Follow ACC Docket Online:  

US Congress Voted to Remove FCC's Enforcement on ISPs Selling Personal Data

R ecently, the US House of Representative and the Senate passed a joint resolution to overrule a regulation adopted by the Federal Communication Commission (FCC) related to personal data collected by the internet service providers (ISPs). It is expected to be signed by US President Trump. The controversial resolution serves as one of the first major pushes into privacy enforcement by the FCC.

The controversy arose out of classifying ISPs as common carriers in an earlier rule passed in 2015, thus bringing them under FCC enforcement (specifically the more stringent common carrier regulations of Title II of the Communications Act of 1934) and subject to the same rules as other utilities. (See information on net neutrality or open internet here.) The privacy element came in a rule adopted in November 2016, the most critical provisions related to ISPs collecting, using, and profiting from users personal data that was slated to go into effect in December 2017.

The vote has required that the ISPs (including both traditional internet providers and mobile broadband) would need individual opt-in to allow ISPs to use that individual’s data — especially sensitive data such as health, location, financial, web-browsing, and app use — for profit. ISPs historically use this incredibly robust set of personal data to sell for targeted ads and other uses.

If you search medical websites for information on cancer, your ISP is likely selling that information to advertisers for medical providers, insurance enhancements, and pharmacies. Some of these profile activities may seem relatively obscure to the average person, but there is a lot of information that companies can glean based on browsing history — data analytics are amazingly accurate and broad.

Unlike edge services, like browsers and social media, individuals have little to no choices about using ISPs if they wish to be online, yet consumers typically pay for the privilege of connecting and the edge services are mainly free. Edge services see only what you use within their services; whereas ISPs see virtually everything you do online. Although most consumers are largely unaware of the profit and use of their data with ISPs, the FCC rule was seen as one of the most important privacy rules put in place on a federal level despite the opposition from ISPs.

The process that is being used to overrule this regulation is a law that has seldom come into play before the past few months. The US Congressional Review Act of 1996 requires that agencies promulgating covered rules must submit a report to Congress and the Comptroller General. Congress assigns the report to a committee in each house respectively, which then has a 20-day timeframe to report out. There are several more steps in this expedited review process, while the critical point is that Congress has 60 in-session days to overrule a proposed rule. Given how few days Congress was in session this past year, the timing means that rules promulgated since May 2016 are eligible for review. Used only once since it was passed, this process has now been used at least seven times this year.

However, the new director of the FCC, Ajit Pai, has stated that eliminating this enforcement ability by the FCC is the right step that clearly aligns with the Congressional majority. Privacy advocates in Congress may be dismayed by this action, but they are in the minority. There may not be an easy solution on how to restrict ISPs from profiting on sensitive personal data without an individual’s consent. However, now that this issue has been brought into the public scrutiny, action will likely be taken at some level.

In the meantime, there are many articles popping up on what people can do to keep their browsing histories private. These suggested solutions include everything from using virtual private networks (VPN), using TOR, changing from large ISPs to small, local ones (many have come out promising privacy protections for personal data), creating online “noise” by browsing for things that you have no interest in (purposefully skewing your profile), and moving to a country with applicable privacy laws.

However, no solution is perfect other than internet abstinence. The average person doesn't know or comprehend the amount of data being collected or shared about them.  Nor does the average person have the resources or diligence to effectively protect their personal data online. Thus, our reliance is on industry self-regulation, government oversight, or third-party solutions.

About the Author

K RoyalK Royal is the technology columnist for, and vice president, AGC privacy, and compliance/privacy officer at CellTrust Corp. @heartofprivacy

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.