Redressing the Privacy Balance for Internet Consumers

In a world of converging technology, consumers should have confidence in the fact that our nation’s broadband privacy rules are uniform and consistently applied across the internet. Just as internet usage should be seamless, so should privacy rights.

Consumers have expectations regarding their privacy while online; they expect that the law of the digital land will be easy to understand and that it will apply no matter where they are on the net. After all, the higher the level of consumer confidence that online privacy is protected, the more people will use the internet for electronic commerce and other functions where financial information is employed in the transactions.

But to achieve that clarity and uniformity, a clear rule is necessary, and that’s where Congress needs to step in.

Today’s privacy rules are anything but clear. Internet content providers like Google, Facebook and Amazon are regulated for privacy by the Federal Trade Commission, the historic internet-privacy protection body. Internet-service providers that link consumers to the network, such as Verizon Communications, AT&T and Comcast, were also regulated for privacy by the FTC until 2015, when the Federal Communications Commission classified internet access as a telecommunications service, stripping the FTC of that authority.

In 2016, the FCC imposed privacy rules on ISPs, different and far more onerous than the rules the FTC oversaw for internet content providers. Earlier this year, Congress abrogated the FCC’s privacy rules, but ISPs remain subject to FCC jurisdiction for privacy. No new ISP privacy rules have been forthcoming, leaving the current privacy regime for ISPs in a gray area of uncertainty.

Against that background, it’s little wonder consumers are confused. Different regulatory agencies have authority depending on where the consumer resides on the internet continuum. Those agencies do not impose the same privacy protection requirements.

Some continue to advocate for imposing privacy rules on ISPs different from those for internet content providers, yet logic suggests the need for a level playing field.

A uniform privacy framework applied across the internet ecosystem is the best solution, with the FTC maintaining its historic role in overseeing internet privacy. The FTC employs a long-used consumer “opt out” approach for most online activity, with an exception for highly sensitive personal information, such as Social Security numbers, drivers’ license numbers or financial and medical information. That sensitive information remains protected unless the consumer affirmatively consents (“opts in”) to the information being used.

Privacy is too important to be left to the whims of regulatory agencies. Instead, Congress should consider taking an approach akin to the Browser Act (HR 2520), sponsored by Rep. Marsha Blackburn (R-Tenn.), that would unify privacy rules across the internet under the FTC, from operating systems to browsers to ISPs to edge content providers.

Why should Congress act? In addition to placing all internet privacy jurisdiction under a single regulator, a statute could empower the FTC with direct rulemaking authority over privacy, which it currently lacks. Today, the FTC regulates internet privacy under Section 5 of the Federal Trade Act, which limits the agency’s enforcement authority to actions aimed against unfair trade practices. Under that authority, the FTC can only act if a company holds itself out as offering a certain set of privacy protections and then fails to meet its promise.

If the FTC had direct statutory authority to craft privacy regulations, it could specify with far greater precision the kinds of privacy protections to which companies must adhere. At the same time, a new law could provide that the agency use the historic “opt out” approach, except for narrow and defined categories of personally sensitive information, for which affirmative consumer consent (“opt in”) would be required.

This balance between opt out and opt in would enable the internet advertising model — that has kept internet content free or minimally priced — to continue while giving consumers a calibrated level of control over information collection and use.

The next critical step is for Congress to decide to move on privacy. Action is needed to assure that consumers continue to have confidence in their web use, regardless of where they are in the digital universe.

Rick Boucher was a Democratic member of the U.S. House of Representatives from Virginia for 28 years and chaired the House Energy and Commerce Committee's Subcommittee on Communications and the Internet. He is honorary chairman of the Internet Innovation Alliance (IIA) and head of the government strategies practice at law firm Sidley Austin.