FCC broadband privacy proposal; Potential challenge to FTC privacy enforcement power

FCC to consider broadband privacy proposal

On October 6, the Chairman of the Federal Communications Commission (FCC) issued proposed rules that would impose on broadband providers privacy regulations similar to those implemented and enforced by the Federal Trade Commission (FTC). The proposal calls for increased disclosure regarding the collection and use of consumer information, as well as greater consumer input on what information is shared. The proposed rules require opt-in consent for sharing “sensitive” information, which includes geolocation, health and financial information, browsing history, and social security numbers, while an opt-out scheme would govern “non-sensitive” data such as home and IP addresses. Broadband providers would also be required to comply with data security requirements consistent with FTC requirements and the National Institute of Standards and Technology’s (NIST) cybersecurity framework.

If adopted, the proposal would effectively require that in most cases, providers must obtain consumer permission before sharing data.

However, there is the potential for some inconsistencies with the FTC’s scheme. Critics of the revised proposal find it does not go far enough in mirroring the FTC’s scheme. One overarching criticism is that the FCC proposal unnecessarily burdens broadband providers through, among other things, regulatory mandates that are more restrictive than the FTC’s flexible, guideline-based approach.

The FCC’s commissioners will vote on the proposal at the end of October.

FTC data security enforcement authority likely to be challenged in federal appeal

An appeal filed last week will likely challenge the FTC’s authority with respect to data security. The FTC issued an opinion finding a medical testing company’s data security practices unreasonable, thus constituting an unfair act or practice under Section 5 of the FTC Act. The FTC ruling reversed an administrative law judge’s finding that the evidence failed to show that the company’s data security practices—which included storing patient information on a peer-to-peer file-sharing network and failing to implement “even basic precautions to protect the sensitive consumer information” on the network—did or were likely to cause substantial injury to patients. The FTC also denied a petition by the company, LabMD Inc., to stay the FTC’s enforcement pending the appeal to the U.S. Court of Appeals for the Eleventh Circuit. In its petition, LabMD challenged both the FTC’s data security enforcement authority and the adequacy of the FTC’s definitions of what constitutes reasonable security practices and substantial injury.

It is likely that both issues will be briefed on appeal, and a ruling by the court on either question may alter the current state of data security enforcement. Without any specific grant of authority to enforce data security compliance, the FTC has relied on the FTC Act’s general grant of authority to prohibit unfair and deceptive practices. Furthermore, the FTC has not issued any global standards defining what constitutes reasonable data security practices. Instead, companies have been urged to discern reasonableness from the consent decrees entered into between the FTC and companies found to have unreasonable data security practices.