This week, Alamo Broadband and USTelecom each sued to block the Federal Communications Commission from enforcing its February order reclassifying broadband providers as “common carriers," or a public utility of sorts, and therefore subject to the same rules that regulate telecommunications companies. The suits exemplify a panicked stakeholder reaction to a potentially disruptive change: Some personal data Internet service providers currently use to generate revenue is now considered Consumer Proprietary Network Information (CPNI) under FCC rules, meaning its uses will be regulated in ways it hadn’t been before.
That's a big deal to companies, like internet service providers, who supplement revenue from user fees in a variety of ways by trafficking in user data.
“Regardless of whether it’s good policy or bad policy, the implication is serious for ISPs,” said Al Gidari, an attorney at Perkins Coie. “The world is going to change for them a lot ... What is and isn’t CPNI is going to be a big, difficult, long, litigated slog through new privacy rules for the Internet."
Hogan Lovells’ Mark Brennan said the FCC decision has a broad reach, potentially affecting companies “at all layers of the broadband ecosystem, including ISPs, cloud providers, content and app developers, equipment manufacturers and more."
So, in addition to the common carriers themselves, the third-parties that partner with ISPs and rely on the customer data they collect will feel the heat of this. For example, Gidari said, situations that occurred with companies like now-defunct NebuAd, the ad-tracking platform that partnered with ISPs in the past to see where consumers went online, wouldn't happen because there would be laws regulating the use of information from ISPs about where customers travel online. The URLs customers travel to would now be considered CPNI. While in the past, a privacy policy that told users what a company was doing with user data would ostensibly suffice, that will no longer be the case.
“Now, we’re going to have rules,” Gidari said. “We’re going to have rules that say, ‘You may not disclose that without customer consent, by law.'”
To be sure, the FCC will hold a rulemaking workshop in coming months, and it’s expected that stakeholders will argue for special rules to apply to CPNI in the case of broadband companies. Their dependence on customer data for things like online tracking and behavioral advertising is somewhat different than the traditional analog telecommunications companies for whom the law was originally written, and so, they'll argue, the old rules should bend to accommodate the online economy.
Besides concerns about what is or is not CPNI, the FCC’s move has been controversial in that it’s seen by some as a power grab of sorts, Gidari explained.
FCC v. FTC?
“The FTC has owned this field for a long time and has established itself as the Internet’s regulator,” Gidari said, comparing the FCC to the proverbial “second cousin” who’s perpetually trying to get some attention of its own. But with Travis LeBlanc at the helm now, it seems the FCC’s historically soft-touch style of enforcement, at least compared with the FTC, may be yesterday’s approach.
LeBlanc himself acknowledges there is a change afoot.
“I do see privacy in the broadband space as a trend in enforcement in the near future. I think that’s going to be an issue,” LeBlanc said. “With convergence and with this new rulemaking there are a lot of companies that are crossing into the FCC space, and they just need to be careful to make sure they know our rules.”
But he said the FCC’s aim isn’t to swoop in on the FTC’s enforcement regime. He sees the agencies as partners and expects that relationship to only grow stronger.
“The FTC is a sister federal agency, and our commissions have a long history of working together on lots of different issues, not just privacy,” he said. “I’ve worked hard since arriving at the commission last year to increase our enforcement collaborations.”
That effort was evidenced by settlements reached collectively by the FTC, FCC, state’s Attorneys General with AT&T and T-Mobile, he said.
“We will certainly look to the FTC’s jurisprudence on privacy as we think about the privacy actions we take here at the FCC,” he said. “But we have on our books separate promulgated rules and laws that apply, and it’s important to have the ability to continue to keep those rules updated, to make sure we’re enforcing them and also it’s important, as a deterrent, to have the ability to fine for conduct that’s unlawful.”
In fact, in some instances, it's possible that only the FCC could enforce privacy issues. In a separate case involving data throttling from October 2014, AT&T claims because of its status as a common carrier, the FTC—under a "common carrier exemption" in the FTC Act—doesn't have jurisdiction to regulate them at all. The FCC does.
But FTC Commissioner Maureen Ohlhausen said applying rules meant for telecommunications companies to the broadband space “may not be a good fit.” Her position is sort of, why mess with a good thing?
She said the FTC has a very strong track record in the online privacy space, but some of the actions it’s taken would be much more challenging to bring now that the FCC has reclassified “such a large and amorphous part of broadband.”
For its part, the FTC has built decades’-worth of Section 5 case law, she said. It’s a well-oiled privacy enforcement machine at this point, with entire staff divisions dedicated to investigations, evidence-gathering and monitoring how companies adhere to consent orders. And, it’s got a Bureau of Economics, which reviews the agency’s settlement actions to make sure “we’re drawing the line in the right place,” she said.
She went on to say that the FTC’s statute is flexible and driven by analysis and so when it’s brought cases against companies in the name of consumer protection, it’s been able to do so in a way that didn’t cripple innovation. And that’s important in a marketplace of constantly emerging technologies and previously unimagined uses for data.
“Our statue isn’t very siloed, where the FCC’s is,” she said. “We’ve been able to draw the lines pretty well to protect consumers’ interests but not shut off new developments just because they weren’t contemplated,” she said, adding that as opposed to fines or penalties, the FTC is more prone to settlements, which often put money back in injured consumers' hands. She points to the FTC's settlement with TracFone, which put $40 million back in the hands of consumers who'd allegedly been deceived by the company.
Her colleague, Commissioner Julie Brill, isn’t as troubled by the FCC’s new rule, but she’s got concerns as well.
“I’m optimistic that if done right, it could protect consumers in a way that, absent of Congressional action, we may not be able to,” Brill said.
But she will admit there’s a benefit to having one entity doing enforcement in that all the players understand the agency’s position; they’ve seen it evolve over time.
But she said if the FCC does it right and the FCC and FTC share jurisdiction over activities that are truly common-carrier activities, that is, the enforcement is based on activity and not a company’s “status,” the enforcement system could be robust.
“Sometimes collaboration can lead to better results because you can draw on a larger set of potential tools,” she said.
The Devil’s In the Details
What concerns her is how the CPNI rules will apply to broadband companies. The details will matter.
"How do you translate CPNI into the broadband world?," Brill wondered. "Do they mean deep packet inspection will be subject to the rules? What type of information that broadband providers have or could have would be subject to notice and choice and other kinds of privacy protections?”
“I think right now there’s a lot of uncertainty that’s been interjected into an area where the FTC has made a lot of inroads,” Ohlhausen said. “And I would just hate for that to reduce the protections that are available to consumers.”
Gidari said this is just the beginning, though, and it’s going to be some time before anything is settled.
To prepare, Brennan says ISPs should take inventory now, before the FCC’s rulemaking.
“Depending on what rules the FCC proposes, providers may be asked to justify various forms of collection, use, and sharing,” he said, adding it’ll be “critical to understand thoroughly the purposes for which individually identifiable data is collected, as well as how and why it is used, shared with affiliates, and shared with joint venture partners and other unaffiliated third parties.”
For now, all eyes are on the FCC and its rulemaking workshop later this year. Until then, and maybe even for months afterward, broadband providers and their partners are waiting with baited breath.