Regulatory requirements should not create artificial distinctions between competing firms, technologies, or business models. Doing so inevitably distorts competition, inhibits innovation, and harms consumers. Unfortunately, that is precisely what the Federal Communications Commission’s proposed rules governing privacy practices of broadband Internet access service (“BIAS”) providers would do.
At present, all companies in the Internet economy are subject to the same privacy regime, administered and enforced by the Federal Trade Commission. Companies say in their privacy policies how they will use information about consumers, and if they break those promises, the FTC can and does bring enforcement actions. Even without privacy promises, failure to protect sensitive information from breaches can constitute an unfair practice, and the FTC can stop it.
No Evidence of Inadequacies in the Privacy Regime
The FCC offers no evidence of any inadequacies in this privacy regime. It notes that all of the largest broadband providers already have publicly available privacy policies, but it makes no substantive case at all as to why those policies are inadequate. It identifies no adverse consequences to consumers that have resulted from broadband provider privacy practices. It identifies no privacy problems that have resulted from either accidental or deliberate sharing of information by broadband providers. It asserts there is a “gap” between traditional privacy practices that “must be closed,” but the only apparent “gaps” are the absence of a detailed and burdensome regulation, and the gap in legal authority created by the FCC’s reclassification of broadband services. Rather than articulating a problem in need of a solution, the Commission notes that it “is empowered to protect the private information,” and therefore it will, whether that information needs protection or not.
Restricting Broadband Internet Only
The proposed rules would apply to BIAS providers, and only to BIAS providers. Other companies collecting the same information about consumers would not be regulated, regardless of how they are using the information. Broadband providers would have to disclose the types of information they collect, how they use and when they disclose this information, the categories of entities to whom it is disclosed and purposes for which those entities use the information. The rule would require “opt out” consent for marketing communications related services to their customers, and “opt in” consent for all other uses. Thus, BIAS providers would have to obtain “opt in” consent for many uses of information for which other Internet companies either offer no choice or offer an “opt out” choice. The rule includes specific requirements for notifications in the event of a data breach, and imposes information security standards. It would prohibit certain practices, such as conditioning services on waiver of privacy rights or offering financial incentives for such waivers.
The FCC offers two rationales for rules that discriminate against BIAS providers, but neither has a firm foundation in fact. First, the FCC argues that a broadband provider somehow has a more “comprehensive” view of a consumer’s online behavior. But consumers browse the web using multiple devices from multiple locations, on multiple networks. Increasingly, traffic is encrypted, sharply limiting what a service provider can see. If anyone has a “comprehensive” view of behavior, it is most likely a sign-in service like Facebook or Google, which can easily track their members across all of the different ways they access the web. Second, the FCC argues that switching broadband providers is more difficult than switching among other Internet services. But switching costs are ubiquitous throughout the Internet economy. They do not appear to be especially high for broadband providers. Indeed, FCC data show that the four major wireless carriers lose 14 to 27 percent of their customers every year – far higher than the roughly 5% of customers who switch their smartphone operating system each year. Even changing email providers has its own set of costs, including the inevitable missed mail and the costs of telling everyone your new address.
Data collection and analysis play an essential role in the modern economy. The commercial use of information contributes to reducing the incidence of credit card fraud, democratizing the availability of consumer credit, and creating fraud detection tools to reduce the risk of identity theft. It is essential not only for the basic functioning of the Internet, but also in tailoring both commercial and non-commercial information to meet consumers’ specific preferences, and facilitating innovation by new and existing suppliers. In turn, customization and personalization of online experiences and offerings help to fuel growth in broadband usage and e-commerce. The Commission should not risk undermining these numerous benefits without clear evidence of a problem that needs to be solved.
One particularly important use of information is for serving advertising that is more likely to be of interest to the consumer who receives it. Even a little information can go a long way: studies find that advertising slots for a computer with a tracking cookie sell for 3 to 7 times more than if there is no cookie. And, just like in radio and television broadcasting, advertising revenue provides the resources to create the Internet content that consumers love. There is no apparent reason why broadband providers should be effectively precluded from this market.
Putting Consumers First
Privacy protection should put consumers first. Its goal should be to avoid the adverse consequences to consumers than can result from data breaches or information misuse. Consequences, however, arise from uses of information, and not from the mere fact that information is collected. Nor do the consequences depend on the business model of the entity collecting the information. Information uses with more potential for harm, such as using visits to auto racing websites to set insurance rates, should be subject to greater oversight. But it hardly matters to the consumer whether the source of that information was the broadband provider that transmitted the webpage, the publisher who posted the page, or any of the information intermediaries who may also know about the visit.
The FCC’s rule offers consumers nothing. The broadband provider cannot use the information, but everyone else can. Regulation that singles out BIAS providers for special requirements that do not apply to their competitors is, quite simply, biased.
Public Comment on Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, by J. Howard Beales, III