Recently, Congress voted to overturn new FCC rules that regulated the privacy of broadband Internet Service Providers (ISPs). The rules implemented the Communications Act, 47 U.S.C. § 222 to ISPs, requiring opt in for sharing sensitive customer data, opt out for sharing non-sensitive customer data, as well as transparency requirements. Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications. The rules required reasonable data security protections as well as data breach notification.
This development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed. There are many other regulators and sources of privacy law to fill the void.
Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules. They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.
Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry. In the short term after regulation is weakened or killed, there is a void, so this seems like a nice freer zone for companies.. But nature abhors a vacuum. Other regulators will fill the void, and typically it is regulators who are most passionate about protecting privacy such as California and the EU. They are far more likely to regulate privacy even more stringently than the FCC or FTC.
In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation. This is what happened with data security regulation and data breach notification. Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law. But it failed to act. Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws. Instead of having to comply with one law, companies must navigate laws in many states. The most common strategy for companies operating in all states is to try to follow the strictest state law, Thus, the de facto rule is the law of the state with the most strict protections.