Federal Communications Commission Chairman Ajit Pai on Friday moved to stay a portion of the broadband privacy rules.
The rules, passed by a 3-2 vote last October, require Internet service providers to obtain consumers' opt-in consent before drawing on their Web-surfing data or app usage history for ad targeting. The privacy order also imposes other requirements on broadband providers, including provisions regarding data breach notifications and data security.
Pai said Friday that either the full FCC or the agency's Wireline Bureau will stay the rules relating to data security, which are slated to take effect next Thursday. Those data security rules require broadband carriers to take reasonable steps to protect consumers' information.
Pai said through a spokesperson that he wants the full FCC to vote on a request to stay the rules, but that even if the agency doesn't do so before March 2, the Wireline Bureau will hold off on enforcing the data-security rules. The spokesperson added that Pai believes the rules slated to go into effect March 2 are inconsistent with standards of a different agency -- the Federal Trade Commission.
Other portions of the FCC's privacy order are being phased in throughout the year. The data breach notifications requirements take effect in June, and the provision regarding obtaining consumers' opt-in consent -- the most controversial of the rules -- takes effect in December. A separate provision banning broadband providers from forcing consumers consent to ad targeting as a condition of receiving service took effect in January.
Internet service providers, the ad industry and others have petitioned the agency to reconsider the privacy order; broadband carriers also separately asked the FCC to immediately stay the rules.
Critics argue that rules requiring opt-in consent for ad targeting impose a tougher privacy standard on Internet service providers than edge providers -- meaning online publishers, search engines or other Web companies. Those edge providers aren't bound by the FCC's regulations, and need not obtain users' explicit permission to draw on data about their Internet use for ad purposes.
As a practical matter, many Web companies allow consumers to opt out of receiving a broad range of behaviorally targeted ads, but seek opt-in consent before targeting ads based on a narrow category of "sensitive" information, like precise geolocation data and financial account numbers.
Privacy advocates and other supporters of the relatively stringent rules counter that broadband providers should be held to higher privacy standards, because ISPs are able to glean information about every unencrypted site users visit, as well as revealing metadata about usage patterns.
The FCC stated Friday that Pai supports a uniform framework. "All actors in the online space should be subject to the same rules, and the federal government shouldn’t favor one set of companies over another," the spokesperson stated.
Earlier this month, Republican lawmakers said they are prepping a resolution to rescind the privacy rules. Sen. Jeff Flake (R-Arizona) reportedly aims to revoke the rules under the Congressional Review Act -- a 1996 law that allows federal lawmakers to overturn recent agency decisions.
Some privacy advocates say that even though they oppose the stay, Pai's move could discourage Congress from taking the drastic step of revoking the privacy order. If Congress rescinds the privacy rules under the Congressional Review Act, the FCC won't be allowed to replace them with new privacy regulations.
"The fact that he's staying this part of the rule should be a signal to Congress that there is no need to use the Congressional Review Act here," Public Knowledge's Dallas Harris tells MediaPost. "Pai is signaling that he's going to provice the relief that Internet service providers are looking for."