President Trump signed a Congressional Review Act (CRA) resolution on April 3, 2017 that nullified the Federal Communication Commission’s (FCC) privacy rule aimed at Internet Service Providers (ISPs). As discussed in the WLF Legal Pulse’s reading list for FCC regulators last month, the Commission adopted the rule just before the 2016 election over the opposition of two Commissioners (including one who has since become FCC Chairman). WLF filed comments last May opposing the proposed rule. Many media commentators and self-styled consumer advocates proclaimed that the proverbial sky was falling due to the nullification. Such ideologically-fueled Chicken-Little rhetoric, however, does not reflect reality.
Post-nullification analyses bemoaned ISPs’ collection of consumers’ “personal information” and the ability of these companies to sell such information to expand their businesses. Nay-sayers’ complaints essentially boiled down to the bromide offered in the Washington Post: the CRA resolution “wipe[d] away landmark privacy protections for Internet users.”
The protections were “landmark” in the sense that no other federal agency had imposed the specific requirements FCC had through the rule. FCC did so, however, by relying upon an unprecedented interpretation of its own authority under the Communications Act, a legal transgression WLF discussed at length in its comments and a recently published Working Paper. The agency also leaped into a federal privacy regulation space that had long been occupied by the Federal Trade Commission (FTC). The October 2016 rule may have sought to protect consumers, but it did so at the cost of violating the rule of law and federal agency comity.
The October 2016 rule provided very few, if any, actual benefits for consumers. In fact, the compliance activities the rule required of ISPs would have imposed new costs, which service providers would invariably pass on to consumers. ISPs’ reduced ability and incentive to collect consumer data—data which has been de-identified and aggregated—would impede internet customers’ shopping and other experiences.
The rule was also based upon the flawed assumption that ISPs harvest consumer data in order to profit from it—through sales to third parties. As FCC Chairman Ajit Pai and FTC Acting Chair Maureen Ohlhausen recently noted in a co-authored op-ed, “That’s simply not how online advertising works. And doing so would violate ISPs’ privacy promises.”
In addition, the rule created different permission standards for businesses that collect and use online consumer data. Data collection by ISPs required formal consumer opt-in under FCC’s rule. Collection of the same data by so-called edge providers—other internet businesses such as search engines and social-media platforms—remained subject to FTC oversight, which mandates no opt-in. As Chairman Pai and Acting Chair Ohlhausen noted in their op-ed, “The FCC’s regulations weren’t about protecting consumers’ privacy. They were about government picking winners and losers in the marketplace. If two online companies have access to the same data about your Internet usage, why should the federal government give one company greater leeway to use it than the other?”
FCC’s now-nullified rule offered consumers a false sense of online privacy. Instead of marshalling the many online privacy-protection devices and solutions available, and utilizing common sense, consumers would have instead let down their guard and relied upon government, a risky proposition at best. WLF Legal Policy Advisory Board member and former FCC Commissioner Harold Furchtgott-Roth and his Hudson Institute colleague (and author of the Working Paper mentioned above) Arielle Roth argued similarly last year at Forbes.com that because the internet is made up of so many entities, “it is naïve to think that any single company or government agency can offer comprehensive [privacy] protection.”