The Federal Communications Commission (FCC) wants to get back into the business of regulating privacy. On Wednesday, Chairwoman Jessica Rosenworcel announced the agency had created a Privacy and Data Protection Task Force that will be led by Loyaan Egal, the head of the enforcement bureau. The task force will continue its investigation of the sale of consumers’ personal information (including geolocation data) from wireless carriers to data brokers. Rosenworcel also hinted that the FCC would soon announce two new enforcement actions tied to protecting consumers’ privacy.
While creating a task force and promising a more active approach on customer privacy is great, a panel that followed Rosenworcel’s remarks got into some of the details associated with the agency’s plan. This is where most people’s eyes will glaze over, and where I started losing hope.
Rosenworcel claimed that the FCC has the authority to force wireless carriers to stop selling sensitive consumer information. But as both privacy rights advocates and an attorney on the panel made clear, many of the justifications for FCC authority are weak or have loopholes so large that the majority of the actions taken by the agency will be fought down to meaningless settlements or actively kicked out of court.
Add to this the fact that when it comes to forcing wireless carriers to keep consumer data private, the FCC shares authority with the Federal Trade Commission (FTC). And the FTC has a lot of other policy goals on its plate right now.
I originally planned to take a deep dive into the legal authority and rules that the FCC has to work with when it comes to keeping consumer data private, but there’s not much point. I have very little confidence that our current patchwork of laws and exceptions will do the trick.
Rather, we need a federal privacy law that regulates both the information companies can sell and the brokers who buy that information from carriers, app makers, credit card companies, and social media sites, and that limits how governments can access that data in pursuit of criminal justice.
Last year, we saw the American Data Privacy and Protection Act pass through committee before it failed to continue on in the House or the Senate. The law had many awesome provisions, such as requiring consumer opt-in before sharing or transferring certain classes of data. It also protected a wide variety of personal data by covering any data that “identifies or is linked or reasonably linkable” to an individual.
However, it also had a big loophole that allowed carriers to continue selling consumer data — including geolocation data — and it stripped the FCC of any authority to fine wireless carriers that had illegally sold customer data in the past. The FCC had issued those fines in response to carriers selling geolocation information to a private data broker who then sold that information to local law enforcement, bounty hunters, and others back in 2018. The fines remain uncollected to this day.
These sorts of geolocation data sales are still happening. Just last week, the Office of the Director of National Intelligence (ODNI) released a report showing that the Federal Bureau of Investigation was getting around the need for a warrant by buying geolocation data and credit card data from data brokers.
The ODNI report is notable not just for the details of a federal agency using this commercially available information, but because the authors of the report recognize the sensitive nature of this information and have thoughts about how to regulate it. When intelligence officers warn that there’s a lot of sensitive information floating about that citizens aren’t aware of, it’s akin to the CEO of McDonald’s telling people to stop eating Big Macs so often.
We should listen. Which means that instead of spending years of my life following the inevitable legal battles associated with the current FCC and FTC efforts to regulate the sale of consumer information wrought by connected devices, I want to spend it calling for the passage of a federal privacy law that doesn’t exclude coverage of an industry that is well known for having a lot of sensitive information and selling it indiscriminately.
Such a law should create new classifications of personally identifiable data that apply across industries. Right now, protected information in one industry may not be protected in another. But when every industry is selling data to data brokers, building a complete picture of an individual is easier, despite laws or even company policies that aim to protect sensitive information.
A federal privacy law should also require companies to ask consumers to opt into schemes that involve consumer data leaving the company consumers are doing business with. These opt-in requests should be written in plain English and clearly describe what the data will be used for. Think of the opt-ins consumers agree to when downloading an app, only the opt-in request would have to say why the business wants permission to share consumers’ camera feed or location data. Today, most privacy rules are agreed to as part of multipage contracts a user clicks through without reading. Even if you do read them, they are hard to parse. Additionally, most privacy and data sharing schemes are opt-out or simply not an option if a consumer wants to use the service.
Does that mean a service like Google Maps or Waze might require fees for use as a means of protecting privacy? It could. I don’t love the idea of turning privacy into a luxury good, but I can’t deny that these services cost money to provide. And companies currently offset those costs by selling location data as well as ads.
Federal laws should also give individuals the right to take action when their data is misused or used without their permission. Many legislative proposals rely on a federal regulatory agency or the state attorneys general to sue on behalf of consumers, but that’s not enough when individuals find they have been harmed.
There are dozens of other elements that federal privacy rules should have. We should also recognize that a law that truly protects consumers will have big effects on the way internet and data businesses work today. They will not go lightly, and in some cases, consumers may see beloved services disappear or end up costing money.
I don’t believe that we as a society want to walk blithely into a panopticon of corporate and government surveillance simply for the sake of free apps and services, but I know that’s where our current mishmash of laws and lax oversight are taking us. First it will come for those who are incarcerated or poor. But eventually it will affect us all.
So I’m happy that the FCC has created this committee, but it’s really a distraction from the overarching need for comprehensive privacy regulation at the federal level. Let’s get on it.