Consumers Deserve More Privacy Protections, Not Less
Opt-Out is a Cop-Out
“Few rights are so fundamental as the right to privacy in our daily lives, yet few are under such frontal assault.”
I penned those words 14 years ago, when I and my colleagues on the Federal Communications Commission (FCC) were considering how best to protect telephone customers from expansive snooping and intrusive marketing practices. Today, I must reiterate this sentiment, and urge the FCC to immediately pass strong new rules to protect the privacy of broadband customers.
Broadband privacy is important for many of the same reasons that the FCC has ensured the privacy of telephone customers for decades. Broadband internet service providers (ISPs) collect extensive information about all of their customers, including location, web browsing and app use history, when and with whom they communicate, and even the content of those communications.
In short, nearly everything a consumer does online is visible to his or her ISP. ISPs need some of that information to provide service, but they also can exploit private details for profit, primarily through marketing.
The FCC recently released a fact sheet on broadband privacy, and while it is a significant step forward, there remains the possibility that that intra-agency negotiations might consider alterations that would water-down the privacy regime and leave consumers without needed protections. The need of the hour is to strengthen, not weaken, the pending proposal. The FCC should adopt opt-in rules that more closely hew to Congress’s direction in Section 222 of the Communications Act that make clear telecommunications carriers have a duty to protect confidentiality of the proprietary information of their customers.
An opt-in regime is best for consumers
Consumers are better protected under an opt-in regime, which can be thought of as a default response of “no” to questions about privacy-invasive practices. Under an opt-in framework, an ISP may not use personal information about its customers for marketing purposes unless and until those customers affirmatively agree. This makes sense. Rarely do we presume consent — or equate silence with consent — in other circumstances.
An opt-in requirement also would give ISPs an incentive to make a case to customers that sharing their information is beneficial. For instance, opponents of the FCC’s privacy proposal have argued that consumers often do not mind giving away their data in return for certain services or other advantages. That may well be the case, but decisions about sharing data should be made by consumers, not made for them by when they sign up for Internet access.
In contrast, an opt-out regime provides no such protections. Most importantly, opt-out is contrary to Congress’s mandate that the FCC protect the “confidentiality” of consumers’ private data; instead, it requires consumers to protect themselves. Even worse, opt-out discourages ISP transparency data practices. So under an opt-out framework, ISPs may obscure their data practices, afraid that further information might embolden consumers to take actions to protect their data — and thus cost the ISP revenue.
I would prefer to require opt-in consent for every marketing use of consumer data. But the FCC is splitting data, establishing an opt-in standard for some data categories and opt-out for others. “Sensitive” data — including a user’s geolocation and health information — are opt-in, but other data are opt-out. From an historical perspective, the FCC has long protected the privacy of telephone customers without drawing distinctions based on the subjective sensitivity of telephone data. If the Commission insists on moving forward with a sensitivities-based approach for broadband, it should do so in the most thoughtful, expansive, and consumer-focused manner to define what should really count as “sensitive.” For example, “sensitive” data should include which websites consumers visit, along with which apps and devices they use, including connected devices in the growing “Internet of Things.”
To reiterate, a default opt-out approach would not ensure, as the statute requires, the confidentiality of ISP consumer data. It actually ensures the opposite. A default position that allows ISPs to share and sell customer data unless the customer opts out actually ensures the dissemination of this data, directly contrary to the statute. And it seriously undermines a free and open internet. I hope the FCC will opt for real opt-in.