President Woodrow Wilson signs into law the Federal Trade Commission Act creating the FTC, heir to the Bureau of Corporations created by President Theodore Roosevelt. The act declares unlawful unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce, and empowers the commission to issue “cease and desist” orders to corporations engaged in such behavior. Exemptions are banks, air carriers and “common carriers” which were regulated by the 1887 Interstate Commerce Act, amended by Congress in 1910 to include interstate telephone companies.
1934
President Franklin Roosevelt signs the Communications Act on June 19. It replaces the Federal Radio Commission with the Federal Communications Commission, expanding jurisdiction over both wired and wireless communication. The act is codified into law as Chapter 5 of Title 47 of United States Code. It regulates telephone and telegraph common carriers and their rates, allocates radio frequencies and licenses radio operators.
1970
Computer I is the protocol established by the FCC for regulating telephone services (pure communication) and pure data processing. The agency determines that data processing is a competitive market with low barriers to entry, but the communications (telephone) market is approaching monopoly. To this end, Computer I establishes a barrier between the two sectors by requiring that to enter the data processing market, common carriers form a subsidiary with totally separate operations.
1974
Amid concerns about spying after the Watergate scandal, the Privacy Act of 1974 establishes practices governing the collection, maintenance, use, and dissemination of information about individuals by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.
1980
Computer II replaces Computer I, separating basic service from enhanced service. Basic service includes processing the movement of information, computer processing, security, protocol conversion and memory storage service is used in interstate communications that employs computer processing applications that act on the format, content, code, protocol or similar aspects of the subscriber’s transmitted information, provides the subscriber with additional, different or restructured information, or involves subscriber interaction with stored information.
1996
Congress passes the Telecommunications Act of 1996, which amends the law created by the Communications Act of 1934 to include Section 222 in U.S. Code Title 47 Chapter 5, “Title II,” which defines the term customer proprietary network information (CPNI) and prohibits telecommunications carriers from using such information for anything other than providing telecommunications service. It specifically prohibits using CPNI for a carrier’s own marketing purposes. Only in aggregate form may a carrier use customer information for other purposes. Basic services become Title II "telecommunications carriers," which transmit information; enhanced services are classified as Title I "information service providers" (referring to the Title numbers in the original act of 1934). DSL companies are classified as carriers, while internet “portals” fall under information services. The act also lifts the ban on broadcast networks owning cable companies. DSL ISPs are regulated by the FCC.
2002
The FCC rules that cable modem service is not a "cable service" as defined by the Communications Act. The agency added that cable modem service does not contain a separate "telecommunications service" offering and therefore is not subject to common carrier regulation. Internet Service Providers move under the control of the FTC.
2004
California passes the first state law in the nation to require web sites to post a privacy policy, the California Online Privacy Protection Act (CalOPPA). It was amended in 2013 to require new privacy disclosures regarding tracking of online visits.
2005
Congress passes the Department of Justice Reauthorization Act of 2005, mandating that the Attorney General designate a senior official in the Department of Justice to assume primary responsibility for privacy policy. Prior to this, section 1062 of the Intelligence Reform and Terrorism Prevention Act of 2004 found that it was “the sense of Congress that each executive department or agency with law enforcement or antiterrorism functions should designate a privacy and civil liberties officer.”
2010
U.S. Commerce Secretary Gary Locke announces the creation of an Internet Policy Task Force. “Through a Notice of Inquiry (NOI) published in the Federal Register, the Commerce Department is seeking public comment from all Internet stakeholders – commercial, academic and civil society sectors and citizens – on the impact of current privacy laws in the United States and around the world on the pace of innovation in the information economy.”
2011
Sens. John Kerry and John McCain co-sponsor the Commercial Privacy Bill of Rights, which defines and protects “covered information” as “(i) Personally identifiable information. (ii) Unique identifier information (iii) Any information that is collected, used, or stored in connection with personally identifiable information or unique identifier information in a manner that may reasonably be used by the party collecting the information to identify a specific individual.” California introduces a similar bill, which is opposed by Google and Facebook. Kerry and McCain’s bill never makes it out of committee.
