The Brave New World of Privacy

To quote Dorothy in The Wizard of Oz: “I’ve a feeling we’re not in Kansas anymore.” With the Federal Communications Commission’s (FCC) recent passage of highly restrictive and sweeping new privacy rules, consumers and advertisers have been sent down an extremely winding regulatory yellow brick road. This new rule (taken together with two important recent decisions overseas) has completely scrambled the entire privacy regime that has fostered the explosive growth of the Internet and mobile media over the last decade. Sadly, we’re not likely to wake up and find out it’s all just a dream.
 
The FCC’s new rules require Internet Service Providers (ISPs) to obtain opt-in consent to use and share “sensitive data,” a term defined now by the FCC to include all web browsing and application use history when linked to a device alone. This is unprecedented. It also could seriously undermine the support that data-driven advertising provides to on-line commerce. It appears that, every time someone goes on-line utilizing an ISP device to look up almost anything (for example, the closest pizza shop, a weather report or the latest sports score), they will need to provide opt-in consent before that information – however innocuous – can be gathered. Clearly, children’s data, significant financial and health information, and precise geolocation data are sensitive privacy categories, but to treat general browser activity and app use history as equally sensitive and therefore deserving an opt-in consent requirement makes no sense at all.

This vast overreach will mean that consumers either will have to opt-in repeatedly during their web browsing, or be overloaded with a constant drumbeat of opt-in choices. The only alternative is for consumers to agree to a more global privacy opt-in with their ISPs that could fail to distinguish what is highly sensitive data and what is not. This requirement is not consistent with the longstanding approach taken by the FCC’s sister agency – the Federal Trade Commission (FTC) – as well as the Digital Advertising Alliance’s (DAA) highly successful privacy self-regulatory program and state requirements. These other entities recognize that some information requires a higher degree of consent from consumers, while data collected during general web browsing or app use does not. The FCC’s action also ignores many court rulings that have found that the advertising use of web browsing histories tied to device information does not harm or injure consumers. This FCC action is highly counterproductive since data-driven online commerce and advertising provide the economic underpinnings of the innovation and services consumers desire and use in their on-line activity.    

While all this was happening in Washington, a challenge was just filed to the U.S.-European Union (EU) Privacy Shield program put in place this year following the rejection of the previous privacy protocols involved in transferring private data from the EU to the United States. This new agreement allows personal data to move smoothly between Europe and the United States and gives EU citizens greater means to seek remedies if they feel that their data is not handled appropriately. Digital Rights Ireland, however, claims that this program does not contain adequate privacy protections, and so has sought to invalidate it. Though it will be awhile before a final decision is rendered in this case, the mere possibility that the Privacy Shield program could be undone places the more than 500 companies that use the new shield program in a position of significant uncertainty, increasing the possibility that efficient data transfer could once again be threatened.

Finally, the EU Court of Justice last week determined that Internet protocol (IP) addresses regarding use of websites is “protected data” under EU laws. This ruling could mean that companies (including US firms) doing business in the EU that identify users by IP addresses for tracking or other purposes will have to change their practices. Under this ruling, companies can no longer assume that their data won’t be combined with data from other sources to identify consumers, and therefore the data would then become subject to EU data protection requirements. Companies will likely have to examine what steps they can take to anonymize data in order to make it more difficult for it to be combined with other information that permits consumers to be personally identified.

In a future blog, we’ll look at some of the legal issues involved in the FCC’s new privacy rules.  For now, however, advertisers in the Internet and mobile media marketplace are going to have to reexamine and recalibrate their activities quickly in order to navigate this brave new regulatory world.