By: Brian J. Meli
As the smoke settles from the Federal Communications Commission’s recent decision to reclassify broadband service as a utility, and the tempest that is the net neutrality debate fades from the 24-hour news cycle, one could be forgiven for thinking it’s back to business as usual for broadband Internet service providers (ISPs). It’s also tempting to assume—what with net neutrality charting new highs in search volume, and Google News returning more than two million hits for the term—that everything worth writing about the subject has been written, several times over. But as we await the first lawsuits challenging the FCC’s authority to turn the broadband offerings of Comcast, Time Warner, AT&T & Co. into utility services, and the reinvigorated debate that comes with them, it’s important to understand that there’s more to this story than just making the Internet a more equal place. If you’re in the marketing or advertising business, a lot more. Because the FCC’s new Open Internet Order may soon bring changes to the way you do your job. Here’s how:
Not what, but how
It’s not the net neutrality principle itself that we’re talking about. (Whether you count yourself in the pro or anti camp doesn’t really matter). It’s how the FCC decided to go about enforcing the principle that matters. In what many have dubbed a regulatory sleight of hand, the FCC reversed more than 10 years of precedent (its own precedent, I should add) with one stroke of the pen when it stripped broadband ISPs of their favored ‘information provider’ classification and converted them to the more heavily scrutinized ‘common carrier’ status. That’s important, because a common carrier (a less auspicious term for a utility provider), is subject to more onerous oversight because it delivers services deemed essential; like electricity, water and phone service.
All of this you likely already know if you follow the news. But what you may not know, and what has not been widely discussed in the wake of the FCC’s decision to pursue such a path, is that some current ISP practices may run afoul of common carrier regulations. Specifically, those practices involving the collection and sharing of customer data.
Analytics is everything
Quantitative data, advertising metrics, behavioral analytics. Whatever your organization calls it these days, no one can deny that big data is big business, and analytics—from predictive scoring to mobile apps—have a profound and evolving role in helping advertisers better understand and connect with consumers. ISPs are well aware of the analytics phenomenon, and understand that when it comes to data, more is always more. So in a bid to compete with the heavyweight data aggregators like Google and Facebook, they’ve been collecting proprietary customer information themselves, employing ever newer and more controversial methods to assist advertisers in honing the relevancy and accuracy of their digital and mobile messages.
Whether they will be able to continue to do so now that they are common carriers is one of the big questions that industry insiders are wrapping their heads around. Right now the answer is TBD. But if it turns out to be ‘no’, then the ability of advertisers to collect and use ISP customer data may be greatly constrained going forward.
Changing of the guard?
The questions of what information ISPs can now collect, who they can collect it from, and how they can share it, isn’t answerable yet because it isn’t clear to whom they will ultimately be accountable. One reason ISPs were so adamantly opposed to their reclassification is because, among other things, it subjects them to a new, largely undefined regulatory scheme; one that is potentially more cumbersome than what they’re accustomed to. In the halcyon days of two months ago, when ISPs were still information providers, they needed to mainly concern themselves with the Federal Trade Commission (FTC) and its broad-based policy guidelines on privacy—guidelines that flowed from the FTC Act, the lead body of federal legislation for consumer protection, and one that is non-industry specific. Yes, as communication companies, ISPs were always subject to the general authority of the FCC, but because they were exempt from the more rigorous common carriage restrictions, consumer privacy, security and data protection became the province of the FTC, who as the de facto federal watchdog on digital security, filled any perceived enforcement gaps.
Now, as freshly minted common carriers, it’s doubtful that arrangement can last, because on its face, the FTC Act prohibits FTC oversight of common carriers. Under the principle of preemption, the Communications Act—from which the FCC draws its regulatory authority—would override any potential FTC enforcement of ISPs, shifting full responsibility for their regulation to the FCC. FTC Commissioner Maureen Ohlhausen stated as much in an interview last year when asked what effect a reclassification would have: “If an entity is a common carrier providing common carrier services, we [the FTC] can’t bring actions against them.” That sounds pretty straightforward.
What isn’t as straightforward is how the FCC plans to carry this torch once its passed. While the details of the reclassification are still being parsed by policy experts, the FCC has promised a “light-touch” regulatory approach which forbears (or exempts) ISPs from many of the traditional common carrier regulations. How this light-touch will relate to data privacy and security, and the FTC preemption issue, remains to be seen. But until further notice it’s safe to consider the FTC Act preempted. The question then becomes, because the FTC Act, a federal statute, may not be used to prosecute ISPs for the mishandling and misuse of customer data, does that also mean state consumer protection laws—so-called “mini-FTC Acts,” because they’re derived from the federal law—are also impliedly preempted; an outcome that would render ISPs immune from prosecution under stringent state consumer protection laws like California’s? To presume that they would be is to conclude that responsibility for regulating consumer data privacy and security issues among ISPs would fall squarely on the FCC’s shoulders alone.
