There is a quiet (or not so quiet) battle between the FCC and the FTC and Congress over who will regulate and enforce mobile carrier privacy practices. The FCC is currently far ahead. On July 18, 2022, the FCC, under Chairman Jessica Rosenworcel, turned its attention to the privacy practices of wireless carriers, a day before the House Energy & Committee adopted the American Data Privacy and Protection Act (ADPPA) on July 19, 2022.
In the July 18, 2022 notice, the FCC asked 15 wireless carriers, including AT&T, Charter Comcast, DISH, Google, T-Mobile, and Verizon, to explain their privacy practices related to network information. property of the customer (“CNPI”) and in particular location data. Section 222 of the Telecommunications Act of 1996 requires the FCC to regulate carrier use of CPNI. The APPA, if it becomes law, which many do not believe, will supersede the FCC’s authority under Section 222 to regulate data privacy and would give authority to the FTC. After nearly 100 years of the FCC’s exclusive authority to protect the privacy of customer telephone communications, the ADPPA bill would shift responsibility from the FCC to the FTC.
The 15 operators submitted their information responses on 3 August. After reviewing the responses, Chairman Rosenworcel announced on August 25 that she had asked the FCC’s Office of Enforcement to initiate an investigation regarding wireless carriers’ compliance with the FCC’s CPNI privacy rules. . In particular, she wanted to ensure that carriers “fully disclose to consumers how they use and share geolocation data.”
This recent push by the political agency to take mobile privacy regulation out of the hands of the FCC and into the hands of the FTC has its origins in 2015. That year, the Democratic-led FCC, under the leadership of Chairman Tom Wheeler, expanded the FCC’s regulatory authority over broadband Internet. providers, treating them under the same regulations as telephone companies by adopting the Open Internet Order. The order found that high-speed Internet service providers were subject to Title II common carrier regulation. In 2016, the same FCC passed comprehensive new privacy rules covering Internet service providers under Title II.
Then, in 2017, the new Republican-controlled Congress took the dramatic step of overriding the FCC’s 2016 Broadband Privacy Order by passing the Congressional Review Act (“CRA”) that supersedes the 2016 FCC Privacy Rules. 1 Congress’s cancellation of the privacy rule was dramatic because in the nearly 100 years of FCC rulemaking, only FCC regulations have been canceled by Congress. Some have even argued that the CRA blocked the FCC from enacting future privacy rules. Nonetheless, the FCC Part 222 CPNI rules were enacted before Congress passed the 2017 ARC, and thus the CPNI, the foundation of the FCC’s telecommunications privacy rules, remained in effect. . Even the Republican-led FCC made it clear in a 2017 “ministerial” order that the CPNI rules remain in effect. It is unclear whether other privacy rules enacted prior to the Broadband Privacy Order have remained in effect because, as former Commissioner Mignon Clyburn pointed out in her dissent, this issue was not addressed by the Commission.2 In 2018, the Republican-led FCC, under Chairman Ajit Pai, referred the privacy practices of internet service providers to the FTC. In his 2018 Restoring Internet Freedom Order, President Pai rescinded the 2015 Open Internet Order and explicitly referred privacy regulation of broadband Internet service providers to the FTC. The 2018 FCC order stated: “By restoring the Information Services Classification of Broadband Internet Access Service, we return jurisdiction to regulate the privacy and security of broadband data to the Federal Trade Commission ….” 3 Prior to the 2018 FCC order, the FTC oversaw the privacy issues of internet content companies such as Google and Facebook, but did not regulate the broadband service providers delivering the content. Some critics have compared the FTC’s takeover of the privacy regulation role of broadband providers to the concept of taking over privacy regulation involving education, transportation, or health care from industry regulators such as the DOT, HHS, and DOE to the FTC as the generalist privacy regulator.
Even though the Republican-led FCC referred broadband company privacy matters to the FCC, it fined three cellphone carriers for breaching CPNI privacy under Section 222. On 28 February 2020, the Commission issued Notices of Apparent Liability (NAL) totaling more than $200 million for the nation’s four largest wireless carriers, AT&T, Sprint, T-Mobile, and Verizon, for CPNI violations involving the selling access to customer location information. The carriers allegedly sold the data to third parties, who then resold the data, which apparently ended up in the hands of advertisers but also nefarious actors, such as bounty hunters and even stalkers. The carriers later denied selling the data improperly or said if they sold the data that they would refrain from selling location information to aggregation services in the future. The FCC found that Section 222 requires carriers to protect data relating to “telecommunications service, including location information.” The 2020 NALs explained that Section 222(c) includes “quantity, technical configuration, type, destination, location and amount of use…”. 4
Chairman Rosenworcel’s Notice of Inquiry on July 18, 2022 and the initiation of an enforcement investigation on August 25, 2022 sent the message that the FCC will not stop enforcing operator privacy of mobile telephony. His decision to file a lawsuit on August 25, 2022 underscored his determination that the FCC, not the FTC, would be the agency charged with overseeing the wireless carriers’ handling of consumer and data privacy. “Geographical location” data would be the main confidentiality data to be protected. . Location data is the exact same type of mobile data that the FTC seeks to regulate. Indeed, on October 21, 2021, the FTC published a study on ISPs entitled “A Look at What ISPs Know About You”. 5 The FTC study focused on the privacy practices of wireless carriers, T-Mobile, Verizon, and AT&T, as well as cable and fiber providers offering broadband service, noting that mobile always accumulates more data than necessary and expected by consumers.
While this practice of collecting consumer data and selling it to aggregation services is believed to have ceased, significant concerns may still linger as the FTC raises its voice in the battle for mobile privacy just four days after President Rosenworcel announced the law enforcement investigation. On August 29, 2022, the FTC filed a lawsuit against data broker Kochava, Inc. for an injunction alleging that Kochava failed to adequately protect its mobile phone geolocation data from public exposure and allowed anyone to obtain a large sample of sensitive data and use it without restriction.6
We will continue to see whether the FCC with deep experience in regulating wireless carriers and broadband providers or the FTC with experience in prosecuting Internet content providers, or both agencies, will regulate and protect from adequately consumers against the ability for anyone to track their movement. and location. Regardless of which agency wins the battle, mobile carriers’ practices and policies regarding the use, sale and sharing of their customers’ geolocation data are under the spotlight of two agencies, each with years of experience in regulating corporate privacy matters within their jurisdiction. Mobile operators should therefore carefully re-examine their location sharing practices to prevent law enforcement actions and also potential privacy-focused class actions.