Comments - AAF Thought Leadership

Before the
Federal Communications Commission
Washington, D.C. 20554
In the Matter of
Protecting the Privacy of Customers of Broadband
and Other Telecommunications Services
WC Docket No. 16-106
Comments of the American Advertising Federation, American Association of
Advertising Agencies, Association of National Advertisers, Direct Marketing
Association, Electronic Retailing Association, Electronic Transactions Association,
Interactive Advertising Bureau, National Business Coalition on E-Commerce &
Privacy, and Network Advertising Initiative
I. Introduction
The undersigned trade associations collectively represent hundreds of companies, from
small businesses to household brands, which engage in responsible online data collection and use
that benefits consumers and the economy. We appreciate this opportunity to comment on the
Federal Communications Commission’s (“FCC”) Notice of Proposed Rulemaking on Broadband
Privacy (“NPRM”).1 We and our member companies are concerned that the FCC, through the
NPRM, is attempting to create restrictive new requirements for data collection and use that will
threaten the Internet’s economic success and consumer benefits. We believe that the proposed
restrictions are unnecessary, overly burdensome, and outside the FCC’s statutory authority.
II. Data-Driven Marketing Benefits Consumers
The FCC’s proposal for restrictive regulations is a solution in search of a problem. The
FCC has not established a record of consumer harm that necessitates new regulation in this area
1 Protecting the Privacy of Customers of Broadband and Other Telecomm. Servs., 81 Fed. Reg.
23,360-23,411 (Apr. 20, 2016) (to be codified at 47 C.F.R. pt. 64) [hereinafter NPRM]. When
possible, we cite to the FCC’s notice in the Federal Register. However, no footnotes were
included in the Federal Register notice. As a result, where we cite to the FCC’s footnotes, we
cite to FCC 16-39.
or justifies the specific approach put forward by the FCC. In fact, the current online ecosystem
subsidizes content and programming that consumers value, promotes innovation, and grows the
economy.2 A recent study commissioned by DMA’s Data-Driven Marketing Institute (“DDMI”)
and conducted independently by Harvard Business School Professor John Deighton and recent
Adjunct Columbia University Professor Peter Johnson, entitled, The Value of Data:
Consequences for Insight, Innovation, & Efficiency in the U.S. Economy (“Value of Data”),
quantifies the concrete economic benefits of data.3 The Value of Data study found that the
Data-Driven Market Economy (“DDME”) generates vital revenue and jobs for the U.S. economy.
Specifically, the study found that the use of data-driven marketing added $202 billion in revenue
to the U.S. economy and fueled more than 966,000 jobs in 2014.4 The study also found that the
U.S. DDME provides the American people with high value jobs.5 While the undersigned
associations are committed to responsible data practices, the unnecessary new restrictions in the
NPRM could threaten these economic benefits.
A recent academic analysis identified significant concerns with regulating privacy
through legislation and formal rulemaking.6 The article explains how positive corporate privacy
2 A recent Zogby Analytics poll commissioned by the Digital Advertising Alliance (“DAA”)
shows that consumers assign a value of almost $1,200 a year to ad-supported online content.
DAA, Zogby Poll: Americans Say Free, Ad-Supported Online Services Worth $1,200/Year; 85%
Prefer Ad-Supported Internet to Paid, PR Newswire (May 11, 2016 8:30 AM),
http://www.prnewswire.com/news-releases/zogby-poll--americans-say-free-ad-supported-onlineservices-worth-1200year-85-prefer-ad-supported-internet-to-paid-300266602.html.
3 Deighton and Johnson, The Value of Data: Consequences for Insight, Innovation & Efficiency
in the U.S. Economy (2015) (hereinafter “The Value of Data”).
