Public Comment on Protecting the Privacy of Customers of Broadband and Other Telecommunications Services

FCC

by J. Howard Beales III, Senior Scholar

May 27, 2016


RE: Docket No. 16-106, Protecting the Privacy of Customers of Broadband and Other Telecommunications Services

Dear Chairman Wheeler:

I am J. Howard Beales III, Professor of Strategic Management and Public Policy at the George Washington School of Business.[1] This comment is a public interest comment, submitted through the George Washington University Regulatory Studies Center.[2]  The Center improves regulatory policy through research, education, and outreach. As part of its mission, the Center conducts careful and independent analyses to assess rulemaking proposals from the perspective of the public interest. This comment does not represent the views of any particular affected party or special interest, but is designed to evaluate the effect of the FCC’s proposal on overall consumer welfare.

The FCC has proposed detailed rules governing privacy practices of broadband Internet access service (“BIAS”) providers. The rule would establish new, and different, privacy standards, beyond those that apply to other Internet companies (“edge” providers such as Facebook or ESPN that offer content). It would regulate privacy practices for customer proprietary network information (CPNI) (such as service plan information, geo-location, MAC addresses, and source and destination IP addresses) and customer proprietary information (CPI) (CPNI plus personally identifiable information acquired in connection with provision of BIAS). Providers would have to disclose the types of CPI they collect, how they use and when they disclose this information, the categories of entities to whom it is disclosed, and the purposes for which those entities use the information. Providers could use CPI without consent when necessary for providing services. The rule would require “opt out” consent for marketing communications-related services to their customers, and “opt in” consent for all other uses of CPI. Thus, BIAS providers would have to obtain “opt in” consent for many uses of information for which other Internet companies either offer no choice or offer an “opt out” choice. The rule includes specific requirements for notifications in the event of a data breach, and imposes information security standards. It would prohibit certain practices, such as conditioning services on waiver of privacy rights or offering financial incentives for such waivers.

At present, BIAS providers are subject to the same privacy standards and requirements as every other company involved in the Internet economy, enforced by the Federal Trade Commission.  Companies post privacy policies identifying the information they collect, how they use it, how they share information and with whom, and offering consumers a degree of choice about certain uses of certain information.  For most information, most companies offer consumers the ability to “opt out” of some uses; a few require “opt in” consent to uses of sensitive information.  Practices inconsistent with those privacy promises are deceptive practices, subject to enforcement actions by the FTC.  In addition, the FTC has held that inadequate data security practices can constitute unfair practices, subject to enforcement actions even if there are no specific security promises.

The FTC’s approach to privacy regulation has worked well.  Importantly, it applies a uniform regulatory approach to different technologies and different business models.  It has largely avoided creating artificial barriers to either competition or innovation.  The FTC has brought numerous enforcement actions involving privacy and data security, but none have involved the provision of broadband Internet services.[3]

The FCC offers no evidence of any inadequacies in this privacy regime. It notes that all of the largest broadband providers already have publicly available privacy policies, but it makes no substantive case at all as to why those policies are inadequate. It identifies no adverse consequences to consumers that have resulted from broadband provider privacy practices. It identifies no privacy problems that have resulted from either accidental or deliberate sharing of information by broadband providers. It asserts there is a “gap” between traditional privacy practices that “must be closed,” but the only apparent “gaps” are the absence of a detailed and burdensome regulation, and the gap in legal authority created by the FCC’s reclassification of broadband services. Rather than establishing a problem in need of a solution as the predicate for regulation, the rationale for the rule is succinctly stated in paragraph 7 of the notice: “the Commission is empowered to protect the private information,” and therefore it will, whether that information needs protection or not. Instead, the FCC should forbear from creating a new regulatory framework for privacy practices, and defer to the successful FTC regime.

Data collection and analysis play an essential role in the modern economy. The commercial use of information contributes to reducing the incidence of credit card fraud, democratizing the availability of consumer credit, and creating fraud detection tools to reduce the risk of identity theft.[4] It is essential not only for the basic functioning of the Internet, but also in creating value for consumers by supporting advertising, which underwrites the cost of content and services, tailoring both commercial and non-commercial information to meet consumers’ specific preferences, and facilitating innovation by new and existing suppliers. Consumer data and feedback also enable the increased customization and personalization of online experiences and offerings for consumers, which is helping to fuel growth in broadband usage and e-commerce. The Commission should not risk undermining these numerous benefits without clear evidence of a problem that needs to be solved.

This comment argues first that the FCC’s rationales for treating BIAS providers differently are flawed.  Broadband providers do not pose a unique or more comprehensive privacy risk than other participants in the Internet ecosystem, they are unlikely to engage in harmful conduct, and they are not protected by uniquely high costs of switching that might justify different treatment.  Second, the proposed separate regulatory regime for broadband providers would inhibit innovation, reduce competition, and harm consumers.  Third, if it feels it must regulate, the FCC should adopt a functionality based approach to privacy regulation to maximize consumer welfare.



[1] I have an extensive career in government service, most recently as Director of the Bureau of Consumer Protection at the Federal Trade Commission from 2001-2004.  During my tenure, the Commission promulgated and implemented the National Do Not Call Registry.  I have published extensively on privacy and consumer protection regulation.

[2] This comment reflects the views of the author, and does not represent an official position of the GW Regulatory Studies Center or the George Washington University. The Center’s policy on research integrity is available at http://regulatorystudies.columbian.gwu.edu/policy-research-integrity.

[3] In Level 3 Communications LLC, the Commission challenged claims that an Internet service provider was a “current” participant in the U.S.-EU Safe Harbor program, when in fact its self-certification of compliance had lapsed.  The complaint alleges no substantive violations.  Level 3 Communications LLC, File No. 142 3028 (June 25, 2014), available at https://www.ftc.gov/enforcement/cases-proceedings/142-3028/level-3-communications-llc-matter.

[4] For an extended discussion, see e.g., J. Howard Beales, III and Timothy J. Muris, “Choice or Consequences:  Protecting Privacy in Commercial Information,” University of Chicago Law Review 75 (2008) 109-135, especially at 115-117.