Tuesday, May 10, 2016 – 4:45pm
Dear Senator Flake and Senator Franken:
The undersigned trade associations collectively represent hundreds of companies, from small businesses to household brands, which engage in responsible online data collection and use that benefits consumers and the economy. We applaud the Subcommittee on Privacy, Technology, and the Law (“Subcommittee”) for holding a hearing on May 11, 2016, to examine the Federal Communications Commission’s (“FCC”) recent “Notice of Proposed Rulemaking on Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (“NPRM”).
Even in difficult economic times, the Internet – powered by data, innovation, and private investment – has been an engine of economic growth and a source of exciting consumer benefits. In recent decades, consumers’ daily lives have been transformed by a wealth of data-driven online resources, including an unprecedented array of high-quality information and entertainment, all available to consumers because these resources are subsidized by advertising. The economic benefits of the Internet revolution are just as substantial. One recent study estimated that the use of data-driven marketing added output of at least $202 billion to the U.S. economy in 2014, representing a 35% increase since 2012. All 50 states experienced job growth in the data-driven marketing economy during the same time period.
We and our member companies are concerned that the FCC, through the NPRM, is attempting to create restrictive new requirements for the data collection and use that are central to economic success and consumer benefits. We believe that the proposed restrictions are unnecessary and would exceed statutory authority.
• Existing voluntary self-regulatory standards supported by Federal Trade Commission (“FTC”) enforcement are the appropriate tool to govern the dynamic and interrelated online content and advertising ecosystem. Currently, online data collection and use are governed by robust industry self-regulatory regimes that subject the industry to the jurisdiction of the FTC and state attorneys general. These regimes are regularly updated to reflect new business models. Responsible data practices are essential for the continued success of the Internet economy. Enforceable, voluntary selfregulatory codes remain best suited to promote consumer privacy protections while
allowing these legitimate data practices to flourish. The Congress has considered these issues many times based on ample hearings and debate, and each time has declined to enact new legislation, recognizing that new regulation in this rapidly evolving area would hinder innovation, not provide new benefits to consumers, and threaten the economic value of a thriving market sector.
• The NPRM is unnecessary because effective legal safeguards already exist for online data practices. In addition to industry self-regulation, the FTC vigorously enforces consumer privacy and data security standards using its authority to address “unfair or deceptive” business practices under Section 5 of the FTC Act. The FTC has used this authority to enforce prior company commitments to comply with industry self-regulatory requirements and to protect consumers from harm. State attorneys general typically follow FTC positions to actively enforce similar laws at the state level. These legal frameworks already provide consistent, meaningful consumer protections which can apply across industries, including to the practices the FCC now seeks to regulate. There is no need to create a new framework because the FTC has already established principles in this area.
• The FCC is overreaching and lacks congressional authority to issue the proposed regulation. Congress directed the FCC to foster competition among telephone providers, and in that context to enforce rules to safeguard the proprietary data that such providers maintained through their services. The FCC does not have authority from Congress to establish new privacy restrictions in the very different area of online data collection.
• Consumers and industry benefit when one agency takes the lead on privacy regulation and enforcement. The FTC has a long history of addressing and enforcing privacy-related issues across industries. The FCC’s NPRM is not consistent with the established approach of the FTC, and would result in a different and problematic regime. The FCC has not sufficiently analyzed the implications of its NPRM, but is now rushing to finalize its flawed proposal; in fact, it denied industry’s request for a reasonable extension of time to properly evaluate and advise the FCC on the NPRM’s impact. The limited time for the creation of a robust record is all the more concerning when the FCC does not have the FTC’s long history of expertise on this issue. The FCC would benefit from allowing more time for public comments.
• The NPRM is out of step with existing privacy frameworks and would undermine the ad-supported Internet. For example, the FCC would expand the definition of personally identifiable information (“PII”) to data elements that are not, and have not been considered, individually identifiable, such as application usage data, persistent online identifiers (cookies), device identifiers, and Internet browsing history. Many companies have developed service models that focus on collecting such data instead of PII.
• The proposed consent standard is too restrictive. Further, the FCC has proposed to restrict most uses and disclosures of such data with an “opt in” consent standard. Experience shows that where consumer choice is warranted, an opt-out or implied consent standard is the best way to recognize consumer privacy preferences with respect to these types of online data while allowing legitimate practices, including advertising, to continue.
• There is no record of harm to justify new regulation in this area or the specific proposals put forward by the FCC. Consumers have embraced today’s thriving Internet, which is fueled by responsible data practices governed by the existing regulatory framework. The current online ecosystem subsidizes online offerings that consumers value, promotes innovation, and grows the economy. There is no record of consumer harm that supports the FCC’s proposal for such restrictive regulations.
• Congress should set a uniform national breach notification and data security standard. The FCC has proposed to regulate breach notification in a way that is contrary to the existing state notification regimes as well as the proposals under consideration by Congress. This would cause compliance burdens for businesses and confusion for consumers. Congress should establish a uniform standard for breach notification and data security.
We, the undersigned organizations, thank you for your oversight of this important issue. The NPRM, as drafted, would create unnecessary and inconsistent privacy regulations that would undercut the vibrant online ecosystem. Congress can and should exercise its oversight authority to protect consumers and the economy from this outcome.