Communications the only act in town
So what does an FCC with suddenly expanded authority and responsibility to regulate ISPs look like? For a preview we can turn to the Communications Act. Under Section 222 of the Act, common carriers have a strict duty to safeguard the confidentiality of proprietary information of customers by taking “just and reasonable” protection measures. This section is the reason your phone company can’t sell your phone records to third parties, or give your cellphone number to telemarketers. Information like the phone numbers you call, when you call them, and the particular services you use, known as Customer Proprietary Network Information (CPNI), is collected by phone companies for billing purposes, but cannot be disclosed to third parties without a customer’s express permission. Since the kind of information included in CPNI is also captured by ISPs, it isn’t an extreme stretch to see how Section 222 will be applied to them.
Failure to uphold the common carrier confidentiality duty with just and reasonable protection measures can draw stiff FCC penalties. Just ask TerraCom and YourTel, two common carriers who had to fork over $10 million to the FCC last year for failing to protect the privacy of their customers’ personal information. The companies were charged under the Communications Act with failing to properly protect the confidentiality of consumers’ proprietary information, failing to employ reasonable data security practices, and engaging in deceptive and misleading practices by representing that they employed appropriate technologies to protect proprietary information when they did not. These charges echo both a willingness and an ability on the part of the FCC to take the consumer protection reins from the FTC.
FTC vs. FCC
Citing the TerraCom/YourTel case, many argue that the FCC is better equipped and more focused than the FTC to implement and enforce ISP data privacy and security regulations. Their main argument is that the FCC possess the technological knowledge and specific industry experience to create a much more circumscribed and proactive regulatory framework than the FTC can. They assert that the FCC has the ability to outright ban certain practices, and to set baseline standards for which data collection practices are permissible, and which are not. The FTC, on the other hand, is primarily reactive, they argue, bringing actions only after a defendant has done something unfair or deceptive. Just by having and adhering to clear privacy policies, many would-be defendants can escape FTC liability. But not so under FCC regulation, they maintain.
Those who disagree, including officials within the FTC itself, point to the FTC’s long history and vast experience with consumer protection matters, as well as the disparity between the two agency’s enforcement budgets (the FCC’s $47 million is less than half the FTC’s $130 million). As Jessica Rich, director of the FTC’s Bureau of Consumer Protection put it, the FCC’s decision “takes an experienced cop off the beat in this important area.”
A cloud of uncertainty
Regardless of which point of view turns out to be more correct, the transition from the oversight of one government regulator to another will no doubt cause headaches for ISPs. Under the FTCs watch, ISPs had decades of enforcement precedent and policy statements to derive guidance from. Questions like what constitutes personally identifiable information, and what exactly a company is prohibited from doing with it, had quick, if general answers. But no such guidance from the FCC exists yet, and it’s uncertain how quickly it will come. Given the level of confusion that ISPs will likely experience, it’s safe to assume that until further clarity arrives they will proceed cautiously in how they collect, protect and share customer data.
This uncertainty, and the likely reluctance to engage in information gathering and sharing, is sure to be felt by advertisers who rely heavily on ISPs for data. Depending on how long it takes the FCC to get its footing and establish regulatory ground rules for ISPs—and depending on how strict those rules are interpreted to be—advertisers may soon find their access to analytics harder to come by, affecting their ability to quickly and effectively reach consumers, and potentially changing the way they conduct research into online behavior.
But an even bigger threat to advertiser’s current way of doing business is the prospect that the reclassification of ISPs could eventually lead to other players, operating at different levels of the Internet ecosystem, being branded common carriers by the FCC. If broadband ISPs are now common carriers, why not the web browsers, or websites themselves, for instance? Both could seemingly fit the definition of facilitating the transmission of information between points specified by a user without changing its form or content. And it’s no secret that both collect and share data—lots of data. If a world in which ISPs no longer share their user information sounds daunting, imagine one in which Google and Facebook don’t. While the consumer in you might welcome such a world, the marketing professional in you must surely have some misgivings.
The content of this blog is intended for informational purposes only. The information provided in this blog is not intended to and does not constitute legal advice, and your use of this blog does not create an attorney-client relationship between you and attorney Brian J. Meli. Under the rules of certain jurisdictions, the material included in this blog may constitute attorney advertising. Prior results do not guarantee a similar outcome. Every case is different and the results obtained in your case may be different.
Legalmatter 