ThinkstockPhotos-504041382-webThe Federal Communication Commission’s (FCC’s) newly promulgated Open Internet rules (2015 rules)—also known as the net neutrality rules—went into effect on June 12, 2015.1 The new rules apply specifically to broadband Internet access service providers, and not to Internet content, application, and device providers (edge providers). Nonetheless, by design, the rules will have a potentially far-reaching impact on edge providers’ and consumers’ rights and the avenues for redress in the face of harm inflicted by broadband providers. To date, the FCC has yet to receive any formal complaints from companies, though those may well be in the offing, according to some media reports and public statements.2

As anticipated, telecommunications and broadband providers3 filed challenges to the 2015 rules at the U.S. Court of Appeals for the D.C. Circuit in July 2015. Oral arguments are scheduled for December 4, 2015. Media coverage—and to a large extent the legal challenges brought against the 2015 rules—have focused on the FCC’s decisions to reclassify fixed and mobile broadband providers as common carriers and to prohibit Internet traffic blocking, throttling, and prioritization. Other aspects of the new rules, however, also have important implications for the Internet economy, as the new rules address deceptive and unfair practices by broadband providers, consumer data security and privacy, and the transparency of information available to consumers and edge providers.

The FCC concluded in 2010, and again in 2015,4 that Internet openness fosters a virtuous cycle in which Internet-based application, service, and device innovation increases broadband use, which leads to the expansion and improvement of broadband infrastructure. That, in turn, fosters further application, service, and device innovation.5 The FCC found that privacy protections are a fundamental aspect of the virtuous cycle because privacy-related concerns might otherwise decrease Internet usage, thereby threatening to disrupt the cycle.6

FCC to Take On Deceptive and Unfair Practices

The 2015 rules prohibit broadband providers from “unreasonably” discriminating against Internet content, applications, or devices, relying on a catch-all “no unreasonable interference/disadvantage” standard.7 While a discriminatory practice that is reasonable network management does not violate the rules,8 the FCC will conduct a case-by-case analysis to determine whether a practice unreasonably interferes with or disadvantages consumers’ access to edge providers. Among other factors, the FCC will consider whether a broadband provider employs “any deceptive or unfair practices,” including those that “fail to protect the confidentiality of end users’ proprietary information.”9 Importantly, a given practice may violate the new standard only when it unreasonably interferes with consumers’ ability to use or access lawful Internet content.

This seemingly narrow category of activities prohibited by the 2015 rules contrasts with the Federal Trade Commission’s (FTC’s) broader consumer protection standard. The FTC has a long track record of using its authority under Section 5 of the FTC Act to protect consumers from “unfair or deceptive acts or practices,” including (and increasingly) those related to data privacy and security.10 The FTC’s deception standard, for instance, does not require actual injury, but rather applies to practices that are likely to cause consumer harm. The FTC’s unfairness standard applies to any practice that causes actual and substantial harm, not just practices that could interfere with consumers’ ability to use or access lawful Internet content.11 Prior to the 2015 rules, the FTC may have had jurisdiction over broadband providers when they provided broadband services and not common carrier services.12 Now that the 2015 rules have reclassified broadband Internet access services as a “common carrier” service under Title II of the Communications Act, at least one provider of broadband Internet access services, AT&T, has challenged the FTC’s jurisdiction over AT&T’s practices. AT&T has argued that the FTC Act’s “common carrier” exemption from the FTC’s jurisdiction applies to entities based on their status as a common carrier, not just based on common carrier activities. The FTC asserted, and a district court agreed, that it properly has jurisdiction over AT&T’s non-common carrier activities.13 In early August 2015, the U.S. Court of Appeals for the Ninth Circuit agreed to hear AT&T’s appeal of that determination and will review briefs later this fall.14

Data Privacy and Security Requirements

The Communications Act imposes a number of obligations on common carriers, including a duty to protect the confidentiality of customers’ proprietary information.15 The FCC’s 2015 rules newly apply the Communication Act’s provisions related to data privacy—previously applicable to voice telecommunications services—to broadband providers.16 Now, except as expressly authorized by customers or otherwise required by law, a broadband provider that possesses individually identifiable customer proprietary network information (CPNI) will only be permitted to use or disclose CPNI for the purpose of providing the broadband Internet service.17 As applied to voice telecommunications services, this privacy restriction has not applied to aggregate customer information.18 The CPNI definitions applicable to broadband Internet access services, though, have not yet been resolved. Chairman Wheeler has stated that the FCC will likely launch a rulemaking on broadband definitions for CPNI this coming fall.19 The broadband equivalent of the FCC’s CPNI rules could encompass a broad swath of information such as, for example, data generated when a consumer visits a website through a web browser or mobile application—increasingly valuable information for advertisers and content providers.

