Earlier this month, Federal Communications Commission (FCC) Chairman Tom Wheeler released a “fact sheet” describing his proposal to have the FCC regulate the privacy policies of broadband Internet service providers (ISPs). Chairman Wheeler’s detailed proposal will be embodied in a Notice of Proposed Rulemaking (NPRM) that the FCC may take up as early as March 31. The FCC instead should shelve this problematic initiative and leave broadband privacy regulation (to the extent it is warranted) to the Federal Trade Commission (FTC).
In a March 23 speech before the Free State Foundation, FTC Commissioner Maureen Ohlhausen ably summarized the negative economic implications of the NPRM, contrasting the FCC’s proposal with the FTC’s approach to privacy-related enforcement (citations omitted):
The FCC’s proposal differs significantly from the choice architecture the FTC has established under its deception authority. Our [FTC] deception authority enforces the promises companies make to consumers. But companies are not required under our deception authority to make such privacy promises. This is as it should be. As I’ve already described, unfairness authority sets a baseline by prohibiting practices the vast majority of consumers would not embrace. Mandating practices above this baseline reduces consumer welfare because it denies some consumers options that best match their preferences. Consumer demand and competitive forces spur companies to make privacy promises. In fact, nearly all legitimate companies currently make detailed promises about their privacy practices. This demonstrates a market demand for, and supply of, transparency about company uses of data. Indeed, recent research . . . shows that broadband ISPs in particular already make strong privacy promises to consumers.
In contrast to the choice framework of the FTC, the FCC’s proposal, according to the recent [Wheeler] fact sheet, seeks to mandate that broadband ISPs adopt a specific opt in / opt-out regime. The fact sheet repeatedly insists that this is about consumer choice. But, in fact, opt in mandates unavoidably reduce consumer choice. First, one subtle way in which a privacy baseline might be set too high is if the default opt in condition does not match the average consumer preference. If the FCC mandates opt in for a specific data collection, but a majority of consumers already prefer to share that information, the mandate unnecessarily raises costs to companies and consumers. Second, opt in mandates prevent unanticipated beneficial uses of data. An effective and transparent opt-in regime requires that companies know at the time of collection how they will use the collected information. Yet data, including non-sensitive data, often yields significantconsumer benefits from uses that could not be known at the time of collection. Ignoring this, the fact sheet proposes to ban all but a very few uses unless consumers opt in. This proposed opt in regime would prohibit unforeseeable future uses of collected data, regardless of what consumers would prefer. This approach is stricter and more limiting than the requirements that other internet companies face. Now, I agree such mandates may be appropriate for certain types of sensitive data such as credit card numbers or SSNs, but they likely will reduce consumer options if applied to non-sensitive data.
If the FCC wished to be consistent with the FTC’s approach of using prohibitions only for widely held consumer preferences, it would take a different approach and simply require opt in for specific, sensitive uses. . . .
[Furthermore,] [h]ere, the FCC proposes, for the first time ever, to apply a statute created for telephone lines to broadband ISPs. That raises some significant statutory authority issues that the FCC may ultimately need to look to Congress to clarify. . . .
[In addition,] the current FCC proposal appears to reflect the preferences of privacy lobbyists who are frustrated with the lax privacy preferences of average American consumers. Furthermore, the proposal doesn’t appear to have the support of the minority FCC Commissioners or Congress.
[Also,] the FCC proposal applies to just one segment of the internet ecosystem broadband ISPs, even though there is good evidence that ISPs are not uniquely privy to your data. . . .
[In conclusion,] [a]t its core, protecting consumer privacy ought to be about effectuating consumers’ preferences. If privacy rules impose the preferences of the few on the many, consumers will not be better off. Therefore, prescriptive baseline privacy mandates like the FCC’s proposal should be reserved for practices that consumers overwhelmingly disfavor. Otherwise, consumers should remain free to exercise their privacy preferences in the marketplace, and companies should be held to the promises they make. This approach, which is a time-tested, emergent result of the FTC’s case-by-case application of its statutory authority, offers a good template for the FCC.
Commissioner Ohlhausen’s presentation comports with my May 2015 Heritage Foundation Legal Memorandum, which explained that the FTC’s highly structured, analytic, fact-based approach, combined with its vast experience in privacy and data security investigations, make it a far better candidate than the FCC to address competition and consumer protection problems in the area of broadband.
Regrettably, there is little reason to believe that the FCC, acting on its own, will heed Commissioner Ohlhausen’s call to focus on consumer preferences in evaluating broadband ISP privacy practices. What’s worse, the FTC’s ability to act at all in this area is in doubt. The FCC’s current regulation requiring broadband ISP “net neutrality,” and its proposed regulation of ISP privacy practices, are premised on the dubious reclassification of broadband as a “common carrier” service – and the FTC has no authority over common carriers. If the D.C. Circuit fails to overturn the FCC’s broadband rule, Congress should carefully consider whether to strip the FCC of regulatory authority in this area (including, of course, privacy practices) and reassign it to the FTC.