When the Federal Trade Commission (FTC) issued a staff report in late October on the privacy and data collection practices of six large internet service providers (ISPs), the commission’s chair Lina Khan called the findings “striking.” Her own remarks are striking too.
After flagging structural issues in the marketplace, Khan asserted that “the Federal Communications Commission (FCC) has the clearest legal authority and expertise to fully oversee [ISPs],” and called for the FCC to reassert authority over ISPs “and once again put in place the nondiscrimination rules, privacy protections, and other basic requirements needed to create a healthier market.” Khan’s position was shared by FTC Commissioner Rebecca Kelly Slaughter, who wrote: “I hope the FCC is able to return ISPs to their proper classification as telecom services under Title II and to provide appropriate protections for these essential services.”
It’s not common for a regulator to disclaim authority. Regulatory humility can be a useful trait, but it is misplaced in this instance. For several reasons, it makes sense for the FTC to regulate ISPs with regard to privacy.
First, insofar as possible, a single set of privacy rules should apply to all sectors at the federal level, rather than add more patches to the crazy quilt of federal privacy regulation that exists in America today. It is confusing for consumers to have different privacy protections from businesses depending on their respective sectors—one law for financial services, another for communications companies, still another for health care, and no specific privacy law for most others. It is even more confusing for consumers if two directly competing services—such as location-based services offered by both “over the top” providers, like Hulu and Netflix, and ISPs—are subject to separate privacy regimes from multiple regulatory agencies. And it creates uncertainty or conflicting regulation for the ISPs themselves, many of which provide not only broadband internet access and other regulated communications services but also other services that are clearly subject to FTC jurisdiction, such as entertainment, content, advertising, and alarm services and other home automation.
A unified legal regime for privacy across sectors would be desirable, but very difficult to overlay onto existing regimes. This is why the report and draft legislative language I co-wrote with other Brookings scholars recommended that federal privacy legislation establish a federal commission to review existing laws and subsequently make recommendations to Congress “about how federal laws addressing privacy and data security may be harmonized.” In the meantime, it makes sense to avoid further fragmentation of federal privacy law.
Over the past two decades, the FTC has brought approximately 80 cases based on the handling of personal data against companies across a range of sizes and sectors: from Facebook and Google, to brick-and-mortar businesses, to small app providers and marketing companies. This caseload reflects that privacy has become a major focus of the FTC’s work in the 21st-century digital economy. Just last week, the agency proposed a rulemaking process to impose stronger privacy and security protections for businesses, as well as to prevent discrimination resulting from automated decision-making. While privacy has been a steady diet at the FTC, it has been only occasional fare at the FCC. The FCC has brought cases against common carriers and telephone marketers based on narrow laws that regulate telecommunications calling data, cable television subscriber records, and telephone marketing, though these recently resulted in a $200 million fine to Verizon, AT&T, T-Mobile, and Sprint for selling customers’ location information without proper security measures or consent. The FCC undertook broad rulemaking to apply privacy laws to ISPs following the adoption of the 2015 Open Internet Order, which subjected them to public service obligations applicable to communications common carriers under Title II of the 1934 Communications Act, as amended by the 1996 Telecommunications Act. But Congress voted to override these privacy rules in March 2017, and so the FCC never carried out this broadened enforcement role.
Third, the views of Commissioners Khan and Slaughter do not reflect the significant progress toward comprehensive federal privacy legislation since 2016 and the prevailing thrust of the resulting legislative proposals to expand FTC authority. Federal bills or draft proposals—in particular, those from leadership on both sides of the aisle within the Commerce Committees in both houses of Congress that are the most likely vehicles for enactment of a federal law—predominantly place federal enforcement in the hands of the FTC. Senator Roger Wicker’s (R-MS) SAFE DATA Act would authorize $100 million for the FTC to exercise this authority. In addition, the $1.8 trillion economic reconciliation package, as passed by the House, includes a provision for $1 billion to establish and staff a new data protection bureau within the FTC.
Moreover, several privacy bills, including the SAFE DATA Act (but not Senator Maria Cantwell’s (D-WA) Consumer Online Privacy Rights Act), would override an exemption from the 1914 FTC Act to give the agency jurisdiction to enforce privacy violations by communications common carriers and non-profits. So long as that exemption is in place, there is some basis to Chair Khan’s contention that the FCC has clearer jurisdiction to monitor ISPs—if they are classified as communications common carriers, at least. However, that Title II classification remains uncertain. The congressional override of FCC broadband privacy rules, the subsequent repeal of the 2015 Open Internet Order by the Republican-majority FCC in 2017, the absence of a new net neutrality bill so far in the 117th Congress, and delays in confirming a third Democratic commissioner to the current FCC could prevent or delay a new net neutrality initiative and FCC rulemaking.
Even if the current Congress, or a new Democratic majority at the FCC, pursues a new net neutrality order in due course, net neutrality is fundamentally about competition, not privacy; it is aimed at preventing ISPs from discriminating against competing service providers, such as online video service competitors like Netflix or YouTube. The FCC’s 2016 privacy regulations were an incidental effect of bringing ISPs under rules for common carriers, which was also aligned with the existing net neutrality provisions. The latter includes Section 222 of the Communications Act, which limits communications carriers’ use of “customer proprietary network information.” As a result, once the FCC deemed ISPs to be common carriers, the agency needed to address the application of Section 222 to ISPs, which protects the confidentiality of “customer proprietary network information” such as call records.
Congress can obviate this issue by giving the FTC jurisdiction over privacy for communications carriers—thus clarifying the FTC’s leading role on privacy. It is the path of least resistance toward enactment of comprehensive privacy legislation and a simpler, clearer way of protecting individual privacy.
Facebook, Google, T-Mobile, and Verizon are general, unrestricted donors to the Brookings Institution. The findings, interpretations, and conclusions posted in this piece are solely those of the author and not influenced by any donation.