Good news Internet users – the FCC is proposing to adopt new rules that it claims will give you more control over how your data is collected and used when you’re on the Web. The soundbites sound great – now you can be sure that your privacy preferences will be honored wherever your surfing takes you. Except, not so much. What they don’t tell you is that any privacy choices you make under the proposed rules will apply only to the first entity you encounter on the Internet – your broadband provider. For everything else you do on the Web (use a browser or the operating system on your mobile device, query a search engine, check into social media sites, and access any website) a completely different set of privacy rules will apply.
If it sounds confusing, that’s because it is. Consumers will have to keep track not only of the type of data they are transmitting, but the identity of the entities with access to that data, in order to know what kind of privacy rules apply. And not only will the FCC’s proposal create consumer confusion, it will inhibit competition and stifle innovation, all without increasing the protection of consumer privacy one iota.
The FCC could have avoided all this by simply harmonizing its rules with the FTC’s long-standing and well-tested privacy framework. The FTC model requires transparency and tells businesses to give consumers choice in the use of their data based on the context of their interaction with the company. It tells companies to build privacy standards into every stage of product development (privacy by design) and focuses on preventing harm to consumers. It means if you tell consumers one thing with respect to their personal information and do another you will be held accountable. In a dynamic, fast-changing online marketplace, where consumer preferences evolve and change, this is the right approach.
Under the FCC’s senseless departure from the FTC’s proposal, consumers can prepare themselves for a barrage of opt-in authorizations for everyday practices that currently take place without interruption. For example, under the FCC’s proposal, commonplace acts such as transmitting an email from an ISP account could become subject to the opt-in requirements, while transmission of the identical email from a web-based account like Gmail would not require a consumer election.
“Under the FCC’s senseless departure from the FTC’s proposal, consumers can prepare themselves for a barrage of opt-in authorizations for everyday practices that currently take place without interruption.”
Though nuisances such as this will be written off by some, it’s impossible to ignore the fact that inconsistent rules applied across the Internet would be a big mistake. Consumers do not expect their basic privacy protections to vary based on the company they are interacting with. This confusion would heighten privacy and security risks for consumers, many of whom will mistakenly assume that the withholding of opt-in consent in one context restricts use of their data throughout the Internet. In a survey released last week by the Progressive Policy Institute, an overwhelming 94 percent of Internet users surveyed agreed that “All companies collecting data online should follow the same consumer privacy rules so that consumers can be assured that their personal data is protected regardless of the company that collects or uses it.”
In our comments, we also explain that when the FCC rejects the FTC’s flexible framework and instead imposes a whole new set of obligations, they’re also making it difficult for ISPs to innovate and adapt to new markets and technologies. The Internet has thrived under the FTC’s technology-neutral rules up until now, which have governed ISPs and non-ISPs alike.
To justify its disparate treatment of ISPs, the FCC tries to argue that broadband providers have “unique” access to their customers’ data, but this simply isn’t true. In fact, privacy experts and researchers have demonstrated that broadband providers have no more access, and in many cases far less access, to customer data than do other Internet entities. The FCC is also wrong to claim that customers are unable to switch between ISPs. In fact, as the Technology Policy Institute demonstrates, the vast majority of people access the Internet through a variety of ISPs over the course of a day, from home broadband connections, to Wi-Fi hotspots, to cellular networks, to school and office broadband sources. So no single ISP has as much access to your information as, say, your social media site or search engine of choice, which you would access from every broadband provider you use.
So what’s the solution? A coalition of industry organizations proposed a framework that reflects the FTC’s well-established privacy standards that already apply to other companies on the Internet. A consistent framework would not only avoid consumer confusion, it would also give ISPs the necessary flexibility to adjust their privacy and data security practices to adapt to changing consumer needs and preferences and preserve their ability to provide data-driven customized services in the same manner as all other Internet entities. The FTC framework has successfully served to protect consumers’ interests for decades. The FCC should rethink its misguided proposal.