On August 8, 1999, the United States Court of Appeals for the Tenth Circuit struck down Federal Communications Commission ("FCC") regulations that had required telecommunications companies to obtain customer approval before they could use their customers' phone records and personal information for marketing purposes. In U.S. West, Inc. v. FCC, the court found that these regulations violated the telecommunications companies' right to free speech under the 1st Amendment to the Constitution. While the ruling will have an obvious impact on the telecommunications industry, it has broader implications for the ongoing debate over data privacy. The ruling will force data privacy advocates to offer a compelling justification for any data privacy regulations that infringe on the First Amendment rights of web site operators and Internet marketers.

The case focused on the use of customer proprietary network information ("CPNI") by phone companies. CPNI is information that each phone company collects about its customers, including phone records, calling patterns, and other related personal information. A phone company, armed with this information, can carefully market new or different services to its current customers, thus putting that phone company at a distinct advantage relative to competing service providers. For example, by examining CPNI a company could identify those customers that frequently make long distance calls and strategically market new long distance services to them.

The regulations, promulgated by the FCC after the passage of the Telecommunications Act of 1996, prohibited phone companies from using CPNI for marketing purposes unless the customer had specifically "opted in" by giving his or her express consent to such use of his or her personal information.

U.S. West and other phone companies argued that these regulations violated the 1st Amendment by restricting their ability to engage in commercial speech with their customers. The court had no trouble in concluding that the regulations did restrict commercial speech: the very purpose of the regulations was to prevent marketing (i.e. speech) to customers that did not want their data used for marketing purposes. Under prevailing constitutional doctrine, the government may only restrict non-misleading commercial speech regarding lawful activity if it can prove that: (1) the government has a substantial interest in regulating the speech; (2) the regulation directly and materially advances that interest; and (3) the regulation is no more extensive than necessary to serve that interest.

The court found that the protection of consumer privacy was not a substantial interest that would justify a restriction on the companies' free speech rights. The court stated "although we may feel uncomfortable knowing that our personal information is circulating the world, we live in an open society where information may usually pass freely." A general level of discomfort, the court noted, was not enough to justify a restraint on free speech. A restraint must be based on an identified harm, such as preventing a release of data that could be used to harm, harass, or defraud someone. The government "present(ed) no evidence showing (that) the harm to…privacy is real."

The court went on to note that an "opt-in" strategy is not narrowly tailored to pass constitutional muster, since an "opt-out" program might work just as well. Under an "opt out" scheme, companies would be able to use CPNI unless and until their customers specifically tell them not to do so.

The court noted that this case "is a harbinger of difficulties encountered in this age of exploding information." Indeed, the court's ruling comes at a time when concern over data privacy on the Internet is rising. Consumer groups are increasingly concerned about the use and misuse of personal data obtained over the Internet. Under current law, web site operators are free to collect information about visitors to their sites and use that information for their own marketing purposes or to sell it to others without so much as notifying their visitors of this practice.

Consumer concerns are justified, according to a recent report by the Federal Trade Commission (the "FTC") to Congress. The FTC report demonstrates that the current government policy of encouraging self-regulation of consumer data privacy on the Internet has been a failure. In a survey of 1,400 web sites, the FTC found that while 85% of the sites surveyed collect personal information from consumers and visitors, only 14% provided any notice to consumers about their data collection practices. These findings contradict earlier surveys financed by Internet-based companies. According to the FTC, the current status of Internet data privacy falls "far short" of what is needed to protect consumers.

As a result of its report, the FTC decided to promulgate regulations protecting children on the Internet. But the federal government, concerned about stifling the growing Internet economy, continues to promote self-regulation of all other data privacy issues.

In the absence of government action, a number of for-profit businesses have recently stepped up to fill the regulatory vacuum on the internet by offering products that automatically notify users about the privacy policies of web sites they visit. For example, Enonymous.com offers a free downloadable application that rates web sites from one to four stars based on their privacy policies. It is too early too tell whether consumers will respond to these products, some of which depend on a mixture of advertising and optional paid-for services.

It remains to be seen whether Congress or the FTC will decide to get more involved in the Internet data privacy debate. If the government acts, the U.S. West decision serves as a reminder that any future data privacy regulations will require a compelling justification if they act as a restraint on commercial speech.

Sources:
- U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999)
- Federal Trade Commission, 1999 Report to Congress on Self-Regulation and Privacy.
- Denise Caruso, Consumers' Desire for Information Privacy Ignored, N.Y. Times, August 30, 1999.
- Ted Bridis, Study Shows Improvement on Internet Privacy, Boston Globe, May 12, 1999.
- Christopher B. Kaczmarek, European Data Privacy Directive at Odds with American Policy, 1999 B.C. Intell. Prop. & Tech. F. 012501 (Jan. 25, 1999)