As we discussed in our recent client alert, the National Broadband Plan (the “Broadband Plan”) of the U.S. Federal Communications Commission (“FCC”) contains an ambitious set of some 200 recommendations for regulatory and legislative actions to improve the innovation, access, and affordability of broadband Internet service. Tucked among “big-ticket” items that have received much attention in recent weeks – such as reallocation of wireless spectrum and reform of the FCC’s Universal Service Fund – are a number of less-heralded suggestions relating to privacy issues and the management of personal data. The implementation of these privacy-related Broadband Plan recommendations by Congress, the FCC, and the Federal Trade Commission (“FTC”) could affect a wide range of firms, including broadband Internet access Internet service providers, advertisers, online content providers, and indeed any business with an Internet presence. The purpose of this alert is to provide greater focus and detail on the Broadband Plan’s recommendations for privacy regulation.
The Broadband Plan’s Recommendations to Regulate Privacy
Addressed under the rubric of “competition and innovation policy” in broadband applications and content, the Broadband Plan sets the stage by noting that consumers have little knowledge about or control over the collection and use of their personal data. The collection, aggregation and analysis of personal information have “become a source of value to businesses . . . as an enabler of more targeted and relevant advertising and increased user loyalty.” The Broadband Plan warns, however, that innovation in the broadband application market “will suffer if a lack of trust exists between users and the entities with which they interact over the Internet.” As a result, the Broadband Plan contends that “privacy concerns can serve as a barrier to the adoption and utilization of broadband.”
The Broadband Plan sets a goal of creating policies that “reflect consumers’ desire to protect sensitive data and to control dissemination and use of what has become essentially their ‘digital identity.’” This “digital identity” is described as the aggregation of detailed personal information about individuals that firms may collect over time through an individual’s use of Internet applications. The Broadband Plan notes that the “value of a targeted advertisement based on personal data can be several times higher than the value of an advertisement aimed at a broad audience,” a differential that will “likely increase as targeting becomes more refined.” This targeted online advertising allows online content providers to monetize their audience and provide free or inexpensive access to their products and services.
In order to achieve the Broadband Plan’s goal of greater consumer control over their digital identities, the Broadband Plan makes three recommendations that may lead to legislative and regulatory action in the near future:
1. Congress, the FTC and the FCC should consider clarifying the relationship between users and their online profiles, addressing these questions:
- What obligations do firms that collect, analyze or monetize personal data or create digital profiles of individuals have to consumers in terms of data sharing, collection, storage, safeguarding and accountability?
- What, if any, new obligations should firms have to transparently disclose their use of, access to and retention of personal data?
- How can informed consent principles be applied to personal data usage and disclosures?
2. Congress should consider helping spur development of trusted “identity providers” to assist consumers in managing their data in a manner that maximizes the privacy and security of the information.
3. The FCC and FTC should jointly develop principles to require that customers provide informed consent before broadband service providers share certain types of information with third parties.
The Broadband Plan notes that the FCC, FTC and other agencies regulate these privacy issues with authority from a variety of implementing statutes, ultimately leaving gaps in the regulatory framework. The Broadband Plan suggests that Congress could implement these recommendations and remedy these perceived gaps in a number of ways. Among other recommendations, the Broadband Plan suggests that Congress could revise the Privacy Act of 1974, 5 U.S.C. § 552a, “to give consumers more control over their personal data and more confidence in the security of their personal data.” The Broadband Plan states that “done correctly, this would increase innovation, rather than stifling it, by allowing consumers to transparently understand and choose how their government data are used.”
Barring such legislative action, the FCC and FTC would likely seek to implement the Broadband Plan’s privacy-related recommendations through rulemaking proceedings pursuant to their existing statutory authority. The FTC has devoted considerable attention to privacy issues in recent years and has congressionally delegated powers to regulate and influence certain online privacy matters. The FTC’s regulatory authority on these matters has been described as a “patchwork,” and the FTC may require additional delegated authority in order to implement the Broadband Plan’s privacy recommendations. The FTC is currently hosting a series of public roundtables examining the adequacy of existing privacy rules, and the Broadband Plan’s privacy recommendations dovetail with these existing FTC efforts.
