Data privacy attorneys consider future of consumer protections

Olivia Covington
April 19, 2017
Back to TopCommentsE-mailPrintBookmark and Share

A rule designed to provide internet users with an extra layer of control over their web use history is dead before it ever fully came to life, but data privacy law experts say there’s little reason for consumers to panic.

A proposed Federal Communications Commission rule, which was first recommended last October, would have required internet service providers, such as Comcast, Verizon or AT&T, to obtain explicit permission before selling their customers’ personal online data, which includes the history of their app usage or browser searches. Such data is highly valuable to advertisers who try to target potential customers with online ads tailored to their specific interests. But under the FCC’s proposal, ISPs could not have sold that data to advertisers without first obtaining permission from consumers.

However, Congress voted to roll back those protections last month, sending the bill to President Donald Trump’s desk before the FCC rule ever took effect. Though public response to Congress’ decision and Trump’s approval was generally negative, data privacy attorneys say because the rule was never enforced, little about online privacy has changed.

“It effectively re-established the status quo,” said Fred Cate, a professor at the Indiana University Maurer School of Law and senior fellow at the IU Center for Applied Cybersecurity Research.

While in the past ISPs may have been hesitant to use consumer data without permission as they waited for Congress to decide whether such practices were permissible, they were never explicitly prohibited from selling the data, Cate said. The difference now is ISPs officially have a green light to capitalize on their customers’ online histories, though it remains to be seen how far service providers will go to profit from the data, he said.

McGinnis McGinnis

For data security and privacy attorneys, the vote to roll back the FCC recommendation creates more uncertainty in terms of where to draw the line on privacy regulations, said Brian McGinnis, a Barnes & Thornburg LLP partner and member of the firm’s Internet and Technology and Data Security and Privacy practice groups. The central question is where should the burden be placed, McGinnis said. Should consumers bear the responsibility of taking steps to protect their online data, or should ISPs be required to ask for permission before selling customer information to advertisers?

The FCC’s recommendation was meant to place more of the burden on ISPs by establishing an “opt-in” form of privacy protections, Cate said. In an opt-in policy, consumers must give their consent to the sale of their data before ISPs can share that data for profit. Opt-in policies are the norm in other parts of the world, McGinnis said, particularly in Europe.

But the system now reverts to an opt-out system in which ISPs can sell consumer data unless a customer explicitly says otherwise, placing more of the burden on consumers. U.S. policy decisions have generally been trending more toward opt-out systems, McGinnis said.

The proposed rule was further seen as leveling the playing field among ISPs and internet giants such as Facebook and Google, which can take their users’ data history and turn it into targeted advertising on their sites. But there are some notable differences between the likes of Comcast and Facebook, Cate said — namely the fact that consumers often have little choice in their ISP.

While no one is forced to create a Facebook account or to use Google for their online searches, consumers are generally only given two or three choices when it comes to their internet service provider, Cate said. Thus, in some areas where only one ISP is available, that provider could develop a virtual monopoly over consumers and their data in that area.

In those situations, Cate said the FCC protections were designed to hold ISPs to a higher standard of regulation and let customers know that their data was being collected for a possible commercial purpose. Congress’ decision represents a change in the country’s political climate regarding regulations and a continuation of the ongoing net neutrality debate, McGinnis said.

Gasper Gasper

Aside from the sale of consumer data, privacy experts are also examining how that data might be used outside the realm of advertising. This is a particularly poignant issue for those who specialize in the internet of things, a concept Ice Miller LLP partner George Gasper describes as “devices talking to each other.”

For example, a “smart” thermostat, or one controlled remotely by a smartphone, is considered part of the internet of things because the thermostat must communicate with the phone to perform the desired function. But performing those IoT functions naturally implicates large amounts of user data, which can then be collected to create a “profile” of the data consumer.

As with other online privacy concerns, there are multiple views on the implications of the collection of IoT data, said Gasper, a member of Ice Miller’s IoT team. While the information collected through IoT communications can enable ISPs to increase convenience to users, he said there is also the looming concern that such data will be somehow misused, either through its sale or some other form of dissemination.

merker Merker

To that extent, Nick Merker, a partner in Ice Miller’s Chicago office who specializes in data security and privacy and is a member of the firm’s IoT group, said allowing ISPs to sell consumer data can erode trust in IoT products. That loss of trust could cause a customer to abandon a particular brand, such as Amazon Alexa, in favor of a similar product from another brand, such as Google Home, if the customer believes Google handles its consumer data better than Amazon, Merker said.

