Joint petition for stay re: protecting the privacy of customers of broadband and other telecommunications services

Extract

JOINT PETITION FOR STAY

The American Cable Association (ACA), the Competitive Carriers Association (CCA), CTIA, ITTA – The Voice of Mid-Sized Communications Companies (ITTA), NCTA – The Internet & Television Association (NCTA), NTCA – The Rural Broadband Association, the United States Telecom Association (USTelecom), the Wireless Internet Service Providers Association (WISPA), and WTA – Advocates for Rural Broadband (together “Petitioners”), pursuant to Sections 1.41, 1.43, and 1.44(e) of the Commission’s rules, respectfully request that the Commission stay the rules adopted on October 27, 2016 in the above-captioned proceeding, pending resolution of their respective Petitions for Reconsideration of the Order, as well as the Petitions for Reconsideration filed by several other parties.

INTRODUCTION AND SUMMARY

Eleven parties filed petitions for reconsideration of the Commission’s privacy, data breach, and data security rules for broadband Internet access service (BIAS) providers. These petitions raise significant questions about the legal basis for the rules and their potentially deleterious impact on consumers, competition, and innovation. Notably, several petitions were filed on behalf of companies not even directly subject to the rules but that are nonetheless impacted by them due to the adverse effects of the rules on the digital economy, thereby highlighting the potential for tangible harm to the public from moving forward with the rules. Other petitions were filed by associations representing small broadband providers that face disproportionate burdens arising from the rules adopted in the Order.

Broadband consumers should receive consistent and uniform protection of the privacy of their personal information from all entities in the online ecosystem that come into contact with such data as it transits the Internet. As the Commission itself has recognized, the “importance of privacy protection is certainly not new to the nation’s largest broadband providers, all of which have publicly available privacy policies, describing their use and sharing of confidential customer information.” Petitioners’ member companies have considerable experience in safeguarding broadband service information and strong business incentives to secure and strengthen the trust of the customers with whom they share an ongoing business relationship by serving as responsible stewards of their personal information. Indeed, Internet Service Providers (ISPs) have released a voluntary set of privacy and data security principles that are predicated upon the core tenets of transparency, consumer choice, and security that undergird the Federal Trade Commission’s (FTC) well-known and highly successful privacy framework.

As set forth more fully in the Petitions for Reconsideration filed by Petitioners, which are incorporated by reference herein, the rules imposed in the Order governing ISP use and sharing of BIAS customer data are unsound as a matter of both law and policy. Petitioners seek a stay in order to undo the Order’s dramatic departures from the FTC’s privacy framework, which effectively balances the twin objectives of providing consumers control over their personal information while preserving opportunities for beneficial uses of data that lead to innovation, new products and capabilities, customized services, and growth in the digital economy. Staying the Order would allow the Commission to consider the Petitions for Reconsideration without causing significant disruption to businesses and creating confusion for consumers. The Petitions aim to restore the proven and effective approach of protecting consumers’ privacy rights through the consistent and uniform application of a single set of privacy obligations applicable across the Internet to all companies that come into contact with broadband consumer data.

As detailed below, Petitioners satisfy the applicable standard for grant of a stay.

Petitioners Are Likely to Succeed on the Merits. The Order contravenes Section 222 of the Communications Act and violates the First Amendment. Congress did not empower the Commission to adopt the rules in question. To the contrary, Section 222 addresses only access to, and use and disclosure of, certain information pertaining to the provision of voice telephony service. Further, Congress did not authorize regulation of information that does not fall within the definition of customer proprietary network information (CPNI), such as broadband customer personally identifiable information (PII). The tortured constructions of Section 222(a) employed to reach a contrary result underscore the rupture between the Order and the language and structure of the statute. The constraints on ISP use and sharing of IP addresses, MAC IDs, and other device identifiers established in the Order, as well as the regulation of broadband customer content information, are likewise beyond the scope of the Commission’s authority under Section 222. The rules also infringe on the protected speech of ISPs in a manner that cannot pass muster under the First Amendment.

Apart from its statutory and constitutional defects, the Order is also arbitrary and capricious in several key respects. First, disregarding voluminous evidence in the proceeding, the Order erroneously and irrationally concludes that ISPs have unique and pervasive visibility into broadband customer information relative to other Internet entities that come into contact with the same data, and wield undue leverage over such information by occupying a putative gatekeeper role. Both of these conclusions are contrary to the record and undergird the Order’s core policy infirmity: the imposition of significantly more costly and onerous restrictions on ISP use of online consumer data than all other online entities.

Second, the Order unjustifiably departs from key elements of the long-standing and effective privacy framework developed by the FTC. It imposes an opt-in consent obligation solely upon ISP use of Web browsing and app usage data, under the faulty assumption that such data is uniformly “sensitive” when accessed by ISPs. The Order also overrides consumer expectations and common industry practice – as well as established findings and conclusions of the FTC and the previous Administration – by subjecting most ISP first-party marketing to either opt-out or opt-in consent, instead of implied consent. The Order thus establishes inconsistent privacy standards that will confuse consumers and violate key principles of fair competition. The rules enshrine this asymmetric treatment into law without any showing that consumers would be harmed by the uniform application of the FTC’s privacy framework to ISPs and non-ISPs alike with respect to the use of Web browsing/app usage data and first-party marketing.

