ISPs were beginning to weigh in on the FCC’s new broadband proposal taking a more nuanced approach by gauging its protection on the sensitivity of the data, though agency chairman Tom Wheeler’s proposal to categorize Web browsing histories and app histories as sensitive information was not sitting well with NCTA-The Internet & Television Association.
"The Chairman’s Fact Sheet describes a regime that departs from the FTC’s proven sensitivity-based approach to consumer privacy in several key respects," said NCTA. "Specifically, in its treatment of web browsing data and first party marketing of ISP services, the FCC departs from past FTC practice in ways that violate principles of fair competition and deny consumers the benefit of a consistent approach to online privacy protection. If the Chairman insists on advancing this approach, we would hope that his fellow commissioners would ‘opt-out’ and seek a result more faithful to the FTC’s proven framework of protecting consumers."
NCTA pushed for a more FTC-like model, but clearly this was not quite it. NCTA had a similar reaction to FCC Chairman Tom Wheeler's pivot on set-tops toward an app-based approach NCTA had proposed, which is while it looked like a pivot, it was not all it seemed.
The Information Technology & Innovation Foundation (ITIF) called it a faux compromise.
"The privacy framework announced today, like the Title II common carrier designation before it, sets a terrible precedent likely to reverberate throughout the Internet ecosystem for years to come," the group said.
"This proposed order represents one more slide down the slippery slope, away from the innovation-friendly world of flexible guidelines and effective oversight and towards a paternalist mother-may-I regime that will necessarily raise consumer costs and limit investment. Let’s be clear: This proposal is a vehement rejection of the type of U.S. regulatory oversight that has allowed U.S. businesses to thrive online and a sharp reversal from past claims that the U.S. government is committed to using multistakeholder processes for creating Internet-related policies. Instead, it would create a rigid regulatory regime and introduce a new collective action problem that would limit the use of virtually all data that can be put to economically beneficial uses.
"The FCC claims to hew more closely to the tried-and-true FTC privacy framework. It does only in that the FCC plans to base its data sharing consent requirements loosely around the sensitivity of the data involved, rather than placing heightened restrictions based solely on the company holding the data.
"But key departures from the FTC model negate most, if not all, of the advantages of this approach. First, the FTC offers guidelines, not regulatory mandates. The FCC’s class of 'sensitive' data requiring opt-in consent is absurdly large, effectively requiring ISPs to obtain opt-in consent for any uses of consumer data—a scenario that will chill investment and diminish competition by establishing disparate privacy rules for separate segments of industry.
"In addition, the FCC would force companies to ask for permission from the government before offering their broadband customers discounts for sharing of data. This paternalistic approach assumes that consumers are neither smart enough nor savvy enough to make their own choices about how to reduce their costs."
Telcos were a little more sanguine, though still with reservations.
“Consumers are best served when privacy rules are clear and consistent across the entire internet. We are pleased that the FCC has recognized the importance of providing consumers with a common expectation of privacy without regard to service or platform, and that the sensitive nature of the information being shared should be the determining factor in what is afforded increased protection," said USTelecom president Walter McCormick. "We are concerned, however, that the commission, which has no expertise with regard to determining the content of speech, is now attempting to redefine what consumers may regard as sensitive. In this regard, consumers would be better served if the FCC were to defer to the expertise of the FTC in this area, and the two agencies were to pursue a uniform approach.”
Verizon chief privacy officer Karen Zacharia said: "At Verizon, we are encouraged that the FCC appears to have taken seriously the input provided by a wide range of stakeholders and seems to be moving towards an approach that provides for more consistent standards across the internet ecosystem. We care deeply about our customers’ privacy, and understand that we have much at risk if we lose their trust. A consistent approach to privacy that gives consumers the same information and choices about the use of their data, regardless of the type of company they interact with online, is essential. Maintaining a consistent set of standards also will foster the competition and innovation that consumers love about the Internet.
"Where the FCC draws the line between sensitive and non-sensitive data will be important, but in general we agree that a sensitivity-based approach is more closely aligned with the Federal Trade Commissions’ choice framework and better for consumers," Zacharia added. "We think that this approach better reflects our customers’ expectations. In fact, at Verizon, we have long tailored choices for our customers based on data sensitivity.
"Verizon is much more than an ISP," she continued. "For a company like Verizon, which offers a diverse set of products and services across the Internet ecosystem, this movement towards a harmonized approach is particularly important."
The Association of National Advertisers sounded hopeful but concerned.
“We are just beginning to review Chairman Wheeler’s Broadband CPNI Fact Sheet, and are pleased that it now distinguishes between sensitive and non-sensitive information," ANA said in a statement. "This distinction is critically important and consistent with existing law and self-regulatory standards, like those of the Digital Advertising Alliance. While the Fact Sheet cites some examples of the information that will fall into each category, it will be crucially important that the definition of sensitive information is not overly broad or this approach will prove onerous both to business and consumers and counterproductive. We are also extremely concerned about some provisions, including the overly-burdensome data breach notification obligations that are inconsistent with state approaches to this issue in the U.S. This aspect of the proposal is highly likely to force companies often to have to prematurely notify a breach before all facts are at hand. We look forward to working with the FCC on these issues as this matter advances.”