4 Id. at 19.
5 Id.
6 Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Books and on the Ground, 63
STAN. L. REV. 247, 260 (2010) (“Statutes provide inconsistent treatment of similar information
and similar business activities leading to an uneven playing field for business and an
unpredictable set of protections for individuals.”),
http://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=2305&context=facpubs.
practices developed using the existing legal framework as a base.7 The study’s authors
concluded that “reliance on compliance with a set of detailed provisions may frustrate, rather
than further, underlying regulatory ends. Rule systems are inevitably incomplete, failing to
provide guidance in a host of contexts, especially as circumstances change.”8
III. Self-Regulation Is the Appropriate Tool to Regulate Online Data Practices
The NPRM is unnecessary because existing voluntary self-regulatory standards are the
appropriate tool to govern the dynamic and interrelated online content and advertising
ecosystem. Currently, online data collection and use are governed by robust enforceable
industry self-regulatory regimes. The Congress has considered online privacy issues many times
based on ample hearings and debate, and each time has declined to enact new legislation,
recognizing that new regulation in this rapidly evolving area would hinder innovation, not
provide new benefits to consumers, and threaten the economic value of a thriving market sector.
Consistent with this longstanding approach, we believe that enforceable, voluntary
self-regulatory codes remain best suited to honor consumer privacy preferences while allowing
legitimate data practices to flourish. Self-regulation is flexible and responsive, both of which are
key qualities for the regulation of rapidly evolving technologies and practices. Companies
participating in self-regulation recognize that responsible data practices are essential for the
continued success of the Internet economy, and such regimes are vigorously enforced and
regularly updated. In addition, companies have a strong business incentive for compliance with
self-regulation, since many companies choose to work only with companies that have a proven
track record of responsible data collection and use. Industry provides model approaches for
self-regulation including those of the Direct Marketing Association (“DMA”), Digital Advertising
Alliance (“DAA”), and the Network Advertising Initiative (“NAI”).
7 Id. at 260.
8 Id. at 303.
By way of example, the DAA, led by multiple trade associations, has convened industry
to address complex policy issues involving the collection and use of web viewing, application
use, precise geolocation, and other online data for interest-based advertising and other applicable
uses (“Self-Regulatory Program”).9 The successful approach taken by the DAA led to an event
in February 2012 at the White House where the then-Chairman of the Federal Trade Commission
(“FTC”), the then-Secretary of Commerce, and White House officials publicly praised the
DAA’s cross-industry initiative. The White House recognized the Self-Regulatory Program as
“an example of the value of industry leadership as a critical part of privacy protection going
forward.”10 The DAA Self-Regulatory Program’s principles have been expanded several times
since they were launched to address new business practices such as cross-device linking and
mobile advertising. The DAA’s further work in releasing the expanded principles has garnered
additional praise, including from FTC Commissioner Ohlhausen who has stated that the DAA “is
one of the great success stories in the [privacy] space.”11 If a company fails to meet its
obligations under the Program, the DAA’s independent accountability programs, run by the
Council for Better Business Bureaus (“CBBB”) and the DMA, will work to bring a company into
compliance. The programs may refer unresolved matters to the FTC. The CBBB publicly
9 The NAI Code of Conduct requires similar notice and choice with respect to Interest-Based
Advertising.
10 Speech by Danny Weitzner, We Can’t Wait: Obama Administration Calls for A Consumer
Privacy Bill of Rights for the Digital Age (February 23, 2012),
http://www.whitehouse.gov/blog/2012/02/23/we-can-t-waitobama-administration-callsconsumer-privacy-bill-rights-digital-age (last visited May 18, 2016).
11 Katy Bachman, FTC's Ohlhausen Favors Privacy Self-Regulation, Adweek (June 3, 2013,
2:50 PM), http://www.adweek.com/news/technology/ftcs-ohlhausen-favors-privacy-selfregulation-150036 (last visited May 18, 2016).
reports its decisions and has brought more than 60 enforcement actions since the DAA Program
went into effect.
