The Proposed Privacy Bill Would Treat Your Phone Data Like Your Amazon Account. This is NOT a Good Thing.

New privacy bill strips consumer protections from voice communications. We can fix this without jettisoning the bill.

On July 20, something really big happened for consumers: The House Energy and Commerce Committee successfully brought forward bipartisan consumer privacy legislation – the American Data Privacy Protection Act (ADPPA). As Public Knowledge said after passage out of the Committee, “This sweeping bill provides individuals with broad privacy protections across all sectors of the economy,” restricting what and how businesses collect, use, and share consumer data and giving individuals the right to access, correct, and delete the data companies have collected about them, placing them in greater control over its collection and use. These are big wins for consumers and we will be working to try to secure passage of this legislation in this Congress.

However, there is a significant issue with the ADPPA – it removes protections that consumers have come to expect with regard to their voice communications. The ADPPA was designed to create a new privacy framework for an environment (the internet) which previously had none. Instead of focusing on regulating this previously unregulated space, Section 404(b)(3) of the ADPPA preempts the telephone privacy work the Federal Communications Commission had been doing for decades (while preserving that authority for emergency communications, treaty obligations, and restrictions on use for customer retention efforts). It does this by preempting Section 222 of the Communications Act for “covered entities” to the extent they process “covered data” (which includes phone calls and other sorts of communications). Although proponents of preempting the FCC’s authority over privacy through the ADPPA argue that there should only be one privacy regulator, that position is inconsistent with the ADPPA itself, which leaves in place other sector-specific regulators to protect consumers’ health information (under HIPAA regulations) and financial privacy (under Gramm-Leach-Bliley).

So why is the FCC being preempted in this bill? Because a handful of the largest telephone, cable, and broadband providers that the FCC is charged with regulating are tired of being under a sector-specific regulator that has used its regulatory tools to develop clear rules that provide oversight and enforcement for violations, all in furtherance of greater consumer privacy. And these companies are not afraid to put the money you pay them for service where their mouth is. In the last quarter alone, they spent $360,000 on outside lobbyists to weaken consumer privacy, and over the last decade they have spent $10.3 million in outside lobbying on this single issue.  

The privacy of communications has been protected by state and federal regulators for more than 100 years. Originating in state-level common law and then formalized in federal law in the Mann-Elkins Act of 1910, the telephone system basically evolved around a regulatory regime that protected the privacy of users and competitors. Congress consolidated both the personal privacy protections and the competition parts of this regulatory regime in Section 222 as part of the 1996 Telecommunications Act. So, as explained in more detail below, expressly preempting certain critical aspects of Section 222 for “covered entities” with regard to “collecting, processing, and transferring covered data” goes well beyond altering consumers’ expectations of personal telephone privacy; it alters fundamental tools that promote the modest competition that exists in the sector and restructures the entire phone industry by moving communications providers from a rules-based regime to a contract-based regime where the dominant market participants have little interest in contracting with rivals and providers in smaller, more rural markets (or at least contracting on terms that are reasonable).

The FCC’s Rules and Enforcement Authority Should Be Preserved To Match Consumer Expectations 

Eliminating the authority of the FCC to protect consumer privacy under Section 222 means that, for the first time in over a century, the federal telephone regulator will have no power to protect the privacy of consumers’ communications. Instead, your most intimate phone details will now be protected by the Federal Trade Commission under a scheme designed for your Amazon ordering history and your Facebook “likes.” But while this means going from nothing to something real for Amazon and Facebook, it also means going from what is a robust regulatory regime that protects telephone information to something a lot less good.

Section 222, also known as the Customer Proprietary Network Information (CPNI) rules, is generally regarded as one of the great success stories of both privacy and competition. We have written extensively about CPNI and its importance to both privacy and competition, which you can review here, here, and here. Importantly, eliminating Section 222 through the ADPPA has the effect of eliminating a regulatory structure that protects consumers through robust rulemaking and enforcement authority.

Over the years, the FCC has used its rulemaking authority to expressly prohibit practices that violate customer privacy and to have those rules evolve as the industry evolves. For example, as new Internet Protocol-enabled services began to emerge in the 2000s, the FCC updated its rules to cover consumers that were switching to Voice over Internet Protocol (VoIP) service. As part of that proceeding, the Commission also took steps to prevent pretexting and adopt other rules that were designed to prevent access by data brokers to consumers’ information. In 2013, the Commission took steps to ensure data that providers directed to be collected and stored on consumers’ mobile devices was treated as CPNI and, thus, protected. 

