On April 3, 2017, President Trump officially signed into law a controversial new bill that repeals the Internet privacy rules adopted by the Federal Communications Commission (“FCC”) in late 2016 (the “FCC Rules”). The FCC rules, which were set to go into effect in late 2017, required Internet service providers (“ISPs”), such as Verizon, AT&T, and Comcast, to obtain permission from their customers (i.e., obtain “opt-in” consent) before selling or sharing certain sensitive information about such customers’ Internet usage to third parties, including web browsing history, geo-location data, health, child and financial information, social security numbers, app usage history, and the content of emails and other digital messages. The FCC Rules also required ISPs to take more substantial measures to protect against, and notify customers of, data breaches. Under the new law, the FCC is also now prohibited from passing any additional privacy restrictions related to the use of customer data.
As expected, the enactment of this new law has been met with strong reactions on both sides of the issue. Those in favor of passing the law and repealing the FCC Rules argue that the FCC Rules made it confusing for customers to understand who could actually see their browsing data, and placed unfair restrictions on ISPs because these rules did not apply generally to Internet companies that regularly track and sell this type of customer information, such as Google and Facebook. Given that ISPs have actively begun to expand their advertising businesses (both by using customer data to provide and sell direct targeted advertising and by selling customer data to third-party advertisers), those in favor of the new law also claimed that by placing these types of restrictions on ISPs only, Internet companies received an unfair competitive advantage since they could collect and use this type of customer information more freely than ISPs. Additionally, proponents reasoned that since 2012 the Federal Trade Commission, and not the FCC, has been the agency designated to oversee and enforce consumer online privacy rights, and so the FCC had no jurisdiction to pass the FCC Rules in the first place (even though the FCC remains the agency in charge of regulating ISP practices). Finally, since the FCC Rules were not set to actually go into effect until later this year, many in favor of repealing these rules contend that this new law simply preserves the status quo since ISPs have historically been able to sell this type of customer data anyways and were simply losing permission to keep doing this without explicit customer consent.
While it remains to be seen what measurable impact the President’s repeal of the FCC Rules will have on consumer Internet privacy, for now, in an effort to ease some of the concerns and quell the backlash following the passage of the law, most ISPs have released fairly strong statements indicating that they have no plans to sell or share consumers’ personal web browsing history. However, for those customers who remain skeptical or who are otherwise concerned about their privacy, the use of a virtual private network (“VPN”), which anonymizes Internet activity by routing it through another hub, is probably the best option. Nonetheless, it is still important to keep in mind that VPNs may also log or track users’ activity, so one must carefully choose a service that explicitly states that it does not do so.