The Federal Trade Commission wants the FCC to require opt in for some uses of customer proprietary network information (CPNI), whether it is by an ISP, an affiliate or a third party. It would also combine that with a more finessed view of information, setting the level of protection to the level of sensitivity.
As a "general matter," said FTC staff in comments to the FCC, it supports the FCC's focus on "transparency, consumer choice, and security," but has some specific tweaks, suggesting the FCC proposal would overprotect some information and under-protect other information.
For example, the FTC staff says that categorizing any information that is linkable to a person as personally identifiable information subject to the rules "could unnecessarily limit the use of data that does not pose a risk to consumers," adding: "[W]hile almost any piece of data could be linked to a consumer, it is appropriate to consider whether such a link is practical or likely in light of current technology. FTC staff thus recommends that the definition of PII only include information that is “reasonably” linkable to an individual."
The FTC would also make linking applicable to devices--cookies, static IP addresses--as well as people.
The FCC's approach to consumers opting in or out of the use of their information by ISPs, affiliates or third parties is divided into three categories: 1) uses for which consent is implied--billing-related and aggregated info that is not personally identifiable, 2) marketing of telecom services by ISPs and their affiliates, which would require consumers to opt out, and 3) sharing with third parties (potentially for targeted marketing purposes), which would require opt in.
The FTC would confine the opt-in requirement to "sensitive information" including the content of communications, Social Security numbers, or health, and financial info, information on kids or geolocation.
But it would make that applicable across the board. " Under the FCC’s proposal, BIAS providers could use content of communications for internal and affiliate marketing without obtaining consumers’ opt-in consent first," the FTC pointed out.
The FTC staff would instead require opt in for first-party and affiliate uses of the content of communications, which would include "contents of emails ; communications on social media, search terms, web site comments, items in shopping carts, inputs on web-based forms, and consumers’ documents, photos, videos, books read, movies watched."
"Although paragraph 49 of the NPRM notes that the FCC does not “think that providers should ever use or share the content of communications that they carry on their network without having sought and received express, affirmative consent for the use and sharing of content,” the text of the Proposed Rule does not appear to reflect this approach. FTC staff proposes that the Proposed Rule be revised to clearly require choice for the contents of consumer communications."
As to transparency, the FCC generally supports the FCC approach to clearly notifying customers about privacy policies. the FTC also says that names, addresses and phone numbers should all be considered PII.
On security, the FTC is generally supportive of the FCC approach, including a breach notification for ISPs.
The FTC commissioners voted unanimously in favor of the staff comments, but in a statement, Commissioner Maureen Ohlhausen to emphasize the differences between the FCC and FTC approaches and signal she thought the FCC should definately recalibrate its opt in and opt out regimes to the sensitivity of the date.
She also said the FCC should let consumers choose to make the tradeoff of sharing info for discounted broadband service. "A ban on discounts for ad-supported BIAS ]brodabnd Internet access service] prohibits a consumer from trading some of her data for a price discount, even if the consumer is fully informed," she wrote. She says that could preclude lowering prices or boosting broadband adoption, both consumer benefits she suggests consumers should be able to choose.
Having reclassified ISPs as common carriers under Title II, the FTC no longer had jurisdiction over broadband privacy because there is an exemption from its enforcement authority for common carriers. That means the FCC had to come up with its own privacy framework.