Thursday, October 13, 2016

The FCC’s Privacy Proposal Would Still Harm Consumers

In March 2016 the FCC adopted a Notice of Proposed Rulemaking (NPRM) purporting to protect “the privacy of customers of broadband and other telecommunications services.” The Commission is scheduled to vote on this item at the open meeting on October 26, 2016. FSF scholars submitted comments to the FCC in May 2016 explaining the reasons why the proposal would adversely impact consumers.

On October 6, 2016, FCC Chairman Tom Wheeler circulated a new proposal supposedly narrowing the regulatory reach of the opt-in requirement for only sensitive information. However, the definition of “sensitive information” in the FCC’s Fact Sheet is far too broad, including even all web browsing and app usage history. As Free State Foundation President Randolph May said regarding the Chairman’s new proposal in a Communications Daily report:

The latest revision to the privacy proposal seemingly may be a step in the right direction on a purely conceptual level, but it is not very helpful as a matter of reality. The categories of information requiring opt-in are much broader than necessary to protect consumer choice and, as importantly, broader than the framework the [Federal Trade Commission] FTC applies. This will lead to inequitable regulation and consumer confusion. And, to boot, the FCC lacks authority to go as far as it proposes.

Thus, the FCC’s proposed privacy regulation remains fatally flawed.

This proceeding originates, in an oddly circuitous way, out of the FCC’s Open Internet Order. The FCC reclassified broadband as a telecommunication service, imposing public utility-like regulation on Internet service providers (ISPs). The FCC failed to find evidence of a market failure, other than claiming that ISPs are “gatekeepers.” And although the Commission makes this unsupported “gatekeeper” claim when proposing regulations, it recently found in its Nineteenth Mobile Wireless Competition Report that competition in the mobile wireless industry has led to “lower prices and higher quality for American consumers, and [is] producing innovation and investment in wireless networks, devices, and services.” But as I suggested in a February 2016 blog, the FCC likely will continue to use its “gatekeeper theory” to impose additional regulations on ISPs.

FSF scholars went into further detail in their May 2016 comments to the FCC:

The Commission mistakenly relies on a factually unsupportable “gatekeeper theory” of competition and incentives in the broadband market as a basis for its proposed privacy regulations. The Commission now apparently relies on a “gatekeeper” claim as a regulatory prop of last resort when traditional market power analysis fails to support its expansive regulatory designs. The switching costs rationale upon which the Commission bases its proposed regulations is undermined by data demonstrating pro-competitive, pro-choice marketplace trends – documented in the Eighteenth Wireless Competition Report – favoring easier ability and incentives to switch providers.

The FCC’s privacy proposal would severely restrict the manner in which ISPs can collect and use consumer information. But as FSF scholars stated in their May 2016 comments, ISPs’ data collection practices do not pose a consequential threat to consumer privacy, and certainly not on the order of the large Internet content companies:

[A]s Peter Swire and his colleagues estimate in their paper, “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others,” 70% of Internet traffic will be encrypted by the end of 2016. That means ISPs will, at best, only have access to roughly 30% of consumer data. Leading operating systems, web browsers, and video applications will have primary access to consumer personal information.

By subjecting ISPs to privacy regulations in the way it has proposed to do, the FCC is creating disparate regulations in the Internet ecosystem, confusing consumers as to the relevant applicable privacy policies because consumers do not distinguish between the two different categories of providers based on regulatory classifications, especially newly-adopted ones. Moreover, many large Internet companies have access to more information and a wider range of user information than ISPs. (See this FSF infographic.) For example, Google has access to 64% of online searches and holds over 61% of the mobile operating system market, allowing it to collect data on subscribers' location and app use.

FSF scholars explained further in their May 2016 comments:

By proposing to subject only broadband ISPs to its new privacy regulations, the Commission runs afoul of the rule of law principle that laws should be applied equally to all. Service providers that collect consumer personal information should be subject to the same rules unless clear reasons exist for treating them differently. The Commission fails to offer any reasons to justify the disparate treatment of ISPs embodied in its proposed regulations. The Commission should not adopt any privacy policy reflecting that degree of regulatory favoritism.

The Federal Trade Commission, the expert agency with jurisdiction over privacy violations within the entire Internet ecosystem, addresses consumer complaints on a case-by-case basis and focuses “on whether the collection and use of information is consistent with the context of a consumer’s interaction with a company and the consumer’s reasonable expectations.” Therefore, it should be no surprise that the former FTC Chairman Jon Leibowitz opposes the FCC’s NPRM. Additionally, it should be acknowledged that consumers have different preferences regarding how and if they want their data collected, and ISPs often update their settings to adjust to consumer trends. At the 2016 Advertising and Privacy Law Summit in June, FTC Commissioner Maureen Ohlhausen said:

Beneficial uses of consumer data go far beyond targeted advertising, of course. In the ISP context, such benefits could include lower prices and improved security and services. Regulatory restrictions on use of consumer data may foreclose these benefits, imposing significant costs on consumers – a fact often overlooked by advocates who may have different privacy preferences than average consumers.

Despite the fact that ISPs do not have access to the amount of data to which non-ISPs have access, ISPs still can use consumer data to offer targeted benefits. (See my August 2016 Perspectives from FSF Scholars entitled “FCC Privacy Rules Would Harm Consumers by Creating Barriers for Advertising.”) Many ISPs and edge providers incorporate advertising into their business model. Instead of consumers paying subscription fees for access to online information, consumers send personal non-sensitive information, which the ISP or edge provider then uses to sell targeted advertisements. If the FCC’s proposal is adopted, ISPs would be restricted with regard to the manner in which they use the advertising business model. This potentially could stifle the implementation of “free” data programs or other innovative services which use consumer information to develop such targeted offerings.

As the FSF scholars’ May 2016 comments explained:

If imposed, the nearly ubiquitous “opt-in” requirements regarding PII risk would discourage ISPs from offering consumers targeted marketing deals, selling advertisements to personally design consumer experiences, or offering sponsored data as well as free data or zero-rated plans – all of which potentially could benefit them. The Commission’s contemplation of a ban on certain ‘financial inducement practices, such as offering discounts for use of PII, would deprive consumers of their choice to enjoy free or inexpensive services. Consumers are competent to decide for themselves what form of ‘payment – whether in the form of the exchange of personal information or money – that they are willing to make for services.

An alternative approach to privacy that would benefit consumers was proposed:

Instead of imposing uneven, sector-specific, choice-limiting regulations, the better policy approach to protecting consumer privacy on the Internet is to establish common standards under the jurisdiction of a common enforcer. The digital privacy framework proposed by the White House in 2012 offers a realistic means of establishing a set of common rules with a common enforcer. Under this approach, privacy codes of conduct are to be established through a voluntary multi-stakeholder process. The Federal Trade Commission (FTC) would have authority to enforce those codes against providers who agree to abide by them but fail to do so in practice. Significant efforts have already been expended in that process. Obviously, the proposed regulations effectively would doom the prospects of the multi-stakeholder process for establishing consumer privacy protections for ISP subscribers. The far better approach for protecting consumer privacy is to refocus resources and attention on the multi-stakeholder process in order to forge a common set of rules and a common enforcer to protect consumer privacy on the Internet.

With a vote now scheduled for the October open meeting, it is important that the Commission recognizes how the FCC’s proposal would harm and confuse consumers by creating disparate – and overly restrictive – regulations within the Internet ecosystem.