There is a quiet (or not so quiet) battle going on between the FCC and FTC and Congress to determine which of the two agencies will regulate and enforce the privacy practices of mobile carriers. The FCC is currently far out front, but proposed legislation in Congress, the American Data Privacy and Protection Act (“ADPPA”) could shift the balance.
In a July 18, 2022 notice, the FCC asked 15 mobile carriers, including AT&T, Charter, Comcast, DISH, Google, T-Mobile, and Verizon, to explain their privacy practices related to Customer Propriety Network Information (“CPNI”) and in particular, location data. Section 222 of the Communications Act requires the FCC to regulate carriers’ use of CPNI. The ADPPA, if it becomes law, which many think it will not, would preempt the FCC’s authority under Section 222 to regulate data privacy and give the authority to the FTC. After decades of the FCC having sole authority for protecting the privacy of telephone customer communications, under Section 222 and other provisions, the ADPPA bill would shift the responsibility from the FCC to the FTC.
The 15 carriers submitted their information responses on August 3, 2022. After reviewing the responses, FCC Chairwoman Rosenworcel announced on August 25, 2022 that she had instructed the FCC Enforcement Bureau to launch an investigation regarding the mobile carriers’ compliance with FCC CPNI privacy rules. In particular, she wanted to ensure that carriers “fully disclose to consumers how they are using and sharing geolocation data.”
This recent political scramble to shift mobile privacy regulation from the FCC to the FTC has its origins in 2015. That year the Democrat-led FCC, under Chairman Tom Wheeler, in adopting the Open Internet Order, expanded the FCC’s regulatory authority over broadband Internet providers, treating them as Title II common carriers under the same regulatory regime as telephone companies. In 2016, the same FCC passed new comprehensive privacy rules covering providers delivering internet service under Title II.
Then in 2017, the new Republican-controlled Congress took the dramatic and never before taken step of nullifying the FCC’s 2016 Broadband Privacy Rules under the Congressional Review Act (“CRA”).1 Some also contended that the CRA action blocked the FCC from ever passing any future privacy rules applicable to broadband providers. Nevertheless, the FCC Section 222 CPNI rule, the bedrock of FCC telecom privacy regulation, was adopted before the 2017 CRA, and thus CPNI remained subject to FCC jurisdiction notwithstanding the CRA nullification of the FCC’s broadband privacy rules. Even the Republican-led FCC made clear in a 2017 “ministerial” order that the CPNI rules remained in effect.2
In 2018, the Republican-led FCC, under Chairman Ajit Pai, tossed the privacy practices of Internet providers over to the FTC. In his 2018 “Restoring Internet Freedom” order, Chairman Pai overturned the 2015 Open Internet Order and explicitly returned privacy regulation of broadband Internet providers to the FTC. The 2018 FCC order stated: “By reinstating the information service classification of broadband Internet access service, we return jurisdiction to regulate broadband privacy and data security to the Federal Trade Commission….”3 Before the 2018 FCC order, the FTC oversaw the privacy practices of Internet content and technology companies, like Google and Facebook, but under the FCC’s classification of broadband as a common carrier service following the Open Internet Order, the FTC was ousted of its jurisdiction over the privacy practices of broadband service providers that carried the content. Some critics analogized the FTC being handed privacy oversight of broadband service providers to the concept of privacy regulation involving education, transportation, or healthcare being snatched from sector-specific regulators like DOE, DOT and HHS.
Even though the Republican-led FCC gave over privacy matters of broadband companies to the FTC, it proceeded to fine three mobile carriers for CPNI privacy violations under Section 222. On February 28, 2020, that same Commission issued Notices of Apparent Liability (“NALs”) totaling more than $200 million to the country’s four largest wireless carriers, AT&T, Sprint, T-Mobile, and Verizon, for alleged CPNI violations involving selling access to customer location information. The carriers allegedly sold the data to third parties, who then resold the data, which apparently ended up in the hands of advertisers but also various nefarious actors and others, such as bounty hunters, seeking to use the data to physically locate a particular user. The FCC reasoned that Section 222 required carriers to protect the data related to “…telecommunications service, including location information.” The 2020 NALs explained that Section 222(c) includes “quantity, technical configuration, type, destination, location, and amount of use….”4 The carriers subsequently either denied improperly selling the data or stated if they did sell the data that they would refrain from selling in the future location information to aggregation services.