In 2015, the FCC took additional steps to extend CPNI protections to broadband services. That step, unfortunately, was later blocked by the same forces that are today trying through this legislation to “finish the job.” As an aside, it is worth remembering how then-FTC Acting Chair Maureen Ohlhausen (who now works as an industry lobbyist pushing FCC privacy preemption for the 21st Century Privacy Coalition, a coalition of communications companies founded by AT&T, Comcast, and other communications companies) and FCC Chair Ajit Pai jointly and joyously proclaimed that a “benefit” of getting rid of FCC oversight of broadband was giving privacy oversight of broadband providers to the FTC. A follow-up study by the FTC in 2021 concluded that, in the few years since the FCC abdicated privacy protection for broadband providers, the companies studied had grown into major privacy-violating giants with “illusory” tools for consumers to control the use of their personal information. The FTC staff report noted that the FCC not only had highly specialized knowledge of the industry, but that the FCC enforcement statutes provided more powerful tools to protect privacy, such as the ability to issue injunctive relief without going to court and the ability to level civil fines for first-time offenses.

The FCC does indeed have some powerful enforcement tools that it can use to protect consumers’ data. Under those authorities, the FCC fined the four large wireless providers in 2020 for selling their customers’ location information and failing to take adequate steps to protect against unauthorized access. These enforcement tools and a willingness to use them also explain why, for example, AT&T and Verizon had no worries testing their “supercookie” tracking system (the one customers could not shut off) when under FTC’s jurisdiction but dropped the program like a hot rock when the FCC started applying CPNI to broadband in 2015.

To be clear, the FTC does a solid job as a general privacy enforcement agency and has brought about concrete consumer protections in a number of sectors of the economy under a general statute without any specific privacy protection authority (which is a structure that the ADPPA builds upon and that Public Knowledge supports). The FTC, though, does not have the tools, expertise, or resources to effectively police privacy on communications networks, but the Federal Communications Commission – a sector-specific regulator – does. And that is not just our assessment. That’s the assessment of the FTC itself in the FTC staff report.

In sum, consumers currently have strong privacy protections for their telephone data based on existing law and precedent. Consumers currently have strong federal and state agencies that can enforce their privacy rights. Many people do their most private and most personal communications by phone for precisely this reason. This alone is a sufficient basis for the ADPPA to be revised to exclude voice services from the scope of the preemption language in the bill. Yet, there are more reasons.

Section 222 Is About More Than Privacy, It Also Fosters Competition

The FCC’s CPNI rules under Section 222 do more than provide some of the strongest privacy protections for individuals in the country. The CPNI rules also protect competition by protecting competitor proprietary information and giving consumers the right to order the telecommunications provider to transfer needed information to competitors immediately so they can provide competing service. These competition rules go back to the 1970s and 1980s, when the FCC was opening the local telephone monopoly (“Incumbent Local Exchange Carriers,” or ILECs) to new types of competition in long-distance calling (provided by “Interexchange Carriers,” or IXCs) and “enhanced service providers” of things like voicemail and dial up internet access. The Telecommunications Act of 1996 (as explained at considerable length here) took these FCC rules and put them in Section 222 so that the newly created competing local phone companies (“Competitive Local Exchange Carriers,” or CLECs) and others could provide needed information to the ILECs to access customers and be sure the ILECs wouldn’t use that information to undermine competition. These rules proved so successful at promoting competition that the U.S. (at the request of companies like AT&T and Verizon) included provisions in a number of our bilateral trade agreements requiring other countries to adopt CPNI rules (for competition, not consumers). That is to say, while the carriers don’t like these rules when they are the incumbents, they like them a lot when they are competitors. Why? Because they work.

To be clear, Section 222 is only part of the pro-competition regulations set up under the Telecommunications Act of 1996. For example, the ability to move your phone number from one carrier to another (number portability) is required by Section 251(b) of the Communications Act and switching providers is governed by Section 258. Under the ADPPA, these regulations remain intact, although carriers could potentially erect new barriers under the ADPPA to try to stop you from switching carriers, like cable companies do when you try to cancel your subscription.

