WASHINGTON - The Federal Trade Commission wants the FCC to require opt-in for some uses of customer proprietary network information (CPNI), whether it is by an ISP, an affiliate or a third party. It would also combine that with a more finessed view of information, setting the level of protection to the level of sensitivity.
As a “general matter,” said FTC staff in comments to the FCC, it supports the FCC’s focus on “transparency, consumer choice, and security” but has some specific tweaks, suggesting the FCC proposal would overprotect some information and under-protect other information.
For example, the FTC staff says that categorizing any information that is linkable to a person as personally identifiable information subject to the rules “could unnecessarily limit the use of data that does not pose a risk to consumers,” adding: “[W]hile almost any piece of data could be linked to a consumer, it is appropriate to consider whether such a link is practical or likely in light of current technology. FTC staff thus recommends that the definition of PII only include information that is ‘reasonably’ linkable to an individual.”
The FTC would also make linking applicable to devices (cookies, static IP addresses) as well as people.
The FCC’s approach to consumers opting in or out of the use of their information by ISPs, affiliates or third parties is divided into three categories: 1) uses for which consent is implied (billing-related and aggregated info that is not personally identifiable); 2) marketing of telecom services by ISPs and their affiliates, which would require consumers to opt out; and 3) sharing with third parties (potentially for targeted marketing purposes), which would require opt-in.
The FTC would confine the opt-in requirement to “sensitive information” including the content of communications, Social Security numbers, health and financial info, information on kids or geolocation.
But it would make that applicable across the board. “Under the FCC’s proposal, BIAS providers could use content of communications for internal and affiliate marketing without obtaining consumers’ opt-in consent first,” the FTC pointed out.
The FTC staff would instead require opt-in for first-party and affiliate uses of the content of communications, which would include “contents of emails, communications on social media, search terms, website comments, items in shopping carts, inputs on web-based forms, and consumers’ documents, photos, videos, books read, movies watched.”
“Although paragraph 49 of the NPRM notes that the FCC does not ‘think that providers should ever use or share the content of communications that they carry on their network without having sought and received express, affirmative consent for the use and sharing of content,’ the text of the Proposed Rule does not appear to reflect this approach. FTC staff proposes that the Proposed Rule be revised to clearly require choice for the contents of consumer communications.”
As to transparency, the FTC generally supports the FCC approach of clearly notifying customers about privacy policies. The FTC also says that names, addresses and phone numbers should all be considered PII.
On security, the FTC is generally supportive of the FCC approach, including a breach notification for ISPs.
Because the FCC reclassified ISPs as common carriers under Title II, the FTC no longer has jurisdiction over broadband privacy: there is an exemption from its enforcement authority for common carriers. That means the FCC had to come up with its own privacy framework.