Chairwoman Rosenworcel’s July 18, 2022 Notice of Inquiry and August 25, 2022 opening of an enforcement investigation sends the message that the FCC will not be letting up on its enforcement actions involving the privacy practices of mobile carriers, or deferring to the FTC. The Chairwoman’s decision to open an enforcement action on August 25, 2022, underscored her determination that the FCC, not the FTC, would be the agency overseeing mobile carriers’ consumer privacy practices. The decision also made clear that “geographic location” data would be the key information to protect. Yet, location data is exactly the same type of mobile data the FTC seeks to regulate. Indeed, on October 21, 2021, the FTC released a study of ISPs entitled “A Look at What ISPs Know About You.”5 The FTC study focused on the privacy practices of mobile carriers, T-Mobile, Verizon, and AT&T, as well as cable and fiber providers delivering broadband service, pointing out that mobile still accumulates more data than is necessary and expected by consumers.
While the practice of collecting consumer data and selling it to aggregation services was believed to have stopped, significant concerns still exist as the FTC made its voice heard in the mobile privacy battle just four days after Chairwoman Rosenworcel announced the enforcement investigation. On August 29, 2022, the FTC filed a lawsuit against data broker Kochava, Inc. alleging that the broker failed to adequately protect mobile geolocation data from public exposure and by allowing anyone to obtain a large sample of sensitive data and use it without restriction.6
We will continue to see whether the FCC, with deep experience in regulating mobile carriers and more limited experience regulating the activities of broadband providers, or the FTC, with experience in bringing actions against Internet content providers, or both agencies, will oversee practices involving the use of location data and the ability of companies to track user movement and location. Regardless of which agency wins the battle, mobile carriers’ practices and policies concerning the use, sale, and sharing of their customers’ geolocation data are under the spotlight of two agencies, each with years of experience in regulating privacy matters of companies falling under their respective jurisdiction. Mobile carriers should thus carefully reexamine their location-sharing practices to help insure against agency enforcement actions and also potential privacy-focused private actions.
Ryan Gilcrist also contributed to this article.
1 See, Womble Partner Marty Stern’s 2017 blog post analyzing the CRA’s nullification of the Broadband Privacy Order.
2 Protecting the Privacy of Customers of Broadband and Other Telecommunications Services Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, Order, WC Docket No. 16-106 (2017) (Dissenting statement of Democrat FCC Commissioner Mignon Clyburn disagreed with the use of a mere ministerial order used by the Republican-led FCC to confirm the use of Section 222: “But I must disagree both with the simplistic treatment of the Congressional Review Act (CRA) found in this item, and more significantly, leaving out any requirements for broadband providers. I believe the better course would have been to close out the existing proceeding (or initiate a new proceeding) to come up with another holistic approach to voice and broadband. First, it seems facile and bull-headed to move forward with an Order without seeking comment on how the CRA impacts this proceeding… Here, not only do we not seek comment, but in the first time the CRA is applied to FCC rules, we respond with “ministerial” changes to the Code of Federal Regulations. Important and nuanced legal questions remain unanswered. Are aspects of the legacy voice rules substantially similar to the harmonized rules the Commission adopted last year? Does the CRA work to undo the modified adopted rule but leave in place the extinguishing of the original rule? We do not grapple with any of these fundamental interpretational issues.”)
3 Restoring Internet Freedom Order, FCC-17-166 (2018), https://www.fcc.gov/fccreleases-restoring-internet-freedom-order.
4 In the Matter of T-Mobile, Notice of Apparent Liability for Forfeiture and Admonishment, 35 FCC Rcd 1785 (2020); See FCC Press Release, “FCC Proposes over $200M in Fines for Wireless Location Data Violations” (Feb. 28, 2020), https://www.fcc.gov/document/fcc-proposes-over-200m-fines-wireless-locationdata-violations.
5 See “A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers, An FTC Staff Report,” Federal Trade Commission (Oct. 21, 2021) https://www.ftc.gov/system/files/documents/reports/look-what-isps-know-about-you-examining-privacy-practices-six-major-internet-service-providers/p195402_isp_6b_staff_report.pdf
6 FTC Press Release, “FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations,” FTC (Aug. 29, 2022) https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-places-worship-other (“Agency Alleges that Kochava’s Geolocation Data from Hundreds of Millions of Mobile Devices Can Be Used to Identify People and Trace Their Movements”).