Review of Telecom/Media Industry Comments to FTC's Privacy Framework
Written by Stu Eaton
Our ongoing effort to summarize the comments (see post here) filed in response to the FTC’s Privacy Framework continues this week as we focus on the Telecommunications and Media industry. The bulk of the comments came from the telecommunications industry, including key players such as AT&T, Verizon, the National Cable and Telecommunication Association (“NCTA”) and CTIA- The Wireless Association (“CTIA”). As a whole, the telecommunications industry’s comments focused on the following four issues:
- Continued industry self-regulation based on best practices identified by the FTC;
- Ensuring that any framework is competitively neutral;
- Maintaining the distinction between PII and Non-PII; and
- Consumer notice and choice (including “Do Not Track”).
More detail on each topic after the jump.
A. SELF REGULATION
Like their retail and advertising counterparts, telecommunications commenters uniformly argued against the imposition of a legislatively-imposed regulatory framework that might stifle innovation in a marketplace characterized by rapidly-evolving technology. Instead, commenters asked the FTC to create a framework of best practices to guide industry in establishing its own regulations for the collection and use of consumer information.
For example, AT&T argued that the best regulations identify performance objectives rather than specifying actual behavior or the manner of compliance. This approach would leave industry the flexibility to continue developing innovative products and services while also protecting privacy.
The NCTA argued that any policy framework adopted by the FTC should preempt the patchwork of state data privacy laws, but not include a private right of action. The NCTA believes that a private right of action will hinder effective communication between companies and consumers about privacy. Faced with the threat of class action liability, companies will be forced to adopt defensive, legalese-ridden privacy policies that are difficult for consumers to comprehend.
B. COMPETIVELY NEUTRAL
Competitive neutrality was a particular area of concern for telecommunications providers. Specifically, commenters were concerned that the FTC would enact a privacy framework that unfairly burdened one industry – or technology -- over another, resulting in competitive disparities and market inefficiencies. For example, Verizon felt the FTC “unfairly” singled out Internet Service Providers (“ISPs”) and “deep packet inspection” as requiring heightened regulation, which would “unfairly disadvantage[] ISPs and favor[] companies, technologies, and business models based on cookies or other technologies and software that collects and use[s] similar . . . information.” In same vein, the NCTA noted that any new regulations should account for existing privacy regulations in specific industries – such as cable and telecommunications – to avoid imposing a duplicative burden on those industries.
C. PERSONALLY IDENTIFIABLE INFORMATION
The industry was also critical of the FTC’s efforts to “collapse” the distinction between PII and non-PII. The NCTA pointed out the PII/non-PII distinction forms the basis for how many Internet businesses function, and warned that altering the definition may adversely affect the marketplace - particularly when there is no evidence that anonymization and de-identification software does not work.
AT&T offered an alternative to the FTC’s proposal, arguing that the appropriate definition for “data that can be reasonably be linked” should be “non-public data that can be linked with reasonable effort.” Under this definition, anonymization standards, including restricted access provisions, can provide sufficient protection to justify treating resulting data sets as non-personal information. AT&T felt the definition of “personal information” should be a flexible continuum that appreciates the reasonable possibility that of linking any data to individuals, as well as commitments (i.e. contracts) that entities make not to engage in such linkage.
Finally, the CTIA – which represents wireless providers – argued that the FTC’s definition would unduly burden business, overwhelm customers and lock down data. The CTIA proposed that the protection for “linkable data” should depend how that data is used by each company – simply because a company may link data does not mean it will link data. Similarly, the CTIA argued that not all location data is equally sensitive because different location technologies vary in terms of the granularity of information they provide, meaning that not all location data can be used to precisely locate someone. Further, the degree of protection afforded such data under any regulations should depend on how it used rather than by the fact the nature of the data itself.
D. CONSUMER NOTICE AND CHOICE
While industry commenters generally support increased notice and choice for consumers, they warned the FTC against regulations that would interfere with user experience. AT&T was the only commenter to support a “Do Not Track” mechanism, declaring that it supports the ability of users to surf in private. However, AT&T’s support came with caveats that any “Do Not Track” mechanism should: (1) apply to the entire advertising ecosystem; (2) offer users granular choice as to the specific information they want kept private ; and (3) only apply to cookies or similar technologies used for behavioral advertising (as opposed to other uses).
The industry generally applauded the FTC’s identification of “commonly accepted practices,” but pointed out that such practices should be defined so that they can evolve with technology. Thus, the NCTA suggested any definitions should focus on the “kinds of uses” for information (e.g. sharing with unaffiliated third parties) rather than actual uses.