Enhanced Transparency Rule

The 2015 rules expand the scope and detail of the FCC’s previously issued transparency rule, which survived the D.C. Circuit’s Verizon decision. The enhanced transparency rule is intended to ensure that consumers and edge providers will have the information they need to evaluate different broadband providers’ service offerings—including technical performance characteristics. Under the new transparency rule, broadband providers now must disclose more detailed information about network practices, performance characteristics, and commercial terms.20 The 2010 Open Internet rules merely suggested, in some instances, the kinds of detailed disclosures that might be appropriate. Required disclosures include terms related to pricing, privacy policies, data caps or allowances, and other fees.21 Disclosures in privacy policies should include “whether network management practices entail inspection of network traffic, and whether traffic information is stored, provided to third parties, or used by the carrier for non-network management purposes.”22 The FCC also clarified that broadband providers have a duty to update their mandatory disclosures in a timely manner whenever there is a material change in the terms or circumstances.23

Of special interest to edge providers, the enhanced transparency rule newly requires that broadband providers use packet loss as a measure of network performance.24 The previous transparency rule already required actual network performance disclosures related to speed and latency.25 Separately, broadband providers also now will be required to send a specific notification to consumers when a “network practice” is likely to significantly affect their use of the service.26 Finally, the 2015 rules adopt a voluntary safe harbor for broadband providers that elect to use a consumer disclosure format the FCC will promulgate in late 2015.27 The FCC expects that the format will be “clear and easy to read—similar to a nutrition label” so that consumers can easily compare different broadband providers.28

Edge Provider and Consumer Avenues for Redress

If edge providers or consumers believe that they are being harmed by a broadband provider’s practices that may violate the 2015 rules, the FCC has put forth three ways that those concerns may be addressed.29 Edge providers or consumers can formally or informally submit complaints to the FCC about the practices of broadband providers.30 Additionally, edge providers or broadband providers that are unsure whether a practice or commercial arrangement may run afoul of the 2015 rules may seek an advisory opinion from the FCC before implementing them.31 The FCC will not bring an enforcement action against a requesting party acting in good-faith reliance upon an advisory opinion, so long as the request was truthful and fulsome, and the resulting activity matches that proposed in the request.32 Nevertheless, the FCC reserves the right to reconsider an issue addressed by an advisory opinion and to rescind or revoke an opinion.33

Under the auspices of the 2015 rules, the FCC has signaled that privacy and consumer protection is one of its key enforcement priorities. Challenges to the rules from broadband providers do not appear to have slowed or otherwise chilled the FCC’s enforcement agenda.34 In the coming year, we will begin to see the practical bounds and implications of these new consumer protection measures as they are implemented by the FCC and reviewed by courts.

1 “Protecting and Promoting the Open Internet,” Final Rule, 80 Fed. Reg. at 19737 (April 13, 2015); 47 CFR pts. 1, 8, 20.

2 See e.g., David Schaeffer, Cogent Communications, Remarks at Q2 2015 Earnings Call (August 6, 2015) (describing how negotiations with some ISPs have stalled and that Cogent is preparing to seek enforcement action and/or litigation); Margaret Harding, “Industry Moves Closer to First FCC Net Neutrality Complaint,” Law360, August 11, 2015, http://www.law360.com/articles/689915/industry-moves-closer-to-1st-fcc-net-neutrality-complaint.

3 Petitioners include: Alamo Broadband, the American Cable Association (ACA), AT&T, CenturyLink, the Cellular Telephone Industries Association (CTIA), the National Cable & Telecommunications Association (NCTA), USTelecom, and the Wireless Internet Service Providers Association (WISPA).

4 The previous Open Internet rules put forth by the FCC in 2010 were largely struck down by the D.C. Circuit in Verizon v. FCC. In re Preserving the Open Internet, 25 F.C.C.R. 17905 (2010); 740 F.3d 623 (D.C. Cir. 2014). The D.C. Circuit’s decision left the 2010 transparency rule undisturbed; the 2015 rules not only adopt the 2010 transparency rules, but also expand and add privacy measures.

5 “Protecting and Promoting the Open Internet,” 80 Fed. Reg. at 19739.

6 Id. at 19814-15.

7 Id. at 19756.

8 Id. “A network management practice is a practice that has a primarily technical network management justification, but does not include other business practices. A network management practice is reasonable if it is primarily used for and tailored to achieving a legitimate network management purpose, taking into account the particular network architecture and technology of the broadband Internet access service.” Id. at 19741.

