Future Shock? Uncertainty over Long-Term Effects of the FCC Privacy Rules Repeal

While the recent repeal of the Federal Communications Commissions' (FCC) broadband privacy rules have caused an uproar over what many may see as lagging federal data privacy protections, it does little to change how broadband Internet service providers (ISPs) handle their users' data.

The privacy rules, put forth in the waning days of the Obama Administration, placed several privacy and security obligations on broadband ISPs, among them the need to “obtain affirmative consent when offering financial incentives in exchange for the right to use a customer's confidential information,” and the requirement to more clearly provide privacy notices to their customers, according to the FCC.

Because the rules were scheduled to take effect in late 2017, the repeal “doesn't change anything immediately,” Behnam Dayanim, partner from Paul Hastings' Privacy practice, told our ALM sibling Legaltech News. But in the long term, their effect is far more significant. Since the rules “did provide some certainty” on how broadband ISPs can collect and sell their customer data, their repeal essentially leaves open the question of how to interpret the laws regulating such activity.

The uncertainty stems from the interpretation of Section 222 of the Communication Act of 1996. In 2015, the FCC classified broadband ISPs as “common carriers,” which placed broadband ISPs under the purview of Section 222, as well as made them exempt from FTC oversight and enforced network neutrality, the principle that ISPs should treat all Internet traffic and data equally.

Since 2015, Section 222 has allowed broadband ISPs to collect and sell their customers' aggregated data to third parties, but mandated that they protect the confidentiality of their customers, unless they received approval from a customer to disclose and sell such personal information.

But in absence of the Obama administration rules, it is far from clear what “approval” entails, Dayanim said. “Perhaps 'approval' means having an opt-out [notification] or perhaps that means something [passive] in the privacy statement. Because of the generality of the statue and the absence of a rule, the parameters of the required approval are unclear.”

Dayanim doesn't believe that the FCC is “in any hurry to take enforcement action against broadband providers” to better clarify what is required by “approval.” And it's difficult to see the issue being easily litigated in courts anytime soon.

“I don't believe there has been a lot of litigation under this statute, so there are no definitive answers there,” Dayanim said. He added that it also isn't clear if there is a private right of action under Section 222 either. Any legal challenge broadband ISPs face, therefore, would more likely be “predicated on some state law or some common law regarding deception or fraud.”

Still, even if such approval did not require affirmative consent, there is little risk of personal or confidential data being collected and sold given the legal and technological limitations ISPs face.

In the corporate world, for example, “larger companies have separately negotiated agreements with their ISPs that can potentially [give them] a higher level of security and anonymity,” than normal user agreements, said Jonathan H. Hill, dean of the Seidenberg School of Computer Science and Information Systems at Pace University.

And because of the wide use of web-based encryption, “there are real limitations to the type of data that ISP have access to, and it often tends to be less than people think,” added Doug Brake, a telecommunications policy analyst with the Information Technology and Innovation Foundation.

He explained that due to encryption, ISPs may only be able to “access to the sort of high level URL metadata of what website you are on, but don't have access to any of the content, or how you're actually interacting with that website.”

Darren Hayes, director of cybersecurity and an assistant professor at Pace University in New York, noted that data from ISPs are often much less valuable for advertising or business intelligence purposes than other data sources, such as mobile phones and social media platforms. “The kind of analytic information that you can get from smartphone far surpasses what someone can provide in terms of analytics from ISP data,” he said.

*****
Rhys Dipshan writes for Legaltech News, an ALM sibling publication of this newsletter in which this article also appeared.

While the recent repeal of the Federal Communications Commissions' (FCC) broadband privacy rules have caused an uproar over what many may see as lagging federal data privacy protections, it does little to change how broadband Internet service providers (ISPs) handle their users' data.

The privacy rules, put forth in the waning days of the Obama Administration, placed several privacy and security obligations on broadband ISPs, among them the need to “obtain affirmative consent when offering financial incentives in exchange for the right to use a customer's confidential information,” and the requirement to more clearly provide privacy notices to their customers, according to the FCC.

Because the rules were scheduled to take effect in late 2017, the repeal “doesn't change anything immediately,” Behnam Dayanim, partner from Paul Hastings' Privacy practice, told our ALM sibling Legaltech News. But in the long term, their effect is far more significant. Since the rules “did provide some certainty” on how broadband ISPs can collect and sell their customer data, their repeal essentially leaves open the question of how to interpret the laws regulating such activity.

The uncertainty stems from the interpretation of Section 222 of the Communication Act of 1996. In 2015, the FCC classified broadband ISPs as “common carriers,” which placed broadband ISPs under the purview of Section 222, as well as made them exempt from FTC oversight and enforced network neutrality, the principle that ISPs should treat all Internet traffic and data equally.

Since 2015, Section 222 has allowed broadband ISPs to collect and sell their customers' aggregated data to third parties, but mandated that they protect the confidentiality of their customers, unless they received approval from a customer to disclose and sell such personal information.

But in absence of the Obama administration rules, it is far from clear what “approval” entails, Dayanim said. “Perhaps 'approval' means having an opt-out [notification] or perhaps that means something [passive] in the privacy statement. Because of the generality of the statue and the absence of a rule, the parameters of the required approval are unclear.”

Dayanim doesn't believe that the FCC is “in any hurry to take enforcement action against broadband providers” to better clarify what is required by “approval.” And it's difficult to see the issue being easily litigated in courts anytime soon.

“I don't believe there has been a lot of litigation under this statute, so there are no definitive answers there,” Dayanim said. He added that it also isn't clear if there is a private right of action under Section 222 either. Any legal challenge broadband ISPs face, therefore, would more likely be “predicated on some state law or some common law regarding deception or fraud.”

Still, even if such approval did not require affirmative consent, there is little risk of personal or confidential data being collected and sold given the legal and technological limitations ISPs face.

In the corporate world, for example, “larger companies have separately negotiated agreements with their ISPs that can potentially [give them] a higher level of security and anonymity,” than normal user agreements, said Jonathan H. Hill, dean of the Seidenberg School of Computer Science and Information Systems at Pace University.

And because of the wide use of web-based encryption, “there are real limitations to the type of data that ISP have access to, and it often tends to be less than people think,” added Doug Brake, a telecommunications policy analyst with the Information Technology and Innovation Foundation.

He explained that due to encryption, ISPs may only be able to “access to the sort of high level URL metadata of what website you are on, but don't have access to any of the content, or how you're actually interacting with that website.”

Darren Hayes, director of cybersecurity and an assistant professor at Pace University in New York, noted that data from ISPs are often much less valuable for advertising or business intelligence purposes than other data sources, such as mobile phones and social media platforms. “The kind of analytic information that you can get from smartphone far surpasses what someone can provide in terms of analytics from ISP data,” he said.

*****
Rhys Dipshan writes for Legaltech News, an ALM sibling publication of this newsletter in which this article also appeared.