The FCC acknowledged that the NPRM’s notice and choice requirements were informed
by the DAA’s Self-Regulatory Program, as well as the NAI’s Updated Code of Conduct and
Updated Mobile Application Code,12 and noted the DAA’s and NAI’s efforts in its discussion of
the possible effect of its proposed rules on the broadband ecosystem.13 The FCC’s proposal
states the need for flexibility to accommodate new technologies while continuing to provide for
privacy-protective practices,14 and the DAA’s and NAI’s programs demonstrate that industry
self-regulation amply meets this need.
IV. The NPRM Oversteps the FCC’s Authority
The FCC’s attempt to regulate this area is an overreach of its authority. The NPRM
states that the rulemaking “secur[es] what Congress has commanded.”15 On the contrary,
Congress directed the FCC to provide rules to safeguard telephone records—not to regulate
privacy in the very different area of online data collection. In 1996, “Broadband Internet access
service” (“BIAS”) did not even exist. Section 222 of the Telecommunications Act of 1996 gives
the FCC authority to regulate the privacy of “customer proprietary network information”
(“CPNI”) in the context of voice telephony, not BIAS. Other provisions in the Act include
references to the Internet, but Section 222 does not.16 Consistent with that understanding, both
Congress and the FCC itself have defined CPNI to include personal information specific to voice
12 FCC 16-39 ¶¶ 83, 142 n.250.
13 FCC 16-39 ¶ 132 n.235.
14 NPRM at 23,380.
15 NPRM at 23,361.
16 See, e.g., 47 U.S.C. § 230.
telephone records and billing information.17 A plain reading of the statute as a whole shows that
the FCC’s authority to address privacy under Section 222 is limited to CPNI and to voice
telephony.
V. Specific Concerns with the Proposed Rules
A. The Proposed Definition of PII Is Too Broad
The NPRM proposes to regulate a new category of customer information it terms
“Customer Proprietary Information” (“Customer PI”) made up of CPNI and “personally
identifiable information” (“PII”).18 The proposal defines PII as any information that is “linked”
or “linkable” to an individual.19 The NPRM proposes that information is “linked” or “linkable”
to an individual if it “can be used on its own, in context, or in combination to identify an
individual or to logically associate with other information about a specific individual.”20 The
proposal puts forth a broad definition of PII that includes, according to the FCC’s non-exhaustive
listing of more than 30 data elements, numerous data elements that generally are not, and have
not been considered, individually identifiable, such as application usage data, geo-location
information, and Internet browsing history.21 PII should, on its own, identify a specific
17 47 U.S.C. § 222(c); Implementation of the Telecommunications Act of 1996:
Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other
Customer Information, CC Docket No. 96-115, Report and Order And Further Notice of
Proposed Rulemaking, FCC 07-22, ¶ 5 (2007); Implementation of the Telecommunications Act of
1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and
Other Customer Information, CC Docket No. 96-115, Notice of Proposed Rulemaking,
FCC 06-10, ¶ 1 n.1 (2006).
18 NPRM at 23,408.
19 NPRM at 23,365.
20 NPRM at 23,366.
21 NPRM at 23,366. The NPRM cites several sources for its proposed list, but the use of such a
broad definition creates a broader impact in the context of the NPRM than in these other
contexts. For example, the FTC sources cited are consent orders with respect to specific
companies; the National Institute of Standards and Technology (“NIST”) framework lists items
individual. Using this definition, the NPRM would apply its strict framework to nearly all
customer data, including widely and publicly available information, such as names and
addresses. Such a broad application of restrictive rules creates no privacy benefit for consumers,
while imposing significant costs on businesses.
The NPRM’s approach of treating the above elements as PII where they stand
unassociated with any other element—much less any individual—is not only out of step with
current privacy standards but appears inconsistent with other elements of the NPRM. For
instance, if an entity is the victim of a breach involving non-eponymous online identities not
otherwise linked to an individual, does the breached entity have to collect additional PII and link
the breached information to an individual in order to provide the required notification? Such a
regime would create more privacy concerns than it seeks to address.