Why do we believe this? First, shifting from CPNI to the ADPPA eliminates the right to transfer necessary proprietary information. Section 222(c)(2) of the Communications Act requires the carrier to disclose a customer’s CPNI to a third-party at the request of the customer, no questions asked, which is powerful for allowing customers to switch mobile or landline providers. The FCC has put some regulatory meat on those statutory bones to ensure that carriers provide that CPNI to the rival third-party in a form that actually enables competition when directed, and in a timely manner, so you can actually start using your rival service. Under Section 203 of the ADPPA… not so much, or at least maybe not so much. This is because the ADPPA and the FCC’s number portability and switching rules are in tension on a number of things. 

For example, the ADPPA Section 203(e)(A)(iv) allows the “covered entity” to refuse to disclose your individual data when doing so would disclose proprietary information. The FCC’s rules require the transfer of individual data upon the request of the consumer. Such a request can be, and most often is, made through the new phone provider the consumer wants to go to instead of through her current provider. If the ADPPA governs, Section 203(e) could end the ease with which consumers can switch because the customer’s current provider could potentially seek to frustrate that change by creating its own verification system and requiring verification of the number port directly from the consumer, consistent with the ADPPA.

Moreover, under the ADPPA, a covered entity has anywhere between 45 days and 90 days to actually respond to the request (depending on the size of the entity and the complexity of the request) and you only get two free information requests per year – after that, the carrier gets to charge you. Under the FCC’s rules, a few hours or, at most, four days are all that is allowed for a carrier to honor a customer’s request to switch providers, depending on the type of switching the customer requests. Regardless, this is far short of the 45 and 90 days in the ADPPA. These points of tension between the FCC and the ADPPA authorities are quite real and could potentially impact competition for service in the communications space in a way that would not provide for easy resolution, leaving consumers in the lurch until it is sorted out – likely in court.

More generally, protecting the privacy of individual and proprietary information has been central to the operation of the phone system, shaping how the various components of the system work. That system, at its core, operates based on statutes, rules, and requirements concerning the transmission of data necessary to complete the requested communication. Those rules have been decades in the making and cannot be replicated, particularly under a system that is built on contractual agreements between the parties sharing data, which is the structure envisioned in the ADPPA. Again, while such a structure works for Amazon and its vendor relationships, it will not work for the phone network. As the FCC’s most recent Communications Market Report states, there are more than 1,300 independent phone network companies in the United States, ranging from rural cooperatives to international giants like AT&T. These phone companies – and countless others that do everything from provide custom enterprise services to phone call routing – rely on the pro-competition privacy rules adopted and enforced over decades by the FCC under its Section 222 authority for the transfer of customer proprietary information to complete calls. Absent that structure, all of these companies will need a whole set of new contracts they never needed before to comply with the requirements of the ADPPA.

Which brings up one final point of concern. The industry transformation that would need to take place under the ADPPA for phone companies would have to occur without any transition period, and without any oversight or guidance from the FCC or state public utility commissions (PUCs), which would also be preempted under the ADPPA. If you detect a note of panic in these words, you are spot on. There is genuine, supportable fear for what the unintended consequences of this would be for the boring but critically necessary function of making sure the telephone network actually works.

We Can Fix This To Bolster Consumer Privacy

Fixing this does NOT require jettisoning the ADPPA and the substantial strides it makes in promoting consumer privacy for its original target – the online digital market where consumers have been the product of these companies for far too long with little to no oversight. Public Knowledge suggests that Congress should restore the FCC’s authority over consumer voice privacy if we want to avoid the unintended consequences (or, perhaps, “intended consequences” if you’re a broadband provider) outlined in this blog post. 

We have not outlined the many, many benefits of the ADPPA so that we could focus on this critical concern. But it is important to say: it is significant that, on a bipartisan basis, the House has achieved something so many thought was impossible: moving comprehensive, meaningful privacy legislation. The leadership of Chairman Pallone, Chairwoman Schakowsky, Ranking Members McMorris Rodgers and Bilirakis, along with the other members of the Energy and Commerce Committee that supported this legislation 52-2, made a powerful showing. They are to be commended for their hard work and willingness to find compromise. We hope to continue to work with members on trying to address the concerns raised in this blog and a few other concerns that remain with this legislation. Our objective is straightforward: We want to ensure that, as we add greater privacy protections for consumers in their online lives, we do not weaken the protections in place over their voice communications. Just as the ADPPA preserves the more specific rules covering consumers’ health and financial privacy, so, too, should the ADPPA protect consumers’ voice privacy by leaving the FCC in place.