Last week Congress officially overturned the FCC’s privacy rules for ISPs after the U.S. House of Representatives voted 215-205 and the Senate voted 50-48 to pass the resolution. President Trump signed the bill into law on Monday. Despite media reports to the contrary, however, this vote does not mean that ISPs are free to use their customers’ data however they like. In fact, the FCC’s privacy rules never even went into effect, and the FCC has been regulating ISPs’ privacy and security practices since 2015 without them. Overturning the rules simply maintains the status quo and reinforces the idea of a single, uniform set of privacy obligations governing consumer data.
The rules laid out standards for how ISPs collect and use their customers’ information, but had drawn criticism from industry, including CompTIA, for diverging from the FTC’s time-tested case-by-case approach to privacy regulation. They ultimately placed prescriptive restrictions on ISPs’ ability to collect and use data that were out of step with the rules used to govern the rest of the tech sector. CompTIA, and others in the tech sector, had simply argued that one set of rules should apply to the entire tech industry, regardless of who is collecting the data.
To place this in context, it is important to know that in February 2015 the FCC passed its Open Internet Order, which, among other things, implemented the well-known net neutrality rules. Prior to the Order, the Federal Trade Commission (FTC) regulated the data security and privacy practices of ISPs. To ensure the net neutrality rules had proper legal grounding, the FCC reclassified broadband internet access service (BIAS) from an information service to a telecommunications service. Telecommunications services are considered “common carriers” under the Communications Act, and the FTC is forbidden from regulating common carriers under Section 5 of the FTC Act. Thus, authority to regulate ISPs’ data privacy and security practices switched from the FTC to the FCC in 2015 with the passage of the Open Internet Order.
The FCC rooted its authority to pass the privacy rules in sec. 222 of the Communications Act, which says that telecommunications carriers must protect their customers’ “proprietary information,” and places restrictions on how telecommunications carriers use “customer proprietary network information” or CPNI. The Open Internet Order showed clear intent to use sec. 222 to cover information ISPs collect from their customers. While there is debate about what information falls into the definition of CPNI, sec. 222 remains in place even after Congress’ actions this week, and thus there is still a law on the books requiring ISPs to protect customer information and regulating how they use that information. This has been the status quo since the Open Internet Order was passed in 2015. The privacy rules were only passed last fall and were not set to go into effect until the end of 2017. Sec. 222 remains the law of the land today as it has been for the last two years. Additionally, Sec. 201(b) broadly prohibits unjust and unreasonable practices by ISPs, and could be used as a basis for a case involving misuse of consumer information.
Further, most, if not all, ISPs have privacy policies in place that clearly lay out how they use customer data. They cannot, as some have reported, sell your browser history to the highest bidder simply because the privacy rules have been overturned. That would violate their own privacy policies and thus likely violate sec. 201’s prohibition on unjust and unreasonable practices. And ISPs can’t change their privacy policies without their customers’ permission for the same reason. Additionally, most ISPs also allow their customers to opt out of some types of data collection and have a say in how their data can be used.
It is important to know exactly what impact last week’s vote had on consumer privacy. Yes, the FCC won’t implement its recently passed privacy rules at the end of the year. But there are still laws on the books protecting ISPs’ customers’ privacy, and there are self-imposed limits on what ISPs can do with the data they collect.