America’s FCC-FTC Privacy Divide

[Note: This was submitted to the FCC for Reply Comments on the Title II Privacy NPRM]

The FCC’s Open Internet order and proposed Title II privacy rules divided what was unified.

For privacy, it broke what was working. Confused what was clear. Complicated what was simple. Unprotected what they sought to protect. Created more costs than benefits.

Since the Internet’s beginning the FTC has had privacy authority over information services.

For the decade since the FCC classified cable, wireless, and DSL broadband as an information service, and for the entire smartphone era where consumers became familiar with online privacy issues and regulation, the FTC was the sole unified regulator for protecting American consumers’ privacy.

In a 2014 filing to the FCC, the FTC explained why the FTC was better positioned to protect consumer privacy and data security than the FCC, because the FTC had national direct statutory authority to protect all consumers under: Section 5 -- that proscribes “deceptive” or “unfair” business practices; the Fair Credit Reporting Act (FCRA); and the Children’s Online Privacy Protection Act, (COPPA).

In November 2014, the FTC and FCC entered a Memorandum of Understanding MOUto avoid duplicative, redundant, or inconsistent oversight” of common carriers.   

In the FTC’s May 2016 comments to the FCC on the proposed CPNI privacy rules, the FTC criticized the FCC’s approach as “not optimal” to the extent it “would impose a number of specific requirements on the provision of BIAS services that would not generally apply to other services that collect and use significant amounts of consumer data.”

FTC Commissioner Ohlhausen’s comments to the FCC went further in spotlighting: “The FTC has built its privacy program on the long-established legal principles of unfairness and deception. This framework focuses on the sensitivity of consumer data and particular promises made about data collection and use, rather than on what type of entity collects or uses that data. By contrast, the FCC’s three-tiered “implied consent / opt-out / opt-in” framework focuses on whether the holder of the data is a BIAS provider, an affiliate, or a third party. It does not account for the sensitivity of the consumer data involved. … The FTC approach reflects the fact that consumer privacy preferences differ greatly depending on the type of data and its use.  … If a [FCC] regulation imposes defaults that do not match consumer preferences, it imposes costs on consumers without improving consumer outcomes.”

In a nutshell, the FTC’s public analysis displays a substantial FTC-FCC privacy divide for American consumers. The FTC approach focuses on what consumers care about concerning privacy while the FCC’s approach ignores what consumers care about privacy.

The FCC-FTC privacy divide is much worse than just that.

Before the FCC reclassified broadband as a telephone utility, and before it did not forbear from asserting telephone privacy jurisdiction temporarily until the FCC could devise operative privacy rules, American broadband consumers for the last 16 months have not had any operative federal privacy protection regulation.

That purposeful indefensible lapse in consumer privacy protection suggests that the FCC cares much more about increasing their regulatory authority than protecting American consumers’ privacy and data security.  

Before there was no clamor that the FCC had more comprehensive or better privacy authority than the FTC because the FCC’s authority is demonstrably narrower and less effective than the FTC’s in that it can’t protect consumers’ private network information from commercial exploitation on the Internet, it can only decide that a broadband ISP cannot use it for advertising without a consumer’s explicit permission.

Before a consumer did not have to know the practically unknowable, which is what the FCC now expects a consumer to understand – i.e. which of their Internet bits from which type of device, offered by which type of entity, in which direction, are protected or not protected by the FCC now, and in which manner?

Simply, there is no clear way for the FCC to explain to the average consumer how they are better off with the FCC doing selectively, narrowly, and complexly what the FTC did comprehensively and simply before.    

In sum, the FCC did not think this through.

The FCC also did not do a cost-benefit analysis as the President’s 2011 Executive Order 13563 required. The FCC was supposed to use “the least burdensome tools for achieving regulatory ends,” and to “adopt a regulation only upon a reasoned determination that its benefits justify its costs.”

If the FCC simply followed the President’s 2011 Executive Order as required, the FCC and the American consumer would not be in the lose-lose position of creating lots more costs, confusion and complexity than before, without material and effective offsetting benefits for American consumers’ privacy.

Sadly, the American consumer looks to be worse off now, than if the FCC did not assert partial jurisdiction over consumer privacy at all.