New FCC Chairman Ajit Pai tried to calm panicked consumer advocates this week when he announced that he had not decided what, if anything, the Commission planned on doing about net neutrality. Pai stated that he is opposed to the current Title II common carrier classification for ISPs, but would study the issue further. This inaction makes sense since Pai is waiting to see if Congress can quickly “fix” net neutrality before the FCC is forced to address it again in a lengthy proceeding.

Of course net neutrality advocates should not be heartened by this news, since the FCC can effectively gut the FCC’s Open Internet Order by simply choosing not to enforce it. Thus, for the foreseeable future, expect the agency to ignore concerns about zero-rated data services and other potential complaints parties may have about ISP pricing. In the same vein, the Commission just extended the exemption for small ISPs from complying with the Open Internet transparency rules, which almost certainly would not have occurred under the previous FCC Chairman Tom Wheeler.

While action on net neutrality is unlikely in the short term, it appears likely that the new ISP privacy rules will be the first Wheeler pro-regulatory order under attack. On January 3, 2017 eleven parties filed Petitions for Reconsideration of the FCC’s November 2, 2016 ISP Privacy Order in Docket 16-106.

ISPs argued that the privacy rules unfairly targeted them while edge providers faced more lenient rules under authority of the Federal Trade Commission (FTC). The Petitioners requested the Commission to treat all Internet players the same. These requests would have been flatly rejected by the previous FCC, but under the new administration, they have an excellent chance to succeed.    

ISPs have gone a step further. On January 27, 2017, a Joint Petition for Stay of the Privacy Order was filed by the The American Cable Association (ACA), the Competitive Carriers Association (CCA), CTIA, ITTA – The Voice of Mid-Sized Communications Companies (ITTA), NCTA – The Internet & Television Association (NCTA), NTCA – The Rural Broadband Association, the United States Telecom Association (USTelecom), the Wireless Internet Service Providers Association (WISPA), and WTA – Advocates for Rural Broadband. The Petitioners requested the FCC to stay the Order until the Petitions for Reconsideration are resolved.

[T]he rules imposed in the Order governing ISP use and sharing of [Broadband Internet Access Service] BIAS customer data are unsound as a matter of both law and policy. Petitioners seek a stay in order to undo the Order’s dramatic departures from the FTC’s privacy framework, which effectively balances the twin objectives of providing consumers control over their personal information while preserving opportunities for beneficial uses of data that lead to innovation, new products and capabilities, customized services, and growth in the digital economy. Staying the Order would allow the Commission to consider the Petitions for Reconsideration without causing significant disruption to businesses and creating confusion for consumers. The Petitions aim to restore the proven and effective approach of protecting consumers’ privacy rights through the consistent and uniform application of a single set of privacy obligations applicable across the Internet to all companies that come into contact with broadband consumer data.  (FCC Docket 16-106, Joint Petition for Stay, filed January 27, 2017 at p. 3)

ISPs are acutely aware that even if their argument is correct and they should have the same privacy rules as edge providers, making the case for more equitable privacy rules is not good public relations. Therefore, as part of their Joint Petition, they cleverly listed several privacy principles they intended to follow regardless of the legal status of their Petition. Almost, all large ISPs including AT&T and Verizon intend to follow these principles. According to the ISPs:

We understand the importance of maintaining our customers’ trust. That is why we will continue to provide consumer privacy protections, while at the same time meeting consumers’ expectations for innovative new product solutions to enhance their online experiences. Regardless of the legal status of the FCC’s broadband privacy rules, we remain committed to protecting our customers’ privacy and safeguarding their information because we value their trust. As policymakers evaluate the issues, we will maintain consumer protections that include the following:  

Transparency - ISPs will continue to provide their broadband customers with a clear, comprehensible, accurate, and continuously available privacy notice that describes the customer information we collect, how we will use that information, and when we will share that information with third parties.

Consumer Choice - ISPs will continue to give broadband customers easy-to-understand privacy choices based on the sensitivity of their personal data and how it will be used or disclosed, consistent with the FTC’s privacy framework. In particular, ISPs will continue to: (i) follow the FTC’s guidance regarding opt-in consent for the use and sharing of sensitive information as defined by the FTC; (ii) offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing; and (iii) rely on implied consent to use customer information in activities like service fulfillment and support, fraud prevention, market research, product development, network management and security, compliance with law, and first-party marketing. This is the same flexible choice approach used across the Internet ecosystem and is very familiar to consumers.

Data Security - ISPs will continue to take reasonable measures to protect customer information we collect from unauthorized use, disclosure, or access. Consistent with the FTC’s framework, precedent, and guidance, these measures will take into account the nature and scope of the ISP’s activities, the sensitivity of the data, the size of the ISP, and technical feasibility.

Data Breach Notifications - ISPs will continue to notify consumers of data breaches as appropriate, including complying with all applicable state data breach laws, which contain robust requirements to notify affected customers, regulators, law enforcement, and others, without unreasonable delay, when an unauthorized person acquires the customers’ sensitive personal information as defined in these laws. (Id., at Appendix A).

Of course, even if a stay is granted by the Commission, which is likely, it would not be the last word on Internet privacy. Any change in the rules for ISPs is likely to be appealed to the courts by consumer advocates. Moreover, the fate of the ISP rules is inexorably tied to net neutrality. If the Title II classification for broadband Internet access services providers is changed, ISPs would once again be information service providers and regulated by the FTC’s privacy rules. That is probably the ultimate outcome for this issue, but it is not likely to be finally decided without a major court battle.  

By Andy Regitsky, CCMI