Following the U.S. Senate’s recent vote, the U.S. House of Representatives has now voted to overturn the FCC’s Broadband Privacy Order using the Congressional Review Act (CRA). Enacted in 1996, the CRA allows Congress to fully roll back the FCC’s Broadband Privacy Order with only a majority disapproval vote in both the House and the Senate, followed by signature into law by the president. Now that the CRA resolution of disapproval has passed, it goes to President Trump for his signature or veto. The White House has indicated that President Trump will sign the CRA resolution. FCC Chairman Ajit Pai also released a statement that Congress’ action was due to the FCC’s own “overreach” in the Broadband Privacy Order, but that the “FCC will work with the FTC to ensure that consumers’ online privacy is protected though a consistent and comprehensive framework.”
The effect of the CRA is far more significant than a typical appellate court remand of an FCC rulemaking, where the agency gets an opportunity to fix court-identified flaws and re-adopt a regulatory rule. Instead, the CRA prohibits the FCC from adopting anything “substantially similar” to the overturned Broadband Privacy Order. Arguably, the use of the CRA is excessive given that there are pending petitions for reconsideration before the FCC by which the new Republican-controlled FCC could have substantially revised the Broadband Privacy Order to fit Chairman Pai’s policy goals—for example, by aligning it more closely with the FTC’s framework. Now, however, the FCC’s future role has been severely limited.
As we noted previously, the U.S. Court of Appeals for the Ninth Circuit has held that all common carriers (including reclassified BIAS providers) are currently exempt from Federal Trade Commission authority—this means that the FTC cannot bring enforcement actions against any company regulated as a common carrier under Title II regardless of whether the entity was acting in a common carrier capacity. FTC v. AT&T Mobility LLC, 835 F.3d 993 (9th Cir. 2016) (en banc appeal pending). While this ruling remains in effect (and at least within the Ninth Circuit), it appears the FTC will not police violations of consumer privacy by BIAS providers. The result of Congress’ action yesterday combined with the Ninth Circuit decision means that broadband providers will likely continue to operate under the vague guidance of Section 222 of the Communications Act but without any FCC rules providing greater clarity or guidance, and with no corresponding FTC enforcement.
Now that Congress has effectively overturned the Broadband Privacy Order, what is next?
Commentators have advocated for a legislative solution to the FCC/FTC jurisdictional problem created by the Ninth Circuit decision discussed above: a repeal of the prohibition on FTC enforcement against common carriers. Industry observers as well as FTC commissioners from both parties have contemplated this change to FTC jurisdiction at various points in the past several decades, and legislation to that effect might again find bipartisan support. In addition, both FCC Chairman Pai and many Congressional Republicans have expressed strong opposition to the FCC order that caused broadband providers to be subject to Section 222 of the Communications Act—the reclassification of BIAS as a Title II common carrier service in the FCC’s Open Internet Order of 2015 (i.e., Net Neutrality). Congress or the FCC could take steps to eliminate the Title II status of BIAS providers. If broadband internet is no longer a common carrier service, then the FTC would regain jurisdiction over such services even without a change to the FTC’s statutory authority.
In the coming months, stakeholders should also watch for legislative and regulatory activity at the state level. Several statehouses are poised to enact new laws to increase consumers’ privacy rights. Although not directly applicable to BIAS providers, Illinois legislators are considering a “right to know” bill that would let consumers find out what information is collected and with whom that information is shared by websites and online services. Other proposals in the Illinois legislature would regulate consumer location tracking by smartphone applications and would restrict the use of microphones in Internet of Things devices like smart TVs and “always on” home personal assistants. Other, similar privacy bills have been proposed in Connecticut and California.