Do you believe that broadband internet access service (BIAS) providers, such as Comcast, AT&T, Cox, and Verizon, should be allowed to sell or use your browser history, e-mail addresses, and application usage data without asking for your permission? When Congress’s Joint Resolution (S.J. Res. 34) is likely signed into law in a few days, BIAS providers will have the power to use your personal information to generate revenue for the foreseeable future.
CONGRESS NULLIFIED FCC RULE REQUIRING BIAS AFFIRMATIVE OPT-IN
On March 28, 2017, Congress used its authority under the Congressional Review Act to nullify the Federal Communication Commission’s (FCC) December 2, 2016 rule that required BIAS providers to obtain customers’ affirmative “opt-in” consent before the BIAS providers could share their customers’ sensitive information. Under the new law, BIAS providers will be allowed to use and share customers’ personal information, including their browsing history, log-in and log-out times, IP addresses, and app usage with third parties unless a customer “opts-out.”
Congress used its Congressional Review Act authority to make this change, which will also prevent the FCC from passing future rules that are “substantially the same” to the December 2, 2016 rule without Congress passing additional legislation. Therefore, the FCC likely will not be allowed to implement new privacy and data security protections similar to the December 2, 2016 rule, even to address new technologies or remedy abusive changes in industry practices.
PROPONENTS CLAIMS RING HOLLOW
Proponents and their lobbyists of the bill claimed that the existing regulation departed from the technology-neutral framework for online privacy administered by the Federal Trade Commission. The bill’s supporters and lobbyists also claimed that BIAS providers would still be bound by their own privacy policies and FTC guidelines. As discussed below, these claims ring hollow.
First, the FTC has limited authority to enact proactive privacy protection rules. Rather, Congress directed the FCC to protect customers’ privacy pursuant to Section 222 of the Communications Act. While the FTC has outlined certain protections BIAS providers should take to shield customers’ sensitive information for disclosure, the FCC’s rule built upon the existing FTC privacy framework to include sensitive information such as browsing history, log-in and log-out times, IP addresses, and app usage.
Second, at least one federal appeals court has questioned the FTC’s jurisdiction to take regulatory action against “common carriers,” which include BIAS providers under current law, for “unfair and deceptive trade practices.” If other federal appeals courts reach similar conclusions, the FTC may be limited in its ability to pursue BIAS providers for misleading consumers about their privacy policies and misusing customers’ information.
POTENTIALLY LAYING LEGAL FOUNDATIONS TO REMOVE FTC AND FCC OVERSIGHT
According to Vernon Litigation Group attorney Jeffrey Haut, “Other pervasive economic drivers like the financial industry are subject to at least minimal government oversight and supervision through agencies like the Securities and Exchange Commission. Even in a free market, consumer protection principles are highly valued. Are we prepared to lay legal foundations that could potentially remove internet service providers from both FTC and FCC oversight?” Congress’s action just is one step in a series of dramatic rollbacks that have taken place in the past three months.
On March 2, 2017, the FCC Chairman temporarily stayed the provision of the December 2, 2016 rule that required BIAS providers to adopt “reasonable” data security measures, such as those outlined by the 2014 NIST Cybersecurity Framework, to mitigate the risks to consumers posed by data breaches and cyberattacks. Currently, BIAS providers adhere to largely voluntary data security and information privacy practices, including those outlined by the FTC. On February 23, 2017, the FCC adopted an order that exempted many broadband providers from the 2015 “Transparency Rule” that requires broadband providers to disclose accurate information about their network management practices, fees, rates, and other internet traffic statistics. Many viewed the transparency rule as a key component of the “Open Internet” rules adopted to protect free expression and innovation on the internet – also known as net neutrality.
“Our legislators and executive agencies will continue to face challenging policy questions surrounding the internet. Is access to the internet purely a consumer product that can be limited by a person’s ability to pay, or is it more like a utility such as electricity? Ultimately, preserving a free and open internet is in the best interest of our economy. Each time we erode net neutrality cornerstones such as preserving basic customer privacy protections, we risk stifling innovation and free expression,” Haut concluded.
ABOUT VERNON LITIGATION GROUP
Vernon Litigation Group is based in Naples, Florida, with additional offices in Orlando and Atlanta. One of Vernon Litigation Group’s missions is to assist in the recovery of client losses relating to cybersecurity and data privacy. Vernon Litigation Group handles cyber litigation cases including identity theft, negligence, financial fraud, misappropriation of identity, unauthorized transactions by employees, and civil penalties involving Florida’s Data Breach Notification law.