On March 28th, 2017, the House of Representatives repealed a Federal Communication Commission (FCC) regulation that would have required internet service providers (ISPs) to receive consumer consent before sharing their personal information (such as browsing histories, app usage, etc.) with third parties. While the implementation of some parts of the broader regulation around data security had already been suspended by the FCC before the vote, the restrictions on sharing personal information were to become effective in December 2017. Thus, though the repeal does not change much for consumer privacy from a practical standpoint, it does reverse the progress made under the Obama administration towards protecting consumer privacy.
The FCC chairman, Ajith Pai, has indicated that he is interested turning over the jurisdiction over ISPs to the Federal Trade Commission (FTC) because of its extensive history of regulating privacy practices. However, FTC’s authority to regulate privacy practices of broadband mobile providers such as AT&T was restricted by the ninth circuit in FTC v. AT&T Mobility in 2016, which held that “common carriers” are exempt from FTC’s regulation under Section 5 of the FTC Act (which prohibits “unfair and deceptive trade practices”) even when the act in question (data throttling, in this case) is not related its common carrier function. In order to turn over jurisdiction of ISPs to FTC, they would have to be re-classified to non-common carrier status, which would likely endanger the net neutrality rules implemented by the FCC.
In the absence of FCC or FTC regulation of ISPs, the privacy practices of these companies will continue to be regulated through various state consumer protection laws as implemented by the state attorneys’ general. Unfortunately, this means that there will be a patchwork of regulations and lack of clarity on the security and privacy standards for ISPs to follow.