Remarks of Ruth Milkman
FCC Chief of Staff
Protecting Broadband Privacy Forum
New America Foundation
Washington, D.C.
March 15, 2016
Thank you to New America for hosting today’s forum. 
Also, thank you to New America’s Open Technology Institute for your research on the 
topic of broadband privacy. The paper you released in January offers valuable insight into the 
privacy issues that we at the Commission are preparing to address.
As I have been thinking about the topic of privacy, I find myself thinking of the teaching 
of Hillel:  “If I am not for myself, then who will be for me?  But if I am only for myself, then 
who am I?  And if not now, when?”
I will explain.
The first part of the teaching is this:  If I am not for myself, then who will be for me?
The data used and shared by providers of broadband Internet access service is my data.  It 
can be used to paint a detailed picture of my life.  When am I awake and when asleep? How 
many people are in my household at what times of the year? What health concerns do I have?
What is my financial situation?
If it’s my data, then I should have the ability to make sure it is protected. U.S. consumers 
say they want control of their data, and that they are worried about how that data is being used.  
According to a Pew Research Center May 2015 survey, 93 percent of adults say that being in 
control of who can get information about them is important.  Ninety percent say that controlling 
what information is collected about them is important.
1
The goal of Section 222 of the Communications Act is to give consumers control, 
through notice and choice mechanisms, over how their data is used.
The second question is:  But if I am only for myself, then who am I?
One reason that customers need control is that broadband providers have the incentive 
and the ability to monetize customer data.  Providers want to take data they receive from 
consumers in the context of providing service, sometimes combine it with other consumer data, 
and use it or share it for the purpose of targeted advertising.  And that can be a very good thing –
as long as consumers have the ability to control the use and sharing of their information.
                                                          
1
Pew Research Center, Americans’ Attitudes About Privacy, Security, and Surveillance (2015), 
http://www.pewinternet.org/files/2015/05/Privacy-and-Security-Attitudes-5.19.15_FINAL.pdf.
But here’s the rub: when it comes to protecting the privacy of the personal information 
customers share with their broadband providers, U.S. consumers cannot “be for me” if they lack
the necessary tools and protections.
It has been just over a year since the reclassification of Broadband Internet Access 
Service, which recognized that, in light of the statutory text and the facts on the ground, 
broadband access is a “telecommunications service” under the Communications Act. Because 
Congress has limited the ability of the Federal Trade Commission to regulate common carriers, 
however, a gap was created – a gap that needs to be filled with specific guidance for consumers 
and broadband providers.  Today, broadband providers can make use of consumers’ data in ways 
that consumers (a) don’t know about; and (b) might not permit if they were aware of what is 
going on.  
That is why, last week, Chairman Wheeler circulated a proposal to establish baseline 
privacy standards for broadband providers. 
Let me talk for a moment about why the FCC is well-positioned to tackle this issue. 
The United States has multiple privacy laws, both at the federal and state level, and these 
laws have different functions that together serve to protect consumers. For example, FTC 
Commissioner Julie Brill refers to the multiple strands at the federal and state level as forming
the “strong fabric” of U.S. privacy law.
Under its Section 5 authority, the FTC has a mandate to address unfair or deceptive acts 
or practices, a general protection mandate that the FTC has used successfully to bring many 
privacy-related and data security actions. These decisions have set important precedents for the 
Internet ecosystem. Beyond its case-by-case work, the FTC has offered best practices guidelines 
and the Administration has offered a Consumer Privacy Bill of Rights.
Over time, Congress has enacted sector-specific privacy protections, including with 
respect to financial institutions, schools and other educational institutions, healthcare providers, 
and credit reporting agencies. And communications networks. It is within that construct of 
sector-specific privacy regulation that we find Section 222 of the Communications Act, 
captioned “Privacy of Customer Information.” In Section 222, in addition to Section 631, which 
covers cable providers, and Section 338, which covers satellite providers, Congress has found 
that certain information used and shared by communications networks requires particular 
protections and expert agency oversight.  
All of these federal statutes, FTC case law and guidance, as well the Consumer Privacy 
Bill of Rights, draw heavily on the Fair Information Practices Principles. In the Chairman’s 
proposed rules, we didn’t seek to reinvent the wheel. We’ve placed our proposed rules within the 
existing fabric of U.S. privacy laws.  
In particular, we’ve sought to have a framework that is complementary to the FTC’s 
precedents and guidance because we are dealing with closely related industry segments. The 
FCC has a history of coordinating closely with the FTC, including on privacy and data security, 
and the staff of the two agencies adopted a Memorandum of Understanding last year to 
memorialize that coordination, and to ensure that it continues as protection of consumer data 
becomes ever more important.  
That history, along with our expertise on the operation of communications networks, are 
reasons that the FCC is well-suited to help consumers protect the information collected by their 
broadband providers. So what are we proposing? 
