Photo of John J. Heitmann

Email
(202) 342-8544
Bio

The Republican-led FCC’s effort to get out of the business of regulating broadband providers’ consumer practices took a step forward on Monday.  In an appeal that has been proceeding in parallel with the FCC’s “Restoring Internet Freedom” reclassification proceeding, the U.S. Court of Appeals for the Ninth Circuit issued an opinion giving the Federal Trade Commission (FTC) broad authority over practices not classified by the FCC as telecommunications services.  Specifically, the Ninth Circuit, sitting en banc, issued its long-awaited opinion in Federal Trade Commission v. AT&T Mobility, holding that the “common carrier exemption” in Section 5 of the FTC Act is “activity based,” exempting only common carrier activities of common carriers (i.e., the offering of telecommunications services), and not all activities of companies that provide common carrier services (i.e., rejecting a “status-based” exemption).  The case will now be remanded to the district court that originally heard the case.  Coupled with the FCC’s reclassification of Broadband Internet Access Services (BIAS) in the net neutrality/restoring internet freedom proceeding, the opinion repositions the FTC as top cop on the Open Internet and broadband privacy beats.

Background

As we discussed in several earlier blog posts, this case stems from a complaint that the FTC filed against AT&T Mobility in the Northern District of California in October 2014 alleging that AT&T deceived customers by throttling their unlimited data plans without adequate disclosures.  AT&T moved to dismiss the case on the grounds that it was exempt under Section 5, based on its status as a common carrier, but the district court denied the motion, finding that the common carrier exemption was activity-based, and AT&T was not acting as a common carrier when it offered mobile broadband service, which, at the time the FCC classified as a non-common-carrier “information service.”  AT&T appealed and a three-judge panel of the Ninth Circuit reversed the district court, holding that the common carrier exemption was “status-based,” and the FTC lacked jurisdiction to bring the claim.  As we noted then, the three-judge panel’s decision was the first recent case to address the “status-based” interpretation of the common carrier exemption, and the decision – if it stood – could re-shape the jurisdictional boundaries between the FCC’s and the FTC’s regulation of entities in the communications industry.

The En Banc Court’s Analysis

The FTC appealed the case to an en banc panel of the Ninth Circuit, which issued its opinion this week.  The court’s decision relied on the text and history of the statute, case law, and significant deference to the interpretations of the FTC and FCC, which both view the common carrier exemption as activity-based rather than status-based.

The Court first analyzed the history of Section 5 and the common carrier exemption.  It found that the Congress intended the exemption to be activity based and rejected textual arguments advanced by AT&T that other statutory provisions—including Section 6 of the FTC Act and the Packers and Stockyard Exception—demonstrated that the common carrier exemption was status based.  The Court gave significant weight to the understanding of common carriers in 1914, when the FTC Act was first passed, and legislative statements made during consideration of that Act.

The Court then addressed case law that an entity can be a common carrier for some activities but not for others.  The Court found this case law to support an activity-based interpretation of the common carrier exemption.  Specifically, the Court found that while Congress has not defined the term “common carrier,” Supreme Court case law leading up to and following the passage of the FTC Act interpreted the term “common carrier” as an activity-based classification, and not as a “unitary status for regulatory purposes.”  The Court found that its approach was consistent with the Ninth Circuit’s longstanding interpretation of the term “common carrier” as activity-based, as well as the interpretations of the Second, Eleventh, and D.C. Circuits.  (AT&T did not contest these cases, but instead argued that the FCC had many legal tools to address non-common carrier activities, including Title I ancillary authority and potential structural separation.)

Notably, the Court also provided significant deference to the views of the FTC and FCC, both of which have recently expressed the view that the FTC could regulate non-common carrier activities of common carriers.  The Court cited the FCC’s amicus brief before the en banc panel and a 2015 Memorandum of Understanding between the two agencies that interpreted the common carrier exemption as activity-based.

Finally, the Court rejected arguments that the FCC’s 2015 Open Internet Order reclassifying mobile broadband as a common carrier service (or the FCC’s 2017 Restoring Internet Freedom Order reversing that classification) retroactively impacted the outcome of the appeal.

