September 26, 2016
The Honorable Tom Wheeler
Chairman, Federal Communications Commission
445 12th St., S.W.
Washington, D.C. 20553
Dear Chairman Wheeler:
The Information Technology Industry Council (“ITI”) and the 21st Century Privacy Coalition
(“Coalition”) share the Federal Communications Commission’s (“FCC”) interest in protecting the
privacy and security of consumers’ online information. Privacy and data security exist at the core of
the trust relationship that all entities in the internet ecosystem must establish with consumers.
However, we continue to have concerns about the FCC’s broadband privacy proposal1. We therefore
urge the FCC to modify the proposal so that it provides Americans with appropriate privacy
protections while at the same time enabling consumers to fully benefit from the products and
services our member companies are proud to provide.
Fundamentally, the FCC has proposed a series of burdensome privacy and data security requirements
that are inconsistent with established law, policy, and practice in this area. These requirements do
not reflect what is best for consumers. There is no evidence to indicate that consumers have been ill-
served under the traditional privacy framework currently administered by the Federal Trade
Commission (“FTC”).
Consumers have embraced today’s thriving internet, fueled by responsible data practices, and they
have come to expect a seamless online experience across multiple applications, services, and devices
that delivers convenience while also protecting their privacy. The current online ecosystem supports
online offerings that consumers value, promotes innovation, and contributes substantially to U.S.
economic growth. As currently drafted, the NPRM could disrupt this healthy ecosystem.
Rather than adopting a regime aligned with the FTC’s well-established, sensitivity-based approach to
online privacy, the privacy regime proposed by the FCC in the NPRM departs from the FTC framework
in significant and material respects. We are concerned that the prescriptive nature of the proposed
regulatory approach could have precedential effects that would negatively impact the entire internet
ecosystem. We believe the FCC’s primary objective should be to closely harmonize its rules with the
existing FTC framework that has both protected consumers and enabled the internet to flourish.
1
Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No.
16- 106, Notice of Proposed Rulemaking, FCC 15-138 (April 1, 2016) (“NPRM”).
Our additional concerns with the NPRM include its (1) overly broad definition of personally
identifiable information; (2) unnecessary restrictions on first-party marketing that would deprive
consumers of discounts and new product offerings that can save consumers money; (3) inflexible,
strict-liability data security and breach notification requirements; and (4) an impractically short
breach notification timeframe.
Consistent with the FTC’s enforcement framework, the FCC should modify its consent requirements
to take into consideration whether the information is sensitive, rather than focusing on the use of
such information and the entity engaged in such use. In addition, internet protocol addresses or other
unique identifiers necessary for the functioning of connected internet devices, application usage
data, and persistent online identifiers (cookies)—data that is highly unlikely to contribute to a risk of
concrete harm such as identity theft—should not be subject to onerous consent requirements.
The FCC’s data breach proposal does not afford organizations adequate time to remediate any
discovered vulnerabilities or to conduct thorough investigations to ascertain the nature and scope of
any breach before notifying customers or government agencies of a breach of data. It also fails to
include a risk analysis, and therefore will contribute to notice fatigue at best, or incite unnecessary
panic at worst. If over-notification becomes commonplace, consumers will have difficulty
distinguishing between notices and determining which ones warrant them to take action. Notification
should be made to consumers if an organization has determined there is a significant risk of identity
theft or financial harm.
We support the goal of ensuring that consumers’ online activities are subject to privacy and data
security protections that comport with consumer expectations and long-standing policies that have
protected consumers from harm while allowing the internet to flourish. We hope that the FCC will
modify its privacy proposal to ensure that this goal will be achieved.
Sincerely,
Dean Garfield
ITI President & CEO
Mary Bono
Jon Leibowitz
Co-Chair
Co-Chair
21st Century Privacy Coalition
21st Century Privacy Coalition
cc: The Honorable Mignon Clyburn; The Honorable Michael O’Rielly; The Honorable Ajit Pai;
The Honorable Jessica Rosenworcel