The Chairman’s proposal is built on three core principles –transparency, choice and 
security. The proposal has three goals: first, to enable every broadband consumer to know what 
information is being collected and how it is used; second, to enable every broadband consumer to 
choose how their information bits are used and shared; and third, to give every consumer 
confidence that their information is being securely protected. 
Not surprisingly, this proposal has generated a lot of interest and questions. Let me now 
address a couple of hot topics.
First, we are not regulating the edge. The FCC has jurisdiction over Broadband Internet 
Access Service because it’s a telecommunications service. We do not have jurisdiction over edge 
providers like Weather.com, Yahoo and Facebook. The Commission said that clearly in the Open 
Internet Order, and we’ll say it again in the context of privacy. The Chairman’s proposal will not 
regulate the privacy practices of edge providers. Moreover, the Chairman’s proposal will not 
limit the ability of broadband providers to offer separate services, for example, through 
ownership of social media sites, or online advertising platforms.
Second, we recognize that broadband providers want to monetize data, and we think that 
means there should be rules of the road. The argument that broadband providers must be treated 
exactly like edge providers makes me think of one of my favorite books on child rearing:  “It’s 
Not Fair, Jeremy Spencer’s Parents Let Him Stay Up All Night!” 
So if you are a parent (or were a child) you probably think the following: I doubt Jeremy 
Spencer’s parents let him stay up all night – most likely they have rules and supervision. Edge 
providers are subject to FTC oversight and enforcement, and often state oversight as well. Not to 
mention that some of the biggest edge providers are subject to 20-year consent decrees with the 
FTC, with very specific terms and conditions.
Of course, ISPs are not edge providers. An Internet Service provider handles all of its 
customers’ network traffic. Once signed up, a customer cannot avoid her Internet Service 
provider the way she can move between search engines or apps or websites. It’s just not 
practical.  
In addition, ISPs have the capacity to capture more information about consumers than 
any single website or search engine. Even when data is encrypted, broadband providers can still 
see the websites that a customer visits, how often the customer visits, and how much time is 
spent on each website.  
The proposed framework of transparency, choice and security – this is not a news flash.  
These are well-established privacy principles, and are used by the FTC, and other federal and 
state agencies when analyzing privacy issues.
As I mentioned earlier, privacy in the United States has focused on sector-specific laws 
and regulations. For example, HIPAA, implemented and enforced by HHS, applies to health 
care. The Gramm-Leach-Bliley Act applies to financial information, and is enforced by a range 
of agencies that include the FTC, the CFPB, the CFTC, the SEC and the Bank Regulatory 
agencies like the Office of Thrift Supervision. The Department of Education oversees privacy 
regulations with respect to education data. And the FCC is responsible for implementing the 
Communications Act, which applies to communications networks. This is our area of expertise.
And let me be clear – the Chairman’s proposal does not prohibit ISPs from using and 
sharing customer data. It simply proposes that ISPs first obtain customers’ permission.  There is 
room for innovation.
The Chairman is committed to making sure that consumers have the benefits of 
transparency, choice and security. Industry groups have also embraced these three principles.  
Given that there is broad agreement that these are the right goals, we look forward to engaging 
with all stakeholders about how best to provide clear guidance for the benefit of consumers and 
their broadband providers.  
Let me close where I started, with the words of Hillel, notably the last four words of the 
passage I used to open my remarks, “If not now, when?”
The Internet creates myriad opportunities for innovation and improvements in our quality 
of life. To seize these opportunities, consumers need to trust that their personal information is 
safe and secure. 
When 91 percent of Americans say they have lost control over how their personal 
information is being used,
2
now is the time to do better.
When the majority of Americans say they are NOT confident that cable and wireless 
companies are protecting their information,
3
now is the time to do better.    
When six in ten Americans say they would like to do more to protect the privacy of their 
personal information online,
4
now is the time to do better. 
When consumers sign up for Internet service, they shouldn’t have to sign away their right 
to privacy. We should empower consumers with the tools they need to make informed choices 
about how and whether their data is used and shared by broadband providers. It’s the right thing 
to do. And now is the right time to do it.
Thank you.
                                                          
2
Mary Madden, Privacy and Cybersecurity Key findings from Pew Research (2015), http://www.pewresearch.org/key-
data-points/privacy/. 
3
Pew Research Center’s Internet Project/GfK Privacy Panel Survey #2 (2014), 
http://www.pewinternet.org/files/2015/05/Privacy-and-Security-Attitudes-5.19.15_Topline_FINAL.pdf; Pew 
Research Center’s Internet Project/GfK Privacy Panel Survey #2 (2014) in Pew Research Center, Americans’ 
Attitudes About Privacy, Security, and Surveillance (2015), http://www.pewinternet.org/files/2015/05/Privacy-
and-Security-Attitudes-5.19.15_FINAL.pdf.
4
Pew Research Center, Public Perceptions of Privacy and Security in the Post-Snowden Era, (2014), 
http://www.pewinternet.org/files/2014/11/PI_PublicPerceptionsofPrivacy_111214.pdf.