Agency Response

After the court issued its opinion, both FTC Acting Chairman Maureen Ohlhausen and FCC Chairman Ajit Pai applauded the ruling.  Chairman Ohlhausen stated that the ruling “ensures that the FTC can and will continue to play its vital role in safeguarding consumer interests including privacy protection, as well as stopping anticompetitive market behavior,” while Chairman Pai stated that the ruling is “a significant win for American consumers” that “reaffirms that the [FTC] will once again be able to police Internet service providers” after the Restoring Internet Freedom Order goes into effect.

Our Take

The Ninth Circuit’s ruling is unsurprising in some senses.  When a court grants en banc review, it often is for the purpose of reversing or at least narrowing the panel’s initial decision.  AT&T also faced fairly strong questioning during the oral argument in September.  Further, the Court’s decision affirms a position that the FTC had taken for many years and that the FCC – as evidenced by the 2015 Memorandum of Understanding – supported.  Thus, the en banc court here effectively affirms current practice.

All of that said, the issue is not settled.  AT&T’s reaction was decidedly muted, and it may still seek Supreme Court review of the question.  This option may be particularly attractive to AT&T because it noted several times during the oral argument that it faced both FTC and FCC enforcement actions against it for allegedly the same activities.  The Ninth Circuit did not mention the FCC enforcement action or the potentially conflicting interpretations of AT&T’s obligations.  It is not clear whether both actions could or would proceed as a result of the decision.

Going forward, once the FCC’s Restoring Internet Freedom Order takes effect, we can expect that the FTC will serve as the top cop for alleged broadband consumer protection violations, including with respect to open Internet- and privacy-related complaints.  And yet, there is still some uncertainty.  The FCC’s Restoring Internet Freedom Order is under appeal.  If the appeals court that ultimately hears the challenges to the Restoring Internet Freedom Order were to reverse the Order, the possibility exists that broadband services would again come under FCC common carrier jurisdiction, thereby exempting the provision of such services from FTC jurisdiction even under an activity-based interpretation of the FTC Act.  Thus, we may not have finality on broadband regulation, despite the Court’s decision this week.

More broadly, we expect that the FTC will continue to push for eliminating the common carrier exemption altogether before the Congress, as it has for many years.  Congressional action to repeal the exemption appears unlikely in the near term.

At least for now, broadband providers should continue to ensure that their privacy and broadband practices are in line with FTC guidelines and judicial interpretations of Section 5, and should comply with remaining FCC Open Internet requirements, such as the transparency rule.

On Thursday, February 22, 2018, the Federal Communications Commission (FCC or Commission) published the Restoring Internet Freedom Order (the Order) in the Federal Register.

As we previously discussed, the Order effectively reverses the Commission’s 2015 Open Internet Order, reclassifying broadband Internet access service as a lightly regulated Title I “information service” and eliminating the 2015 Order’s open Internet rules (while retaining a modified version of the transparency requirement).

The Order will not go into effect until after the Office of Management and Budget completes its Paperwork Reduction Act review, which could take several months. However, last Thursday’s publication is significant because it triggers deadlines for challenges to the Order, both in the courts and in Congress.

The Federal Register publication gives litigants ten days to file petitions for review in federal courts of appeals if they would like to be included in a court lottery to determine the venue for consolidating the Order’s challenges. The following petitions have already been filed:

  • New York District Attorney General Eric Schneiderman announced he and 22 other Democratic attorneys general filed a petition for review at the U.S. Court of Appeals for the D.C. Circuit;
  • Public Knowledge, Mozilla, Vimeo, National Hispanic Media Coalition, and New America’s Open Technology Institute each filed petitions for review in the D.C. Circuit;
  • The California Public Utilities Commission and Santa Clara County each filed appeals in the Ninth Circuit;

Several other parties, including the Internet Association (representing Google, Microsoft, and Amazon, among others), INCOMPAS, the Computer & Communications Industry Association (CCIA), and Free Press are expected to file petitions for review in the near term.

Federal Register publication also allows lawmakers to formally introduce a Congressional Review Act (CRA) resolution of disapproval, which would reverse the Order and prevent the Commission from subsequently introducing a substantially similar Order. While CRA resolutions are a powerful tool in the hands of the majority – as we saw with the rollback of the Broadband Privacy Order earlier this year – as the minority party, the Democrats are at a significant disadvantage. Senator Ed Markey, D-MA, and House Communications Subcommittee ranking member Mike Doyle, D-PA, have led the Democrat’s effort to draft a CRA resolution to nullify the Order. At the time of this blog post, the CRA resolution had 50 Senator co-sponsors, including all 49 Democratic senators and Senator Susan Collins, R-ME.  President Trump is not expected to support the CRA resolution, even if the measure passed both chambers of Congress.

