Federal Trade Commission should establish privacy rules against ISP data collection, experts say: Broadband Breakfast

WASHINGTON, November 302021 – Privacy experts are calling on the Federal Trade Commission to begin the process of empowering itself to penalize internet service providers who collect unnecessary data from their customers to serve targeted ads.

While discussions of privacy issues have overwhelmingly focused on big tech companies and how they use customer data, experts at a Federal Communications Bar Association privacy symposium Nov. said ISPs should be on the radar of federal regulators.

Specifically, according to Alan Butlerpresident of the Electronic Privacy Information Center, the collection of unnecessary data from ISPs “requires action” by the FTC.

“The current situation is that Internet service providers fall under the jurisdiction of the FTC and the FTC should act” and not wait for other federal players to initiate ISP consumer privacy rules, Butler said. In 2017, Congress voted to prohibit the Federal Communications Commission, which regulates the telecommunications space, from regulating ISP consumer privacy, leaving the door open for the FTC to regulate privacy practices. providers.

But there is a wrinkle. Although the agency can investigate and sanction “unfair” and “deceptive” business practices, according to the Federal Trade Commission Act, the FTC cannot enact its own federal privacy rules under its current consumer protection authority. To do this, the FTC should initiate a policy development process whereby the agency develops and issues regulations, which can then become federal policy.

Some experts believe that the FTC would be the best entity to develop such rules and should initiate the process, while others believe that the FTC’s regulatory process was not designed to give the agency its own authority in matters of confidentiality.

A separate federal agency for privacy regulation

Given that the FTC may receive funding to create a privacy office as part of the House of Representatives reconciliation bill, Butler left open the question of whether the FTC should proceed by issuing sweeping regulations on confidentiality or whether it should be “analyzed” in specific questions. .

“The FTC must adopt rules that establish fair data practices and seek to protect secondary uses of data and sensitive data,” such as customer biometrics and demographics, he said. Butler said the FTC’s privacy regulations would be a “temporary solution,” but that there needs to be a separate federal agency that regulates privacy in the United States. “Funding an FTC privacy office in the reconciliation bill is an important step forward,” he said.

The Law at Stake for an FTC Privacy Authority

The FTC’s ability to regulate privacy would be governed by the Magnuson-Moss Warranty-Federal Trade Commission Improvement Act. The Magnuson-Moss Act is known for adding several steps beyond the normal federal policy-making process, including a requirement that the FTC must conclude that problematic conduct is “prevalent” in the marketplace.

“Magnuson-Moss was designed to stifle the FTC’s ability to engage in rulemaking,” the Georgetown law professor said. David Vladeck. Issuing privacy rules from the FTC would be difficult, he says, because the FTC must clear significant hurdles before it can enforce privacy rules. “There’s a clear implication that the FTC is unable to promulgate a rule unless it can prove to a court after the rule is made that the intrusive conduct is ‘widespread.’ Congress doesn’t define “prevail,” he added.

Butler argued that determining the prevalence of data abuse would not be difficult. “The FTC would have no trouble finding problems endemic to the industry,” he said. “The [agency] is able to find that its widespread use of location data unrelated to service usage is widespread in the marketplace and online behavioral tracking. Thus, according to Butler, the FTC would be able to prove that data abuse significantly harms consumers and uses its data correctly. [proposed] power to enforce privacy rules against technology companies.

Earlier this year, FTC Chairman Lina Kahn approved revisions to its Magnuson-Moss procedures, which facilitate the FTC’s conduct of its process of developing and publishing privacy rules. The rules grant the chair the power to act as chief chair of the rule-making hearing process, grant the commission the power to control the conduct of informal hearings, and eliminate a rule requiring commission staff to publish a report analyzing the final rule. before it was established as official agency policy.

Kahn said the changes to the rule-making process will remove “unnecessary and onerous procedures” that only delay the publication of FTC rules.

The FTC Process Could “Surface” Issues

Despite the difficulty of issuing privacy regulations, Vladeck said it might be useful to initiate the process anyway, including “to highlight issues” with privacy and data collection by ISPs.

Vladeck pointed to “illegal dark patterns” as an example of a narrow issue the FTC can address. The FTC characterizes “dark patterns” as methods companies use to keep consumers trapped in subscription services.

“The FTC is the only policeman on this beat,” Vladeck said, adding that it could act as an effective enforcement regime against data abuses that affect consumers.

Aurora J. William