3 years later, privacy rules specifically for internet service providers remain bad policy | American Enterprise Institute
the twilight of the Obama administration, the Federal Communications Commission
(FCC) passed a misguided rule that would have subjected internet service
providers (ISPs) — but not other companies — to heightened privacy regulations.
Fortunately, before the rule took effect, Congress took the extraordinary step
of invalidating it pursuant to the Congressional Review Act. The resulting Congressional
Resolution of Disapproval invalidated the rule and prohibited the FCC from
adopting rules “substantially the same” as the repealed regulation.
But like Justice Scalia’s description of the Lemon test — a “ghoul in a late night horror movie that repeatedly sits up in its grave and shuffles abroad, after being repeatedly killed and buried” — this idea has reemerged as a cause célèbre in various state legislatures. Its reincarnation is part of a broader trend of Obama-era activists trying to recreate at the state level restrictions that were repealed by federal regulators. It remains a bad idea to create an unlevel playing field for privacy regulation. Here’s why.
State ISP privacy laws
this year, Maine passed an ISP privacy bill that would effectively impose an
“opt-in” privacy regime for broadband internet service providers. With limited
exceptions, ISPs are prohibited from collecting and using personal information
unless they first receive explicit permission from the consumer. In the last
week, New Hampshire and Connecticut have held hearings on similar proposed
An unlevel playing field
many (including me) noted when the FCC passed its rules, it is a mistake to
create a new, more stringent privacy regime that applies to ISPs but not internet-based
companies such as Google, Amazon, and Facebook. This creates an unlevel playing
field in the market for digital advertising dollars. Supporters justify this
disparate burden by highlighting the allegedly “privileged place” that ISPs
occupy in the network, by controlling the wires that carry information to and
from the consumer’s home. But this is misleading. My home broadband provider
can only gather, at most, information about my online activity while I am at
home. By comparison, Google can capture all my activity while logged into my
Google account whether at home, at work, or on mobile networks, if, like me,
you use a phone powered by Google’s Android operating system. Furthermore,
technological limitations such as encryption and use of virtual private
networks significantly limit what information ISPs can gather from the data to
which they have access. The notion that an ISP is in a privileged position
vis-à-vis edge providers is, at best, questionable.
ISPs at a competitive disadvantage in the digital advertising market is
especially problematic because ISPs were late to the digital advertising game. Studies
suggest that as much as two out of every three dollars spent on digital
advertising goes to only two companies: Google and Facebook — which is an
astounding figure when you consider the broad array of advertising-supported
content available online. ISPs have the potential to be disruptive innovators
in this market. This means that a regulatory regime that makes it harder for
ISPs, but not edge providers, to collect and monetize data not only tilts the
playing field, it tilts it in favor of incumbents and against innovation.
Ultimately that’s bad for consumers and for competition.
Opt-out vs. opt-in
if regulators sought to impose a uniform privacy rule across the internet ecosystem,
it’s a mistake to favor an “opt-in” regime over an “opt-out” one. Proponents of
the bills discussed above make a mistake that is, unfortunately, all too common
in this debate: They consider privacy in a vacuum, without considering the role
that consumer data plays as the lifeblood of the internet ecosystem. It is the
monetization of customer data that allows Google, Facebook, and countless other
companies offer the “free” services that we all take for granted as the modern
internet experience — and may someday bring broadband prices down as ISPs cover
more of their fixed costs with advertising rather than subscription dollars.
both an opt-out and an opt-in regime, consumers have ultimate control over how
their data is collected and used. The difference is that an opt-in rule dries
up the pool of data available for monetization, by prohibiting companies from
accessing data on consumers who are indifferent to the practice. At a minimum,
this reduces revenue available for research and innovation and can cause
companies to reduce the quality of their products to compensate. At worst, an
opt-in regime means those companies might start charging for services that they
currently provide for free and charge higher prices for goods that could
otherwise be subsidized through advertising —thus widening the digital divide
by stratifying available services between the haves and have-nots.
state lawmakers suggest they are simply enacting policy preferences endorsed by
the Obama-era FCC, there’s an important distinction. The FCC did not choose
between a two-tier privacy regime and a uniform set of rules to govern all
companies equally. Rather, the FCC created ISP-specific rules because it lacked
jurisdiction over the rest of the internet ecosystem. Supporters of the FCC rule
saw it as a transition measure — they hoped that an opt-in rule for ISPs would
prompt lawmakers to create similar opt-in measures for other companies as well.
There are good reasons not to impose a blanket opt-in regime on all digital advertising companies. But there are even stronger reasons why, given the choice, a legislature should not adopt industry-specific rules that entrench the existing Google-Facebook ad duopoly by hobbling their competitors.