stands, broadband providers could be immune to the FTC’s enforcement against unfair and deceptive practices relating to the collection, use, and disclosure of data. This authority now falls to the FCC. Industry groups have argued that FCC privacy rules are unnecessary because the FTC’s enforcement regime is sufficient to protect broadband customers. These claims are directly contradicted by the Ninth Circuit decision. Absent FCC or Congressional action, broadband providers will not be held accountable for engaging in practices that violate their customers’ privacy and security.
The FCC has proposed a strong set of rules that will allow for innovation while giving consumers necessary and meaningful choice as to how their information is used. However, two issues in particular threaten to weaken these rules: (1) a lack of clarity around de-identification requirements and (2) calls from industry groups to limit protections to “sensitive” data.
The role of aggregation and de-identification
A key component of the FCC’s proposed broadband privacy rules is that they apply only to customer information that is “linked or linkable to an individual.” The rules allow broadband providers to share aggregated customer data as long as the aggregated information “is not reasonably linkable to a specific individual.” Information collected from and linkable to individuals over broadband networks is inherently sensitive because of its capacity to reveal personal and sometimes intimate details.
Though we support this approach, the FCC’s final rules should avoid conflating aggregation (combining individual data points into more generalized data points) with de-identification (removing individual customer identities and characteristics from data). While aggregation can sometimes result in de-identified data, it’s not a certainty. For example, if a broadband provider collects customers’ location information and video streaming activity, then aggregates the data to count the number of people in each ZIP code who stream a certain TV show, individuals who live within a small ZIP code could still potentially be identified.
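The ZIP code scenario above can be checked mechanically before aggregated counts are shared. The following is an added example, not part of the original post or of any FCC text: the threshold `K_MIN`, the record layout and the sample data are assumptions, and the subscriber count per ZIP is taken from the records themselves. It goes one step beyond the small-ZIP case by also flagging a cell in which every customer in a ZIP streams the same show, since a large count there still reveals each resident's viewing.

```python
from collections import defaultdict

K_MIN = 5  # assumed minimum cell size; the FCC proposal names no number

def _rows(zip_code, show, n, first_id):
    """Build n constructed (customer_id, zip, show) records."""
    return [(f"c{first_id + i:03d}", zip_code, show) for i in range(n)]

# Constructed sample data, not real customer records or real ZIP codes.
RECORDS = (_rows("11111", "Show A", 6, 0) + _rows("11111", "Show B", 2, 6)
           + _rows("22222", "Show A", 6, 8) + _rows("33333", "Show A", 1, 14))

def aggregate(records):
    """Count distinct customers per (zip, show) and distinct customers per zip."""
    viewers, subscribers = defaultdict(set), defaultdict(set)
    for customer, zip_code, show in records:
        viewers[(zip_code, show)].add(customer)
        subscribers[zip_code].add(customer)
    cells = {cell: len(ids) for cell, ids in viewers.items()}
    return cells, {z: len(ids) for z, ids in subscribers.items()}

def review(records, k=K_MIN):
    """Label each aggregated cell as releasable or still linkable."""
    cells, subscribers = aggregate(records)
    decisions = {}
    for (zip_code, show), count in cells.items():
        if count < k:
            # So few viewers that one of them could be singled out.
            decisions[(zip_code, show)] = "suppress: small cell"
        elif count == subscribers[zip_code]:
            # Every customer in the ZIP streams it, so knowing a person's
            # ZIP reveals their viewing even though the count is large.
            decisions[(zip_code, show)] = "suppress: whole ZIP"
        else:
            decisions[(zip_code, show)] = "release"
    return decisions

if __name__ == "__main__":
    for cell, decision in sorted(review(RECORDS).items()):
        print(cell, decision)
```

Suppressing a cell is not sufficient on its own when ZIP-level totals are published alongside it, because the hidden count can be recovered by subtraction.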
Effective de-identification is a crucial component of protecting broadband customers’ privacy. The process of re-identifying data using publicly available databases is surprisingly easy. The FCC’s proposed rules place the burden on broadband providers to ensure that aggregated data are not reasonably linkable to individuals and to monitor re-identification efforts. CDT has also suggested that the FCC release guidelines about what technologies and methods could be used to enforce real-time monitoring of possible re-identification efforts.
Defining sensitive data
In reply comments filed in July, CDT urged the FCC not to weaken its rules by carving out unnecessary and vague exceptions for certain categories of data. Some commenters proposed that the FCC protect only “sensitive,” and not “non-sensitive,” information, but this is a distinction without meaning. The sensitivity of information is highly context-dependent. For example, some consumers do not view their video streaming preferences as sensitive, while others deem this information extremely sensitive because it can be used to infer personal details such as sexual orientation. Moreover, certain pieces of information may not be sensitive in and of themselves but become sensitive when combined with others. For example, a single piece of location data may not reveal sensitive information, but when combined, multiple location data points can reveal a person’s movements from place to place and provide insight into lifestyle, habits, and other personal information. It should not be up to broadband providers to decide what information about individual users is “sensitive” and “non-sensitive,” nor should they be tasked with sifting through data to separate the two.
The FCC’s common-sense proposal for protecting broadband customers’ privacy and freedom of choice should not be watered down with exceptions that would swallow the rules. The Commission should enact an effective privacy enforcement regime that will provide certainty for broadband customers, providers, and innovators.