Written by Sydney White and Jim Halpert

This week the US House of Representatives passed a Congressional Review Act (CRA) resolution of disapproval of the US Federal Communications Commission (FCC) broadband privacy rules that were approved by the FCC in a straight partisan vote at the end of the Obama Administration, but have not yet taken effect.  The Senate passed an identical resolution last week.  President Trump has signaled that he will sign the resolution, which means that the FCC is prohibited by the CRA from imposing “substantially similar” privacy regulations on broadband ISPs in the future.

The broadband privacy rules would have imposed an opt-in consent requirement for use of web browsing activity by ISPs for marketing or advertising and a 7-day breach notification deadline. They would have applied only to ISPs and not to any other businesses in the Internet ecosystem. Interestingly, the rules were opposed not only by ISPs but also by a wide range of other Internet and advertising companies, and were subject to criticism for imposing confusing, disparate regulation on select companies based upon siloed regulatory classifications. As a result of the CRA resolution, privacy regulation of broadband ISPs, which was to be more demanding than regulation of other Internet companies, will become similar again.

Although the current FCC Chairman Ajit Pai opposes the broadband privacy rules and could have chosen to forbear from enforcing them or could have amended the rules through the rulemaking process, a future FCC could have reversed that decision. Congressional passage of the CRA resolution provides long-term certainty.

Although selective, more aggressive privacy requirements for ISPs will be foreclosed, the CRA essentially puts the US privacy framework back where it was before November 2016, and does not create a regulatory loophole for ISPs to sell customer information, as some advocates have charged. The FCC will continue to have authority over the privacy of telecom usage information as well as authority to take enforcement action against unreasonable broadband privacy and security practices.

In January, more than 15 ISPs announced that they would adhere to a voluntary set of privacy and data security principles that are consistent with the more flexible US Federal Trade Commission (FTC) framework, which applies to the rest of the Internet.  The principles include specific policies on transparency, consumer choice, security and data breach notification.

  • The transparency principle confirms that ISPs will continue to provide customers with comprehensive, accurate, and continuously available notice of collection, use, and sharing of customer information.
  • Under the choice principle, ISPs will continue to give customers choice over use or disclosure of their data consistent with the FTC’s framework.  Choice will vary depending upon the sensitivity of the information.  Sharing of sensitive information will require opt-in choice, non-sensitive information will require opt-out choice, and uses such as fraud prevention, product development, market research, network management and security, compliance with law, and marketing by the ISP will be subject to implied consent.
  • Under the data security principle, ISPs will continue to protect customer information collected by the ISP using reasonable security measures, taking into account the nature of the ISP’s activities, sensitivity of data, size of the ISP, and technical feasibility.
  • The data breach principle provides that ISPs will continue to notify customers of data breaches where there is unauthorized acquisition of customers’ sensitive personal information.

State Attorneys General can enforce these ISP privacy and security commitments in addition to existing state privacy, data security, and data breach laws that have protected and will continue to protect consumers.

Both FCC and FTC privacy enforcement authority over ISPs could change if the FCC or Congress overturns the FCC’s reclassification under the Open Internet Order of broadband providers as common carriers under Title II of the Communications Act. Congressional or FCC action to overturn that order would restore FTC authority over ISP privacy and security practices. While both Chairman Pai and leaders of the Congressional committees with jurisdiction over the FCC and FTC are on record as supporting this change, this reversal of the underpinnings of broadband regulation is a longer-term and more complicated policy objective.

One immediate effect of the CRA is likely to be legislative activity in several states to impose opt-in consent requirements at the state level. Already, legislators have added a written opt-in consent requirement for information collection by ISPs to Minnesota’s budget bill. The long-term effect is likely to be to focus more attention on giving the US FTC clearer authority over privacy and security practices of businesses in many sectors in order to create clear and uniform privacy and security requirements across those sectors.