Don’t Spy on Me, ISPs: New Law Rolls Back Internet Privacy Rules

On April 3, 2017, President Trump officially signed into law a controversial new bill that repeals the Internet privacy rules adopted by the Federal Communications Commission (“FCC”) in late 2016 (the “FCC Rules”).  The FCC rules, which were set to go into effect in late 2017, required Internet service providers (“ISPs”), such as Verizon, AT&T, and Comcast, to obtain permission from their customers (i.e., obtain “opt-in” consent) before selling or sharing certain sensitive information about such customers’ Internet usage to third parties, including web browsing history, geo-location data, health, child and financial information, social security numbers, app usage history, and the content of emails and other digital messages.  The FCC Rules also required ISPs to take more substantial measures to protect against, and notify customers of, data breaches.  Under the new law, the FCC is also now prohibited from passing any additional privacy restrictions related to the use of customer data.

As expected, the enactment of this new law has been met with strong reactions on both sides of the issue.  Those in favor of passing the law and repealing the FCC Rules argue that the FCC Rules made it confusing for customers to understand who could actually see their browsing data, and placed unfair restrictions on ISPs because these rules did not apply generally to Internet companies that regularly track and sell this type of customer information, such as Google and Facebook.  Given that ISPs have actively begun to expand their advertising businesses (both by using customer data to provide and sell direct targeted advertising and by selling customer data to third-party advertisers), those in favor of the new law also claimed that by placing these types of restrictions on ISPs only, Internet companies received an unfair competitive advantage since they could collect and use this type of customer information more freely than ISPs.  Additionally, proponents reasoned that since 2012 the Federal Trade Commission, and not the FCC, has been the agency designated to oversee and enforce consumer online privacy rights, and so the FCC had no jurisdiction to pass the FCC Rules in the first place (even though the FCC remains the agency in charge of regulating ISP practices).  Finally, since the FCC Rules were not set to actually go into effect until later this year, many in favor of repealing these rules contend that this new law simply preserves the status quo since ISPs have historically been able to sell this type of customer data anyways and were simply losing permission to keep doing this without explicit customer consent.

On the other hand, privacy advocates and consumers who oppose the law have been quick to point out that ISPs provide the fundamental pathways to the Internet and therefore should not be treated the same as ordinary Internet companies, and should be subject to stricter customer privacy regulations.  Unlike with ordinary Internet companies, such as Google and Facebook, where a customer who does not agree with a particular privacy policy can simply choose not to use the offered service, it is nearly impossible to simply abandon a particular ISP; the alternative in most cases would be to move to a competitor ISP whose policies would likely be no different, or to simply remain offline (especially because most customers only have the option of one or two ISPs servicing the area in which they live).  Additionally, opponents of repealing the FCC Rules have argued that there is a fundamental difference in the manner and degree in which an ISP is able to track its customers, compared to ordinary Internet companies, in light of an ISP’s ability to track its customers’ entire internet-browsing history and usage across the entire web, rather than just across certain websites.  Finally, because the new law did not establish any replacement rules (and bars the FCC from implementing any itself), those against the repeal have further argued that the FCC is now left without any firm regulations to police ISPs, leaving room for ISPs to engage in overreaching activity without much consequence.

While it remains to be seen what measurable impact the President’s repeal of the FCC Rules will have on consumer Internet privacy, for now, in an effort to ease some of the concerns and quell the backlash following the passage of the law, most ISPs have released fairly strong statements indicating that they have no plans to sell or share consumers’ personal web browsing history.  However, for those customers who remain skeptical or who are otherwise concerned about their privacy, the use of a virtual private network (“VPN”), which anonymizes Internet activity by routing it through another hub, is probably the best option.  Nonetheless, it is still important to keep in mind that VPNs may also log or track users’ activity, so one must carefully choose a service that explicitly states that it does not do so.