Sen. Nelson Slams Attempt to Rollback Internet Privacy Rules

March 22, 2017

U.S. Sen. Bill Nelson (D-Fla.) took to the Senate floor today in opposition to a Republican-led measure that would prevent consumers from having a say about the sale and use of their personal information by the nation's internet providers. 

Sepcifically, the measure, S.J.Res.34, would rollback new Federal Communications Commission rules that require internet providers to seek customers' consent before selling or sharing sensitive personal information, including data about one's precise geographic location, health, finances, children or browsing history. 

Below are Sen. Nelson's floor remarks:

Mr. President, I rise today in opposition to this resolution, a resolution brought under the Congressional Review Act to disapprove the Federal Communications Commission’s (FCC’s) broadband consumer privacy rules.

Americans care about their online privacy and want to have control over how their personal information is exploited by third parties.

In fact, a recent survey by the Pew Research Center found that 91 percent of adults feel they have lost control of how their personal information is collected and used.

That same study found that 74 percent of Americans believe it is “very important” that they be in control of who can get information about them – and a majority believe that their travels around the Internet, the sites they visit, and how long they spend there is sensitive information that should be protected.

That is why, this past October, the FCC provided broadband subscribers with tools to allow them to have greater control over how their personal online information is used, shared, and sold.  The FCC has been protecting telephone customer privacy for decades and it updated its longstanding privacy protections to protect the privacy of broadband customers. 

In fact, it is safe to say that what the FCC did last October was the most comprehensive update to its consumer privacy and data protection rules in decades.

The FCC put in place clear rules that require broadband providers to seek their subscribers’ specific and informed consent before using or sharing sensitive personal information, and to give broadband customers the right to opt-out of having their non-sensitive information used and shared if they choose to do so.  The FCC also gave broadband subscribers additional confidence in the protection and security of their data by putting in place reasonable data security and breach notification requirements for broadband providers.

Simply put, the FCC decided to put American consumers – each one of us who pay monthly fees for their broadband service – in the “driver’s seat” of how their personal online data is used and shared by their broadband provider.

And make no mistake, broadband providers know a lot about every one of us.  In fact, it may be startling the picture that your broadband provider can develop about your daily habits – and then sell that to the highest bidder.

Your home broadband provider can know when you wake up each day – either by knowing the time each morning that you log on to the internet to check the weather/news of the morning, or through a connected device in your home.  And that provider may know immediately if you are not feeling well – assuming you decide to peruse the internet like most of us to get a quick check on your symptoms.  In fact, your broadband provider may know more about your health – and your reaction to illness – than you are willing to share with your doctor.

Your home broadband provider can build a profile about your listening and viewing habits – given that most of us today access music, news, and video programming over broadband.  Your broadband provider may have a better financial picture of you than your bank, brokerage firm, or financial advisor.  They see every website that you visit across every device in your home – and can build a thorough profile about you through those habits.  And if you live in a connected home, they may know even more detail about how you go about your day.

Your mobile broadband provider knows how you move about your day through information about your geolocation and internet activity through your mobile device.  And that’s not to mention the sort of profile that a broadband provider can start to build about our children from birth.

This is a gold mine of data – the holy grail so to speak.  It is no wonder that broadband providers want to be able to sell this information to the highest bidder without consumers’ knowledge or consent.  And they want to collect and use this information without providing transparency or being held accountable.

As a country, we have not stood in the past for this sort of free utilization of information by entities that may have a unique look into who we are.  We place stringent limits on the use of information by our health providers, our banks, and when it comes to our children.  Broadband providers can build similar profiles about us – and in fact may be able to provide more detail about someone than any one of those entities can.

Passing S.J. Res. 34 will take consumers out of this driver’s seat and place the collection and use of their information behind a veil of secrecy, despite rhetoric surrounding our debate today suggesting that eliminating these common-sense rules will better protect consumers’ privacy online or will eliminate consumer confusion.

In fact, the resolution will wipe out thoughtful rules that were the product of months of hard work by the expert agency on regulating communications networks of all kinds.  These rules were crafted based upon a thorough record developed through an extensive, multi-month rulemaking proceeding.  The FCC received more than a quarter of a million filings during this proceeding.  The agency received extensive input from stakeholders from all quarters of the debate – from broadband providers and telephone companies to public interest groups, and from academics to individual consumers.

On top of this, the rules are based on long-standing privacy protections maintained by the FCC for telephone companies, as well as the work of – and principles advocated by – the Federal Trade Commission (FTC), state attorneys general, and others in protecting consumer privacy.

The FCC’s rules put in place basic safeguards for consumers’ privacy, based on three concepts that are widely accepted as the basis for privacy regulation in the United States and around the world:  notice, choice and security.  And they are not the radical proposals that some would want you to believe they are.

First, the rules require broadband providers to notify their customers about what types of information it collects about them, when they disclose or permit access to it, and how customers can provide consent to that collection and disclosure.  