In addition to activities in federal court and in Congress, 26 states are considering net neutrality legislation, and five state governors have issued executive orders regarding net neutrality following the Commissioners’ December 2017 vote.

We will follow up this blog post with a more comprehensive review of the Restoring Internet Freedom Order soon. In the meantime, contact any of the authors of this blog post for more information on the proceeding.

Related image

Last week, the Federal Communications Commission (FCC), in a 3-2 vote, approved an order allowing “television broadcasters to use the ‘Next Generation’ broadcast television (Next Gen TV) transmission standard, also called ‘ATSC 3.0.’”  Described in the Order “as the world’s first Internet Protocol (IP)-based broadcast transmission platform,” the Next Gen TV standard is expected to allow broadcasters to provide more targeted advertisements to individual viewers.  Some had expressed concerns over the collection of the demographic and consumer data necessary for Next Gen TV targeted advertising, and applicable privacy safeguards for the new standard.  At this stage though, the FCC majority took a wait and see approach to privacy concerns.

Continue Reading Will Your TV Watch You? FCC Green Lights Targeted Advertising in Next Gen TV Broadcasting Standard

On November 1, 2017 the House Antitrust Law Subcommittee held a hearing to discuss the role of federal agencies in preserving an open Internet.

The core question discussed at the hearing was whether current antitrust law is sufficient to ensure net neutrality absent FCC rules. The panelists—including FTC Acting Chairman Maureen Ohlhausen and Commissioner Terrell McSweeney; former FCC Commissioner Robert McDowell; and Michael Romano, NTCA Senior Vice President of Industry Affairs and Business Development—and committee members were generally divided down party lines, with Republicans arguing that FCC rules were both unnecessary and counterproductive and Democrats arguing that rules were necessary to ensure an open Internet, free expression, and innovation.

Continue Reading House Antitrust Subcommittee Explores the Role of Antitrust Law in Net Neutrality

On April 3, 2017, President Trump signed into law a Congressional joint resolution eliminating new broadband and voice privacy rules set forth in a November 2016 order (the 2016 Privacy Order) by the Federal Communications Commission (FCC) (the Joint Resolution).  Members of Congress largely voted along partisan lines. The House approved the Joint Resolution by a 215-205 vote and the Senate approved it by a 50-48 vote.

The repeal occurred via Congressional Review Act (CRA) procedures, which enable Congress to rescind recently adopted agency rules.  The Joint Resolution will have a modest impact on the status quo with respect to both broadband Internet access service (BIAS) providers and traditional voice providers, since few of the new rules in the 2016 Privacy Order had gone into effect when the Joint Resolution was passed into law.  However, a less aggressive privacy posture at the FCC is likely to have ripple effects on privacy enforcement at both the federal and state level, as the Federal Trade Commission (FTC) and state attorneys general may attempt to step in to fill the gap, despite potential jurisdictional challenges.  Moreover, unless and until the FCC finds otherwise, Section 201(b) (bars unjust and unreasonable practices) and Section 222 (requirements applicable to broadband are unclear) still apply to BIAS.  As a result, BIAS providers and voice carriers should maintain reasonable privacy and data security policies and procedures to mitigate risks of enforcement intended to mind the gap in some way.

Our client advisory, available here, provides an overview of the repealed order, the CRA, and the steps providers should take to protect themselves during this period of uncertainty.

On Wednesday, November 2, 2016, the Federal Communications Commission (FCC) released the text of its long-awaited Broadband Privacy Order, which it adopted on October 27, 2016. For an overview of the Order, you may read our client advisory here.

