Why the FTC Shouldn’t Be the Only “Cop On the Beat”

CDT is committed to protecting the open internet. This post is part of a series that explores the implications of FCC Chairman Ajit Pai’s proposal to roll back net neutrality protections.

We live in an era when technology frequently evolves ahead of the law. With each technological advance, we are forced to re-evaluate our understanding of privacy. For instance, in Katz v. United States, the Supreme Court held that individuals have a reasonable expectation of privacy when they make phone calls, citing the “role that the…telephone has come to play in private communication.” And in United States v. Warshak, the 6th Circuit Court of Appeals traced the Fourth Amendment right to privacy in the content of letters through phone calls and applied it to the more modern context of emails. However, the relationship between the government and the public is only one dimension of the debate. As the internet has become more ubiquitous and users generate more valuable data, we have been forced to consider a different aspect of the debate: how much privacy are we entitled to from private parties like internet service providers (ISPs)?

Under former Chairman Tom Wheeler, the FCC answered this question through the Broadband Privacy Order in October 2016. Using its authority under Title II of the Communications Act, the FCC adopted a set of protections (based largely on FTC guidelines) that would require ISPs to provide notice and obtain consent for the use of sensitive consumer information. But the order was recently repealed, and FCC Chairman Ajit Pai has suggested completely ceding oversight of consumer privacy to the FTC in his Notice of Proposed Rulemaking (NPRM). CDT has stated its opposition to previous efforts to roll back consumer privacy protections, and in this post, we will outline the basis for some of our concerns.

First, the FTC has more limited authority to protect the sensitive information of consumers than the FCC. The authority of the FTC to protect consumers stems from Section 5 of the FTC Act, which allows the agency to investigate “unfair and deceptive acts and practices in or affecting commerce.” More specifically, this means that the FTC can pursue violations on a case-by-case basis (1) when a company’s practices cause a substantial and unavoidable injury to consumers that is not outweighed by other benefits or (2) when companies mislead consumers and fail to abide by their own privacy policies.

While these provisions provide some degree of consumer protection, they also reflect a more narrow perspective on breaches of privacy. For example, to show that an action taken by an ISP is unfair, the FTC must not only show that there was an injury, but also that the injury is not outweighed by a competitive or consumer benefit. In this context, privacy is seemingly a commodity to be balanced against other considerations, rather than a fundamental right.

…In this context, privacy is seemingly a commodity to be balanced against other considerations, rather than a fundamental right.

In comparison, under FCC oversight, it is ISPs that have had the burden of protecting sensitive consumer information. Under Section 222 of Title II, ISPs have a “duty to protect the confidentiality of proprietary information of…customers” and can only disclose such information under carefully limited circumstances. By establishing an affirmative duty to protect personal information for ISPs, these provisions also help establish the idea of privacy as a fundamental right for internet users and allow for corresponding protections. But under the rules proposed by Chairman Pai, the FTC instead will be forced to justify the value of personal privacy for internet users.

Moreover, it is still not clear that the FTC has the authority to oversee the privacy practices of ISPs. Under Section 5, the FTC is not permitted to regulate common carriers like telephone companies. And in theory, once ISPs are reclassified from common carriers to information service providers under the NPRM, the FTC will be able to provide appropriate oversight. But in AT&T Mobility v. FTC, the 9th Circuit Court of Appeals extended the common carrier exemption to include all services of a company with a common carrier component. While the case is being appealed, if the decision is upheld, it would mean that the FTC may not be able to provide any sort of meaningful protection of consumer privacy from ISPs that also provide landline or mobile phone service.

Second, the ex ante enforcement of the FCC provides internet users with a more complete form of protection than the ex post enforcement of the FTC.  As previously discussed, Section 222 gives the FCC authority to regulate the practices of telecommunications providers like ISPs to protect the confidentiality of their customers’ “proprietary information” (PI).  The rules adopted by the FCC last year based on this authority would have provided a strong preventative baseline of protection against unwanted sharing or selling of information that ISPs gather about their customers’ preferences and habits.  

If the FCC succeeds in giving away its role in protecting consumer privacy, leaving the FTC to do the job on its own, consumers will lose the benefit of preemptive protection.  As FTC Commissioner Terrell McSweeny points out, because the FTC lacks the rulemaking authority of the FCC, the FTC can really only address privacy harms that are already occurring. Given how many subscribers each of the big ISPs has, this means that millions of people will likely be subject to privacy harms before the FTC takes action. Even then, the agency can only correct the specific practices of the offending entity. On top of the potentially massive scale, the nature of invasions of privacy makes them particularly difficult to repair; once lost, regaining control of sensitive information is nearly impossible.

Because the FTC lacks the rulemaking authority of the FCC, the FTC can really only address privacy harms that are already occurring.

Those in favor of consolidating privacy regulation under the FTC argue that ISPs should be subject to the same rules as edge providers and that privacy protections under Title II prevent them from competing with edge providers for advertising revenue. Although this argument ignores a few key differences between ISPs and edge providers (like your ability to choose which provider you share information with and what information you choose to share), it also pushes consumer protections in the wrong direction, toward weaker, not stronger protections. We don’t disagree with the notion of applying consistent standards of protection; but raising the bar, even one part at a time, is better than lowering it.

Finally, the FTC is not as well-equipped as the FCC to handle many of the network engineering issues that will accompany its new oversight role. Under Section 5, the FTC has the general authority to provide some form of consumer protection across many different industries. But as Commissioner McSweeny has noted, the agency also has limited staff and lacks the subject matter expertise of the FCC. As a result, the NPRM would shift oversight of internet users’ privacy from a specialized agency with deep expertise in telecommunications policy to an agency with greater constraints on staff resources and limited experience in the same field.

The Open Meeting to discuss the net neutrality repeal is on May 18, 2017. Currently, the FCC is observing a sunshine period during which submitted comments will not be a part of the official record. This period will end after the Open Meeting, and CDT encourages you to make your voice heard then through the FCC comment process [here, then click + Express] to help protect consumer privacy.