On March 23, 2017, the U.S. Senate voted 50-48 to reverse the Federal Communications Commission (FCC) privacy rules that were put into place just days before the end of the Obama administration. The new rules were designed to limit what broadband providers, who consequently were reclassified as carriers, could do with customer data.
The new privacy rules, although well-intentioned, were at odds with the existing privacy framework put forth by the Federal Trade Commission (FTC) circa 2004, CAN-SPAM. The vote in the Senate paves the way for a House vote and ultimately the presidential signing. Given the Republican majority and strict party-line vote, the repeal has a very good chance of passing the House.
I had the honor of heading to Capitol Hill on the 22nd to represent SendGrid alongside other concerned entities including Return Path, Acxiom, Experian, Buxton and the Data and Marketing Association’s (DMA) chief lobbyist to pay visits to congressional staffers whose bosses, Senators Gardner (R) CO, and Blunt (R) Missouri, were concerned about the new legislation and what it would mean for marketers and advertisers.
The DMA’s stance on the new privacy legislation
The position taken by the DMA was simple: these laws were an overreach of the jurisdiction of the FCC. They would greatly undermine businesses that rely on ISP data as a source of their overall big data initiatives and further complicate the landscape given the opt-out nature of CAN-SPAM.
The FCC’s privacy rules for broadband providers were interesting. I think the intention was correct, but the application and construction of the rules didn’t take into consideration the nuances of how ISP/broadband providers use data. For instance, M3AAWG (Messaging, Malware, Mobile, Anti-Abuse Working Group) opposed the legislation on the grounds that it would greatly limit the ability of these organizations to share anti-abuse data and intelligence to curb malicious activity on their networks and external attacks that affect their networks and users.
The privacy framework put forth by the FCC is not without merit. In the U.S., we approach privacy sector by sector. HIPAA covers matters related to medical privacy, COPPA to persons under 13, and CAN-SPAM covers email, etc. Frameworks for privacy in Europe and Canada are much broader and meant to be umbrella policies that fundamentally protect privacy as a basic human right. Each European country has its own additional restrictions/requirements. The FCC framework, in spirit, seemed to resemble these broader definitions of PII and how it is to be treated, but it failed to take into account the unique applications of this type of data beyond what is marketable.
The LA Times published an article on March 24 about the Senate vote and rollback of the FCC regulations where they pitted the two opposing viewpoints: Democrat vs. Republican. The arguments focus on what is friendly to business vs. protecting consumer privacy. One of the things that isn’t mentioned is how big data also encompasses information relevant to combatting Internet and mailbox abuse. Nor is the fact that technology and eCommerce companies have their own massive stores of data that they use on a daily basis for profiling customers, improving communications, and creating personalized and highly tailored experiences affected by the FCC rules.
From a messaging standpoint, the only rule set that applies is covered by the FTC’s CAN-SPAM, which is a strict opt-out paradigm, and other self-regulatory frameworks supported by the DMA and other industry trade groups.
Protecting personally identifiable information
Although privacy and the protection of Personally Identifiable Information (PII) are critical conversations to have in an age of big data, the real conversation needs to be around security. Security regulations enforce the application of industry-standard methods for protecting PII and decrease the surface area and exposure of a company. There’s a saying among security experts: “there are only two types of companies—the ones that know they’ve been hacked and the ones that don’t know they’ve been hacked.”
Although the intention to protect Americans’ privacy was a good one, the fact is that more security regulations, protocols and standards will do more to protect consumer privacy than regulating new standards for opt-in. The actors involved in high-profile data breaches are not concerned with opt-in vs. opt-out; they are buying and selling compromised account and profile data that needed security controls to protect it from theft.
For more content on email privacy and legislation, check out How The Email Privacy Act Affects Todays List Builders.