Double Trouble: Why Two Internet Privacy Enforcement Agencies Are Not Better Than One for Businesses or Consumers.

• Date: 01 May 2018
• Author: Cheperdak, Alison M.

TABLE OF CONTENTS I. INTRODUCTION 263 II. BACKGROUND 265 A. Components of the Internet 265 B. FTC's Strong History of Internet Privacy Regulation 265 C. The FCC's New Role in Internet Privacy Regulation 267 D. The Major Impacts of Differing Consumer Consent Models and Privacy Definitions 269 E. The FCC and FTC Differ in Internet Privacy Enforcement Practices 272 F. The FTC's Internet Privacy Regulation Stems From its Longtime Leadership in Consumer Protection 274 G. Despite Apparent Intent, the FCC's Privacy Order Stifles Innovation and Economic Growth, Ultimately Harming Consumers 277 1. The Evolution of the Open Internet Order and its Impact on ISP Privacy Rules 280 2. The FTC has Long Been the Nation's Premier Privacy and Data Security Enforcement Agency 281 3. The Privacy Order Demonstrated the Expanded Scope of the FCC's New Privacy Authority, Including a Broader Definition of the Types of Data Needing Special Protections 282 4. The Privacy Order Sets New Transparency and Notice to Consumer Requirements for ISPs 283 H. The Privacy Order Sets New Customer Choice and Consent Rules, which Includes a Three-tiered Approach: Opt-in, Opt-out, and Inferred Consent 284 I. The Most Significant Difference Between the FCC's Three-tiered Consent Framework and the FTC's Existing Privacy and Data Security Guidelines is the Privacy Order's Treatment of Web Browsing and Application Usage History 284 1. The FTC's Online Privacy Rules are Designed to Minimize the Burden on Consumers and Business, Whereas the FCC's Approach Needlessly Creates a Burden 286 III. ANALYSIS 288 A. The FCC's Privacy Order Creates Confusion for Customers 289 B. The FCC's Privacy Order is Unfair to Businesses 290 C. The FCC's Privacy Order is Not Helpful to Consumers 293 D. The FCC's Privacy Order is Significantly Costly to Businesses and Consumers 296 E. Appropriate Changes to Existing Privacy Regulation Frameworks 297 IV. CONCLUSION 302 I. INTRODUCTION

In 1890, a formative Harvard Law Review article developed "the basic principle of American privacy law" that privacy is the "right to be let alone." (1) Samuel D. Warren and Louis D. Brandeis' The Right to Privacy was published "in response to invasions of personal privacy caused by the technological [advances] of newspapers and photographs". (2) Much has changed since Warren and Brandeis' article influenced American privacy common law jurisprudence. (3) In the digital era, the right to privacy may be more appropriately characterized as "knowing what data is being collected and what is happening to it, having choices about how it is collected and used, and being confident that it is secure." (4) Given the ubiquitous nature of collection, retention, and dissemination of data in the digital age, appropriate privacy regulations are required. (5)

The Internet is critical to virtually all aspects of life throughout the U.S., especially economically and socially. (6) For instance, through the use of networked technologies, people are able to express themselves in infinite ways, establish "social connections, transact business, and organize politically." (7) "An abundance of data, inexpensive processing power, and increasingly sophisticated analytical techniques drive innovation in our increasingly networked society." (8) The U.S. government has two strong interests in establishing and enforcing appropriate privacy policies; (9) privacy is important to Americans and they expect their privacy to be protected from intrusion by the government or private entities, (10) and strong privacy protections are essential to sustaining the trust necessary for Internet commerce, which consequentially fosters innovation and economic growth. (11)

Consumers should not have to be a lawyer or a network engineer to understand whether the information they provide via the Internet will or will not be protected. (12) However, the current rules and regulations governing Internet data security are just that--needlessly complex and confusing. (13) The current Internet data security legal landscape is complicated primarily because "there is no comprehensive federal privacy statute that protects personal information." (14) Instead, federal privacy rules are disjointed; both the FTC and the FCC have authority to regulate different parts of the Internet, and states also have authority to enact and enforce their own privacy laws despite the inherently interstate elements of online transactions. (15)

Significantly, the FTC and the FCC's frameworks differ in that the FTC's priority is security, whereas the FCC's priority is privacy. (16) The FTC appropriately focuses more on security, including personally identifiable information (PII), whereas the FCC focuses more on privacy, (17) which is considerably more subjective and personal versus security which is primarily about safety.