The practical impact and reach of the rules will not be known for some time, but at this point we can offer a few of our key takeaways from the Order:

  • All carriers must prepare and maintain public-facing privacy notices. The Commission’s new notice rules will require all telecommunications carriers to draft and post public-facing privacy policies that describe their collection, use, and sharing of customer PI. Formerly, this obligation only applied to BIAS providers (through the Commission’s transparency rule). We expect that disclosures in these privacy policies will be a significant area of enforcement, similar to the Commission’s enforcement of annual CPNI certifications.
  • The sensitivity-based consent framework upends the existing CPNI approval framework. The Commission’s adopted rules fundamentally reshape the consent framework for telecommunications carriers, focusing on the sensitivity of the information, rather than on the particular uses and recipients of the information (as the voice CPNI rules did). As a result, all carriers should carefully review and revise their policies, procedures, and systems for obtaining and tracking customer approval.
  • The Order leaves a significant interpretive role for FCC’s Enforcement Bureau with respect to data security. Unlike the existing voice CPNI rules and the Commission’s proposed data security rules, which mandated specific data security compliance practices, the new rules simply require carriers to adopt “reasonable” data security practices. By focusing on the “reasonableness” of carriers’ privacy and data security practices, the Commission leaves significant room for its Enforcement Bureau to interpret whether particular practices are reasonable, in a manner similar to the FTC’s approach to privacy and data security enforcement. For this reason, providers should carefully review the Commission’s “exemplary” data security practices and Enforcement Bureau consent decrees in order to gauge which practices the Commission expects of providers.
  • Now is the time to begin reviewing contracts with vendors. In the Order, the Commission makes clear that carriers will be held responsible for the acts of their agents, vendors, and other third parties with whom they share customer PI. As a result, carriers should take the opportunity now to review contracts with those third parties to determine whether they include specific terms addressing privacy and security. This is particularly important for non-BIAS telecommunications carriers serving enterprise customers, who will be able to take advantage of the Commission’s expanded business customer exemption.

Kelley Drye’s Communications and Privacy & Information Security practice groups are well-versed in privacy law at the federal and state level, and stand ready to help interested parties understand the scope of these rules and how to operationalize them. Should you have any questions, please contact any of the attorneys listed in the margin.

iStock_000019536561Large-300x225At the Federal Communications Commission’s (“FCC”) Open Meeting on October 27, the Commission voted along party lines (3-2) to impose more stringent rules on broadband Internet service providers (“ISPs”). Chairman Tom Wheeler, along with Commissioners Rosenworcel and Clyburn voted in favor of the item, while Commissioners Pai and O’Rielly voted against it.

The new rules clarify the privacy requirements applicable to broadband ISPs pursuant to Section 222 of the Communications Act. The new rules also apply to voice services and treat call-detail records as “sensitive” in the context of voice services.

According to an FCC press release issued immediately after the meeting, these rules “establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information.” The Commission further asserts that this approach is consistent with the existing privacy framework of the Federal Trade Commission (“FTC”). Continue Reading FCC Votes to Impose Aggressive New Privacy Rules on Broadband Providers

On October 6, 2016, Federal Communications Commission (FCC or Commission) Chairman Tom Wheeler published a blog entry on the Commission’s website outlining proposed privacy rules for broadband Internet Service Providers (ISPs). The proposed rules are scheduled to be considered by the full Commission at its monthly meeting on October 27, 2016. These rules come after the Commission received substantial public comment on its March notice of proposed rulemaking (discussed in an earlier blog post) from stakeholders representing consumer, public interest, industry, academics, and other government entities including the Federal Trade Commission (FTC). The proposed rules appear to soften several elements of the Commission’s initial proposal, which received considerable industry criticism.

The actual text of the proposed order is not available, however, a fact sheet along with the Chairman’s blog post outlines the details of the proposal. Under the proposal, mobile and fixed broadband ISPs would have the following requirements:

