
FTC Regains Some Oversight of ISPs, but Consumers Still Lack Strong Privacy Protections

Last week the U.S. Court of Appeals for the Ninth Circuit delivered some good news to the Federal Trade Commission (FTC): in an en banc decision, the court reversed a September 2016 panel opinion that gave common carriers – companies that provide telecommunications services such as mobile and landline phone service – a get-out-of-jail-free card from the FTC’s enforcement authority.

The case, FTC v. AT&T Mobility, has been a nail-biter for many advocates because it determined the scope of the FTC’s authority to protect consumers from unfair and deceptive practices by companies under Section 5 of the FTC Act; specifically at issue was how the agency should interpret an exemption under Section 5 for common carriers. The decision also implicated net neutrality, because the Federal Communications Commission (FCC) partially rationalized its 2017 repeal of the net neutrality rules by insisting that the FTC would be able to regulate promises made by ISPs under Section 5.

While the FTC has long called for Congress to repeal the outdated common carrier exception, it has also argued that the exception only applies to common carriers to the extent they are acting as common carriers. The FTC conceded that AT&T was a common carrier for purposes of its phone and mobile voice services, but it contended that AT&T shouldn’t be safe from FTC enforcement with respect to its non-common carrier activities. AT&T disagreed, claiming the legal exception bestowed common carrier status on the company, exempting all of its corporate activities from FTC authority. CDT joined other groups in filing an amicus brief in support of the FTC.

Last year, a panel of three Ninth Circuit judges agreed with AT&T, holding that common carriers cannot be covered by Section 5 “even as to non-common carrier activities.” Under this decision, the FTC would not be allowed to bring an enforcement action against a digital service like Yahoo for deceptive privacy practices simply because it is owned by Verizon, a company with common carrier status. As telecoms race to acquire data-rich companies to compete with data-driven online platforms, this decision effectively de-fanged the FTC and blew open a potentially enormous gap in consumer protection. The broadband privacy rules, on the other hand, repealed through the Congressional Review Act last spring, would have provided real protections for internet users, prohibiting ISPs from selling, sharing or using information about a person’s browsing history and app usage without that person’s express permission.

The ruling this week returns the FTC’s ability to bring actions against businesses when they are not acting as common carriers. As Judge M. Margaret McKeown acknowledged, “[a] phone company is no longer just a phone company” and cited the need for regulatory consistency.

However, while the Ninth Circuit’s decision does restore some consistency and close a potential regulatory gap, it does not address the fact that ISPs are no longer considered common carriers because of the net neutrality repeal, nor does it address foundational weaknesses in the FTC’s oversight and enforcement authority. As CDT has explained, the FTC is hamstrung by a number of factors, including limited rulemaking and fining authority, inadequate resources and staff capacity, and after-the-fact enforcement constraints. While it’s a positive for individuals that the FTC can now police the promises internet service providers make to their customers, the agency still has little to no telecommunications enforcement expertise, nor does it have rules regarding net neutrality. Despite what the FTC or FCC may say about the ruling ensuring that ISPs engage in fair network and data practices, this decision will primarily serve as political window dressing.

While the Ninth Circuit correctly re-affirmed the FTC’s ability to protect promises to individuals in the digital marketplace, it’s not enough. ISPs have unique access to sensitive customer information, like web browsing and media viewing history, and the rise of internet-connected devices in homes will increase the amount and types of sensitive data, underscoring the need for meaningful enforcement and regulation.

In the shadow of a potential appeal by AT&T to the Supreme Court, which could remove all oversight from ISPs, there’s no excuse for Congress not to give the FTC strong rulemaking authority, as it has with many other federal regulatory agencies with equally critical consumer protection mandates such as the Securities and Exchange Commission and the National Labor Relations Board. Consumer protection laws and agencies should safeguard core democratic values like privacy and fair competition, not function as political or regulatory pawns.