Verizon $1.35 Million Fine Shows Agency Will Not Wait for Upcoming Rulemaking to Enforce Privacy Rules
At long last, the Federal Communications Commission (“FCC”) showed its cards last week, previewing the new privacy framework that it will seek to impose on broadband Internet access service (“BIAS”) providers at this month’s March 31 Open Commission Meeting. In addition to releasing basic contours of the upcoming proposal, the FCC also announced a $1.35 million settlement agreement with Verizon Wireless in exchange for a termination of an investigation into the company’s “supercookie” advertising program.
The nation’s telecommunications regulatory authority has waded into the privacy debate before, fining businesses that do not follow their own privacy practices or suffer preventable security breaches.
But the latest moves demonstrated a new approach for the agency as it seeks to increase its role in regulatory oversight of privacy compliance. The FCC’s Verizon case and its new privacy rules represent efforts to reign in BIAS provider advertising programs, which could have vast consequences for the Internet advertising ecosystem. And as the Verizon case suggests, BIAS providers are already at risk of potentially costly regulatory scrutiny.
Verizon’s $1.35 Million Mistake
The Verizon enforcement action arose out of news in late 2014 that the company had used “supercookies,” tracking devices that users could not delete even when clearing their “cookies.” The tracking technology employed was a unique identifier header (“UIDH”) that the company inserted into all wireless network Internet traffic. Despite statements Verizon made to the contrary, its advertising partners were able to use the identifiers for unauthorized purposes such as resurrecting deleted cookies.
In investigating Verizon, the FCC did not defer to the upcoming rulemaking process that will develop privacy rules for BIAS providers. Instead, the FCC relied on authority already available: the 2010 Open Internet Transparency Rule and Section 222 of the Communications Act.
According to the FCC, the Open Internet Transparency Rule “requires every fixed and mobile broadband Internet access service provider to ‘publicly disclose accurate information regarding the network management practices, performance, and commercial terms of its broadband Internet access services sufficient for consumers to make informed choices regarding use of such services and for content, application, service, and device providers to develop, market, and maintain Internet offerings.’” In the Verizon case, the FCC determined that Verizon did not disclose its use of “supercookies” for over two years to its customers.
Section 222, meanwhile, “imposes a duty on carriers to protect their customers’ proprietary information and use such information only for authorized purposes.” As applied to this case, the FCC considers the instance of resurrection of deleted cookies to be contrary to this Section 222 duty.
Verizon admitted defeat in exchange for an end to the FCC investigation. To satisfy the consent order, Verizon will be subject to the typical privacy compliance requirements that have become familiar to those following recent FCC’s privacy cases. Verizon will be required to appoint a senior compliance officer, institute a compliance plan, and report regularly to the FCC. As part of the compliance plan, Verizon will be required to obtain opt-in consent before sharing a UIDH with a third party to deliver targeted advertising.
The Coming Battle Over Opt-in Versus Opt-out
New privacy rules arriving at the end of the month will further restrict BIAS companies like Verizon from using advanced tracking technologies for advertising purposes. The proposal calls for three different categories of data protection. First, consent would be presumed where customer data is used as part of the customer relationship created when a customer signs up for broadband services, including marketing related to that relationship. Opt-out options would be required to be available in cases when a broadband provider uses customer data to market other communications services or when sharing customer data with affiliates that provide communications services.
The third prong, an opt-in provision, is likely to be the most controversial. It would require BIAS providers to obtain opt-in consent for all other uses and sharing of customer data, for instance, in advertising network arrangements such as in the Verizon case. If customers do not explicitly consent, their information could not be used in the Internet advertising ecosystem for targeted advertising.
The full contours of the plan remain to be seen, and the new rules will be subject to a notice and comment period before the FCC. BIAS providers should continue to monitor developments in this area given the potential impact on advertising business, data-driven revenue streams, and privacy compliance.
Our firm will continue to follow developments, including when the FCC releases its Notice of Proposed Rulemaking on BIAS provider privacy rules. If you have any questions about your business’ privacy compliance with FCC rules, please contact Linda McReynolds, firstname.lastname@example.org – 703-714-1318.