The Federal Trade Commission will make sure companies like Google follow the same privacy rules as cable providers if the Federal Communications Commission allows them to build their own set-top boxes, according to the FTC.
FTC Chairwoman Edith Ramirez told Congress Tuesday the FTC advised the FCC to require device manufacturers intending to enter the set-top box market to make consumer-facing statements saying they’ll comply with FCC privacy rules for cable and satellite providers.
“I am aware that Commissioner Wheeler has indicated an intent to include that in the rule,” Ramirez said. “And that would allow us to take action in appropriate circumstances.”
Under rules the FCC is scheduled to vote on Thursday, pay-TV providers will have to offer their content to subscribers on apps, giving consumers the option to forego renting a set-top box for a monthly fee. The apps must be downloadable on all major device platforms (Roku, Apple TV, smartphones, tablets, etc.), but will also allow third-party companies like Google, which has expressed interest in entering the market, to build their own boxes consumers could buy.
Critics of the plan said companies like Google, with a noted reputation for hoarding and monetizing consumer data, shouldn’t be allowed to collect and monetize data from cable subscribers, whose privacy is protected by FCC rules that bar using subscriber data for anything other than providing service unless they obtain permission from the user.
The FCC has said those same rules will apply to third-parties, but since the FCC lacks the jurisdiction to enforce the rules on device manufacturers, the FTC will do the enforcing, according to Ramirez.
“By doing this it would facilitate the ability of the FTC to enforce in this arena,” she told the Senate Commerce, Science and Transportation Committee Tuesday.
The arrangement is an interesting role reversal for the FTC, which has been caught in the middle of a year-plus long battle between Congress and the FCC over its forthcoming privacy rules for internet service providers (ISPs) — rules it’s had to develop since claiming jurisdiction over ISPs with its net neutrality ruling last year.
Republicans have urged the FCC to follow the FTC’s case-by-case approach to privacy enforcement instead of adopting rules proposed by Wheeler. Those would forbid ISPs from using consumer data for almost anything outside of providing service without a subscriber’s prior consent.
“I think it is important for there to be general harmony in the way that data is treated,” Ramirez said with regard to whether separate agencies should enforce privacy with differing standards, adding the FTC said as much in comments to the FCC.
“I will note that we’re in an era when a number of different agencies are having to take a look at issues that relate to privacy and data security,” she said.
The chairwoman repeated her support for repealing legislation that bars the FTC from leveling enforcement action against common carriers, a classification that now includes ISPs. Removing the exemption would allow both the FCC and FTC to have jurisdiction over ISPs — something Ramirez said was even more important following a recent FTC loss against AT&T in a federal appeals court.
The ruling came after AT&T argued the FTC could no longer levy an enforcement action against it for deceiving subscribers about their data plans because AT&T is now a common carrier under net neutrality. The ruling, in combination with existing FCC rules that bar it from regulating the privacy of data not in transmission, could leave a privacy enforcement gap in which companies that offer internet connectivity — like Google with its fiber service — would be free of privacy oversight from either agency.
“We’re going to explore all options that we have available in terms of appeal,” Ramirez said.
It could be the FTC’s privacy rules that change as a result of the hack disclosed last week by Yahoo, which compromised personal data including email login information for more than 500 million users. Lawmakers slammed the company during Tuesday’s hearing for reportedly waiting more than a year before disclosing the breach to users.
“There are serious questions as to whether Yahoo effectively notified consumers as promptly as they should have been told about those security breaches,” Connecticut Democratic Sen. Richard Blumenthal told all three FTC commissioners present at Tuesday’s hearing.
“The FTC has brought numerous enforcement actions over the years against companies for lax data security practices, but this piecemeal, after-the-fact approach might be better served if the commission were able to prescribe rules requiring security practices,” Blumenthal said.
Ramirez expressed support for more authority to regulate those practices multiple times during Tuesday’s hearing, including Blumenthal and Florida Democratic Sen. Bill Nelson’s Data Security and Breach Notification Act — legislation that would stiffen enforcement and penalties against companies that inadequately protect data or disclose hacks.