  • Clear Notification. ISPs would be required to notify consumers about the type of information they collect; explain how and for what purposes that information can be shared or used; and identify the types of entities with which they share information. ISPs will also be responsible for providing this information to customers when they sign up for a service and regularly informing them of any significant changes. The Commission’s Consumer Advisory Committee will be tasked with creating a standardized privacy notice format that will serve as a “safe-harbor” for those ISPs that choose to adopt it.
  • Information Sensitivity-Based Choice. ISPs must get a customer’s “opt-in” consent before using or sharing information deemed sensitive. Geo-location information, children’s information, health information, financial information, social security numbers, web browsing history, app usage history, and communications content are the broad categories of data that would be considered sensitive. All other individually identifiable customer information would be deemed non-sensitive, and will be subject to an “opt-out” approval requirement. For example, the use of service tier information to market an alarm system would be considered non-sensitive and opt-out policies would be appropriate, consistent with customer expectations.  Finally, the rules will infer consent for certain purposes identified in the Communications Act, including the provision of broadband service or billing and collection.
  • Security.
    • Protection: ISPs must take reasonable measures to protect consumer information from vulnerabilities. To help ensure reasonable data protection efforts, ISPs may: a) adopt current industry best practices; b) provide accountability and oversight for security practices; c) use robust customer authentication tools; and d) conduct data disposal consistent with FTC best practices and the Consumer Privacy Bill of Rights.
    • Breach Response: ISPs must notify customers when data is compromised in a way that results in unauthorized disclosure of personal information. ISPs must notify a) the customer no later than 30 days after discovery of the breach; b) the FCC no later than 7 business days after discovery; and c) if it affects more than 5,000 customers, the FBI and U.S. Secret Service no later than 7 business days after discovery.

The proposal addresses other issues, such as,

  • sharing and using de-identified information consistent with the FTC framework;
  • the use of take-it-or-leave-it data usage or sharing policies; and
  • heightened disclosure requirements for discount plans based on consent to data use.

The proposal emphasizes its focus on broadband services. The proposed rules will not apply to the privacy practices of websites or apps, including those operated by ISPs for their non-broadband services, as the Commission believes this is the purview of the FTC.  This is particularly notable in light of the recent 9th Circuit AT&T decision, which has further blurred the boundaries of the FCC and FTC’s jurisdiction (addressed in an earlier blog post). In that case, the Court determined that the FTC’s “common carrier exemption” is “status-based,” and as such exempts telecommunications carriers (like ISPs) from FTC jurisdiction, regardless of whether the company in question is engaging in common carrier activities. Presumably, the 9th Circuit’s reading of the common carrier exemption would extend to websites and apps provided by an ISP, although Chairman Wheeler appears to take a different reading in his privacy proposal.

In response to Chairman Wheeler’s proposal, FTC Chairwoman Ramirez expressed her pleasure with the FCC’s efforts to protect consumer privacy.

We will be tracking this proceeding as it develops, and will follow up with a client advisory when the Commission releases its final rules.

*Avonne Bell, an associate in Kelley Drye’s Communications Practice Group, co-authored this post.

In the wake of the White House’s February 23, 2012 release of Consumer Data Privacy in a Networked World: A Framework for Protecting and Promoting Innovation in a Global Digital Economy ("Framework"), the Commerce Department’s National Telecommunications and Information Administration (NTIA) published in today’s Federal Register a request for public comments from all interested stakeholders on consumer data privacy issues to be addressed through enforceable voluntary codes of conduct. Comments are due on March 26, 2012.

Although any topic is fair game, NTIA opens the process by signaling that implementation of the Framework’s transparency principle in privacy notices for mobile applications is among the agency’s highest priorities. Also listed as a specific topic on which NTIA seeks comment are other issues associated with mobile apps, including location based services. Cloud computing, online services directed toward teens and children, trusted identity systems, and the use of multiple technologies such as browser-based cookies to collect personal data also are highlighted as areas for comment.

NTIA also seeks comment on how the multistakeholder process should be conducted so as to best ensure openness, transparency, and consensus building. These comments are the first part of this process aimed at developing voluntary industry codes of conduct that eventually be enforced by the Federal Trade Commission.

Groupon recently made sweeping and material changes to its web-posted privacy statement, allowing the company to collect more information and share it more freely with other companies. The changes allow Groupon to collect more information, including location information for its app-driven Groupon Now! deals, and to share it more freely with others, such as Expedia for its Groupon Getaways product. The NextDailyDeal article, "Groupon Privacy Statement Revisions Reflect Rapid Changes in the Marketplace and an Evolving Legal and Regulatory Landscape," provides a quick take on the what and why with respect to the changes to Groupon’s privacy statement.

Groupon’s revised privacy statement brings it more in line with FTC guidance, key concepts in proposed legislation, and developing industry best practices. Now is a good time for all players in the online advertising ecosystem to take stock of their current privacy statements and decided what needs re-working to reflect their company’s current business model and the evolving legal and regulatory landscape.