2012
The U.S. Federal Trade Commission publishes a report in which Chairman Jon Leibowitz stated that "data brokers have deceived the Internet users" and "we need to focus on that the data brokers have collected personal information without users knowing it." The FTC reported that user privacy is constantly exposed while surfing the Internet, recommending a Do Not Track mechanism and an opt-out function on browsers. The FTC also required data brokers to reveal their identities by establishing a centralized web site enabling transparent collection of personal information, and to allow users to access personal information collected by data brokers.
2012
The Obama Administration unveils the Consumer Privacy Bill of Rights as a framework for future legislation, which will depend on input requested from stakeholders by the Commerce Department. Consumer and privacy groups are cautiously optimistic, with a few concerns, especially that stakeholders such as Google, Yahoo and Facebook will water down any future legislation.
2013
California adopts the Do Not Track disclosure law (Assembly Bill 370). It requires operators to identify the categories of personally identifiable information collected through the Web site or online service about individual consumers who use or visit its site and the categories of third-party persons or entities with whom the operator may share that personally identifiable information. A previous bill introduced in the California Senate was vehemently opposed by Google, Facebook and other companies as “unconstitutional.”
2015
President Obama releases a draft of the Consumer Privacy Bill of Rights Act, to somewhat negative reaction from consumer groups. While they applaud its willingness to work with them to improve the bill, they identify several shortcomings, including the fact that the draft does not adequately define sensitive information, or protect geolocation data, business records and “cyber threat indicators.” According to Consumer Watchdog, “the bill does not give the Federal Trade Commission (FTC) adequate resources and strong enough standards” to enforce privacy laws. The initiative stalls in the stakeholder input process.
February 2015
The FCC passes an order to clarify the Communications Act of 1934, hailed as a way to maintain an open Internet (though case law through the FTC has also done so). As part of the ruling, the FCC classifies broadband providers as common carriers or utilities, putting them under its jurisdiction. Information companies such as Google and Facebook remain under the jurisdiction of the FTC. https://apps.fcc.gov/edocs_public/attachmatch/FCC-15-24A1.pdf
2016
In FTC vs. AT&T Mobility LLC, the 9th Circuit Court of Appeals (the same panel that denied Trump’s travel ban, incidentally) ruled against the FTC, effectively declawing the agency when it comes to ISPs or telecom, and ruling that the agency had no authority to punish the company for data throttling – the practice of slowing down data speeds for unlimited data customers when a certain monthly limit has been reached.
December 2, 2016
The FCC issues a sweeping ruling (73 pages in summary) classifying sensitive information and requiring broadband providers to ask consumers for an “opt-in” affirmative consent to use or share their information. Among other things, it would have required ISPs to request opt-in permission at crucial junctures. Broadband and telecoms contended this was unfair because Google and Facebook have no such requirements, and are only required to offer an opt-out. The rule also designated identifying characteristics of customers’ web presence as sensitive information — including dynamic IP addresses.
March 28, 2017
The U.S. House and Senate vote mostly along party lines to nullify the FCC rule of the previous year. Republicans believe the law is unfair to broadband providers by making them use an “opt-in” consent and leaving information providers such as Google and Facebook to only be required to use “opt-out.” Democrats are outraged that privacy protections have been rolled back. But they remain silent on the de facto loophole that had remained for Google and Facebook.
April 3, 2017
President Donald Trump signs the resolution into law, nullifying the FCC's sweeping privacy ruling under the contention that it does not present a level playing field to technology companies.
Legal requirements for broadband service providers revert back to U.S. Code Title 47 (Section 222), with enforcement by the FCC.
“…except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.” Information shared for marketing must not be personally identifiable (must be aggregate).
Legal requirements for information providers such as Google and Facebook remain under the jurisdiction of the Federal Trade Commission.