FCC Takes Action Ahead of the FTC in Regulating Mobile Carrier Privacy Practices
There is a quiet (or not so quiet) battle going on between the FCC and FTC and Congress to determine who will regulate and enforce the privacy practices mobile carriers. The FCC is currently far out front. On July 18, 2022, the FCC, under Chairwoman Jessica Rosenworcel’s leadership, turned its sights on mobile carrier privacy practices, one day before the House Energy & Committee passed the American Data Privacy and Protection Act (ADPPA) on July 19, 2022.
In the July 18, 2022 notice, the FCC asked 15 mobile carriers, including AT&T, Charter Comcast, DISH, Google, T-Mobile, and Verizon, to explain their privacy practices related to Customer Propriety Network Information (“CNPI”) and in particular location data. Section 222 of the 1996 Telecommunications Act requires the FCC to regulate carriers’ use of CPNI. The APPA, if it becomes law, which many do not think it will, would preempt the FCC’s authority under Section 222 to regulate privacy data and give the authority to the FTC. After almost 100 years of the FCC having sole authority for protecting the privacy of telephone customer communications, the ADPPA bill would shift the responsibility from FCC to the FTC.
The 15 carriers submitted their information responses on Aug. 3. After reviewing the responses, Chairwoman Rosenworcel announced on Aug. 25 that she had instructed the FCC Enforcement Bureau to launch an investigation regarding the mobile carriers’ compliance with FCC CPNI privacy rules. In particular, she wanted to ensure that carriers “fully disclose to consumers how they are using and sharing geolocation data.”
This recent political agency scramble attempt to take mobile privacy regulation from the hands of the FCC and give it to the FTC has its origins in 2015. That year the Democrat-led FCC, under Chairman Tom Wheeler, expanded the FCC’s regulatory authority over broadband Internet providers, treating them under the same regulation as telephone companies by passing the Open Internet Order. The Order found that high speed internet service providers were subject Title II common carrier regulation. In 2016, the same FCC passed new comprehensive privacy rules covering providers delivering internet service under Title II.
Then in 2017, the new Republican-controlled Congress took the dramatic step of nullifying the FCC’s 2016 Broadband Privacy Order by passing Congressional Review Act (“CRA”) overriding the FCC 2016 privacy regulation. 1 Congress’s nullifying the privacy rule was dramatic because in the almost 100 years of FCC rulemaking, it was only FCC regulation ever nullified by Congress. Some even contended that the CRA blocked the FCC from ever passing any future privacy rules. Nevertheless, the FCC Section 222 CPNI rules passed before Congress passed the 2017 CRA, and thus CPNI, the bedrock of FCC telecom privacy rules, remained in effect. Even the Republican-led FCC made it clear in a 2017 “ministerial” order that the CPNI rules remained in effect. It is not clear if other privacy rules passed before the Broadband Privacy Order remained in effect because as former Commissioner Mignon Clyburn pointed out in her dissent this issue were not addressed by the Commission.2
In 2018, the Republican-led FCC, under Chairman Ajit Pai, tossed the privacy practices of Internet providers over to the FTC. In his 2018 “Restoring Internet Freedom” order, Chairman Pai overturned the 2015 Open Internet Order and explicitly tossed privacy regulation of broadband internet providers to the FTC. The 2018 FCC order stated: “By reinstating the information service classification of broadband Internet access service, we return jurisdiction to regulate broadband privacy and data security to the Federal Trade Commission….” 3 Before the 2018 FCC order, the FTC oversaw the privacy matters of internet content companies like Google and Facebook but did not regulate broadband service providers carrying the content. Some critics analogized the FTC’s taking over the privacy regulatory role of broadband providers to the concept of taking privacy regulation involving education, transportation, or health care from sector-specific regulators like DOT, HHS, and DOE to the FTC as a generalist privacy regulator.
