A rule designed to provide internet users with an extra layer of control over their web use history is dead before it ever fully came to life, but data privacy law experts say there’s little reason for consumers to panic.
A proposed Federal Communications Commission rule, which was first recommended last October, would have required internet service providers, such as Comcast, Verizon or AT&T, to obtain explicit permission before selling their customers’ personal online data, which includes the history of their app usage or browser searches. Such data is highly valuable to advertisers who try to target potential customers with online ads tailored to their specific interests. But under the FCC’s proposal, ISPs could not have sold that data to advertisers without first obtaining permission from consumers.
However, Congress voted to roll back those protections last month, sending the bill to President Donald Trump’s desk before the FCC rule ever took effect. Though public response to Congress’ decision and Trump’s approval was generally negative, data privacy attorneys say because the rule was never enforced, little about online privacy has changed.
“It effectively re-established the status quo,” said Fred Cate, a professor at the Indiana University Maurer School of Law and senior fellow at the IU Center for Applied Cybersecurity Research.
While in the past ISPs may have been hesitant to use consumer data without permission as they waited for Congress to decide whether such practices were permissible, they were never explicitly prohibited from selling the data, Cate said. The difference now is ISPs officially have a green light to capitalize on their customers’ online histories, though it remains to be seen how far service providers will go to profit from the data, he said.
For data security and privacy attorneys, the vote to roll back the FCC recommendation creates more uncertainty in terms of where to draw the line on privacy regulations, said Brian McGinnis, a Barnes & Thornburg LLP partner and member of the firm’s Internet and Technology and Data Security and Privacy practice groups. The central question is where should the burden be placed, McGinnis said. Should consumers bear the responsibility of taking steps to protect their online data, or should ISPs be required to ask for permission before selling customer information to advertisers?
The FCC’s recommendation was meant to place more of the burden on ISPs by establishing an “opt-in” form of privacy protections, Cate said. In an opt-in policy, consumers must give their consent to the sale of their data before ISPs can share that data for profit. Opt-in policies are the norm in other parts of the world, McGinnis said, particularly in Europe.
But the system now reverts to an opt-out system in which ISPs can sell consumer data unless a customer explicitly says otherwise, placing more of the burden on consumers. U.S. policy decisions have generally been trending more toward opt-out systems, McGinnis said.
The proposed rule was further seen as leveling the playing field among ISPs and internet giants such as Facebook and Google, which can take their users’ data history and turn it into targeted advertising on their sites. But there are some notable differences between the likes of Comcast and Facebook, Cate said — namely the fact that consumers often have little choice in their ISP.
While no one is forced to create a Facebook account or to use Google for their online searches, consumers are generally only given two or three choices when it comes to their internet service provider, Cate said. Thus, in some areas where only one ISP is available, that provider could develop a virtual monopoly over consumers and their data in that area.
In those situations, Cate said the FCC protections were designed to hold ISPs to a higher standard of regulation and let customers know that their data was being collected for a possible commercial purpose. Congress’ decision represents a change in the country’s political climate regarding regulations and a continuation of the ongoing net neutrality debate, McGinnis said.
Aside from the sale of consumer data, privacy experts are also examining how that data might be used outside the realm of advertising. This is a particularly poignant issue for those who specialize in the internet of things, a concept Ice Miller LLP partner George Gasper describes as “devices talking to each other.”
For example, a “smart” thermostat, or one controlled remotely by a smartphone, is considered part of the internet of things because the thermostat must communicate with the phone to perform the desired function. But performing those IoT functions naturally implicates large amounts of user data, which can then be collected to create a “profile” of the data consumer.
As with other online privacy concerns, there are multiple views on the implications of the collection of IoT data, said Gasper, a member of Ice Miller’s IoT team. While the information collected through IoT communications can enable ISPs to increase convenience to users, he said there is also the looming concern that such data will be somehow misused, either through its sale or some other form of dissemination.
To that extent, Nick Merker, a partner in Ice Miller’s Chicago office who specializes in data security and privacy and is a member of the firm’s IoT group, said allowing ISPs to sell consumer data can erode trust in IoT products. That loss of trust could cause a customer to abandon a particular brand, such as Amazon Alexa, in favor of a similar product from another brand, such as Google Home, if the customer believes Google handles its consumer data better than Amazon, Merker said.
But as Cate noted with the Facebook and Google comparison, such competition does not exist among ISPs, Merker said, so allowing service providers to self-regulate may be a more logical step than to impose federal guidelines.
As consumer privacy experts continue the ongoing net neutrality debate, the data privacy attorneys say there are steps consumers can take to actively protect their data if they have privacy concerns, such as purchasing a virtual private network.
Downloads of VPNs, which allow consumers to “mask” their online communications by routing them through another server, have shot up in the last month, Cate said. Describing VPNs as a tunnel, he said consumers can use them to shield and encrypt their data by making it seem as if the web data is coming from somewhere else. For example, if a consumer is in Europe but is using a VPN server located in the United States, the consumer’s web traffic will appear to websites to be coming from the United States.
“You can protect your communications from the prying eyes of parties that are transmitting your communications,” Cate said.•