On March 10, The Federal Communications Commission (FCC) announced a proposal for privacy rules for Internet service providers (ISP) that would see the agency regulate how Internet service providers handle user privacy. The agency is looking to restrict ISPs ability to share with advertisers and other third parties the information they collect about what their customers do online. The proposal sets forth new rules that would require ISPs to obtain affirmative opt-in consent for the use and sharing of data that has not been specifically collected for the purpose of providing communications-related services. ISPs must also take reasonable steps to protect that information and notify affected customers within 10 days of discovering a data breach.
The proposal would create some of the strongest privacy regulations for any segment of the technology and telecommunications industries and could have significant impact on how ISPs compete and do business. Such a significant change in their business model will in turn effectuate changes throughout the business of the Internet. Profits will no doubt shrink for ISPs thereby putting pressure on providers to increase fees for users. Because not all Internet sites will be treated as ISPs, there will be an inequity in the treatment of different Internet business entities resulting in a power shift away from ISPs, which will likely compel service providers to exercise legal action in order to revoke the new rules.
The privacy rules proposal stems directly from the FCC’s new so-called “net neutrality,” or Open Internet, rules, which expanded the agency’s authority over Internet service providers. After issuing the Open Internet rules, the FCC began drafting broadband-specific privacy rules. The FCC has taken the position that after it reclassified broadband providers as utilities, it was compelled by law to create privacy rules.
The FCC ISP proposal creates new rules for ISPs regarding collection, disclosure, consent and use of user data in the Internet context. It is very likely that a business that relies on or uses tracking software to gather data on consumer Internet traffic or behavior in any way (e.g., customized ad buys, cookies, big data algorithms, mobile payments processing), will be affected by the proposal either directly as an ISP or an entity that has a business relationship with and ISP.
The inclusion of an opt-in standard for certain data uses is significant. Traditionally in the U.S., privacy guidelines require only that users opt-out of data uses such as ad targeting based on behavioral data. The new FCC rules for ISPs will require that users opt-in for most uses of their data including but not limited to providing this information to marketing and advertising companies.
The proposal will likely significantly impact ISP business models and companies that have formed relationships with ISPs to source user data. These companies will need to look elsewhere for consumer data which will reduce revenue for ISPs as well as reduce their power by virtue of growth and innovation. The non-regulated entities will become more powerful as sources of data will become more rare.. This drop in revenue will likely lead to price increases for users. Ultimately the bottom line must remain at a certain level or greater and as such the cost shifting effect of the new FCC rules will bear directly on end users. It remains to be seen, however, how many users will opt-in, and therefore difficult to predict the impact of the FCC proposal on the cost of doing business on the Internet.
Also, not all Internet entities are covered by the new FCC rules. The rules affect only companies that connect users to the Internet including Comcast, Verizon and Sprint. The new rules do not apply to Internet companies that have huge advertising businesses based on customer data, such as Facebook or Google. Those companies are regulated by the Federal Trade Commission (FTC). The result of the FCC’s new rules will be a revenue and power shift away from ISPs towards already Internet behemoths
Historically, the FCC has had to litigate to defend most of its new rules and regulations. In this instance it is no different, and may in fact be even more litigious. After passing the Open Internet Order in 2015, the FCC found itself defending its regulations in almost a dozen lawsuits by IPS and Telecom companies. Currently the remaining cases are before the U.S. Court of Appeals in Washington, D.C..
Even if the court rules in the FCC’s favor, the FCC’s new net neutrality proposal is not final. The Telecom companies and ISPs can appeal to the Supreme Court, and the House is already working to include anti-network neutrality riders in future spending bills which would put a kibosh on the FCC’s new rules for ISPs.
Some view the reclassification of broadband providers as utilities coupled with the new ISP regulatory proposal as a power grab by the FCC to ensure its relevance in an ever expanding cyber world. Regardless of the motivation, the FCC regulating ISPs is likely to take hold as long as the reclassification is upheld in the courts. The question then becomes how will ISPs and consumers adjust to these new rules of the information highway?
John F. Stephens is a Partner in the Los Angeles office of Sedgwick LLP and Chair of the firm’s chair of Cybersecurity and Privacy practice group.
Filed Under: Industry regulations