- Reuters/Henry Romero
In a victory for internet service providers like Verizon, Comcast, and AT&T, the US Senate on Thursday voted to kill a set of Obama-era privacy regulations passed by the Federal Communication Commission in October.
The most notable part of the rules, which has not taken effect, would require ISPs to get explicit consent before sharing consumers’ web-browsing data and other personal information with advertisers.
The vote passed 50 to 48 along party lines, with Republicans in favor of the repeal and Democrats against.
They were voting on a resolution proposed earlier this month by Republican Sen. Jeff Flake of Arizona and cosponsored by 24 other Republicans that broadly calls for the FCC’s privacy rules to “have no force or effect.”
The resolution was proposed via the Congressional Review Act, a seldom-used law that the GOP is more widely applying to repeal federal regulations they contested late in the Obama administration with a simple majority vote. Republicans have a majority in both chambers of Congress.
The resolution will now need to pass in the House of Representatives – where Republican Rep. Marsha Blackburn of Tennessee proposed a similar resolution earlier this month – then be signed by President Donald Trump before going into effect.
Because the resolution uses the CRA, the FCC would be outlawed from creating similar privacy regulations if the repeal is signed by Trump.
The FCC’s privacy rules were passed in a party-line vote in October after months of contention between Democrats and Republicans at the agency.
The rules were something of a follow-up to the 2015 Open Internet Order, the high-profile regulations that classified the internet as a public utility. That set in place today’s net-neutrality rules – which forbid ISPs from blocking, throttling, or prioritizing sites as they see fit – but also left the FCC in charge of ISPs’ privacy regulations.
- Getty/Chip Somodevilla
The privacy rules apply a range of guidelines to ISPs about how they treat consumer data, but the most notable bit would force them to obtain explicit consent before they’re able to share “sensitive” consumer information with advertisers.
In other words, ISPs would need you to opt in to their data-collection policies before they’re able to take that sensitive data and use it for targeted ads. When people are given that explicit option, they are typically less likely to accept it. That means less potential revenue for ISPs.
Much of what the FCC deemed “sensitive” fell in line with looser, pre-net-neutrality privacy guidelines from the Federal Trade Commission – things like financial, health, and geolocation info – but the agency notably added web-browsing and app-usage data to the list.
That specific provision is not scheduled to go into effect until later this December, however.
Even under the would-be privacy rules, which now appear doomed, ISPs would not be required to get opt-in consent for other bits of personal information like email addresses.
The FCC chairman, Ajit Pai, has strongly opposed the privacy rules, and voted against them as a commissioner last October. Last month he halted one part of the privacy rules that would’ve broadly required ISPs to “engage in reasonable data security practices.” Pai and GOP commissioner Michael O’Rielly have a 2-1 majority at the agency.
- Reuters/Brian Snyder
Pai feels the privacy rules unfairly target ISPs and give internet companies like Google and Facebook the ability to harvest more consumer data and dominate digital advertising. Google and Facebook are by far the two biggest players in the digital ad industry.
Websites like Google and Facebook are still regulated by the FTC’s looser guidelines and thus are not forced to obtain opt-in consent before they collect and sell your web-browsing and app-usage data. This is partly why you may see ads personalized to your browsing history when you browse the web.
ISPs aren’t happy about this discrepancy, and they have petitioned the FCC to roll back the rules entirely. Telecom industry groups have said keeping the rules could limit ISPs’ ability to provide otherwise free or low-cost services. The wireless-industry trade group CTIA also argued in a note to the FCC last week that web-browsing and app-usage history were not “sensitive” information.
The debate comes at a time when ISPs like Verizon are increasingly interested in boosting their digital advertising presence.
Even though internet companies are not covered here, they have also opposed the regulations, mainly because they do not want a precedent to be set that may apply to their data-collection policies in the future. Groups representing Google, Facebook, and the like urged Congress to repeal the privacy rules using the CRA this past January.
Another shot at the net-neutrality rules
Like many issues in Washington, this is a heated debate drawn squarely along party lines.
Democrats and consumer-advocacy groups argue that it is fair to apply more stringent privacy rules to ISPs because it is generally more difficult to switch internet providers than it is to use different websites – particularly in rural and low-income areas with fewer choices of ISPs – and because ISPs are more easily capable of seeing everything you do over the internet connections they sell. (Though it’s worth noting that behemoths like Google and Facebook are able to reach beyond their own sites.)
They also note that many websites provide free services in exchange for their targeted ads, whereas ISPs still charge relatively high fees for access to internet service.
Republicans and other conservatives, however, call the privacy regulations an overreach by a federal agency.
“In reality, this is just yet another avenue designed to give the FCC more control over the internet that should be open,” David Williams, the president of the right-leaning Taxpayers Protection Alliance, said Tuesday in a statement in favor of the act.
Pai ultimately wants to return ISP privacy regulation to the FTC, as was the case prior to the net-neutrality order. Until that’s possible, though, he has called for a privacy framework that allows ISPs to be regulated under guidelines similar to those from the FTC, putting them back in line with how internet companies are enforced.
“All actors in the online space should be subject to the same rules, enforced by the same agency,” Pai and the acting FTC chairwoman, Maureen Ohlhausen, said in a joint statement upon the FCC’s data-security stay last month. “Until that happens, however, we will work together on harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for other companies in the digital economy.”
But if privacy enforcement of ISPs is eventually removed from the FCC, there are doubts over whether the FTC has the authority to regulate ISPs’ privacy practices at all. Apart from the restriction on future regulations set by the CRA, an appeals-court decision last year said AT&T was exempt from FTC oversight because it is a “common carrier” – a title that was set for all internet providers through the 2015 net-neutrality order.
Pai says that, if the privacy rules are reversed, the FCC will still be able to regulate ISPs’ privacy policies using Title II, Section 222 of the Communications Act. Those regulations are less stringent than the Obama-era regulations, however, and do not cover web-browsing or app-usage data.
- Reuters/Yuri Gripas
Title II is the linchpin of the 2015 net-neutrality order, and it is what gives the FCC much of its regulatory power over ISPs. But it is also what Pai and other Republicans most wish to dismantle as part of a larger rollback of the net-neutrality rules. If that happens, as expected, it could further reduce any privacy-related oversight of ISPs.
Even if the net-neutrality order is undone, ISPs like Verizon and AT&T would retain “common carrier” status because they offer telephone services. That could create a situation in which no agency has clear regulatory authority over certain ISPs’ privacy practices, and thus require further action to expand FTC authority. That may be unlikely with the deregulatory-minded GOP in charge. It’d also make it unclear if internet providers would be forced to give opt-in or opt-out options before selling web-browsing or app-usage data.
Democrats blasted Thursday’s vote as taking too much control of personal data out of consumers’ hands. “This is yet another repeal without a replace,” said Democratic Sen. Brian Schatz of Hawaii, likening the vote to the ongoing healthcare debate.
“Let me be clear: This is the single biggest step back in online privacy in many years,” he continued.
Consumer advocacy groups were similarly opposed.
“What I can say with confidence is Congress is handing a gift to the lawyers for the cable and telephone industry to be able to fight back against privacy law enforcement and putting consumers at a disadvantage to have their rights protected,” said Ernesto Falcon, legislative counsel at the left-leaning Electronic Frontier Foundation.
A final rollback of the rules appears all but certain at this point, be it through the congressional action here or an eventual FCC move. ISPs, advertisers, and internet companies can breathe a sigh of relief, but privacy advocates can consider it a missed opportunity.