In a prior post, we commented on how the recent expansion of the FCC’s authority to regulate the privacy practices of Internet service providers (ISPs) has ignited calls for further expansion of the FCC’s authority to cover “edge providers” – online companies that offer services, content, products, and applications over the broadband Internet service provided by the ISPs and that track user activity and collect personal information. Just last week, the FCC provided hints that it might just answer these calls by exercising authority over the privacy practices of edge providers.
In a recent interview, FCC Commissioner Mike O’Rielly indicated that the FCC intends to expand its authority to include edge providers. O’Rielly stated, “I don’t know if it’s immediately in the next six months . . . I just know that the commission is going to continue to creep toward edge providers, and I’m very confident that eventually we will capture edge providers under one form or another.” O’Rielly added, “I just don’t see a possibility where we stop at an imaginary line . . . If I was an edge provider today, I would be extremely concerned that the FCC will be involved in my day-to-day activity.”
Implications of Extending FCC Authority to Edge Providers
The FCC’s expressed intent to expand its authority to regulate the privacy practices of edge providers could have significant ramifications for nearly all companies operating online. Edge providers could be subject to enforcement actions by both the FTC and FCC and could potentially face dual fines – a situation that has already manifested itself in the ISP context with an established broadband telecommunications company facing an enforcement action by the FTC and a $100 million proposed fine from the FCC. In addition, edge providers would likely face some uncertainty surrounding how the FCC will exercise its authority. The FCC may look to extend its existing authority over ISPs under Section 222 of Title II of the Communications Act to further include edge providers. However, Section 222, which was established to govern the privacy practices of telephone companies and the types of data collected from telephone users, doesn’t fit neatly over edge providers that collect unique data elements that differ from the typical customer proprietary network information (CPNI) collected by telephone companies. The FCC has yet to adopt more Internet service-focused rules, and until it does, it will presumably advise edge providers in a manner similar to how it has advised ISPs, which is to take “reasonably, good-faith steps to comply with the “core customer privacy protections” set forth under Section 222. Such an approach can cause uncertainty about what privacy practices the FCC deems compliant. This uncertainty, coupled with the aggressive approach to enforcement exhibited by the FCC in privacy actions so far, could create a precarious environment for online companies to operate in. Continue Reading