"The FCC got this wrong."
At least that's the reaction of the Direct Marketing Association to a set of privacy rules approved Thursday by the Federal Communications Commission that has privacy advocates thanking the agency for the early Christmas present. Similar sentiments are likely in the coming days as the advertising and media industries react to the regulations, which forbid internet service providers from activities like using and sharing data on location and web browsing habits unless consumers explicitly opt in.
The prospect of the rules have had companies throughout the digital ecosystem quaking since earlier this month when the FCC, which was recently empowered to oversee privacy related to broadband internet service providers, sprung an updated proposal on them.
"Today the FCC took an action which discards the regulatory framework that has fostered the growth of the internet economy and supports much of the content and services consumers enjoy every day," wrote Emmett O'Keefe, senior VP of advocacy for the DMA, in a statement that the trade group released soon after the FCC's 3-2 party-line vote, with Democrats in support. "The FCC's decision is bad for consumers and bad for the U.S. economy. There are no winners in this action; only losers. In short, the FCC got this wrong."
By requiring ISPs to get "opt-in" consent from consumers before using and sharing what the agency deems to be sensitive data -- including geographic locations, browsing history and app-usage information, -- the rules throw a wrench into data sharing and use plans and practices of some of the largest telco and media firms as well as small ad tech players.
It's important to note that the FCC rules do not prohibit ISPs from using what it now defines as sensitive data. Rather, they make ISPs give consumers more control over their information by requiring them to opt-in before it is used.
The Association of National Advertisers blasted the "FCC's new sweeping privacy rules decision," calling it "unprecedented, misguided, counterproductive, and potentially extremely harmful."
Recent deals made by ISPs Verizon and AT&T are prominent in industry thinking. Acquisitions of AOL and Yahoo by Verizon, in addition to the more recent purchase of Time Warner by AT&T, now are viewed through a lens clouded by restrictions on how those companies can combine their data assets to enable unprecedented levels of ad targeting sophistication. Verizon aims to use AOL's and Yahoo's ad tech as conduits for turning the data it already generates to enable phone calls, deliver text messages and connect customers to the web into information that can be employed for ad targeting, campaign measurement and other purposes in AOL and Yahoo's ad platforms.
The acquisition of Time Warner by AT&T last week brings with it similar potential for combining web and mobile browsing data and geographic location data to TV targeting.
The Internet & Television Association complained in a statement that "The [FCC]'s decision to break with the FTC's proven privacy framework in favor of a cobbled-together approach that abandons principles of fair competition is profoundly disappointing. Instead of creating a consistent and uniform approach to privacy that consumers can easily understand, today's result speaks more to regulatory opportunism than reasoned policy."
The Federal Trade Commission takes a different approach to defining sensitive or personally identifiable data. It only considers location data, web cookies and mobile device IDs to be personally identifiable when related to children, thus requiring parental consent for use. The Interactive Advertising Bureau's Executive VP of Public Policy Dave Grimaldi wrote in an op-ed in The Hill yesterday that the FCC should follow the FTC's approach.
The new FCC rules also make financial and health information, children's information and social security numbers "sensitive information," requiring opt-in consent from consumers for use by ISPs. Unless a consumer opts out from use of other information such as email addresses or service-tier information, ISPs can employ or share it. The FCC also allows ISPs to use any data it gathers to implement its broadband services or for administrative purposes such as billing.
This new privacy arena for the FCC opened as a result of the agency's adoption of net-neutrality rules for broadband last year, giving it jurisdiction over ISP use of consumer data, the same way the agency has purview over how phone companies use our information. The FCC arguably can have more impact than the Federal Trade Commission has had when it comes to safeguarding consumer privacy, however, mainly because the FCC has rulemaking authority while the FTC does not.
The FTC, the consumer watchdog people have come to know as the primary digital privacy protector, still has oversight of the so-called "edge" providers to which ISPs connect consumers, such as website operators like Facebook, email providers like Google or app platforms like Apple.