The Federal Communications Commission’s (“FCC”) net neutrality proceeding culminated this month with the release of an Order reclassifying broadband Internet access service as a common carrier Telecommunications Service subject to regulation under Title II of the Communications Act. Previously, the FCC classified broadband service as a lightly regulated Title I Information Service, while Title II was primarily used to regulate telephone service. This decision by the FCC has two major privacy implications for broadband customers and Internet Service Providers (“ISPs”).
First, as previously reported on this blog, the FCC’s reclassification decision puts in flux the federal agency that has authority to enforce ISP’s privacy policies. Until now, the Federal Trade Commission (“FTC”) has asserted its Section 5 authority over “unfair or deceptive” practices to bring enforcement actions against companies that violate their own privacy policies or fail to adequately safeguard customer data. The FTC has brought dozens of actions over privacy policy violations, and previously declared that it has the authority to do so specifically against broadband providers that violate their published policies. In fact, though not a privacy allegation, the FTC recently used its Section 5 authority to bring an enforcement action against AT&T in its capacity as an ISP for allegedly “throttling” data throughput even when a customer signed up for an unlimited data plan.
But Section 5 of the FTC Act exempts common carriers from FTC oversight of “unfair methods of competition… and unfair or deceptive acts or practices.” With broadband service soon to be regulated as common carriage in light of the FCC’s Order, and broadband ISPs regulatedas common carriers, the FTC will likely lose its enforcement authority over that service to the FCC. In the fall of 2014, FTC Commissioner Maureen Ohlhausen expressed concern over the FTC’s continued ability to protect consumers should the FCC decide to pursue reclassification, and FTC officials, including FTC Chairwoman Edith Ramirez and Consumer Protection Director Jessica Rich, recently reiterated those concerns and called on Congress to eliminate the common carrier exemption. One data security and breach notification bill currently before the House Subcommittee on Commerce, Manufacturing, and Trade would do just that in the limited context of privacy.
Second, broadband service is now subject to the privacy provisions of Title II that protect Customer Proprietary Network Information (“CPNI”) – which includes information related to the quantity, location, and amount of use of a telecommunications service. However, the FCC’s rules implementing those provisions are mostly inapplicable to broadband service as they specifically focus on protecting information related to telephone calls, such as phone numbers dialed and the duration of calls. To resolve this dilemma, the FCC’s Order applies Section 222 of the Communications Act to broadband providers, which prohibits carriers from using or disclosing individually identifiable CPNI without consent except as needed for providing service, but forbears from applying the FCC’s current implementing rules pending further proceedings to adopt new rules that apply specifically to broadband.