Redrawing the Battle Lines in the ISP Privacy Debate

As Americans spend more and more time online and on their devices, they also want to see increased privacy protections. Last year, the Federal Communications Commission made a move in that direction by enacting strong privacy rules giving broadband customers more control over data collected by their internet service providers. Unfortunately, on April 3, President Trump signed into law a repeal of these rules. This move rightly caused significant public outrage, but there are still some paths forward. The battle isn’t over—it’s just shifting. 

In October 2016, the FCC passed robust, clear broadband privacy rules focusing on consumer choice, data security, and transparency. Among other things, the rules required ISPs like Comcast, Verizon, and AT&T to protect by default information the FCC deemed “sensitive.” The rules protected web browsing and app usage history in addition to categories traditionally considered sensitive—such as information about health, finances, and Social Security Numbers. These increased protections likely would have helped prevent people’s private information from being used in unknown, intrusive, and harmful ways.

Consumers overwhelmingly favored the rules, most of which were scheduled to go into effect in December 2017. When Congress held votes to repeal the restrictions, the public inundated Congress with criticism and phone calls demanding legislators vote against the repeal. Recent polls showed that the objections were widespread. Despite the public’s response, Congress and the administration took a sledgehammer to the rules. They also hamstrung the FCC by preventing it from enacting “substantially similar” rules in the future.

The enormous public response had at least some effect on the congressional vote. The measure passed very narrowly in both the Senate (50–48) and House (215–205). Votes were cast mostly along party lines, but 15 House Republicans bucked their party leadership and voted against the repeal.

Congressional repeal of the rules has significantly confused the privacy landscape. Without clear rules, there is no explicit prohibition on ISPs, for instance, targeting individuals with advertisements based on sensitive information such as income level or health ailments. ISPs may also sell data (such as web browsing history) with some identifying information removed, but evidence shows that this data can easily be re-identified. While some carriers have “pledged” not to sell customer data, it is not clear whether the FCC will enforce those promises.

Moreover, the repeal did not shift authority back to the Federal Trade Commission, as some (including the FCC and FTC chairs) ultimately desire. While the FTC polices privacy practices in many industries, right now its authority does not include ISPs and other “common carrier” industries regulated by the FCC. (A “common carrier” is a business that transports goods to the public for a fee. Railroads and telephone providers are two examples. More on what “common carriers” have to do with all of this in a minute.)

Even if the FTC had authority over ISPs, it lacks the ability to write prescriptive rules. It relies almost exclusively on hard-to-predict, after-the-fact enforcement. Leaving the FTC—a “small agency with limited resources” as Acting Chair Maureen Ohlhausen has called it—alone in charge of enforcing privacy promises of ISPs is not exactly a great solution to the problem of protecting broadband privacy.

But Americans shouldn’t give up—we just have to get more creative. While having privacy protections at the federal level is the most effective way to protect consumers, some states have stepped up to fill the void left after the repeal. Two states, Minnesota and Nevada, already impose pro-consumer privacy requirements on ISPs. Minnesota’s existing law protects the personally identifiable information of all ISP customers. The Minnesota Senate just passed further ISP privacy protections in response to Congress’ vote to repeal the broadband privacy rules. Nevada protects “all information concerning a subscriber” except email address—though customers can choose to protect their email address as well. Other states have proposed similar bills, including Maryland and New York. But many state legislative sessions will soon come to a close, some until next year, so the window for action is narrow.

Additionally, the fight is not over in Congress. Massachusetts Sen. Ed Markey, a prominent privacy champion, has introduced legislation to codify the FCC’s privacy rules. Nevada Rep. Jacky Rosen also introduced a bill that would reverse the repeal. If you care about your privacy, tell your legislators that they should support these proposals. The more calls legislators receive and the more public outrage they see, the more likely it is that Congress could approve the bill.

Congress could also repeal the “common carrier” exemption I mentioned earlier. The common carrier exemption currently prevents the FTC from taking enforcement action against ISPs. Repealing it would allow both agencies to have authority over ISP privacy and could work more closely together to protect consumers. Repealing the common carrier exemption could put two complementary privacy cops on the beat for ISPs. As FTC Commissioner Terrell McSweeny testified in 2016, “[t]he FTC has decades of experience, and specific statutory tools such as consumer redress, that complement FCC oversight of common carriers. We have a long history of successfully working together with the FCC and look forward to continuing that tradition of shared jurisdiction.” McSweeny and New Jersey Rep. Frank Pallone Jr. similarly defended, in Future Tense, the FCC’s broadband privacy rules as a “historic” step in protecting consumer privacy.

In other words, the agencies play complementary roles, and can contribute their own expertise in protecting the privacy of ISP customers. For instance, the FCC has expertise on communications networks and technologies, while the FTC has experience with enforcing companies’ privacy promises. They often work together on issues such as mergers and “do not call” list enforcement. They also have a Memorandum of Understanding on consumer protection issues and they worked together extensively throughout the broadband privacy rulemaking process.

There is at least one additional reason to repeal the exemption. In a recent 9thU.S. Circuit Court of Appeals case, FTC v. AT&T Mobility, the court injected confusion into the common carrier exemption. The court held that AT&T Mobility, as an entity, was a common carrier because it provided telephone service (in addition to other non-common-carrier services). Thus, even non-common-carrier services provided by AT&T Mobility were swept up by the common carrier exemption and were thus outside the FTC’s authority. Now, it is unclear whether, for instance, a non-common-carrier like AOL is beyond the FTC’s authority because it is owned by Verizon, a common carrier, further complicating the question of who has authority over internet privacy.

But repealing the common carrier exemption is as far as Congress should go. For instance, some have argued the FCC should not have privacy authority at all because it lacks privacy “expertise, personnel, or understanding.” But Congress should not heed those arguments. The FCC has long protected the privacy of telephone customers and would use that expertise in enforcing broadband privacy. Nor should Congress attempt to gut the FTC’s authority by, for instance, capping the time period of consent decrees at eight years rather than the typical 20 years, which Congress has indicated it wants to do. The FTC has been an effective privacy protector for the past two decades in part because it has many tools to protect consumers. Congress would be making a mistake should it undermine either agency’s authority in the name of “protecting” consumer privacy.

Americans want and deserve better privacy protections—and they almost got them. Unfortunately, Congress and the president had different plans and have made it more difficult for consumers to protect their privacy. But there are still some paths forward, even if less optimal, to protect broadband privacy. The battle lines have been redrawn, and we have to adjust—quickly.

Future Tense is a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.