With regard to FCC implementation, the Broadband Plan notes that the Communications Act of 1934, as amended (the “Act”), “contains various provisions outlining consumer privacy protections,” and that the FCC “typically works” with broadband Internet access providers. However, as noted above, the FCC’s jurisdiction over broadband Internet access service providers has been called into question by the Comcast v. FCC decision, which was issued after the Broadband Plan. This decision may inhibit the FCC’s ability to adopt new privacy rules of general application governing all broadband Internet access services regardless of platform, though careful consideration will need to be given to whether there are unique provisions in the Act applicable to the particular type of provider and its use of subscriber information. 
Implementation of the Broadband Plan’s privacy recommendations through either a congressional update of the Privacy Act and/or other legislation to address the “digital identity” and other privacy issues, or rulemaking proceedings by administrative agencies such as the FTC and FCC, would have broad implications for online content providers, broadband Internet access service providers, advertisers, and businesses with an online presence. These and other stakeholders should be prepared to help shape any legislation arising from these recommendations and to comment on any related rulemaking proceedings before the FCC and FTC.
 See Marc S. Martin, Martin L. Stern and Peter W. Denton, The FCC’s Sweeping National Broadband Plan: How it Will Affect You (Mar. 22, 2010), available at http://www.klgates.com/newsstand/Detail.aspx?publication=6295. A copy of the Broadband Plan, released on March 16, 2010, is available at the following FCC link: http://www.broadband.gov/download-plan.
 As a result of an April 6, 2010 decision by the U.S. Court of Appeals for the District of Columbia Circuit, holding that the FCC lacks jurisdiction over broadband Internet access services, there is a cloud of uncertainty over the FCC’s jurisdiction to implement some of the Broadband Plan’s recommendations. See Marc S. Martin and Martin L. Stern, Court Overturns FCC’s Net Neutrality-Based Decision Against Comcast: What Happens Next? (Apr. 8, 2010), available at http://www.klgates.com/newsstand/Detail.aspx?publication=6337 (“Comcast Alert“).
 The FTC relies on its authority under Section 5 of the FTC Act to prohibit unfair or deceptive acts in connection with the collection, use, disclosure, and protection of personal information. The Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6802-6803, also provides the FTC with authority to regulate the activities of financial institutions with respect to personal information they collect on consumers. The Fair Credit Reporting Act, 15 U.S.C. §§ 521-573, allows the FTC to regulate the activities of consumer credit reporting agencies as they relate to their interaction with consumers and the use of their personal data.
 See FTC, Exploring Privacy: A Roundtable Series, http://www.ftc.gov/bcp/workshops/privacyroundtables/.
 For example, Section 222 of the Act, 47 U.S.C. § 222, applies to the protection of customer proprietary network information in connection with the provision of telecommunications services (as defined in the Act), which does not, at this point, include the provision of broadband Internet access services. On the other hand, Section 631, 47 U.S.C. § 551, applies to personally identifiable information acquired by cable operators, and is not limited exclusively to the provision of cable services, but also to “other service” provided by cable operators. In a pending notice of proposed rulemaking accompanying its declaratory order finding that cable modem service is an information service, the FCC tentatively concluded that “cable modem service would be included in the category of ‘other service’ for purposes of Section 631.” Inquiry Concerning High-Speed Access to the Internet Over Cable and Other Facilities; Internet Over Cable Declaratory Ruling; Appropriate Regulatory Treatment for Broadband Access to the Internet Over Cable Facilities, Declaratory Ruling and Notice of Proposed Rulemaking, 17 FCC Rcd 4798, ¶¶ 11-112 (2002). The FCC observed, however, that “Section 631’s terms are enforced by the courts, and not by the Commission.”