Proposed FCC Privacy Rules Would Harm Innovation

As AAF has previously explained, the Federal Communications Commission (FCC) is considering privacy rules for Internet service providers (ISPs). The agency recently took the unprecedented step to reclassify Internet service, and in doing so, nullified the Federal Trade Commission’s (FTC) oversight on privacy because the FTC is limited in bringing actions against common carriers. Under the proposed privacy rules, ISPs would have to expressly receive an opt-in approval from their customers before it can share customer information with non-communications-related affiliates or third parties. On the other hand, for marketing related to communications services, ISPs would have to give consumers the ability to opt-out. Even though the FCC admits most consumers already have privacy protections and the ability to opt-out of information sharing, they still want to implement costly rules. Instead of enhancing consumer protections, the new regime would change the default preferences, putting a heavy burden on innovation.

For one, only broadband providers will be subject to these rules, and not their content counterparts who run search engines, apps, operating systems that also deal with massive amounts of data. Thus, the imposition of both opt-out and opt-in rules will create a regulatory imbalance within the sector.

Second, these rules would implement the most burdensome data privacy regime that has yet been devised without precedent either in the FTC or the US legal structure. In the U.S., mandates requiring companies to allow consumers opt-out or opt-in of information sharing is limited to specific sectors where Congress has determined that there is a strong case harm could come from inadvertent sharing. The data that the FCC has outlined for concern doesn’t rise to this level. The FTC’s privacy framework also doesn’t call for the blanket opt-in regime, but makes the case that some opt-out mandates might be necessary under some conditions. While there might be some cases where leaked information in concert with other types of information could be compromising to an individual, there is nothing particularly unique about the data that is being set aside by the FCC for additional rules. Others have access to this information as well.

Moreover, companies that have integrated vertically will be split internally. Both Verizon and Comcast have both a communications related service in the form of a broadband service and non-communications service in the form of a content company. Under these rules, information sharing would be split among these activities. For what it’s worth, the FTC doesn’t make such a distinction and treats affiliates as first parties when the relationship is clear to consumers.

Here is what an opt-in regime for those non-communications-related services would look like in practice. Sprint recently inked a deal with Amazon to offer their customers the Amazon Prime service. Under the proposed rules, Sprint would have to get explicit approval from every customer before it could tell them about this deal. Similarly, Verizon might not be able to send their own consumers information about iPhone cases in their corporate stores. AT&T is betting big on home automation services. By all accounts, this change in policy would limit them from cross company deals and telling consumers about new products. And what about the growing Internet of Things market? Would companies that provide service for your online connected thermostat or washer also be precluded from sharing information across its entities? Considering how the rules have been proposed, this is likely, which would impose a huge unseen cost to innovation in this space.

Opt-in regimes present three big hurdles for consumers as decision makers. First, consumers have substantially less information about decisions they make. Before any additional service can be provided by the ISP, consumers will have to imagine all of the potential benefits, which will be difficult if not impossible. Second, consumers will think that that defaults are suggestions by the company. In other words, they will assume that it is a recommended action, even though they are mandated choices by the government. Lastly, these defaults will become the status quo. Any further change from this baseline will require significant effort by the ISP and will be understood by the decision maker as a trade-off, as psychologists have found.

Opt-in defaults show markedly lower participation rates to opt-out defaults even though the good or service is exactly the same. The classic example is organ donation. Although there is widespread support for organ donation, only about 28 percent actually volunteer to be donors, despite the fact that around 85 percent claim to want to be donors. Some countries automatically enroll everyone for organ donation and then allow for opting out, which results in participation rates of 85 percent and higher.

Below is a compendium of studies testing these defaults. Even though consumer options and protections are the same, the default changes participation rates dramatically.

Subject Area Opt-In Participation Rate Opt-Out Participation Rate
An on-line survey asking participants if they want to be contacted further about health surveys 48.2 percent 96.3 percent (source)
Organ donation in Austria 99.98 percent (source)
Organ donation in Belgium 98 percent (source)
Organ donation in Denmark 4.25 percent (source)
Organ donation in France 99.9 percent (source)
Organ donation in Germany 12 percent (source)
Organ donation in Hungary 99.9 percent (source)
Organ donation in Netherlands 27.5 percent (source)
Organ donation in Poland 99.5 percent (source)
Organ donation in Portugal 99.6 percent (source)
Organ donation in Sweden 85.9 percent (source)
Organ donation in the United Kingdom 17.2 percent (source)
401(k) enrollment 37 percent 85.9 percent (source)

The FCC has previously foisted these rules on the industry before, losing in federal court and in the court of opinion. In a court case with US West, a telephone company that is now part of CenturyLink, it was revealed that obtaining permission cost between $21 and $34 per consumer. By their own internal calculations, US West had to make 4.8 calls to each customer household before they reached an adult who could grant consent to share information. In one-third of households called, U.S. West never reached the customer. Altogether, customers received more calls from the opt-in regime than in an opt-out system even though many weren’t able to enjoy the benefits of new services.

In other industries where opt-in regimes have been imposed, studies have found higher costs and slowed innovation. A 2000 Ernst & Young study of financial institutions found that these mandates cost the entire industry $56 billion. For charities, the cost of compliance with an opt-in privacy law would have been nearly 21% of their total revenue. In Europe, the implementation of restricted information sharing rules decreased the efficacy of advertising by 65 percent relative to the rest of the world, cutting off the lifeblood of Internet startups. The cost of privacy regulation is one of the reasons why Europe lags in startups. And the FCC wants to pile on those costs.

In spite of the overwhelming evidence of harm, the FCC is hell bent in applying new burdens for ISPs. The costs will be unseen, hidden in the default that changes pref. For those of us who haven’t given up on American innovation and who care about consumers, these proposed rules represent the absolute wrong way forward.

AAF has also filed regulatory comments in this proceeding.