When the 9th U.S. Circuit Court of Appeals ruled, in September 2016, that the Federal Trade Commission did not have the authority to regulate AT&T because it was a “common carrier,” which only the Federal Communications Commission can regulate, the decision created what many in privacy foresaw as a “regulatory doughnut hole.” Indeed, when the FCC, in repealing its broadband privacy rules, decided to hand over all privacy regulation of internet service providers to the FTC, the predicted situation came about: The courts said “common carriers” could only be regulated by the FCC, but the FCC says only the FTC should be regulating privacy.

So, was there no regulator to oversee a company like AT&T’s privacy practices?

Indeed, argued Gigi Sohn, formerly counsel to then-FCC Chair Tom Wheeler, “The new FCC/FTC relationship lets consumers know they’re getting screwed. But much beyond that, they don’t have any recourse.”

Now, things have changed once again. With an en banc decision, the 9th Circuit has reversed itself, saying, “the FTC Act’s common carrier exemption was activity-based,” not status-based, “and therefore the phrase ‘common carriers subject to the Acts to regulate commerce’ provided immunity from FTC regulation only to the extent that a common carrier was engaging in common carrier services.”

Previously, the 9th Circuit had decided just the opposite, that the exemption was “status-based,” and therefore all activities by that company would be exempt. This reversal of its previous decision by the 9th Circuit now allows the FTC to go forward with its case against AT&T and what it says were deceptive throttling practices, but it also now allows the FTC to once again regulate internet service providers’ data-handling and cybersecurity practices if they come in the context of activities that are outside their activities as common carriers.

Acting Federal Trade Commission Chairman Maureen Ohlhausen in a statement said she welcomed the decision of the en banc court “as good news for consumers. It ensures that the FTC can and will continue to play its vital role in safeguarding consumer interests including privacy protection, as well as stopping anti-competitive market behavior.”

Fellow FTC Commissioner Terrell McSweeney was more muted in her enthusiasm for the decision, via Twitter reply:

Agreed @mollywood. It is good a potentially gaping loophole in FTC jurisdiction is closed - for now. But this FTC throttling case involves ATT’s conduct from 7 years ago - which is like relying on dial up speed enforcement to protect #netneutrality. Clear rules are better. https://t.co/7YNCigZoJl

— Terrell McSweeny (@TMcSweenyFTC) Feb. 27, 2018

While some privacy advocates were hoping the FCC’s broadband privacy rules would stay in place, as the FCC’s rulemaking authority makes it a more powerful regulator than the FTC in some ways, this ruling ensures that ISPs are not “exempt” from privacy regulation.

As the majority opinion by Margaret McKeown reads, “Permitting the FTC to oversee unfair and deceptive non-common-carriage practices of telecommunications companies has practical ramifications. New technologies have spawned new regulatory challenges. A phone company is no longer just a phone company. The transformation of information services and the ubiquity of digital technology mean that telecommunications operators have expanded into website operation, video distribution, news and entertainment production, interactive entertainment services and devices, home security and more. Reaffirming FTC jurisdiction over activities that fall outside of common-carrier services avoids regulatory gaps and provides consistency and predictability in regulatory enforcement.”

Photo credit: sniggie Glazed donut, after via photopin (license)