With breaches of consumer data occurring all too frequently, who could be against proposals to improve privacy on the Internet?
Well, a broad swath of the e-commerce sector, ranging from CTIA-The Wireless Association to USTelecom and the National Retail Federation, is strongly opposed to a recent proposal from the Federal Communications Commission to regulate privacy. These groups aren't against privacy protection, per se -- they just don't like the FCC approach.
Normally, such administrative proposals gain attention only from dedicated attorneys and policy wonks.
However, the proposal appears to be moving into a much more visible forum, with the active engagement of congressional committees and a potential for controversy similar to that of the FCC's Net neutrality policy.
The FCC proposal focuses on Internet service providers. It wants to ensure that ISPs will be subject to federal regulation regarding the protection of consumer data, with the authority for enforcing that regulation resting with the commission.
ISPs and other e-commerce entities claim that the FCC is exceeding its legal authority, and that the e-commerce privacy regulation regime already established by the Federal Trade Commission is sufficient. They not only have submitted critical comments to the FCC, but also have taken their case to Congress.
The result is that Congress could intervene with legislative action that would modify or even cancel the FCC's move to regulate ISP privacy. The emerging involvement of Congress has surfaced in several ways:
House Energy and Commerce Committee: A subcommittee last month conducted a hearing titled "FCC Overreach: Examining the Proposed Privacy Rules."
That title, "aptly sums up" the opinion of some committee members, "but fails to convey the scope of the damage the commission's actions could have on the Internet and on consumers," warned subcommittee chairman Rep. Greg Walden, R-Ore.
Two of the three witnesses at the hearing were critical of the FCC approach.
Walden called upon the FCC to "engage in thoughtful discussions with industry to develop flexible and consistent rules" that mirror the Federal Trade Commission Internet privacy regulation framework "that has proven successful in today's digital marketplace."
Senate Judiciary Committee: A subcommittee in May conducted a hearing on the proposal with two members of the FTC and two FCC commissioners. FCC chairman Tom Wheeler defended the commission's ability to regulate ISPs under the Communications Act.
The FCC has "started down a path that will provide clear guidance to Internet Service Providers and their customers about how the privacy requirements of the Communications Act apply to the most significant communications technology of today," he noted.
FTC Chairwoman Edith Ramirez recounted several positive joint efforts with the FCC and noted the agency would file specific comments to the commission.
Building a Record: Internet service providers critical of the FCC proposal have submitted comments to the commission, as have supporters of the rulemaking, such as the Electronic Privacy Information Center.
In addition to participating in the FCC process, both supporters and critics see congressional attention as important, and have filed comments with the House committee. ISPs in particular have pointed to the potential for Congress to act.
The FCC in 2015 essentially changed the status of ISPs, making it possible for the commission to regulate them as common carriers. Using its self-granted authority, the FCC earlier this year issued a Notice of Proposed Rulemaking covering ISP privacy.
As common carriers, ISPs could continue using some customer information for marketing ISP services, the commission said, but for any uses beyond that narrow scope, various customer opt-in or opt-out regulations would apply.
ISPs also would be required to provide customers with certain types of notification regarding the use of data by third parties. The regulations would not apply to social media Internet entities known as "edge providers," which also gain access to significant amounts of customer data.
The FCC's classification of ISPs as common carriers akin to basic telecom connectors is beyond the scope of FCC law, critics have said.
Exempting edge providers results in an uneven approach to regulation, they have argued. Further, because the FCC proposal is at variance with existing FTC regulations, it would create confusion between two regulatory approaches.
"The proposed restrictions are both unnecessary and far more burdensome than the flexible privacy safeguards the FTC has long placed on the Internet ecosystem. Worse yet, they would do nothing to advance the cause of privacy because Internet companies other than ISPs -- Google to Amazon to Acxiom -- will go on collecting and using all of the same consumer data, regardless of what the Commission does in this proceeding," AT&T said in comments filed with the FCC.
One result of the FCC proposal would be "less competition for the advertising juggernauts at work in the internet today," noted AT&T Senior Vice President Bob Quinn.
USTelecom also criticized the FCC's approach, noting that the commission failed to differentiate between protecting sensitive and nonsensitive data.
The opt-in and opt-out provisions stand as a "radical departure" from the FTC approach, USTelecom said in comments filed with the FCC. "The Commission's proposal to impose data security control requirements on one sector of the Internet ecosystem is misguided and will only produce a false sense of security among the customers it hopes to protect."
Importantly, FTC Chairman Ramirez appeared to invite legislative action in responding to a query from Senator Orrin Hatch, R-Utah.
"The FTC has long supported federal legislation that will address data security and breach notification that would apply to all companies, including telecommunications carriers," she said.
Enactment of such legislation "would allow the FTC to protect consumers against unfair and deceptive practices committed in the provision of common carrier service, which involves access to large amounts of consumer data and which competes with other services that are subject to the FTC's enforcement authority," Ramirez added.
"However, because legislation has not been enacted in these areas, the FTC currently lacks jurisdiction over common carriers when they are engaged in common carrier activity, and cannot take action when such entities fail to maintain reasonable security during those activities," she explained.
The industry has recognized the potential for congressional intervention.
"We continue to look at all options on the Hill and at the FCC to stress the point that there needs to be a consistent set of privacy rules for consumers," USTelecom SVP for Communications Anne Veigle told the E-Commerce Times.
One consumer advocacy group takes a dim view of potential congressional involvement, however.
"Protecting the privacy of ISP subscribers and their families is in the hands of the FCC and its Democratic majority. Some in Congress can rant and threaten, but the FCC has the authority to move forward -- now effectively bolstered by the recent Network neutrality decision," said Jeff Chester, executive director of the Center for Digital Democracy.
"ISPs don't have a right to monitor and monetize a subscriber's data and actions in order to generate additional revenues. They are in the business of network connections and management. The FCC must ensure that the broadband network respects the privacy of those who pay for service each month," he told the E-Commerce Times.
"Cable and phone giants will seek legislation and court action -- but they will lose in the court of public opinion if they seek gathering our personal information without informed, prior (opt-in) consent," Chester maintained. "ISPs have created a forcible data collection apparatus that undermines privacy. The FCC needs to ensure the public is fairly treated."