This Note explores the ways in which the FCC's Broadband Privacy Order is harmful to both businesses and consumers, and the ways in which the regulations that apply to Edge Service Providers (ESPs) and Internet Service Providers (ISPs) can be legally harmonized. The Note begins with a discussion of the harms the uneven privacy models of the FCC and the FTC impose on customers and businesses, including confusion and increased transactional costs. Next, the Note discusses how the FCC failed to adequately explain why it chose not to follow the FTC's preexisting and successful approach to data security, including an analysis of the numerous ways in which the FCC needlessly diverged from the FTC's reasonable model. While the FTC is the ideal enforcer of Internet data security because of its long history of providing consumer protection and online data security, the FTC must provide a clearer description of what BIAS and ESPs must do to adequately protect consumers' privacy and security. Finally, the Note will explain the ways in which ESP and ISP privacy regulations can be legally harmonized after the Privacy Order's recent repeal.

2. BACKGROUND

   1. Components of the Internet

      The Internet is comprised of four major actors: "end users, broadband providers [(also known as ISPs)], backbone networks, and edge [service] providers [(ESPs)]." (18) Many customers, also known as end users, access the Internet "using an ISP, which delivers high-speed Internet access using technologies, such as cable modem service, digital subscriber line (DSL) service, and fiber optics." (19) ISPs "interconnect with backbone networks," which are the "long-haul fiber-optic links and high-speed routers" that transmit "vast amounts of data." (20) ESPs are content, "application, service, and device" providers, and their name comes from the position that they operate "at the edge of the network rather than the core of the network." (21) Examples of ESPs include Netflix, Google, and Amazon. (22) Under the current privacy legal landscape, the FTC has authority over ESPs, and the FCC has authority over ISPs. (23)

   2. FTC's Strong History of Internet Privacy Regulation

      The FTC derives its authority for enforcement actions against ESPs under The Federal Trade Commission Act 15 U.S.C. [section] 45(a) (FTC Act), which prohibits "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." (24) The FTC Act does not provide industry-specific duties, but instead applies a technology-neutral approach. (25) However, while the FTC Act does not provide specific duties for ESPs (or any other type of company that falls under its jurisdiction), the FTC's 2012 report, Protecting Consumer Privacy in an Era of Rapid Change (FTC Report), provides more specific recommendations for Internet businesses and policymakers. (26) The FTC Report set forth a final privacy framework after taking into consideration more than 450 public comments from stakeholders. (27) Although the FTC Report by its nature does not consist of binding rules, it urges companies to implement "best practices" to protect consumers' private information immediately, such as "making privacy the 'default setting' for commercial data practices" and increasing "consumers' control over the collection and use of their personal" information. (28) The FTC Report also stipulates that "companies should view the comprehensive privacy programs mandated by consent orders as a roadmap as they implement privacy by design in their own organizations." (29) Perhaps most importantly, the FTC's "proposed framework is not a one size fits all model for consumer choice mechanisms." (30) Instead, the FTC urges companies to offer "clear and concise choice mechanisms that are [both] easy to use and delivered at a time and context that is relevant to the consumer's decision about whether to allow data collection or use." (31)

      The FTC, which regulates ESPs, "has brought numerous legal actions against organizations that have violated consumers' privacy rights, or misled [consumers] by failing to maintain security for [their] sensitive information." (32) In most of these cases, "the FTC has charged the defendant with violating Section 5 of the FTC Act," which prohibits "unfair and deceptive acts and practices in or affecting commerce." (33) For example, the FTC "brought enforcement actions against mobile applications that violated the Children's Online Privacy Protection Act, (34) as well as against entities that sold consumer lists to marketers in violation of the Fair Credit Reporting Act" (FCRA). (35) During the first 40 years of the FTC's enforcement of the FCRA, "the FTC brought 87 enforcement actions against [consumer reporting agencies] (CRAs)." (36)

   3. The FCC's New Role in Internet Privacy Regulation

      The Privacy Order establishing the FCC's privacy enforcement power was passed in 2016 during the final year of the Obama Administration. (37) However, on April 3, 2017, President Donald J. Trump signed a joint resolution that repealed the FCC's Privacy Order. (38) The passage of S.J. Res. 34 came less than...