Telecommunications and Internet Service Providers

On April 4, 2017, President Trump signed legislation repealing the Federal Communications Commission’s (FCC) privacy protections adopted in October 2016. The regulations, set to go into effect later this year, would have required internet service providers (ISPs) to adopt stricter consumer privacy protections than websites like Google and Facebook. Among other things, the regulations would have required ISPs to obtain consent before sharing sensitive customer proprietary information, take reasonable measures to secure customer proprietary information, provide notification to customers, the FCC and law enforcement in the event of data breaches, and not condition provision of service on the surrender of privacy rights.

The regulations were opposed by many ISPs who felt that they would be at a disadvantage to companies like Amazon, Google and Facebook, who are regulated by the Federal Trade Commission (FTC). Because these companies offer internet services, and do not provide internet connection, they are subject to the less restrictive FTC regulations. While many ISPs have promised not to sell proprietary customer information, these promises are voluntary. President Trump’s repeal leaves the states as the only real possible enforcer of ISP privacy regulations.

Vintage toned Wall Street at sunset, NYC.

Today, acting FTC Chairman Maureen K. Ohlhausen and FCC Chairman Ajit Pai issued a joint statement on the FCC’s issuance of a temporary stay of a data security regulation for broadband providers scheduled to take effect on March 2.  In their statement, they advocate for a “comprehensive and consistent framework”, so that Americans do not have to “figure out if their information is protected differently depending on which part of the Internet holds it.”

The Chairmen stated that for this reason, they disagreed with the FCC’s 2015 unilateral decision to strip the FTC of its authority over broadband provider’s privacy and data security practices, and believed that jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC, thus subjecting “all actors in the online space” to the same rules.

Until then, the joint statement provides, the two chairmen “will work together on harmonizing the FCC’s privacy rules for broadband provider with the FTC’s standards for other companies in the digital economy.”  The statement provides that the FCC order was inconsistent with the FTC’s privacy framework. The stay will remain in place only until the FCC is able to rule on a petition for reconsideration of its privacy rules.

In response to concerns that the temporary delay of a rule not yet in effect will leave consumers unprotected, the Chairmen agree that it is vital to fill the consumer protection gap, but that “how that gap is filled matters” – it does not serve consumer’s interests to create two separate and distinct frameworks – one for Internet service providers and another for all other online companies.

Going forward, the statement says, the FTC and the FCC will work together to establish a uniform and technology-neutral privacy framework for the online world.

To view the joint FTC and FCC statement, click here.

To view the FCC Order staying the regulation, click here.

Today, Vizio, Inc., agreed to pay $2.2 million to settle charges by the FTC and the New Jersey Attorney General that it installed software on its Smart TGVS to collect viewing data on 11 million consumer televisions without the consumers’ knowledge or consent. The $2.2 million payment includes a $1.5 million payment to the FTC, and a $1 million payment to the New Jersey Division of Consumer Affairs, although $300,000 will be suspended and vacated after 5 years upon compliance with the order.   In a concurring statement, Commission Ohlhausen supported the order, but questioned the FTC’s allegation that individualized television viewing activity falls within the definition of sensitive information.

The 2014 complaint alleged that Vizio and an affiliate company manufactures smart TVs that capture second-by-second information about video displayed on the Smart TV, including video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices.  In addition, Vizio facilitated the integration of specific demographic information (e.g., sex, age, income, marital status, household size, educational level, home ownership, household value, etc.) to the viewing data.  Vizio then sold the information to third parties, who used it for various purposes, including targeted advertising to consumers across devices.

According to the complaint, Vizio touted its “Smart Interactivity” features that “enables program offers and suggestions”, but failed to inform consumers that the settings also enabled the collection of consumer’s viewing data. The complaint alleges that Vizio’s data tracking, – which occurred without viewer’s informed consent – was unfair and deceptive. The Complaint charges that the Defendants participated in deceptive and unfair acts in violation of Section 5 of the FTC act, and similar charges under the New Jersey Consumer Fraud Act, in connection with the unfair collection and sharing of consumers’ Viewing Data and deception concerning their “Smart Interactivity” features.

As part of the settlement, Vizio stipulated to a federal court order that:

  • Requires Vizio to prominently disclose and obtain affirmative express consent of its data collection and sharing practices;
  • prohibits misrepresentations about the privacy, security, or confidentiality of consumer information they collect;
  • requires Vizio to delete data collected before March 1, 2016; and
  • requires Vizio to implement (and review biennially) a comprehensive data privacy program.

In a concurring statement, Commissioner Ohlhausen supported Count II of the complaint, alleging that Vizio deceptively omitted information about its data collection and sharing program.  However, she expressed concern about the implications of Count I, which alleged that granular (household or individual) television viewing activity is sensitive information, and that sharing this viewing information without consent causes or is likely to cause  a “substantial injury” under Section 5 of the FTC Act.  Although Commissioner Ohlhausen acknowledged that there may be good policy reasons to consider such information, she states that the statute does not allow the FTC to find a practice unfair based primarily on public policy, and that this case demonstrates “the need for the FTC to examine more rigorously what constitutes ‘substantial injury” in the context of information about consumers. Ohlhausen indicated that she will launch an effort in the coming weeks to examine this issue further.

To view the stipulated order, click here.

To view Commissioner Ohlhausen’s concurring statement click here.

 

Fiber Optic cables and UTP Network cablesOn October 27, 2016, the FCC released rules to “empower consumers to decide how data are used and shared by broadband providers.”  In the order, the FCC defines information protected under Section 222 for telecommunications carriers as “customer proprietary information (customer PI)”, to include the following: (1) individually identifiable Customer Proprietary Network Information (CPNI), (2) personally identifiable information (PII) and (3) content of communications.  The FCC also adopts and explains its multi-part approach to determining whether data has been properly de-identified and is therefore not subject to the customer choice regime adopted by the FCC for customer PI. Much of the rules are modeled after FTC best practices and the White House Administration’s Consumer Privacy Bill of Rights. Continue Reading FCC Adopts Privacy Rules Protecting Broadband and other Telecommunications Customers