Even though the Republican-led FCC gave over privacy matters of broadband companies to the FCC, it proceeded to fine three mobile carriers for CPNI privacy violations under Section 222. On Feb. 28, 2020, the Commission issued Notices of Apparent Liability (NAL) totaling more than $200 million for the country’s four largest wireless carriers, AT&T, Sprint, T-Mobile, and Verizon, for CPNI violations involving selling access to customer location information. The carriers allegedly sold the data to third parties, who then resold the data, which apparently ended-up in the hands of advertisers but also nefarious actors, such bounty hunters and even stalkers. The carriers subsequently either denied improperly selling the data or stated if they did sell the data that they would refrain from selling in the future location information to aggregation services. The FCC reasoned that Section 222 required that carriers to protect the data related to “…telecommunications service, including location information.” The 2020 NALs explained that Section 222(c) includes “quantity, technical configuration, type, destination, location, and amount of use….” 4
Chairwoman Rosenworcel’s July 18, 2022 Notice of Inquiry and Aug. 25, 2022 opening of an enforcement investigation sent the message that the FCC will not be letting up on enforcing privacy protection of mobile carriers. Her decision to open an enforcement action on August 25, 2022 underscored that her determination that the FCC, not the FTC, would be the agency overseeing mobile carriers’ handling of consumer privacy and “geographic location” data would be the key privacy data to protect. Location data is exactly the same type of mobile data the FTC seeks to regulate. Indeed, on Oct. 21, 2021, the FTC released a study of ISPs entitled “A Look at What ISPs Know About You.” 5 The FTC study focused on the privacy practices of mobile carriers, T-Mobile, Verizon, and AT&T, as well as cable and fiber providers delivering broadband service, pointing out mobile still accumulates more data than is necessary and expected by consumers.
While this practice of collecting consumer data and selling it to aggregation services was believed to have stopped, significant concerns still apparently may still exist as the FTC made its voice heard in the mobile privacy battle just four days after Chairwoman Rosenworcel announced the enforcement investigation. On Aug. 29, 2022, the FTC filed a lawsuit against data broker Kochava, Inc. for injunctive relief alleging that Kochava failed to adequately protect its geolocation data from mobile phones from public exposure and allowed anyone to obtain a large sample of sensitive data and use it without restriction.6
We will continue to see whether the FCC with deep experience in regulating mobile carriers and broadband providers or the FTC with experience in bringing actions against internet content providers, or both agencies, will adequately regulate and protect consumers from having anyone be able to track their movement and location. Regardless of which agency wins the battle, mobile carriers’ practices and policies regarding the use, sale, and sharing of their customers’ geolocation data are under the spotlight of two agencies, each with years of experience in regulating privacy matters of companies falling under their jurisdiction. Mobile carriers should thus carefully reexamine their location sharing practices in order to prevent agency enforcement actions and also potential privacy-focused class actions.
This article was co-authored by Ryan Gillcrist.
1 See, Womble Partner Marty Stern’s 2017 blog post analyzing the CRA’s nullification of the Broadband Privacy Order.
2 Protecting the Privacy of Customers of Broadband and Other Telecommunications Services Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, Order, WC Docket No. 16-106 (2017) (Dissenting statement of Democrat FCC Commissioner Mignon Clyburn disagreed with the use of a mere ministerial order used by the Republican-led FCC to confirm the use of Section 222: “But I must disagree both with the simplistic treatment of the Congressional Review Act (CRA) found in this item, and more significantly, leaving out any requirements for broadband providers. I believe the better course would have been to close out the existing proceeding (or initiate a new proceeding) to come up with another holistic approach to voice and broadband. First, it seems facile and bull-headed to move forward with an Order without seeking comment on how the CRA impacts this proceeding… Here, not only do we not seek comment, but in the first time the CRA is applied to FCC rules, we respond with “ministerial” changes to the Code of Federal Regulations. Important and nuanced legal questions remain unanswered. Are aspects of the legacy voice rules substantially similar to the harmonized rules the Commission adopted last year? Does the CRA work to undo the modified adopted rule but leave in place the extinguishing of the original rule? We do not grapple with any of these fundamental interpretational issues.”)
3 Restoring Internet Freedom Order, FCC-17-166 (2018), https://www.fcc.gov/document/fcc-releases-restoring-internet-freedom-order
4 In the Matter of T-Mobile, Notice of Apparent Liability for Forfeiture and Admonishment, 35 FCC Rcd 1785 (2020); See FCC Press Release, “FCC Proposes over $200M in Fines for Wireless Location Data Violations” (Feb. 28, 2020), https://www.fcc.gov/document/fcc-proposes-over-200m-fines-wireless-locat...
5 See “A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers, An FTC Staff Report,” Federal Trade Commission (Oct. 21, 2021) https://www.ftc.gov/system/files/documents/reports/look-what-isps-know-a...
6 FTC Press Release, “FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations,” FTC (Aug. 29, 2022) https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-places-worship-other (“Agency Alleges that Kochava’s Geolocation Data from Hundreds of Millions of Mobile Devices Can Be Used to Identify People and Trace Their Movements”).