Second, the rules give consumers choice by requiring broadband providers to obtain a customer’s affirmative “opt-in” consent before using or sharing “sensitive” information.  Sensitive information includes a customer’s precise geographic location, health, financial, children, social security number, content, web browsing, and application usage information.

For information considered non-sensitive, broadband providers must allow customers to “opt-out” of use and sharing of such information.

And broadband providers must provide simple and persistently available means for customers to exercise their privacy choices.

And third, broadband providers are required to take reasonable measures to protect customer’s information from unauthorized use, disclosure, or access.  They must also comply with specific breach notification requirements.

So, I ask my colleagues, what is wrong with requiring broadband providers to give their paying customers clear, understandable, and accurate information about what confidential and potentially highly-personal information these companies collect about their subscribers?

What is wrong with telling customers how their information is collected when they use their broadband service?

What is wrong with telling customers with whom they share this sensitive information?

What is wrong with letting customers have a say in how their information is used?

What is wrong with recognizing that information about a consumer’s browsing history and app usage is sensitive, personal information that should be held to a higher standard before it is shared with others? 

What is wrong with seeking a parent’s consent before information about their children’s activities or location is sold to the highest bidder?

What is wrong with protecting consumers from being forced to sign away their privacy rights in order to subscribe to broadband service?

What is wrong with making companies take reasonable efforts to safeguard the security of their customer’s data?

What is wrong with making companies notify their subscribers when there has been a breach?

Again, I ask my colleagues what is wrong with giving consumers increased choice, transparency and security online?

Supporters of the joint resolution fail to acknowledge the negative impact that this resolution would have on the American public. 

This legislation will wipe away a set of reasonable, common-sense protections.

It will open all of our internet browsing histories and application usage patterns up to exploitation for commercial purposes by broadband providers – and third parties who will line up to buy this information.

It will create a “privacy free” zone for broadband companies – with no federal regulator having effective tools to set rules of the road for collection, use, and sale of uniquely personal information.

It will tie the hands of the FCC and eliminate its future ability to adopt clear, effective privacy and data security protections for broadband subscribers – and in some cases, even telephone subscribers.

To be sure, there are those who disagree with the FCC’s broadband consumer privacy rules.  And there is an avenue for those complaints:  these same companies who are pushing the joint resolution have filed for reconsideration of the rules at the FCC – and there is the judicial system.

In fact, the critics of the FCC’s rules have an open proceeding at the FCC in which they can argue on the record – with an opportunity for full public participation – to change and alter these rules.

By contrast, the Congressional Review Act is a blunt instrument.

It means that all aspects of the rules adopted by the FCC must be overturned at once – including changes to the FCC’s telephone privacy rules.

It would deny the agency the power to protect consumers’ privacy online – and it would prevent the FCC from ever adopting even similar rules.  This does not make sense.

I also want to address the argument that the FCC’s rules are unfair to broadband providers because the same rules do not apply to other companies in the internet ecosystem.

Supporters of the resolution argue that other entities in the internet ecosystem have access to the same personal information that broadband providers do.  They argue that everyone in the data collection business should be on a level playing field.

I ask my colleagues whether they have asked their constituents that question directly.  Do Americans really believe that all persons who hold data about them should be treated them same?  I venture to guess that most Americans would agree with the FCC – that companies who are able to build detailed pictures about their lives through unique insights into their internet usage should be held to a higher standard.

In addition, the FCC’s rules still allow broadband providers to collect and use their subscribers’ information.  The providers merely need to obtain consent for those activities when it comes to their subscribers’ highly sensitive information.

The FCC also found that broadband providers, unlike other companies in the internet ecosystem, are uniquely able to see every packet of information that a subscriber sends and receives over the internet while on their networks.

Supporters of the joint resolution also hold out the superiority of the Federal Trade Commission’s efforts on protecting privacy.  They argue that there should only be one privacy “cop” on the beat – but that ignores reality.

There are a number of privacy cops on the beat.  Congress has given the FCC, the FTC, the FDA, and NHTSA regulatory authority to protect consumers’ privacy. 

But let’s be clear, the FCC is the only agency to which Congress has given statutory authority to adopt rules to protect broadband customers’ privacy.

The FTC does not have rule making authority in data security – even though commissioners at the FTC have asked Congress for just such authority in the past.

Given recent court cases, the FTC now faces even more insurmountable legal obstacles to taking actions protecting broadband consumer’s privacy and.

As many have pointed out, elimination of the FCC’s rules will result in a yawning chasm where broadband and cable companies have no discernible regulation, while internet “edge” companies abide by FTC enforcement efforts.

And without clear rules of the road, broadband subscribers will have no certainty or choice about how their private information can be used and no protection against its abuse.

That is why I support the FCC’s broadband consumer privacy rules, and I encourage my colleagues to vote against the joint resolution.