Industry and Public Interest Groups Disagree on Preempting FCC Data Privacy Authority

WASHINGTON, April 17, 2024 – Experts at a Wednesday House hearing disagreed on whether a federal privacy law should preempt the Federal Communications Commission’s consumer protection authority over telecom companies.

Lawmakers released draft language of the American Privacy Rights Act last week. The bill has yet to be introduced and could change before that happens, but generally the draft would allow consumers to opt out of targeted advertising and would limit the data companies can collect to only what is necessary to provide a given service.

The draft would also strip the FCC of most of its data privacy authority, except for its recently adopted data breach notification rules, and hand enforcement over to the Federal Trade Commission. That could be a problem, according to David Brody, managing attorney at the Lawyers’ Committee for Civil Rights Under Law’s digital justice initiative, both because it would take telecom regulation out of the hands of an expert agency and because it could muddle the FCC’s authority to combat scam calls and texts.

“The displacement of the Communications Act is vague and overbroad,” he said at the hearing. “This could endanger the FCC’s consumer protection authorities and its work to combat illegal robocalls.”

“It’s important, I agree, for the FTC to have strong powers here. But we don’t want to squander the expertise of the Federal Communications Commission with regard to telecommunications and the many important things it does that the FTC would not be equipped to do,” he added.

Large telecom companies do not want a privacy law to leave in place any FCC authority over them with respect to data privacy. 

“To facilitate a consistent approach to the bill’s privacy and data security requirements, the FCC’s authority should be eliminated,” said Maureen Ohlhausen, co-chair of the 21st Century Privacy Coalition, a group representing AT&T, Comcast, Cox, and telecom trade associations.

Some of those associations, USTelecom and CTIA, are suing to block the agency’s data breach rules that the draft language would leave in place.

Those rules expand both the FCC’s definition of a breach and the kinds of data covered by its policies, as well as requiring telecom providers to notify the FCC in the event of a breach. As they did in comments during the rulemaking process, the trade groups are arguing the agency does not have legal authority to expand the scope of covered data.

The agency is set to vote next week on reinstating net neutrality rules and reclassifying broadband internet as a Title II service under the Communications Act, which would make ISPs subject to the draft privacy legislation. Commissioners moved to establish privacy rules for internet providers through the FCC’s rulemaking process in 2016, when broadband was a Title II service, but Congress stepped in to nullify them.

Wednesday’s hearing came at a time of heightened interest in a federal data privacy law, something that still only exists at the state level. Witnesses discussed 10 pieces of pending legislation including updated children’s safety legislation introduced in both chambers yesterday.