Protecting Americans’ Online Privacy

In October 2016 the Federal Communications Commission (FCC) approved a privacy rule for companies that provide broadband internet access. The rule, which has not yet become effective, is being challenged by Internet Service Providers (ISPs) and other special interests who claim that it’s not needed and that the FCC did not have the power to enact it. If they win, Americans will lose the ability to have any real say over how the information that their ISPs can collect about them can be used and shared.

Why we need these privacy protections

  • ISPs have a unique window into our lives.
    • All websites we visit and what we do there is usually fully visible to our ISPs. [1]
    • ISPs collect a growing amount of information about users and have created a sophisticated apparatus that tracks us, online and off. Every aspect of our online activities can be collected by our ISPs – not only the websites we go to but the apps we use and often the content of our communications.
    • This data – which can include information on our location, race/ethnicity, finances, health, and families – is available to marketers, advertisers, and others.
    • We have little knowledge and practically no control over how our ISPs collect, analyze, and use our data for profit.
  • We should understand, and have control over, how our ISPs use and share our personal information. The FCC’s broadband privacy rule is a critical step in the right direction.
    • Most Americans don’t believe that having to give up their personal information to get basic communications over broadband is a fair deal. [2]
    • Most consumers only have a choice of one or two high speed broadband providers. This lack of competition means that we can’t necessarily avoid our ISPs’ data policies simply by switching service providers.
    • Verizon’s purchase of Yahoo is an example of how ISPs aren’t satisfied with just selling internet access anymore; they want to sell our data. We are now the commodity.
    • The FCC’s broadband privacy rule puts Americans in the driver’s seat, requiring our ISPs to be transparent about their privacy practices and to get our affirmative consent before they use or share sensitive data such as information about our health, finances, precise geolocation, children, web browsing history and app use, the content of our communications, and our Social Security numbers.
    • The rule also gives Americans the right to opt-out of non-sensitive data being used or shared for purposes other than providing the internet services that we’re paying for.
    • ISPs are required to safeguard our personal information and notify us if there is a data breach.
    • It’s no longer “take it or leave it” — ISPs can’t deny us service if we refuse to let them do whatever they wish with our data.

Why are only ISPs covered by the broadband privacy rule and not all online companies?

  • Federal law requires the FCC to protect our privacy when we use communications services such as telephone and broadband internet access. The Telecommunications Act doesn’t give the FCC this power over online websites, aka edge providers. That remains at the FTC.
  • Congress can and should act to require other companies that collect our personal information to provide strong privacy protections.

 Isn’t  encryption technology enough to protect our online privacy?

  • Most websites and information from our browsing the internet are not encrypted.
  • Even with encryption, our ISPs can learn a lot about us, including our browsing habits and daily routines.
  • Many people, in particular children, older Americans, and those using broadband at schools and libraries, don’t have access to personal encryption tools.
  • Encryption technology is no substitute for basic privacy rights and protection.

 Shouldn’t  the  Federal Trade  Commission (FTC) be in charge of privacy for all companies?

  • As a federal court recently affirmed, the FTC has no jurisdiction over “common carriers,” a designation which includes ISPs. [3]
  • The FTC has no power to enact privacy rules. The agency can sue companies under its jurisdiction if they mislead the public about their privacy practices, but it has no authority to require them to be transparent about what personal information they collect and what they do with it, to ask for individuals’ consent to use or share that information, or to prohibit “take it or leave it” privacy policies. Its enforcement powers are also not as strong as the FCC’s.
  • The Telecommunications Act recognizes that communications are a special and essential category of services, similar to the special industry-specific rules authorized by Congress in banking, health care, and education. It properly gives the FCC authority to ensure that privacy and other aspects of the public interest in communications are protected.
  • The FTC’s “privacy framework” is a set of principles that the agency encourages companies to follow. It does not require companies to do anything and is weaker than the FCC privacy rule. That is why opponents of the FCC rule favor it. Non-binding recommendations and industry self-regulation have not and will not adequately protect Americans’ privacy.

What will happen if the FCC privacy rule is pulled back by the agency or overturned by Congress?

  • Federal law will still require the FCC to protect the privacy of Americans’ communications, but without the rule there will be no clear guidance for communications services to follow.
  • Cable providers will still be covered by the privacy requirements under the Cable Communications Policy Act, creating a disparity with other communications providers.
  • Repeal with the Congressional Review Act will prevent the FCC from revisiting broadband privacy rules at all in the future.
  • Americans will be the losers, as they will have no meaningful control over the privacy of the information about them that their ISPs can use and share.

1 Upturn, “What ISPs Can See” (March 2016) available at

2 Turow, Hennessy, Draper, “The Tradeoff Fallacy,” University of Pennsylvania (June 2015) available at

3 See Davis Wright Tremaine LLC, “Ninth Circuit Rules All Carriers Beyond Reach of FTC’s Consumer Protection Authority” (September 1, 2016) available at