FTC Staff Tackle FCC Privacy Rules in Public Comment

FTC Staff Tackle FCC Privacy Rules in Public Comment

Blog WilmerHale Privacy and Cybersecurity Law Blog

As the Federal Communications Commission sifts through over 50,000 comments received in response to its proposed broadband privacy rules, the Federal Trade Commission’s comments are likely to stand as a highlight. In a 36-page document, FTC staff outline the FTC’s past privacy work and respond to a number of specific issues in the proposed rulemaking, including how personally identifiable information is defined, the structure of privacy notices, the role of consumer notice and choice in various business practices, and the proposed regulations on data security and breach notification.

The major headline from the FTC’s comments is the continued recognition that the proposed rules would impose a number of specific requirements to Internet service providers—or “broadband Internet access services” (“BIAS”) providers—that would not apply to other members of the Internet ecosystem. “This outcome is not optimal,” the comments declare, calling once again for Congress to pass baseline privacy, data security, and data breach notification laws that would apply across industries.

Nevertheless, the FTC staff’s comments generally support the FCC’s proposed rules and commend its “focus on transparency, consumer choice, and data security.” The staff’s comments present an array of recommendations intended to address these three core issues and to otherwise strengthen the privacy protections envisioned by the FCC. These recommendations include:

  • Defining “Personally Identifiable Information” (“PII”): Due to “advances in technology [that] provide companies with the ability to identify consumers by combining disparate pieces of data,” the FTC staff agrees that the FCC’s definition of PII should “not be confined to information that is already linked to an individual.” However, the comments note that the proposal to include any and all data that is “linkable” to a consumer could unnecessarily limit the use of data that does not pose a risk to consumers. “[I]t is appropriate to consider whether such a link is practical or likely in light of current technology,” the comments state, recommending that the FCC define PII to only include information that is “reasonably” linkable to an individual. The FTC staff further recommends that the FCC consider tying “reasonable linkability” to both individuals and their devices to better capture persistent identifiers like cookies, IP addresses, MAC addresses, and unique device identifiers.
  • Promoting Better Privacy Notices: The FTC staff suggests that developing a standardized or “model” notice could help to achieve the FCC’s goals of clarity, brevity, and comparability in BIAS privacy notices. The comments cite not just the inter-agency development of the model privacy form under the Gramm-Leach-Bliley Act but also the FCC’s approach to developing broadband pricing labels to support this approach.
  • Offering Choice to Consumers: The FTC staff note that the proposed rules make it unclear whether BIAS providers must offer consumer choices “at the time of sign-up, at a point when the consumer first goes online, or at a point when the BIAS provider shares a consumer’s data with an affiliate or third party.” The comments recommend that consumers be presented choices “at sign-up” in a way that is “unavoidable, short and simple, on their own separate screen, and easy to exercise.”
  • Requiring an Opt-In for Sensitive Information: The comments emphasize that the FTC’s longstanding approach to consumer choice has focused on collection and use consistent with the context of a consumer’s interaction with a company and the consumer’s reasonable expectations, and as a result, the FTC supports the use of opt-in for sensitive information such as: (1) content of communications and (2) Social Security numbers or health, financial, children’s, or precise geolocation data.
  • Distinguishing Between First-party and Affiliate Marketing of Communications-related Services and Other First-party Use and Third-party Sharing: While the FTC concedes that this approach establishes a “bright line” rule for industry compliance, the staff’s comments argue that the FCC’s approach “does not reflect the different expectations and concerns that consumers have for sensitive and non-sensitive data.” The FTC staff further recommends that the FCC treat affiliates like third parties “unless the affiliate relationship is clear to consumers.”
  • Ensuring Reasonable Data Security: The FTC staff is largely supportive of the approach to data security set forth in the proposed rules, though the staff cautions that the proposed rule text would impose strict liability on BIAS providers for “ensuring” security. The comments propose modifying the language in the proposed rules to require companies to “ensure the reasonable security, confidentiality, and integrity of all customer PII.”

In a statement supporting the FTC staff’s comments, FTC Commissioner Maureen Ohlhausen wrote separately to “emphasize the differences between the FTC’s approach and the proposed FCC approach to consumer privacy and to warn that the FCC’s approach may not best serve consumers’ interests.”

She argues that the FTC’s approach to privacy focuses on the sensitivity of consumer data, while the FCC’s proposed framework emphasizes what type of entity collects or uses data such as BIAS providers, affiliates, or third parties. According to Commissioner Ohlhausen, defaults “should match typical consumer preferences, which means they impose the time and effort of making an active decision on those who value the choice most highly.” She pegs this calculus to the sensitivity of information, arguing that advertising generally would suggest an opt-out approach while uses of sensitive data would require an opt-in choice, and argues that FCC’s current three-tiered “implied consent / opt-out / opt-in” approach would require opt-in consent for many uses of non-sensitive information and “would require no consent at all for certain uses of sensitive data.”

Finally, Commissioner Ohlhausen states that FCC’s proposed rule “mischaracterizes” the FTC’s findings with respect to discounts or “financial inducement practices.” She rejects the notion that the FTC’s January 2016 Big Data Report supports the argument that certain advertising-based business models can unfairly disadvantage low income or other vulnerable populations. Instead, she writes, bans on ad-supported broadband services prohibit even fully informed consumers from trading their data for a price discount and may harm broadband adoption.