Third, the Order fails to undertake any analysis of whether the economic and consumer welfare costs of the rules’ constraints on beneficial uses of data outweigh the benefits, if any, associated with such restrictions. The disparate treatment of Web browsing/app usage data and first-party marketing will interfere with the ability of consumers to receive customized services and capabilities they enjoy and information about new products and discount offers. It also will hinder the ability of ISPs to innovate by developing and furnishing new customized offerings and to provide much-needed competition in the highly concentrated online advertising market. These costs to consumers and competition will be incurred with little, if any, corresponding benefit to consumer privacy, since the same broadband consumer data that ISPs will be constrained from using will continue to be used by all other Internet ecosystem entities subject to the FTC’s more flexible regulatory approach. Further, the Commission ignored its responsibilities under the Regulatory Flexibility Act (RFA), which includes a duty to describe and assess the significant economic impact the Commission’s proposals might have on small entities. Indeed, the record reflects that small BIAS providers with limited resources, most of which do not monetize consumer data, will struggle to shoulder the costs imposed by the Order. Therefore, on multiple counts, the Order ignores the Commission’s responsibility to rigorously assess whether the benefits of its rules are worth its substantial costs.

Fourth, the Order subjects such a broad swath of non-sensitive data to its data breach and data security requirements that the implementation of these requirements will be costly, burdensome, and unworkable due to the ready availability of such data to countless entities in the Internet ecosystem. The defects of the data breach rules are compounded by the Order’s vague definition of harm and its decision to peg the short timetable for notifying law enforcement and the Commission to the date of breach determination – rather than the date of determination of harm – which will lead to over-notification of putative data breaches that do not actually cause consumer injury, creating customer confusion and potential unwarranted distrust of ISPs.

Absent a Stay, Petitioners Will Suffer Irreparable Harm. Petitioners’ member companies will suffer immediate and irreparable harm in the absence of a stay of the broadband privacy rules. As an initial matter, the rules adopted by the Commission contravene the First Amendment rights of ISPs, and constitutional harms are sufficient on their own to meet the harm threshold for a stay. Moreover, to come into compliance with the rules by their various upcoming effective dates, ISPs must take costly and time-consuming technical, operational, and administrative steps now. Those steps include making changes to hardware and software assets and configurations across their networks to account for new choice mechanisms, constraints on data use and sharing, and data breach notification and data security requirements. They also include (1) the development of new internal privacy business rules that must be reflected in operating manuals, organized into training programs, and taught to thousands of employees and vendor personnel; and (2) the creation of new notices to consumers about those new privacy practices and the consumers’ data rights under the law, and procedures for the collection and administration of new customer consents that must be in place before the rules go into effect. These administrative and compliance burdens are particularly onerous for small providers serving unserved and underserved communities that cannot readily absorb the costs and must pass them through to their customers in order to stay in business.

Requiring ISPs alone to make changes to their privacy policies for data subject to the Commission’s asymmetrical privacy rules is inherently confusing for customers, and will lead to a loss of goodwill, particularly since (1) many other companies using the same data will continue to be subject to the FTC’s privacy framework, and (2) such company policy changes are likely to change again if the FCC modifies or eliminates the new rules on reconsideration. In short, the harms caused by subjecting ISPs to the substantial costs and burdens of operationalizing rules that are unlikely to be retained in their current form are unnecessary, counterproductive, and irreparable. Petitioners’ member companies will also suffer competitive harms as they are forced to forgo potential business opportunities to their non-ISP competitors, due to the disparate restrictions on the use of the same customer data and the likelihood of notice fatigue and customer alienation engendered by the defects in the data breach rules.

A Stay Will Not Injure Other Parties and Will Further the Public Interest. Grant of a stay will not harm any other party. Instead, it will maintain a status quo that has been in place for nearly two years since the Commission adopted the Open Internet Order and reclassified BIAS as a telecommunications service, thereby removing ISPs from the purview of the FTC privacy and data security framework. During that time period, ISPs continued to honor their commitments to consumers set out in their privacy policies, and to provide appropriate choices to consumers concerning the use of their information. If a stay is granted, consumers will remain subject to those protections, as ISPs will continue to adhere to privacy policies predicated upon the FTC’s core principles of transparency, choice, and security. Further, the voluntary privacy and data security principles that ISPs have pledged to follow will provide consumers with additional safeguards should the Commission’s broadband privacy rules be stayed. In addition, the guidance previously provided by the Commission to deter bad faith and unreasonable privacy practices can, if necessary, remain in effect pending a resolution of the merits of the reconsideration petitions. Thus, while ISPs have not been subject to specific implementing rules for nearly two years now, they have complied with the Commission’s interim guidance, other applicable federal and state privacy, data security, and breach notification laws, and their own privacy policies, with scant evidence of harm to consumers.

The public interest also favors a stay. Preserving the status quo pending further examination of whether to uphold the Order’s repudiation of key components of the FTC’s successful privacy framework would benefit consumers, competition, innovation, and the digital economy – and thus furthers the public interest. There are no public benefits from compelling ISPs to incur substantial costs and burdens to implement rules tainted with the legal and policy defects identified by Petitioners in their Reconsideration Petitions. Further, the prospect of the Commission revisiting Title II reclassification also militates in favor of a stay, because the relief requested here would permit the Commission to defer the operative effect of the broadband privacy rules until the issue of the appropriate regulatory classification of broadband service is definitively resolved. As with the relief requested in the instant stay request, revisiting the decision to reclassify BIAS as a Title II service would benefit consumers by helping to restore the application of consistent and uniform privacy and data security obligations across the Internet.


This content extract was originally sourced from an external website (CTIA Resource Library) and is the copyright of the external website owner.
