A three-step plan to promote consumer privacy
Congress’ decision to use the little-utilized Congressional Review Act to repeal broadband privacy regulations the Federal Communications Commission handed down in October has been met with less than universal approval. Bills to increase user control over online privacy have since been introduced by members of both parties, and in both chambers of Congress.
There is much to like in these bills, but each misses the mark in one way or another. Congress should be commended for trying to bolster Americans’ privacy, but it’s important to strike the appropriate balance. The wrong approach could fundamentally disrupt the internet ecosystem, which relies on advertising-supported business models to deliver countless benefits to consumers free of charge.
Nonetheless, there are steps Congress can and should take to improve consumer privacy. Here are three big ones.
First, Congress should repeal the common-carrier exemption. Historically, consumer-privacy regulation has been almost entirely the domain of the Federal Trade Commission. In the online space, all that changed when the FCC moved to reclassify broadband as a “common carrier” service in 2015. The FTC lost its jurisdiction, leaving broadband providers subject to different rules than the rest of the internet ecosystem.
This is untenable. It warps the playing field by giving some internet companies a leg up over others. Moreover, the lines between those two sets of companies are becoming increasingly blurred. We need a privacy regime that can protect consumers regardless what part of the internet ecosystem they’re interacting with.
The FCC appears ready to undo the 2015 reclassification, but that will take months and may not hold up, either in court or through the next change in administration. Congress should step in now to close the jurisdictional gap between the two agencies by repealing the common-carrier exemption in the Federal Trade Commission Act and granting the FTC privacy authority across the board.
Second, Congress should pre-empt the current patchwork of state privacy laws by setting a single standard to govern consumer privacy throughout the country. Federalism is an important principle in American government, but internet services are inherently interstate commerce. The balance struck by the framers of the Constitution dictates that uniform federal rules should prevail in cases like this. Congress can better protect consumers and reduce compliance costs for industry by declaring the FTC’s regime for regulating privacy and consumer protection online the ultimate law of the land.
Third, Congress should direct the FTC to update its current privacy regime and reconsider which types of data are sensitive. The recent privacy backlash focused mostly on metadata, like one’s history of browsing the web or using various apps. The contents of communications and other personal information like birthdays and Social Security numbers long have been deemed sensitive because exposure of that information can cause real harm to consumers – either reputational damage like public embarrassment or financial damage like identity theft.
Metadata historically weren’t deemed sensitive. In the analog era, exposure of such data carried little risk of harm. However, many now feel such information shouldn’t be shared without a user’s affirmative opt-in consent. Internet companies and data brokers increasingly can cobble together and analyze metadata to learn very personal things about users, which means exposure of such data carries greater risk in the digital era. For a potent example, one need look only to the reputational harms suffered by visitors to the Ashley Madison website when they were publicly outed two years ago.
Several recent congressional bills would affirmatively declare such metadata to be sensitive, but legislating that particular outcome could be a mistake. Strong privacy protections are good, but defining sensitivity too broadly can do real harm, and defining it too narrowly can leave consumers unprotected. For example, a privacy bill passed 10 years ago might have covered web browsing but not applications, which are increasingly how consumers engage online.
The FTC, as the expert agency, should be in charge of deciding what types of data are sensitive and what forms of notice and choice are required for different types of data. Congress should simply tell the FTC to adjust its approach to better reflect the current privacy landscape. This could be done through a congressional policy statement or a limited grant of rulemaking authority governing access to consumer metadata. Either approach would be vastly superior to the bills that have been put forward thus far.
