In a victory for internet service providers like Verizon, Comcast, and AT&T, the US Senate on Thursday voted to kill a set of Obama-era privacy regulations passed by the Federal Communication Commission last October.
The rules would have required ISPs to get explicit consent before sharing consumers’ web browsing data and other personal info with advertisers.
The vote passed 50 to 48, with most Republicans in favour of the repeal and most Democrats against.
The resolution was proposed via the Congressional Review Act (CRA), a seldom-used law that the GOP is more widely applying to repeal federal regulations they contested late in the Obama administration with a simple majority vote. Republicans have a majority in both chambers of Congress.
The resolution will now need to pass in the House of Representatives — where Rep. Marsha Blackburn (R-TN) proposed a similar resolution earlier this month — then be signed by President Donald Trump before going into effect.
Because the resolution uses the CRA, the FCC would be outlawed from creating similar privacy regulations if the repeal is passed.
The FCC’s privacy rules were passed in a party-line vote last October after months of contention between Democrats and Republicans at the agency.
The rules were something of a follow-up to the 2015 Open Internet Order, which famously classified the internet as a public utility. That set in place the current net-neutrality rules — which forbid ISPs from blocking, throttling, or prioritising sites as they see fit — but also left the FCC in charge of ISPs’ privacy regulations.
The privacy rules apply a set of guidelines to ISPs about how they treat consumer data, but the most notable bit would force them to obtain explicit consent before they’re able to share “sensitive” consumer information with advertisers.
In other words, ISPs would need you to opt-in to their data collection policies before they’re able to take that data and use it for targeted ads, instead of selling it by default and requiring you to manually opt-out. When people are given the explicit option, they are typically less likely to accept it. That means less potential revenue for ISPs.
Much of what the FCC deemed “sensitive” fell in line with looser, pre-net-neutrality privacy guidelines from the Federal Trade Commission — things like financial, health, and geo-location info — but the agency notably added Web browsing and app usage data to the list as well.
That specific provision is not scheduled to go into effect until later this December, however.
Even under these would-be privacy rules, which now appear doomed, ISPs would not be required to get opt-in consent for other bits of personal information like email addresses.
Current FCC chairman Ajit Pai has strongly opposed those privacy rules, and voted against them as a commissioner last October. Last month, he halted one part of the privacy rules that would have broadly required ISPs to “engage in reasonable data security practices.” Pai and GOP commissioner Michael O’Rielly currently have a 2-1 majority at the agency.
Pai feels the privacy rules unfairly target ISPs and give internet companies like Google and Facebook the ability to harvest more consumer data and dominate digital advertising. Google and Facebook are by far the two biggest players in the digital ad industry today.
Websites like Google and Facebook are still regulated by the FTC’s looser guidelines, and thus are not forced to obtain opt-in consent before they collect and sell your Web browsing and app usage data. This is partly why you may see ads personalised to your browsing history when you browse the Web.
ISPs aren’t happy about this discrepancy, and have petitioned the FCC to roll back the rules entirely. Telecom industry groups have said keeping the rules could limit ISPs’ ability to provide otherwise free or low-cost services. Wireless industry trade group CTIA also argued in a note to the FCC last week that Web browsing and app usage history are not “sensitive” information.
The debate comes at a time when ISPs like Verizon are increasingly interested in boosting their own digital advertising presence.
Despite the fact that internet companies are not covered here, they have also opposed the regulations, mainly because they do not want a precedent to be set that may apply to their data collection policies in the future. Groups representing Google, Facebook, and the like, urged Congress to repeal the privacy rules using the CRA this past January.
Another shot at the net-neutrality rules
Like many issues in Washington today, this is a heated debate drawn squarely along party lines.
Democrats and consumer advocacy groups argue that it is fair to apply more stringent privacy rules to ISPs because it is generally more difficult to switch internet providers than use different websites — particularly in rural and low-income areas with less choices between ISPs — and because ISPs are more easily capable of seeing everything you do over the internet connections they sell. (Though it’s worth noting that behemoths like Google and Facebook are able to reach beyond their own sites.)
They also note that many websites provide free services in exchange for their targeted ads, whereas ISPs still charge relatively high fees for access to internet service.
Republicans and other conservatives, meanwhile, call the privacy regulations an overreach of federal agency power.
“In reality, this is just yet another avenue designed to give the FCC more control over the Internet that should be open,” said David Williams, president of the right-leaning Taxpayers Protection Alliance, in a statement in favour of the act on Tuesday.
Pai wants to create a single framework for both ISPs and internet companies that allows them all to be regulated under guidelines similar to those from the FTC.
“All actors in the online space should be subject to the same rules, enforced by the same agency,” said Pai and acting FTC chairwoman Maureen Ohlhausen in a joint statement upon the FCC’s data security stay last month. “Until that happens, however, we will work together on harmonizing the FCC’s privacy rules for broadband providers with the FTC’s standards for other companies in the digital economy.”
If privacy enforcement of ISPs is eventually removed from the FCC, there are doubts over whether or not the FTC has the authority to regulate ISPs’ privacy practices at all. Apart from the restrictions set by the CRA, an appeals court decision last year said AT&T was exempt from FTC oversight because it was a “common carrier” — a title that was set for all internet providers through the 2015 net-neutrality order.
Pai says that, if the privacy rules are reversed, the FCC will still be able to regulate ISPs’ privacy policies using Title II, Section 222 of the Communications Act. Those regulations are less stringent than the Obama-era regulations, however, and do not cover Web browsing or app usage data.
Title II is the linchpin of the 2015 net-neutrality order, and the thing that gives the FCC much of its regulatory power over ISPs. But it’s also the thing Pai and other Republicans most wish to dismantle as part of a larger rollback of the net-neutrality rules. If that happens, as anticipated, it could further reduce any privacy-related oversight of ISPs.
Even if the net-neutrality order is undone, ISPs like Verizon and AT&T would retain “common carrier” status because they offer telephone services. Further action would be needed to expand FTC authority. That appears unlikely with deregulatory-minded Republicans in charge.
Democrats blasted Thursday’s vote as taking too much control of personal data out of consumers’ hands. “This is yet another repeal without a replace,” said Sen. Brian Schatz (D-HI), likening the vote to the ongoing healthcare debate.
“Let me be clear: This is the single biggest step back in online privacy in many years,” he continued.
A final rollback of the rules appears all-but-certain at this point, be it through the Congressional action here or an eventual FCC move. ISPs, advertisers, and internet companies can breathe a sigh of relief, but privacy advocates can consider it a missed opportunity.