January 3, 2017
Download: Privacy_PFR_01.03.17_lf_krs%20.pdf
So long as this Commission classifies broadband Internet access as a “common carrier service,” it should ensure technological neutrality and avoid consumer confusion by harmonizing its privacy regime with that of the Federal Trade Commission (FTC), under which most participants in the Internet ecosystem operate. The Order pays lip service to that objective but falls short, and this Commission should now grant reconsideration to align the two regimes. USTelecom is not challenging those elements of the Order that are consistent with the FTC’s privacy regime, such as the Commission’s decision to streamline outdated provisions of its legacy privacy rules.
The Order is arbitrary and capricious in a number of respects, but two basic errors stand out. First, on several critical issues, the Order dispenses with any cost-benefit analysis: it treats even the most ephemeral privacy interest as though it had infinite weight and simply disregards the economic costs of foreclosing productive uses of information. For example, the Order subjects ISPs to a burdensome opt-in regime for marketing uses of all web-browsing information on the theory that all such information is equally “sensitive.” In contrast, under the FTC’s regime, all other Internet companies enjoy much greater flexibility in their use of web-browsing data except where the underlying subject matter itself is sensitive, such as information that reveals medical conditions or personal finance. In rejecting that contextual approach, the Order ignores the substantial economic costs of overbroad opt-in requirements as well as the detailed economic analysis that USTelecom submitted on that very subject by former FTC Commissioner (and now Professor) Joshua Wright. As Professor Wright explains, those regulatory costs will exert upward pressure on consumer broadband prices if the Order is permitted to take effect.
Second, the Order ignores the record facts when it predicates this scheme of asymmetric regulation on the premise that ISPs are nearly omniscient and have greater visibility into consumer data than any other Internet company. That premise is false, as Commissioners Pai and O’Rielly and many commenters have explained. Given the recent rise of encryption and multiple ISP connections per user, any given ISP has rapidly declining visibility into the details of consumers’ Internet usage and, in some respects, less visibility than leading social media platforms, search engines, and data brokers. All Internet companies “see” the same types of customer data from different angles, and each has different advantages and limitations in making use of the data. The Order identifies no sound basis, and there is none, for treating ISPs differently from other major Internet actors or for hamstringing them from putting non-sensitive consumer data to productive use.
These two overarching errors led the Commission to adopt a number of ill-considered rules that it should now reverse. It should align its notice-and-choice rules—including those that apply to consumer data related to voice service—with the FTC’s regime. Such rules should distinguish between sensitive and non-sensitive web-browsing and app-usage data, should confine opt-in consent requirements to uses of genuinely sensitive data, should avoid placing unnecessary burdens on incentive-based offers, and should impose no notice-and-consent requirements for any first-party marketing where the relationship is clear. In addition, the Commission should eliminate notice-and-choice obstacles to the mere use of any customer data for internal analytics and service improvements.
To avoid costly administrative burdens, the Commission should also conform its definition of “data breach” to the definitions found in state laws and the FCC’s own consent orders, which confine that term to unauthorized disclosure of sensitive information or data that, in combination, would facilitate unauthorized access to an online account. The Commission should further confine any category of “personally identifiable data” to data that is reasonably linkable to actual persons and exclude data that is linkable only to devices but not persons. And the Commission should extend the business customer exemption to broadband Internet access services when purchased by businesses such as participants in the E-Rate program.
Although this petition focuses on the factual and policy-oriented shortcomings of the Order, USTelecom preserves all legal arguments that it and others have made. These include the arguments (1) that the Commission’s reclassification of broadband Internet access services under Title II was unlawful and that Section 222 is thus irrelevant to those services; (2) that the Commission lacks authority over many ISP privacy and data security practices even if broadband Internet access remains subject to Title II; and (3) that various aspects of the Order violate the Communications Act, the Administrative Procedure Act, and the First Amendment.