The FCC's Authority to Regulate Internet Privacy

Abstract

As the first and last mile conduit, mobile and fixed broadband Internet access service providers (ISPs) play an important role for consumers to access an array of information, services, and applications. As the FCC has taken new steps to preserve an open Internet within the network neutrality debate, concerns nevertheless arise over what extent user privacy is protected by broadband ISPs, social media sites and apps providers. Thus far, most digital privacy rights that consumers enjoy are guided by terms of service or use conditions that define the extent to which their information is collected and shared. Within this realm, typically consumers willingly agree to broad terms of service agreements that facilitate the big data market, including the first step they take to access the rest of the Internet.

The FCC’s 2015 Open Internet order was significant in its reclassification of broadband as a telecommunications service, in effect relegating ISPs to fall under Title II common carriage regulation. The Commission used this authority, buttressed by Section 706 and Title III (wireless) to prohibit blocking, paid prioritization and throttling and enhance transparency requirements but noted important concerns still arise over ISP privacy and data use policies. For the time being, the FCC exercised forbearance to apply the existing customers proprietary network information (CPNI) rules under Section 222. The Commission found that broadband ISPs are “necessary conduit for information passing between an Internet user and Internet sites or other Internet users, and are in a position to obtain vast amounts or personal and proprietary information about their customers.” The Commission acknowledged that user data privacy is a legitimate concern and is set to launch a separate rulemaking proceeding that will address specifically how CPNI applies to broadband ISPs.

Concerns over consumer privacy and data use is nothing new within telecommunications policy. In years prior, the FCC has used CPNI rules to protect the confidentiality and disclosure of consumer calling records that apply to wired and wireless telephone and VoIP providers. The Commission has also enforced the 1984 Cable Communications Privacy Act to restrict cable television subscriber privacy records, requiring cable operators to refrain from collecting personally identifiable subscriber information without prior consent or to share such information to third parties. However broadband Internet is arguably an entirely different category in terms of the amount of information that may be collected and shared, moving well beyond telephone numbers and television programming selections to the so-called “Internet of things” ecosystem. This paper sets for the following main research questions: What existing regulatory authority does the FCC possess to specifically regulate data use and privacy policies among broadband ISPs? To explore these questions, this paper will use legal research and analysis to explore the degree to which Section 222 as well as Section 706 may apply to broadband ISP data use and privacy policies. The paper will also examine data use and privacy policies within several broadband ISPs terms of service to help determine the degree of information that is collected and shared internally as well as with third parties. In conclusion, this paper will provide policy recommendations to help protect consumer privacy as it applies to broadband ISPs.