But as Cate noted with the Facebook and Google comparison, such competition does not exist among ISPs, Merker said, so allowing service providers to self-regulate may be a more logical step than to impose federal guidelines.

As consumer privacy experts continue the ongoing net neutrality debate, the data privacy attorneys say there are steps consumers can take to actively protect their data if they have privacy concerns, such as purchasing a virtual private network.

Downloads of VPNs, which allow consumers to “mask” their online communications by routing them through another server, have shot up in the last month, Cate said. Describing VPNs as a tunnel, he said consumers can use them to shield and encrypt their data by making it seem as if the web data is coming from somewhere else. For example, if a consumer is in Europe but is using a VPN server located in the United States, the consumer’s web traffic will appear to websites to be coming from the United States.

“You can protect your communications from the prying eyes of parties that are transmitting your communications,” Cate said.•


  • privacy
    Almost everything connects to internet these days. From your computers and Smartphones to wearable gadgets and smart refrigerators in your home, everything is linked to the Internet. Although this convenience empowers usto access our personal devices from anywhere in the world such as an IP camera, it also deprives control of our online privacy. Cyber criminals, hackers, spies and everyone else has realized that we don’t have complete control on who can access our personal data. We have to take steps to to protect it like keeping Senseless password. Dont leave privacy unprotected. Check out this article for more ways:

Post a comment to this story

We reserve the right to remove any post that we feel is obscene, profane, vulgar, racist, sexually explicit, abusive, or hateful.
You are legally responsible for what you post and your anonymity is not guaranteed.
Posts that insult, defame, threaten, harass or abuse other readers or people mentioned in Indiana Lawyer editorial content are also subject to removal. Please respect the privacy of individuals and refrain from posting personal information.
No solicitations, spamming or advertisements are allowed. Readers may post links to other informational websites that are relevant to the topic at hand, but please do not link to objectionable material.
We may remove messages that are unrelated to the topic, encourage illegal activity, use all capital letters or are unreadable.

Messages that are flagged by readers as objectionable will be reviewed and may or may not be removed. Please do not flag a post simply because you disagree with it.

Sponsored by
Subscribe to Indiana Lawyer
  1. File under the Sociology of Hoosier Discipline ... “We will be answering the complaint in due course and defending against the commission’s allegations,” said Indianapolis attorney Don Lundberg, who’s representing Hudson in her disciplinary case. FOR THOSE WHO DO NOT KNOW ... Lundberg ran the statist attorney disciplinary machinery in Indy for decades, and is now the "go to guy" for those who can afford him .... the ultimate insider for the well-to-do and/or connected who find themselves in the crosshairs. It would appear that this former prosecutor knows how the game is played in Circle City ... and is sacrificing accordingly. See more on that here ... Legal sociologists could have a field day here ... I wonder why such things are never studied? Is a sacrifice to the well connected former regulators a de facto bribe? Such questions, if probed, could bring about a more just world, a more equal playing field, less Stalinist governance. All of the things that our preambles tell us to value could be advanced if only sunshine reached into such dark worlds. As a great jurist once wrote: "Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman." Other People's Money—and How Bankers Use It (1914). Ah, but I am certifiable, according to the Indiana authorities, according to the ISC it can be read, for believing such trite things and for advancing such unwanted thoughts. As a great albeit fictional and broken resistance leaders once wrote: "I am the dead." Winston Smith Let us all be dead to the idea of maintaining a patently unjust legal order.

  2. The Department of Education still has over $100 million of ITT Education Services money in the form of $100+ million Letters of Credit. That money was supposed to be used by The DOE to help students. The DOE did nothing to help students. The DOE essentially stole the money from ITT Tech and still has the money. The trustee should be going after the DOE to get the money back for people who are owed that money, including shareholders.

  3. Do you know who the sponsor of the last-minute amendment was?

  4. Law firms of over 50 don't deliver good value, thats what this survey really tells you. Anybody that has seen what they bill for compared to what they deliver knows that already, however.

  5. As one of the many consumers affected by this breach, I found my bank data had been lifted and used to buy over $200 of various merchandise in New York. I did a pretty good job of tracing the purchases to stores around a college campus just from the info on my bank statement. Hm. Mr. Hill, I would like my $200 back! It doesn't belong to the state, in my opinion. Give it back to the consumers affected. I had to freeze my credit and take out data protection, order a new debit card and wait until it arrived. I deserve something for my trouble!