New Internet Privacy Bill Would Bring European-Style Regulations

[Shutterstock - Scanrail1]

As debate over the future of internet regulation drags on, Representative Marsha Blackburn, R-Tenn., Chairwoman of the House Energy and Commerce Committee’s Communications and Technology Subcommittee, introduced, amid strong public backlash against Congress’s repeal of FCC privacy regulations, a surprising new bill (H.R. 2520) regarding the privacy of users’ online information: the BROWSER Act. The bill would impose stronger privacy obligations on internet service providers (ISPs) and also require, for the first time that all websites, applications and other “edge companies”—firms like Google, Facebook and Amazon—obtain opt-in consent before tracking and using consumer data online.

This bill is surprising in many respects, not least of which is the fact that Blackburn was one of the chief forces pushing fellow Republicans to use the Congressional Review Act to repeal the FCC’s broadband privacy rules from October 2016, notably requiring ISPs to get opt-in consent before collecting or sharing user data.

Opponents of the FCC rules noted that they created an unleveled playing field since edge providers would fall under the FTC’s jurisdiction, requiring only that they offer a simple way for users to opt-out of such tracking, while ISPs were held to a more burdensome standard. The BROWSER Act would keep the playing field level, but subject ISPs and edge providers to the more burdensome opt-in standard, placing the FTC in charge of enforcing the rules for both groups.

This new regime would closely resemble the European privacy system, under which websites are mandated to display pop-up notifications whenever users visit a site and get opt-in consent before tracking or using their data (such as to sell ads or improve the site’s services). This process provides additional privacy protections, but also renders online service less convenient for users and discourages data innovation. The comparatively flexible FTC privacy regime is a key reason why the U.S. has so many successful tech firms and such a vibrant online ecosystem, while Europe has failed to produce many firms of similar prowess.

It’s commendable that Chairwoman Blackburn is trying to improve U.S. privacy laws, and Congress should move quickly to resolve the status of internet regulation and establish a layer-neutral approach to privacy. Harmonizing the regulatory regime for ISPs and edge providers also is a laudable goal. Similarly, the bill’s preemption of patchwork and contradictory state laws that create regulatory uncertainty and compliance problems is also a positive step. Regulating everyone up to an opt-in standard, however, is a step in the wrong direction.

Conspicuously, the bill also makes no mention of the other side of the privacy coin: data security. Users are more willing to share their data when they have confidence it will be kept secure. The FTC has ample experience regulating data security, and any privacy bill should fix the current jurisdictional gap, preventing it from regulating ISPs.

It’s important to note that consumer data shared with advertisers is not directly linked to any person—advertisers can’t buy data about a particular individual. Rather the data are aggregated into broad demographic categories, which are then used to sell ads targeted toward those demographics. Collecting and sharing this kind of information is essential to the business model of many internet companies. Indeed, it is the reason why consumers can use so many great apps and websites without having to pay separate subscription fees for each.

While ads can be annoying, most people don’t mind giving up some information in exchange for free services. Most people also prefer ads targeted to their interests over random ads. Furthermore, for those who want more privacy, numerous tools exist to serve that need that don’t require changing the rules for the whole ecosystem. Privacy-oriented internet companies—like Ello and Duck Duck Go—have been around for years, but haven’t attracted many users, which says a lot about people’s privacy preferences (as revealed by their actions) and cautions against taking an overly precautionary approach that could have drastic consequences for internet commerce.

If the default is set against sharing information, expect less information to be shared and less innovative uses of data to be developed going forward. In a two-sided market, one in which ISPs and edge providers sell both their services to consumers and ad space to advertisers, diminishing the ability to collect from one side of the market (advertisers), will result in higher prices for the other side (consumers). Economists call this the “waterbed effect.” So, while there are legitimate concerns about the extent to which user data should be shared, it’s also important to recognize the real-world trade-off between strict default privacy rules and higher prices for online goods and services.

How to balance that trade-off is a choice consumers should make for themselves, rather than relying upon the benevolent paternalism of government. While both opt-out and opt-in regimes allow users to control their privacy and usage of their data, the default option should be the one that already reflects people’s revealed preferences, and that keeps online services accessible to the greatest number of people. The current opt-out regime is thus the best mechanism to keep the internet free and innovative. In its current form, the BROWSER Act will do more harm than good.

Tom Struble is tech policy manager and Joe Kane is tech policy associate or the R Street Institute