April 19, 2016
An Explanation of the Newly Proposed FCC Privacy Rules
When the Federal Communications Commission (FCC) reclassified broadband services to become a more tightly regulated service last year, the agency temporarily refrained from applying older telephone-based data restrictions onto the new service. After continued lobbying from privacy advocates, the FCC proposed new privacy rules via a Notice of Proposed Rule Making (NPRM). Much like the reclassification order that preceded it, the FCC doesn’t consider the costs of the new regulations. Instead, the agency is gearing up for a more expansive role in regulating content. What follows is a short explanation of those rules, how we got here, and what this signals for the agency.
What did the FCC propose?
The FCC wants to more tightly control five basic kinds of data of broadband consumers:
- Service plan information, including type of service (e.g., cable, fiber, or mobile), service tier (e.g., speed), pricing, and capacity (e.g., information pertaining to data caps);
- Geo-location data;
- Media access control (MAC) addresses and other device identifiers that are unique for each wired or wireless device;
- Internet Protocol (IP) addresses and domain name information; and finally
- Internet traffic statistics.
The Commission has proposed a three-part regime to regulate these categories of data:
- For customer data that is used to provide broadband services, for example to ensure that a communication destined for a particular person reaches that destination, the rules will not generally limit transfer or sharing of information.
- The new rules would allow broadband providers themselves or through their affiliates to use customer information to market other communications-related services, but they would be subject to opt-out approval of the customer.
- Lastly, broadband providers will have to expressly receive an opt-in approval from their customers before it can share customer information with non-communications-related affiliates or third parties
What other changes are being proposed by the FCC?
The proposal is also asking for further information on a number of other related issues. While Congress has considered, but ultimately never passed, legislation outlining rules for consumer data breaches, the FCC is looking to implement their own data breach notification rules. Moreover, the Commission wants to know if more protection is needed for the content that flows over the Internet. In other words, the Commission is inviting comment on how to more broadly regulate content. For an agency that doesn’t have a dedicated bureau of economic analysis, is minimally staffed with Internet technologists, and isn’t required to conduct an empirical analysis of the rules, these open ended invitations are worrying.
Why is the FCC doing this now?
Since the FCC took the unprecedented step of reclassifying broadband, they are capitalizing on the opportunity by promulgating privacy rules that were never intended for the Internet. Had the agency not been unduly influenced by the Obama administration and continued with their original proposal for the Open Internet Order, then the current privacy rules would simply not be under consideration.
Why should you be worried about the effect these rules will have?
Even though the ink is barely dry on this proposal, the third opt-in requirement has already become a sticking point. As the agency admits, the market is moving towards a more complex ecosystem where content providers, social networks, and ad networks are integrated, so in their estimation an “opt-in approval is needed to protect the reasonable expectations of consumers.” This opt-in requirement will even apply to content providers, social networks, and ad networks owned by broadband providers, so sharing of data even within a company will be made much more difficult.
Opt-in mandates have a tumultuous history in data regulation in part because of the cost structure they impose on innovation. Consumer decision making under an opt-in regime is only partially informed because users lack experience with whatever benefit may come of that transaction, thus the benefits are underestimated. At the same time, opt-in regimes force the data holder to obtain permission for its use, thus adding cost. Together, opt-in decisions tilt the playing field towards a costlier system.
Economic analysis of privacy has become its own cottage industry, and the general tenor is that privacy rules do come with a cost. The effect of this law is hard to see as a consumer, but it does likely change the ecosystem. In another study, small firms and new firms were found to be the most adversely affected. In short, the unseen cost of this kind of regulation will likely be a reduction in upstarts. The data so far shows that the FCC’s action will alter the competitive landscape of the industry in the opposite direction than was intended.
Very little attention is paid to the costs of these rules, and the asymmetry that this regulation will create. Similar to previous AAF work, this new Notice makes it clear that the agency lacks the institutional structure to appropriately consider the costs and implementation of the proposal. Even the most litigious and ardent supporters of privacy have been wary, including the Electronic Privacy Information Center, which noted that the focus “is inconsistent with the reality of the online communications ecosystem, incorrectly frames the scope of communications privacy issues facing Americans today, and is counterproductive to consumer privacy.” What is especially worrying to anyone who cares about the vibrancy of the Internet is that especially onerous rules might have a deleterious effect on this important part of the economy in ways that cannot be easily measured.