FCC Stays ISP Privacy and Cybersecurity Rules in Favor of FTC Approach to Privacy Regulation

Last October, in a vote split along party lines, the Federal Communications Commission (FCC) under then-chairman Tom Wheeler approved a new regulatory regime staking the FCC’s claim to aggressive privacy and cybersecurity regulation of Internet service providers (ISPs). The privacy and cybersecurity rules followed the FCC’s 2015 decision in the Open Internet Order (known as net neutrality) to classify broadband Internet access service as a telecommunications service under Title II of the Communications Act.

One effect of the FCC’s 2015 Open Internet Order was to remove the Federal Trade Commission’s (FTC) oversight of ISPs by classifying them as common carriers exempted from Section 5 of the FTC Act. The FCC’s new privacy regime thus sought to fill the privacy gap left by the agency’s classification decision, but the FCC’s privacy rules went far beyond the guidelines established by the FTC. The FCC’s rules would firmly establish the FCC as the toughest privacy regulator in the Internet ecosystem by imposing significantly more onerous and restrictive requirements for use and collection of consumer data on ISPs than the FTC imposed on their non-ISP competitors who also collect, use, and share consumer data.

The FCC’s privacy rules share some characteristics with the FTC’s longstanding regulation in this space, including requiring fixed ISPs and mobile data carriers that offer broadband services to obtain affirmative opt-in consent from consumers prior to using, sharing, or selling sensitive information. The FCC’s definition of sensitive information, however, is far more expansive than the FTC’s definition and includes geolocation information, web browsing, and app usage history in addition to the health and financial information considered sensitive by the FTC. Under the FCC’s rules, consumers would be entitled to opt out and prevent ISPs from using and sharing on sensitive individually identifiable customer information as well. The FCC rules also require ISPs to provide customers with information about their collection, use, and sharing of consumer data to comply with additional protocols, protect consumer information, and adhere to new notification protocols in the event of a data breach that includes consumer information.

The FCC’s rules are on the books now, with the substantive requirements scheduled to take effect in stages over the course of 2017. Several parties have filed petitions for reconsideration that are currently pending before the agency.

Following the change in administration and the ascendancy of new FCC chairman, Ajit Pai, the status of the FCC’s new privacy regime (and the agency’s decision to classify ISPs as common carriers under Title II) is in question. On March 1, 2017, the FCC entered an interim stay of the new rules related to data security, which were set to take effect on March 2, 2017, pending the agency’s resolution of the petitions for reconsideration. The FCC did not stay other aspects of the new rules, which have not yet taken effect. The same day, Chairman Pai and acting FTC Chairman Maureen Ohlhausen released a joint statement announcing their belief that the FTC should be restored as the privacy regulator for ISPs (which would require reclassifying ISPs as non-common carriers) and that, in the meantime, the FCC’s privacy rules should be harmonized with the FTC’s standards applicable to other companies in the Internet ecosystem.

It remains to be seen whether and how the FCC ultimately will revise its privacy and cybersecurity rules to align with the FTC’s standards. To the extent it is able to do so, the FCC’s approach could prove a useful template for other agencies seeking to harmonize their privacy and cybersecurity regulations with the FTC’s standards. The FCC’s approach also could serve as a valuable compass for other industries hoping for clear and uniform privacy and cybersecurity requirements across their various federal regulators.