Five Myths of the Broadband Privacy CRA

With the passage of a Congressional Review Act (CRA) repeal, privacy rules stemming from the previous Federal Communications Commission (FCC) were reversed. There has been a lot of misinformation about what would and wouldn’t be achieved with the rules. To clear up the confusion, here are the top five myths of broadband privacy CRA.

Myth 1: ISPs want to sell your browsing history to advertisers

Many have framed CRA passage along misleading lines that Internet service providers (ISP) can now sell your browsing data. This isn’t the business model that they have been pursuing, or said they want to pursue. Neither Google nor Facebook sell your data and could be taken to court if they did. The same applies to ISPs. Selling your data would run afoul of a number of laws. When ISPs say that they want to compete with these Internet giants, they want to replicate their income streams. Selling information is the information broker model. Selling ads is the ad platform model. While many rightfully get ginned up that their data is being sold in a digital bazaar, the online ad platform model is literally the exact opposite.

As AAF explained before, the rules would have required ISPs to get your permission before using data for marketing purposes instead of allowing you to opt-out, the current baseline. This is what all of it is about. The shift from an opt-out to opt-in privacy regime engendered negative reactions from countless players, including well-respected privacy scholars, current Federal Trade Commission (FTC) Chairman Maureen K. Ohlhausen, and even Google.

Myth 2: Consumers just lost privacy protections

The FCC’s rules were largely about changing privacy defaults. More importantly though, the largest ISPs have committed to protecting consumer privacy and have written protections into their privacy policies limiting them from sharing information to third parties. Violations would put them at the mercy of FCC action. What the CRA did was rid the books of specific rules, but not the broad authority, so the agency can still address harmful ISP behavior through Section 201(b) of the Communications Act. In short, the agency still has the power to act.

Myth 3: Privacy for the entire Internet ecosystem just took a hit

There is a hidden upside in clawing back specific rules. The US privacy regime, compared to Europe, creates productive ambiguity. Agency authority without specific rules means that companies will strain to follow the spirit of the law. Indeed, this is what sets the US apart from those on the other side of the pond. What results is a more robust privacy ecosystem, as two researchers explained, typified by, “the emergence of the Federal Trade Commission as a privacy regulator, the increasing influence of privacy advocates, market and media pressures for privacy protection, and the rise of privacy professionals,” which “supplement[s] a privacy debate largely focused on processes (such as notice and consent mechanisms) with a growing emphasis on substance: preventing violations of consumers’ expectations of privacy.”

Myth 4: ISPs have unprecedented access to your data

While ISPs do play an important part of the Internet ecosystem, their access to your browsing habits are limited. For a number of reasons, web sites are moving towards secure transmission protocols. When a website like Facebook has the “https” at the beginning of the address, then you are using these protocols. Effectively then, ISPs cannot access the content you are transmitting, which is important to advertising. Over half of all traffic on the Internet is now encrypted this way.

Moreover, countless players in the Internet ecosystem track your online movements, but it isn’t nefarious. Social networks, search engines, messaging services, operating systems, mobile apps, and browsers all collect the kind of information that the FCC wanted to limit. Even some of the most ardent supporters of the privacy rules in Congress themselves maintain trackers on their web sites that funnel data to these companies.

Myth 5: Congress overstepped its bounds by passing this CRA 

When the FCC pushed these rules, as well as the reclassification of broadband service under Title II, they created this mess. The FTC, not the FCC, has long been the policeman for privacy. The FTC is by far the world’s most active protector of consumer privacy with more than 150 Internet-related privacy and data security cases on the books. Under Chairman Wheeler, the FCC took aggressive steps to expand into new territory and privacy was one of the most contentious. Undoing these rules is a smart step to reign in mission creep at the FCC.