The FCC and Congress Must Preserve the Privacy Rights of Broadband Internet Customers!
Written by Katharina Kopp
After a long and fair rulemaking process during most of 2016, the Federal Communications Commission (FCC) adopted ground-breaking privacy rules last October protecting the personal information of broadband Internet service customers. Both industry—including powerful phone and cable companies that provide the majority of broadband connections—as well as consumer, civil rights, and privacy groups, had ample opportunity to make their case—which they did. Public-interest and grass-roots organizations used their limited resources to advocate for consumers' basic right to access and use the Internet (via Internet service providers—ISPs) in private, without having their information gathered. Industry and its allies tried to oppose or water down attempts to give their customers meaningful privacy protections. Despite a significant power imbalance between the parties, the process resulted in rules that give consumers and citizens legal rights that many assumed are already theirs to enjoy, but which they, in fact, had been denied until this historic broadband privacy rule making.
Prior to the Privacy Order, it was not since the 1998 Children's Online Privacy Protection Act that U.S. regulators affirmatively granted consumers meaningful online privacy rights on this scale. While the Federal Trade Commission has played an important role as the lead agency in protecting the privacy and data-security rights of U.S. consumers for a large section of the U.S. economy, it has not enacted any policy that that would restore the power imbalance between consumers and large corporations in our ever-growing commercial surveillance world. The FCC broadband privacy rule, however, aims to provide the public with some fairness and balance to the lopsided relationship between the average individual and data-insatiable powerful ISPs.
The FCC rules set limits on what Internet service providers may do with the highly sensitive data that they have already collected in the course of providing internet service (a service for which consumers already pay dearly with their pocket books). "Sensitive" information includes precise geo-location, financial information, health information, children's information, social security numbers, web browsing history, app usage history and the content of communications. The most important aspect of the rule requires Internet service providers to obtain an opt-in consent for the use or sharing of such information for purposes other than providing broadband service, such as billing. What this means is that unless you ask me and I give permission, what I do on the Internet is off-limits for ISPs to monetize.
The final rule emphasized the distinction between sensitive and non-sensitive data. The FCC felt it had to accommodate industry pressure to follow the FTC's framework, which is based on that agency's very limited authority to protect consumer privacy. Advocates and the FCC recognized that the distinction between sensitive and non-sensitive information is less and less meaningful in an age when companies can use data analytics and modeling to infer the most personal traits of an individual without ever collecting "sensitive data." What is particularly noteworthy is that the new FCC rule grappled with the concepts of what kinds of uses and sharing are permissible and which are not. The rule, in fact, makes it clear that it is precisely the unexpected and unrelated or secondary uses of data that a company must first obtain permission to use before it can do so. In other words, each of us has a right to control the collection, use, and exploitation of data about us.
This important and basic human right was finally made into a legal right with the 2016 FCC Privacy Order. It should stay that way, even with a new leadership at the Commission. The benefits that accrue to each of us individually and as members of a group, as well as to society at large, from this new policy safeguard, are manifold and invaluable to an equitable, just, and fair democracy and marketplace. Without an opt-in, there would be no limitations placed on how ISPs can use the data about us. As we all know too well, the existing individual privacy self-management model in the U.S., which typically offers only an opt-out, has proven to be ineffective in putting limits on corporate data uses and sharing, although the public expresses an increasing opposition to these corporate surveillance practices.
Not only do the FCC privacy rules affirm the basic individual right to have one's privacy protected and individual autonomy preserved, the requirement to obtain an affirmative consent prior to any secondary uses by ISPs is equally critical in guarding against profiling and group discrimination. The profiling of an individual, or the association of an individual with a class of people, requires very little information about the person who is being profiled. So, the less data collected about others like me, the less likely that I will be profiled. While not perfect, and just a small safeguard in this world of ubiquitous and constant data surveillance, this rule helps to guard us against the classifying and predictive analytics that often represent a biased, discriminatory, and entrenched inequality that incorporate past inequities into decisions about the future.
Given that the rule identifies information about children as sensitive data, it is also important in protecting the fundamental rights of children to enjoy privacy and freedom from age-inappropriate commercial exploitation. The use of data about us as consumers and citizens during the 2016 elections, moreover, should serve as an important reminder of how pervasive technologies of data surveillance analytics have become. Political campaigns and special interests have unfettered access to commercial data and marketing practices designed to influence how we think, act, and vote, but there are no regulations or corporate practices that aim to curtail these developments'—unless, that is, we hold onto the FCC broadband privacy rule now and build on it in the future.
Given the ominous start of Ajit Pai to his FCC chairmanship—he has already used his "delegated authority" to undermine important communications rights—we are now facing the very real likelihood that the new chairman will do away with the rule that was adopted by the previous FCC Commission. (CDD recently filed an Opposition to Petitions for a Stay of the Federal Communications Commission's Broadband Privacy Order in response to a filing by a coalition of industry associations and interests.) Similarly, there is a real risk that Congress might repeal the rule via the Congressional Review Act, which would prevent the FCC from revisiting broadband privacy rules at all in the future. But Americans want to have control over their lives and data, and want to be able to make decisions unencumbered by powerful corporate interests. Thus the FCC and Congress must preserve the privacy rights of broadband internet customers!
Written by Katharina Kopp, Deputy Director, Director of Policy for Center for Digital Democracy