9 Id. at 19757.

10 15 U.S.C. § 45 (a)(1). E.g., Decision and Order, In re Snapchat, Inc., FTC No. 1323078 (December 23, 2014) (alleged violations of Section 5 when deceptively marketing mobile application that could send temporary messages that would disappear after a certain time period); Decision and Order, In re Aaron’s Inc., FTC No. 1223264 (March 10, 2014) (alleged violations of Section 5 when using installed software on computers rented to consumers to log keystrokes, take screenshots, and employ webcams without consumers’ knowledge in a way that was unfair to consumers); Decision and Order, In re HTC America, Inc., FTC No. 1223049 (June 25, 2013) (alleged violations of Section 5 when failing to employ reasonable security on mobile devices).

11 15 U.S.C. § 45(n). Under the FTC’s unfairness standard, substantial and actual harm is weighed against any “countervailing benefits to consumers or to competition.” Id.

12 Order Denying Defendant’s Motion to Dismiss, Fed. Trade Comm’n v. AT&T Mobility LLC, No. C-14-4785 EMC (N.D. Cal. March 31, 2015) (holding that the FTC Act’s common carrier exception applies only when: (1) the entity has the legal status of a common carrier, and (2) the entity is performing common carrier activities).

13 Order Denying Defendant’s Motion to Dismiss, FTC v. AT&T Mobility LLC, No. 14-C-4785 (N.D. Cal. March 31, 2015).

14 Order, FTC v. AT&T Mobility LLC, No. 15-16585 (9th Cir. August 10, 2015).

15 47 U.S.C. § 222. Customers’ proprietary information includes information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service and information contained in customers’ bills. § 222 (h)(1).

16 “Protecting and Promoting the Open Internet,” 80 Fed. Reg. at 19814. The FCC exercised its so-called forbearance prerogative by temporarily refraining from imposing on broadband providers many of the Communications Act’s statutory provisions and associated rules currently applicable to telecommunications services. Some of the provisions that the FCC forbore from applying to broadband providers include the requirement to unbundle networks, the requirement to provide service in some circumstances, and rate regulation.

17 § 222 (c)(1). The FCC had previously issued rules implementing the statutory privacy provision, but those rules are specific to voice calls, and the FCC decided not to apply those implementing rules to broadband providers. “Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information,” Report and Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd 6927 (2007); “Protecting and Promoting the Open Internet,” 80 Fed. Reg. at 19815. The FCC stated that it will develop new implementing rules applicable to broadband providers, and suggested that customers’ web browsing history was sensitive information that would be protected under such rules. “Protecting and Promoting the Open Internet,” 80 Fed. Reg. at 19815.

18 “The term ‘aggregate customer information’ means collective data that relates to a group or category of services or customers, from which individual customer identities and characteristics have been removed.” § 222 (h)(2).

19 Tom Wheeler, FCC Chairman, “Maximizing the Benefits of Broadband,” Remarks at the Brookings Institution (June 26, 2015) (transcript and recording, http://www.brookings.edu/events/2015/06/26-maximizing-benefits-broadband-wheeler); Brian Fung, “The Messy Battle to Protect Your Data from Your Own Internet Provider,” The Washington Post, August 20, 2015, https://www.washingtonpost.com/news/the-switch/wp/2015/08/20/the-messy-battle-to-protect-your-data-from-your-own-internet-provider/.

20 Specifically, the transparency rule requires that broadband Internet service providers disclose: “(1) network practices, including congestion management, application-specific behavior, device attachment rules, and security measures; (2) performance characteristics, including a general description of system performance and the effects of specialized services, if any, on available capacity; and (3) commercial terms, including pricing, privacy policies, and redress options.” “Preserving the Open Internet, Broadband Industry Practices,” Report and Order, 25 FCC Rcd 17905, 17938-39, para. 54 (2010).

21 “Protecting and Promoting the Open Internet,” 80 Fed. Reg. at 19760.

22 Id. at 19761.

23 Id. at 19760.

24 Id. at 19761.

25 Id.

26 Id.

27 Id. at 19763.

28 Id.

29 Id. at 19742.

30 Id. at 19771.

31 Id. at 19772. The requests and opinions will be publicly available and are intended to guide the Internet industry. Id. at 19773.

32 Id. at 19773.

33 Id.

34 See e.g., FCC Press Release, “TerraCom and YourTel to Pay $3.5 Million to Resolve Consumer Privacy and Lifeline Investigations,” July 9, 2015, https://apps.fcc.gov/edocs_public/attachmatch/DOC-334286A1.pdf; FCC Press Release, “Enforcement Bureau Guidance: Broadband Providers Should Take Reasonable, Good Faith Steps to Protect Consumer Privacy,” May 20, 2015, https://apps.fcc.gov/edocs_public/attachmatch/DA-15-603A1.pdf; FCC Press Release, “FCC Joins Asia Pacific Privacy Authorities,” April 15, 2015, https://apps.fcc.gov/edocs_public/attachmatch/DOC-333037A1.pdf.