What Really Happens When the FCC’s Online Privacy Rules Are Cancelled
Last fall, with the clock running out on the Obama administration, the Federal Communications Commission adopted stringent new online privacy rules over Internet service providers. The providers sharply criticized the rules as burdensome and unnecessary. This year, with Republicans in control of Congress and the White House, lawmakers moved quickly to repeal the rules, and President Trump signed the measure on April 3.
The controversy over the rules—which had not yet gone into effect–has led to a battle among privacy advocates, Internet service providers, and politicians in both parties.
Here are some common questions and answers about the debate.
Why did the FCC adopt its privacy rules?
Traditionally, the FCC stuck to regulating telecommunications carriers. Under the 1934 Communications Act, telephone companies are subject to strict rules governing the collection and sale of customers’ personal information, including calling history. But more general privacy enforcement, including covering Internet service providers and web sites, has been conducted by the Federal Trade Commission.
Unfortunately, the system broke down in court last year.
The FCC’s online privacy rules were an outgrowth of the agency’s years-long legal battle to protect net neutrality. After two major court losses, the FCC took a new approach in 2015 when it declared that Internet service providers like Comcast’s Xfinity, Charter Communications’ (CHTR) Spectrum, and Verizon’s FiOS operations were more like telephone networks and could be regulated as “common carriers.”
Get Data Sheet, Fortune’s technology newsletter.
That was a successful legal strategy for the FCC, as a federal appeals court that had struck down the earlier net neutrality rules upheld the third try.
But an unintended consequence was that another federal appeals court ruled last August that companies designated as common carriers are broadly exempt from FTC oversight. The ruling meant that the FTC no longer had jurisdiction over the activities of common carriers, and there were suddenly no specific rules or laws limiting what Internet service providers could do with most of the personal information they collected.
In a brief seeking to appeal the ruling, the FTC warned that the newly created enforcement gap was “especially severe in the area of consumer data privacy.”
What kind of rules did the FCC adopt?
Under the FCC’s rules, modeled on the tight privacy limits that applied in the telecommunications market, Internet service providers had to get customer permission in advance—known as opting in—before using or sharing sensitive information including precise location, financial and health information, social security numbers, web browsing history, app usage and the contents of communications.
Companies could use less sensitive information, such as email addresses, unless customers asked them not to, or opted out. The rules also required Internet service providers to clearly explain their privacy practices and implement best practices to secure all collected data. The opt-in privacy rules were scheduled to take effect towards the end of 2017—12 months after being published in the Federal Register.
Why did companies oppose the new limits?
The FCC’s rules prompted major protests from the Internet service providers and even some Internet companies that weren’t subject to them.
The FTC, relying on its core mission to stop “unfair” and “deceptive” practices, typically allowed companies to collect information without requiring an advance opt in, as long as customers could optionally opt out. Since most consumers don’t take the time to opt out of data collection, that suited the Internet service providers and big web sites like Google (GOOGL) and Facebook (FB) just fine.
But the new FCC rules required an opt-in only by ISP customers and didn’t apply to web sites.
The big ISPs complained that just as much or more tracking was done by the web sites, so the FCC rules created an unfair limitation without fully protecting consumer privacy. And even Google wrote a letter to the FCC opposing the new rules, likely fearing that the agency’s move might stir a movement for stricter rules applying to web sites, too.
What happens now that President Trump signed the legislation revoking the FCC rules?
Although laws protecting online privacy in a few specific areas remain in effect, the enforcement gap created by last October’s appeals court ruling against the FTC is reopened.
FCC chairman Ajit Pai and Republican lawmakers have said they plan to revoke the net neutrality rules. That could possibly make some of the companies subject to FTC privacy rules again. But it’s not certain when or how Pai and his allies will eliminate the net neutrality rules.
But haven’t major ISPs said nothing is changing either way?
The big ISPs issued carefully worded statements last week seeking to quell the controversy. Since the FCC rules had not yet gone into effect, their statements that nothing has changed by repealing the rules is technically correct.
Verizon (VZ) used similar language in its statement. The carrier said it had two programs that used customer information for targeting advertising and that customers could opt out of either.
AT&T (T) didn’t repeat the same pledges, but said it had not changed its privacy practices and noted that it was still subject to privacy rules included in the Communications Act. Left unsaid was that the act’s privacy provisions discuss only telecommunications data, like call location and information published in phone directories.
In all three cases, the companies continue to collect customers’ personal data such as individual web browsing history. Customers are offered the limited ability to opt out of sharing of the data for some ad programs.
What are privacy advocates worried could happen next?
Without formal rules, Internet service providers are free to change their policies. And at various times in the past, privacy advocates note, the service providers have engaged in more intrusive data collection and marketing. For example, many ISPs intercepted search requests and sent customers results from their own marketing agency instead of the search engine that the customer expected.
The lack of privacy rules could also be harmful to cybersecurity. Oftentimes, the injected advertising and tracking software used by marketers has security holes that can be exploited by hackers.
And the huge databases of customer data are enticing targets for hackers. The growing data stores are also available for law enforcement agencies and spies to tap into.
(Updated April 4 with news of Trump signing the roll back.)