B. Opt-In Consent Is Not the Appropriate Standard
The FCC’s proposed regime would also set opt-in consent as the default standard for
most data collection and use.22 The current regulatory framework shows that implied or opt-out
consent is the appropriate standard. The FCC cites the FTC’s 2012 report on “Protecting
Consumer Privacy in an Era of Rapid Change” repeatedly throughout the NPRM in support of,
or as a source of, various aspects of its proposal.23 The FCC’s proposal is far more restrictive
than the guidance in the FTC report, which determines that choice is not required for first-party
that “may” be considered PII; and the White House draft bill was a proposal that never
progressed past a discussion phase.
22 NPRM at 23,375.
23 FCC 16-39 ¶¶ 17 n.38, 60 n.98, 90 n.158, 122 n.207.
marketing,24 opt-out is the appropriate standard for online data collection across sites,25 and an
opt-in regime is advisable only in limited scenarios such as the collection of sensitive data.26
The FCC’s previous attempt to mandate opt-in consent was struck down by the Tenth Circuit in
U.S. West, Inc. v. FCC for violating the First Amendment’s commercial speech protections.27
The same logic applies to the broadband privacy context.
C. The Proposed Rules for Affiliate Sharing Create False Distinctions
The NPRM sets forth a regime in which BIAS providers must provide notice and an
opportunity to opt-out prior to “us[ing a] customer’s PI, or shar[ing] customer PI with affiliates
who provide communications-related services, to market communications-related services to that
customer.”28 The proposed opt-out standard for sharing data with affiliates for marketing
communications-related services is unduly burdensome. It is a common practice, which
consumers understand, for companies to market to their existing customers and to share within
the same corporate family for this purpose, especially where the marketed service is related to
the existing customer relationship. This approach helps to preserve efficiencies and maintain
personalized, relevant relationships with consumers. Moreover, the FCC’s proposal
inappropriately regulates data based on the type of marketing it is used for, rather than the
context or the sensitivity of the data. The new opt-out requirements proposed by the FCC create
unnecessary hurdles for companies engaging in legitimate marketing efforts.
24 FTC, Protecting Consumer Privacy in an Era of Rapid Change 40 (Mar. 2012),
https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-reportprotecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf.
25 Id. at 52.
26 Id. at 57.
27 U.S. West, Inc. v. FCC, 182 F.3d 1224, 1230 (10th Cir. 1999).
28 NPRM at 23,375.
D. Breach Notification and Data Security Should Be Left to Congress
The NPRM includes prescriptive breach notification and data security requirements. A
more flexible approach of requiring reasonable data security would be better suited to allow
companies to assess and respond to rapidly evolving security threats. The FCC has also
proposed to regulate breach notification in a way that is contrary to the existing state notification
framework as well as the proposals under consideration by Congress. This addition to the
existing patchwork of laws would cause compliance burdens for businesses and confusion for
consumers, especially in light of the NPRM’s broad definition of PII. Moreover, there is no
statutory basis for specific data security requirements or a breach notification regime imposed by
the FCC in the broadband context, and treating all types of PII (as defined in the NPRM), such as
traffic data and IP addresses, the same as data that is admittedly far more sensitive, like Social
Security numbers, is an ill-conceived approach to managing data security. Given these concerns,
data security and breach notification should be left to Congress to provide consistent, meaningful
standards across industries.
* * *
We appreciate the opportunity to submit these comments, and we look forward to
working with the FCC on this important issue.
Respectfully submitted,
American Advertising Federation
American Association of Advertising Agencies
Association of National Advertisers
Direct Marketing Association
Electronic Retailing Association
Electronic Transactions Association
Interactive Advertising Bureau
National Business Coalition on E-Commerce & Privacy
Network Advertising Initiative
May 27, 2016