Earlier this month FCC Chairman Wheeler released a draft fact sheet and Notice of Proposed Rule Making (NPRM), identifying several key concerns regarding consumer privacy and the use of consumers’ data. In response, OTA submitted written comments to the Commission. Update: On March 31 the FCC Commissioners voted 3 to 2 to move forward on the NPRM.
OTA applauds the Commission’s efforts to enhance consumer privacy, while recognizing the need to promote innovation. As recognized by the Commission, self-regulation regarding data privacy is failing as industry ignores the call for meaningful and persistent consumer controls. By focusing on Providers, the FCC has a unique and timely opportunity to shift control back to consumers. Unlike choosing what web sites to visit, consumers have few if any broadband options. In locations where options to change Providers are available, the barriers and costs to change can be significant. Consumers are paying for these services and should not also be expected to pay in perpetuity with their personal and business data.
It should be noted that data collection is being conducted not only by Providers, but also by “edge providers” including search engines, analytics companies and the ad-tech industry, who continue to amass significant amounts of personal data. While such practices are outside of the FCC’s jurisdiction, other parallel regulatory efforts are needed to help curb such practices and encourage responsible privacy practices. OTA recommends the Commission consider the following:
- Data collection for security, fraud and related security purposes should neither be restricted nor require opt-in, provided that Providers are restricted from using such data for any other purpose, and take reasonable steps to remove any personally identifiable information when it is shared with third parties for threat intelligence purposes.
- The scope of the NPRM should be expanded to include any user data. Increasingly, businesses of all sizes are permitting employees to utilize residential and non-traditional Internet services for work-at-home and telecommuting. As such, businesses must be afforded equal protections and considered in any rulemaking.
- Security – Providers have a responsibility to take reasonable steps to help protect consumers’ data and devices from harm (e.g., malicious code or botnet activities resulting from compromise). To date, many Providers have been reluctant to commit to the adoption of best practices, including those published by various FCC CSRICs and other working groups. The Commission should continue to work with Providers and encourage the adoption of practices to provide consumers added transparency of their provider’s security practices.
- First Party Limitations – Data collection and use directly related to the services being provided to the user should be permitted and should not require opt-in. Any usage for other purposes or for unrelated services should require opt-in. OTA recommends Providers annually obtain consent and opt-in for any such sharing with third parties, including unrelated affiliates, or for business purposes unrelated to their current service subscriptions and services. Such a requirement would afford consumers the ability to re-evaluate their choice(s) as well as provide the service provider an opportunity to articulate to the consumer the value proposition of such activities.
- Respect for Do Not Track (DNT) Settings – Providers must honor a user’s browser DNT request. Reliance on cookie-based controls is ineffective and does not limit data collection, or the subsequent sharing and usage of users’ online activities. Efforts by the interactive advertising industry have failed to provide consumers a meaningful way to curb such practices. As the industry is increasingly employing mechanisms including device fingerprinting and cross-device tracking technologies, a universal and persistent mechanism such as DNT should be considered.
- Analytics – Data collection restricted to site analytics, such as measuring unique site visitors, page views and related metrics, should be permitted and should not require user consent, provided that such data is anonymous.
- Incentives & Competition – Rulemaking should encourage and consider incentives for Providers to compete on privacy and security, starting with baseline consumer-centric notices. The Commission should consider requiring standardized privacy notices and disclosures, with the goal of providing users notice on data collection, usage, sharing and retention and the ability to easily compare such practices with those of other Providers. Another example could include discounts and incentives for consumers to share their data for marketing purposes.
Share your thoughts on how we can enhance online trust and the long-term vitality of the Internet.