
Eliminating Broadband Privacy Rules with One Weird Trick

By Daniel Lyons

AEIdeas

November 03, 2023

Two weeks ago, the Federal Communications Commission (FCC) officially proposed to reinstate the 2015 net neutrality order. In an earlier post, I discussed why this attempt to turn back the regulatory clock was a mistake, in part because of the agency’s failure to account for the many legal and technological developments since the Open Internet Order. There’s another unintended consequence, one that flows directly from the detritus of the FCC’s earlier regulatory misadventure: reclassifying broadband as a Title II common carrier will create a gap in privacy law, leaving broadband providers unregulated and raising concerns about how, or even if, the FCC can close it.

The issue stems from the fact that reclassification creates a turf war between the FCC and the Federal Trade Commission (FTC). The FTC is America’s primary privacy regulator. Congress has adopted some sector-specific privacy statutes, governing sensitive areas such as banking, medical, and children’s privacy. Outside those narrow areas, the FTC has asserted jurisdiction in this realm, regulating companies’ privacy policies as part of its broad mandate to prevent unfair or deceptive trade practices. But Title II reclassification prohibits the FTC from extending this oversight to broadband providers because the FTC Act exempts common carriers from the agency’s purview.


One might respond that the FCC could fill that gap, but the scope of its authority to do so is questionable. When commentators recognized this privacy gap during the FCC’s previous reclassification debacle, the agency responded by enacting an aggressive privacy order specifically for broadband providers. That order imposed stringent opt-in rules about data collection similar to those imposed by the European Union’s heavy-handed regulatory regime and represented a departure from the privacy framework that the FTC applies to the rest of American society. Viewing the rule as excessive, Congress repealed the regulation through the Congressional Review Act, a rarely used statute that allows the elected branches to veto an agency regulation by passing a joint resolution of disapproval.

Congress’s invocation of the Congressional Review Act creates some difficulties for the FCC going forward. When a joint resolution of disapproval is enacted, the regulation immediately ceases to take effect. More importantly, the agency is prohibited from reissuing the disapproved rule or “a new rule that is substantially the same” as the repealed rule. The act does not explain what “substantially the same” means, and because Congress so rarely invokes the process, courts have not had occasion to interpret the phrase. Almost certainly, it means the FCC cannot impose new EU-style opt-in privacy rules on broadband providers. Given the concerns that Congress expressed about an uneven playing field in privacy law, it could mean that the FCC can only adopt privacy rules that mirror those the FTC imposes on the rest of society. A court could also rule the FCC cannot regulate broadband privacy at all going forward, although this is a less likely outcome.

Regardless of how a court interprets the phrase, reclassification under Title II reopens the possibility that different privacy rules could apply to broadband than to other providers. Unless and until the FCC adopts a privacy rule, broadband providers’ privacy practices will be largely unregulated. Even if the FCC avoids its earlier mistake and adopts an approach similar to the FTC’s, there may be inconsistencies between the regimes in practice because the two agencies may apply the same language in different ways.

The broadband privacy saga also highlights the risk that the net neutrality proceeding will ultimately become a stalking horse for greater broadband regulation. When the FCC identified the privacy gap in 2016, it responded not merely by restoring the status quo through FTC-like rules, but by adopting a more aggressive regulatory approach. Many supporters of this approach saw the broadband privacy proceeding as a means by which the FCC could nudge lawmakers to adopt EU-like rules for other companies as well. Overall, the anecdote reminds us that regulation can often have unintended consequences and that regulators often embrace Rahm Emanuel’s maxim to never let a serious crisis go to waste.

