Review your content's performance and reach.
Become your target audience’s go-to resource for today’s hottest topics.
Understand your clients’ strategies and the most pressing issues they are facing.
Keep a step ahead of your key competitors and benchmark against them.
Questions? Please contact [email protected]
There is a quiet (or not so quiet) battle going on between the FCC and FTC and Congress to determine which who will regulate and enforce the privacy practices mobile carriers. The FCC is currently far out front. On July 18, 2022, the FCC, under Chairwoman Jessica Rosenworcel’s leadership, turned its sights on mobile carrier privacy practices, one day before the House Energy & Committee passed the American Data Privacy and Protection Act (ADPPA) on July 19, 2022.
In the July 18, 2022 notice, the FCC asked 15 mobile carriers, including AT&T, Charter Comcast, DISH, Google, T-Mobile, and Verizon, to explain their privacy practices related to Customer Propriety Network Information (“CNPI”) and in particular location data. Section 222 of the 1996 Telecommunications Act requires the FCC to regulate carriers’ use of CPNI. The APPA, if it becomes law, which many do not think it will, would preempt the FCC’s authority under Section 222 to regulate privacy data and give the authority to the FTC. After almost 100 years of the FCC having sole authority for protecting the privacy of telephone customer communications, the ADPPA bill would shift the responsibility from FCC to the FTC.
The 15 carriers submitted their information responses on Aug. 3. After reviewing the responses, Chairwoman Rosenworcel announced on Aug. 25 that she had instructed the FCC Enforcement Bureau to launch an investigation regarding the mobile carriers’ compliance with FCC CPNI privacy rules. In particular, she wanted to ensure that carriers “fully disclose to consumers how they are using and sharing geolocation data.”
This recent political agency scramble attempt to take mobile privacy regulation from the hands of the FCC and give it to the FTC has its origins in 2015. That year the Democrat-led FCC, under Chairman Tom Wheeler, expanded the FCC’s regulatory authority over broadband Internet providers, treating them under the same regulation as telephone companies by passing the Open Internet Order. The Order found that high speed internet service providers were subject Title II common carrier regulation. In 2016, the same FCC passed new comprehensive privacy rules covering providers delivering internet service under Title II.
Then in 2017, the new Republican-controlled Congress took the dramatic step of nullifying the FCC’s 2016 Broadband Privacy Order by passing Congressional Review Act (“CRA”) overriding the FCC 2016 privacy regulation. 1 Congress’s nullifying the privacy rule was dramatic because in the almost 100 years of FCC rulemaking, it was only FCC regulation ever nullified by Congress. Some even contended that the CRA blocked the FCC from ever passing any future privacy rules. Nevertheless, the FCC Section 222 CPNI rules passed before Congress passed the 2017 CRA, and thus CPNI, the bedrock of FCC telecom privacy rules, remained in effect. Even the Republican-led FCC made it clear in a 2017 “ministerial” order that the CPNI rules remained in effect. It is not clear if other privacy rules passed before the Broadband Privacy Order remained in effect because as former Commissioner Mignon Clyburn pointed out in her dissent this issue were not addressed by the Commission.2 In 2018, the Republican-led FCC, under Chairman Ajit Pai, tossed the privacy practices of Internet providers over to the FTC. In his 2018 “Restoring Internet Freedom” order, Chairman Pai overturned the 2015 Open Internet Order and explicitly tossed privacy regulation of broadband internet providers to the FTC. The 2018 FCC order stated: “By reinstating the information service classification of broadband Internet access service, we return jurisdiction to regulate broadband privacy and data security to the Federal Trade Commission….” 3 Before the 2018 FCC order, the FTC oversaw the privacy matters of internet content companies like Google and Facebook but did not regulate broadband service providers carrying the content. Some critics analogized the FTC’s taking over the privacy regulatory role of broadband providers to the concept of taking privacy regulation involving education, transportation, or health care from sector-specific regulators like DOT, HHS, and DOE to the FTC as a generalist privacy regulator.
Even though the Republican-led FCC gave over privacy matters of broadband companies to the FCC, it proceeded to fine three mobile carriers for CPNI privacy violations under Section 222. On Feb. 28, 2020, the Commission issued Notices of Apparent Liability (NAL) totaling more than $200 million for the country’s four largest wireless carriers, AT&T, Sprint, T-Mobile, and Verizon, for CPNI violations involving selling access to customer location information. The carriers allegedly sold the data to third parties, who then resold the data, which apparently ended-up in the hands of advertisers but also nefarious actors, such bounty hunters and even stalkers. The carriers subsequently either denied improperly selling the data or stated if they did sell the data that they would refrain from selling in the future location information to aggregation services. The FCC reasoned that Section 222 required that carriers to protect the data related to “…telecommunications service, including location information.” The 2020 NALs explained that Section 222(c) includes “quantity, technical configuration, type, destination, location, and amount of use….” 4
Chairwoman Rosenworcel’s July 18, 2022 Notice of Inquiry and Aug. 25, 2022 opening of an enforcement investigation sent the message that the FCC will not be letting up on enforcing privacy protection of mobile carriers. Her decision to open an enforcement action on August 25, 2022 underscored that her determination that the FCC, not the FTC, would be the agency overseeing mobile carriers’ handling of consumer privacy and “geographic location” data would be the key privacy data to protect. Location data is exactly the same type of mobile data the FTC seeks to regulate. Indeed, on Oct. 21, 2021, the FTC released a study of ISPs entitled “A Look at What ISPs Know About You.” 5 The FTC study focused on the privacy practices of mobile carriers, T-Mobile, Verizon, and AT&T, as well as cable and fiber providers delivering broadband service, pointing out mobile still accumulates more data than is necessary and expected by consumers.
While this practice of collecting consumer data and selling it to aggregation services was believed to have stopped, significant concerns still apparently may still exist as the FTC made its voice heard in the mobile privacy battle just four days after Chairwoman Rosenworcel announced the enforcement investigation. On Aug. 29, 2022, the FTC filed a lawsuit against data broker Kochava, Inc. for injunctive relief alleging that Kochava failed to adequately protect its geolocation data from mobile phones from public exposure and allowed anyone to obtain a large sample of sensitive data and use it without restriction.6
We will continue to see whether the FCC with deep experience in regulating mobile carriers and broadband providers or the FTC with experience in bringing actions against internet content providers, or both agencies, will adequately regulate and protect consumers from having anyone be able to track their movement and location. Regardless of which agency wins the battle, mobile carriers’ practices and policies regarding the use, sale, and sharing of their customers’ geolocation data are under the spotlight of two agencies, each with years of experience in regulating privacy matters of companies falling under their jurisdiction. Mobile carriers should thus carefully reexamine their location sharing practices in order to prevent agency enforcement actions and also potential privacy-focused class actions.
If you would like to learn how Lexology can drive your content marketing strategy forward, please email [email protected] .
© Copyright 2006 - 2022 Law Business Research