Proposed FCC Privacy Rule Takes Unauthorized Aim at ISPs and the First Amendment

FCC*Jared McClain, WLF staff attorney, contributed to this post.

On March 31, 2016, the Federal Communications Commission (FCC) issued a Notice of Proposed Rulemaking (NPRM) purporting to bring “clarity, choice, and security” to the broadband industry. In the name of accomplishing those seemingly worthwhile and innocuous goals, the Commission released a 147-page document that details a complex scheme to curtail Internet Service Providers’ (ISPs) right to use the data they lawfully collect on customer behavior. WLF filed comments last week laying out a number of commonsense, statutory, and constitutional arguments against the Proposed Rule in its current form.

The Proposed Rule effectively outlaws ISPs’ use of commercial data for most marketing purposes. Reaching far beyond simply requiring ISPs to secure customer data and provide consumers with privacy notices, FCC proposes an elaborate number of mandates: risk-management assessments; employee-training programs; appointment of a corporate officer in charge of due diligence; customer right-to-access protocols, including robust customer-authentication requirements; limitations and constraints on the collection, retention, and disposal of data; and data-breach notification requirements, including notification to both consumers and the government. Even more troubling than its vast and burdensome compliance regulations, the Proposed Rule also restricts ISPs’ right to market de-identified aggregate customer data and requires ISPs to allow customers to opt in or opt out of various standard industry uses of that data. The rule’s strictures stretch to cover information not found in the governing statute by expansively interpreting the statutory definition of “Customer Proprietary Network Information” (CPNI) in a way that enlarges the Commission’s jurisdiction over aggregate customer information.

The NPRM is the next step to implementing FCC’s Open Internet Order, in which the Commission, for the first time, claimed jurisdiction to regulate ISPs as common-carrier telecommunications companies. Regardless of the appropriateness or legality of that decision, it created an inconsistency that bedevils the Proposed Rule.  By now, most consumers reasonably understand that Internet companies track customer-usage data and employ that data to market products to individual consumers in a targeted fashion. Few Internet users could think it a mere coincidence that the last product or online retailer they searched for online just happens to appear in a banner advertisement on the next website they visit. While all consumers may not have a concrete understanding of exactly how these companies de-identify and aggregate their data, there’s at least some basic understanding that by using the Internet, customers are participating in a larger marketplace.

The trail of information that customers create when accessing the Internet is valuable and helps shape the customers’ future online interactions and transactions. Eliminating the sale of consumer data to advertisers is the Proposed Rule’s main focus. Two types of companies are in the business of collecting this data and analyzing it for their own use and to sell to third-party advertisers: ISPs and edge providers. The former supply access to the Internet, while the latter supply the actual content consumers access online. FCC’s problem lies in the fact that its privacy regime regulates only ISPs but not edge providers. This means that edge providers will continue to be able to collect and market consumer data to advertisers, but that ISPs will no longer be able to do so. And while the Commission purports to offer consumers greater clarity, choice, and security over their data, the regulation does not cover edge providers.

Some commentators, including former Commissioner Harold Furchtgott-Roth, argue that this privacy façade is, at its worst, more dangerous for consumers, because it keeps “consumers in the dark as to their actual privacy vulnerabilities.”  At best, it’s simply inefficient, ineffective, and imbalanced. If a private entity were to tout the benefits FCC propounds in this rule while leaving out any mention of excluding edge providers, FCC would likely go after that entity for false advertising.

Of course, the Proposed Rule will also prove extremely costly to ISPs, which in turn will pass that cost on to consumers. This result contravenes Congress’s express statutory mandate to the Commission. Section 706 of the Telecommunications Act and its preamble instruct FCC to enact policies that deregulate the industry to encourage and accelerate the deployment of telecommunications throughout the country. As recently as 2014, the U.S. Court of Appeals for the D.C. Circuit warned that this limiting principle was “far from meaningless,” and FCC conceded that this required the Commission to “remove barriers to infrastructure investment.” Yet here we are. The Proposed Rule will inarguably increase costs to consumers—not just through its vast and demanding compliance regime, but by depleting ISPs’ crucial stream of revenue, thereby leading providers to raise prices to maintain their margins. Disadvantaging ISPs is no way to encourage future investment.

And it gets even worse. The Proposed Rule also advocates prohibiting ISPs from targeting their price increases to those customers who decline to opt in to the advertising programs. ISPs will thus have to raise prices across the board, requiring customers who are not interested in FCC’s sham-privacy to subsidize the added costs for those who are. Unfortunately, this latter category of customers will likely include two unintended groups: (1) those who have no current privacy concerns but will be unwilling to take the affirmative step of opting back in; and (2) those who did not think they should be concerned until FCC led them to believe there was a problem to which the Proposed Rule offers a supposed solution.

Perhaps aware that its Proposed Rule has no basis in § 706, FCC offers no fewer than four other statutory provisions as its source of statutory authority, none of which provides FCC the sweeping power it now claims. While federal agencies can interpret ambiguities in their governing statutes, any ambiguities here only exist because FCC created them in order to then re-interpret them. For instance, § 222, on which FCC in part bases its authority, has a preliminary section entitled “In General,” and FCC takes its general description of the terms to be used in subsequent subsections as a specific, free-standing grant of authority. Section 222 also includes a Definitions section, which, one would think, already defines the terms as Congress intended them. But FCC offers new definitions of these defined terms. This is not statutory interpretation—it’s ersatz legislating.

Finally, and fatally, the Proposed Rule violates the First Amendment. By singling out the use of consumer data in advertising, but not for any other purpose, FCC’s decision to discriminate against a single type of speech cannot survive heightened judicial scrutiny. The Proposed Rule likewise discriminates against ISPs by exempting ISPs’ many competitors from the Rule’s regulatory reach. The same speech that is deemed dangerous by one group—sharing consumer data in advertising—is deemed entirely permissible when spoken by another. This is ipso facto speaker-based discrimination. Recently, the US Supreme Court made clear in Sorrell v. IMS Health Inc. that businesses have a constitutional right to convey truthful, non-misleading commercial information. A recent WLF Legal Backgrounder by a counsel to IMS Health in Sorrell elaborates on this point. Any burden placed specifically on a business’s ability to engage in truthful marketing of data is an unconstitutional, content-based restriction of speech unless the Government can show that its law is narrowly tailored to meet a compelling governmental interest.

Because the Proposed Rule is unauthorized by statute, runs afoul of the First Amendment, contradicts an express congressional mandate, and makes little economical or practical sense, observers can reasonably expect that it will be tied up in the courts for years.

Also published by Forbes.com on WLF’s contributor site.

One thought on “Proposed FCC Privacy Rule Takes Unauthorized Aim at ISPs and the First Amendment

  1. Pingback: Telecom Regulation Experts Question FCC’s Conformity to Law, Constitution at WLF Briefing – The WLF Legal Pulse

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s