At today’s FCBA brown bag lunch, FCC Enforcement Bureau Chief Travis LeBlanc discussed the Commission’s recent entrance into privacy enforcement and fielded questions as to what companies might do to avoid running afoul of the Enforcement Bureau. LeBlanc emphasized that innovation continues to outpace regulators, noting that much of the Commission’s investigative and enforcement work is a five-to-seven-year process. “We’re at the point where we’d be having the Supreme Court judge [problems] with first-generation smartphones,” he mused. He highlighted the Commission’s recent decision to join the Global Privacy Enforcement Network as an effort to help keep pace with change in technology.
Kelley Drye’s John Heitmann pressed LeBlanc on the FCC’s notices of apparent liability (NALs) against TerraCom and YourTel, which he suggested interpreted Sections 222(a) and 201(b) of the Telecommunications Act in novel ways to protect consumer privacy. Section 222(a) states that “[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to … customers.” While this has long been the basis for the FCC’s security rules around CPNI, LeBlanc argued that Section 222 does not limit the duty of carriers to protecting only CPNI. He admitted that for “folks in the industry, in the media, and in the privacy community, there was an ‘uh huh, interesting’ moment” regarding the Commission’s interpretation, but he suggested this interpretation has been used to support other privacy work within the FCC, “if not squarely in the enforcement context.” He argued that Section 222’s protection of proprietary information was designed “to encompass the protection of information customers intended to keep private, which includes PII” and is more than just CPNI as defined by the FCC. “Going forward, fair to say, that’s the concept we’ll be using in our work,” LeBlanc stated.
LeBlanc also explained that Section 201(b), which prohibits carriers from engaging in unjust and unreasonable business practices, must be viewed as being co-extensive with Section 5 of the FTC Act. “It’s a basic consumer protection tool that we use to ensure carriers can’t engage in unjust practices,” he said, citing a recent settlement against AT&T for “cramming” extra charges onto consumer bills as an example of how to apply Section 201. He explained that the application of this interpretation within the context of policing privacy practices is “an iteration of that view and not a transformation.” Echoing the FTC’s actions on privacy policies, LeBlanc emphasized that the FCC hoped “to marry [companies’] language with their practices.” He added that the cramming settlement shows that the FCC is focused on conduct that directly harms consumers. The Enforcement Bureau, he suggested, was not interested in technical rules violations where no one was harmed or impacted. He also suggested it was important to differentiate between breaches of personal information that can be remedied, such as credit cards, and those that cannot, such as Social Security number breaches. “In that circumstance, [a person’s] identity may be stolen or it may not, but no one’s going to re-issue you a Social Security number.”
LeBlanc spoke at length about the differences between the FCC and the Federal Trade Commission, the nation’s primary privacy cop. “We’re a regulatory agency with rule-making authority in contrast to the FTC, which is primarily a policing agency,” he explained. “The benefit of having a law enforcement unit in the same agency as the one making the rules [is that] we can go talk to them before we do an enforcement action. If we’re going to do anything, we need to pick up the phone first. . . . It is impossible for anyone writing laws or rules to anticipate every circumstance out there you intend to bar, so you leave some part of it ambiguous. That’s an advantage over doing enforcement independently. There are risks that an enforcer could exploit a small error in the language of a statute.” He suggested housing both rule-making and enforcement in one entity improves effectiveness and efficiency.
The ramifications of the Commission’s recent $7.4 million settlement against Verizon for its past failure to notify consumers of their opportunity to opt out of marketing using CPNI information were also a key topic of discussion. LeBlanc suggested the more interesting parts of the settlement were its non-financial terms. He applauded Verizon’s decision to include a notice of consumer opt-out rights in every monthly bill going forward. He suggested more notices like this give consumers the ability to evaluate (and rethink) their decisions to share information. He also suggested that CPNI rules move away from unclear “reasonable standards” and place stronger protections on customers’ proprietary information.
LeBlanc also reiterated his desire to see companies admit to wrongdoing in settlement actions. He suggested that negotiations with Verizon were already ongoing at the time the Enforcement Bureau announced a practice of seeking admissions of liability or facts in settlements. He explained that FCC settlements were designed to provide guidance to others engaging in similar conduct, and that “the only way to effectively do that is to provide some detail into what a company did that was wrong.” He was also dismissive of notions that admissions of wrongdoing would impede the ability of companies either to retain business or gain government contracts. “I don’t think that’s true,” he said, suggesting settlements could be narrowly worded enough to protect companies from that sort of sanction.
Turning to emerging privacy issues, LeBlanc emphasized that he hoped to prevent industry mistakes rather than to respond after the fact. “Where I can provide guidance to the industry to operate in compliance with the law, I’d like to do that,” he said. His chief recommendation was for companies to do better with their privacy policies. He admitted that the lack of a baseline federal privacy law forced him, as well as other agencies, to “work on the representations industry makes,” pointing to existing FTC practice. He suggested that the SEC will be interested in this moving forward, as well.
“We understand that sometimes companies are victims,” he said. “They are targets — no pun intended.” He pointed to some of the “mitigating practices” companies could pursue in the event of breaches, including (1) notifications when information was compromised, (2) credit monitoring services, and (3) providing hotlines or websites to consumers. He also highlighted the importance of chief privacy officers, training, and the adoption of industry best practices and security audits. That said, he also appeared skeptical of some common “excuses” for breaches such as (1) errant employees, (2) technological glitches, and (3) contractor practices. “The company that collects personal information from the consumer, that has that relationship with the consumer, is responsible for protecting it [downstream],” he said. “That duty cannot be out-sourced.”
Finally, Heitmann could not avoid asking LeBlanc whether all of his comments might apply to broadband services in the event the FCC reclassifies broadband under Title II. “Wouldn’t you like to know?” LeBlanc laughed. “I cannot speculate on what the Commission is going to do in this context . . . We will stand ready and prepared to meet the Commission’s goals.”