Recently, the Federal Communications Commission proposed privacy rules for your broadband Internet Service Provider (ISP). This sounds like a good thing for consumers. After all, who doesn’t want more privacy protection? Yet, for information, as for most things, some types need more protection than others do. For example, I guard my social security number but display my street address on my porch. The FCC’s rules, though well intentioned, provide too little protection for some sensitive information while overprotecting some non-sensitive information.
How do we know what is sensitive and non-sensitive information? At the Federal Trade Commission (where I am a Commissioner), we look to consumers for the answers. The FTC is the world’s most active protector of consumer privacy and data security, with more than 150 Internet-related privacy and data security cases over the past decade and a half, many against the biggest online players. Through that experience, the FTC has developed a privacy framework that reflects consumer expectations for how companies (ISPs and non-ISPs alike) will use data about them. Consumers want to be asked expressly to “opt-in” before a company uses sensitive data, such as health or financial information, for advertising or other unexpected follow-on uses. For non-sensitive data, such as the amount of daily broadband traffic, most consumers are satisfied with an “opt-out” choice. The FTC’s framework reflects these preferences. And for all uses of consumers’ personal data, sensitive and non-sensitive, the FTC holds companies to the promises they make. The FTC’s framework for privacy thereby respects a consumer’s autonomy and her choices about her personal data.
The FTC framework not only reflects consumers’ preferences when companies seek to use different types of personal data, it also preserves choice for those consumers with less common inclinations. The defaults – opt-in for sensitive data and opt-out for non-sensitive data – reflect common consumer preferences yet still allow those with less common predilections to share or to shield more information.
The FTC approach also benefits consumers in other important ways. First, it reduces the need for annoying check-the-box “choices” for commonplace uses of data. Second, it allows companies to use non-sensitive data for advertising or new services (unless the consumer opts out), thereby preserving the existing Internet marketplace with its hallmarks of free content, fierce competition, and rapid innovation.
The FCC’s privacy rules, as currently proposed, would supplant this successful privacy framework for broadband ISPs. Unlike the FTC’s approach, the FCC’s privacy rules would ignore data’s sensitivity. Under the FCC’s rules, an ISP could in some cases use highly sensitive information without express permission. At the same time, the rules would hinder ISPs’ use of non-sensitive data, even though other companies like Google and Facebook can use that same data to offer innovative – and often free – services.
Some have argued that the FCC should treat all data collected by ISPs as sensitive because it is too difficult to write rules differentiating between sensitive and non-sensitive data. But many established privacy frameworks already treat sensitive and non-sensitive data differently. In particular, ISPs and non-ISPs alike have successfully operated under the FTC’s sensitivity-based framework for many years.
Others have argued that ISPs can only treat sensitive and non-sensitive consumer information differently by snooping on the content of consumers’ communications. This claim, though alarming, doesn’t hold up to scrutiny. The FCC could easily address this “dilemma” by treating the content of communications as sensitive, as the FTC already does. ISPs don’t need to read the content of consumer email to treat that content as sensitive any more than a mail carrier needs to open a sealed envelope to determine that the contents are private. And ISPs don’t need to snoop on consumers to determine their particular privacy preferences when they can simply ask, for example, whether the consumer would like to allow the ISP to target advertising based on email content in exchange for some benefit, such as free webmail.
A new framework that ignores whether data is sensitive has other problems. If regulators treat ISP data collection differently than website data collection, consumers may be confused because many of them don’t distinguish between ISPs and websites. This also hamstrings competition by restricting ISPs compared to other companies in the Internet ecosystem that may use the same non-sensitive data for the same purpose, such as advertising. And it will reduce consumers’ choices. Unsurprising, then, that FTC staff – supported by a unanimous, bipartisan Commission – submitted comments criticizing the FCC’s proposal on several points, including the fundamental failure to distinguish between sensitive and non-sensitive data.
Some might argue that privacy can never be over-protected and that consumers benefit from any restrictions on companies’ use of consumer data. If consumers cared only about privacy, this might be true. But consumers also care about other values, such as convenience, price, efficacy, safety, flexibility, and reliability, and they constantly balance all these values. I value privacy but I also use a discount grocery store loyalty card for my family groceries and a traffic app to shorten my commute. Like many consumers, I choose to share some shopping and driving information to save money and time. Privacy frameworks should enable, not restrict, such consumer choices.
I believe that the FCC also wants to ensure that consumers have choices. I therefore hope that the FCC will consider carefully the FTC’s experience in protecting consumer privacy and adopt a similar, information-sensitivity-based framework that promotes robust competition and innovation while respecting consumer preferences and preserving consumer choice.
The views expressed by authors are their own and not the views of The Hill.