Consumer Electronics Daily — U.S. Tech Policy
LIVE — Tue Jun 2 2026  ·  16:13 EDT

FTC vs. FCC: Data Privacy Enforcement Jurisdiction Explained

The FTC governs tech platforms under Section 5 of the FTC Act; the FCC governs carriers under the CPNI rules of Section 222 of the Communications Act. The 2018 AT&T ruling and the 2025 Title II reversal define the split.
RELEVANT LEGISLATION: FTC Act § 5 (15 U.S.C. § 45); Communications Act § 222 (47 U.S.C. § 222); FCC Title II reclassification; CRA Pub.L. 115-22 (2017); FCC WC Docket 16-106; FCC WC Docket 23-320
AGENCY: FTC, FCC
STATUS: Ongoing jurisdictional tension; broadband classified as Title I information service as of Jan. 2025

WASHINGTON — The Federal Trade Commission regulates data privacy practices of Google, Meta, and Amazon. The Federal Communications Commission regulates data privacy practices of AT&T, Verizon, and T-Mobile. That sentence captures the jurisdictional split — but not its contested edges. A 2018 en banc ruling, a 2024 broadband reclassification order struck down in January 2025, and the absence of comprehensive federal privacy legislation have left the boundary between the two agencies structurally unresolved.

The Statutory Divide: FTC Act § 5 vs. Communications Act § 222

The FTC’s consumer protection authority rests on Section 5(a) of the FTC Act (15 U.S.C. § 45), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The statute contains an explicit carve-out: Section 5(a)(2) exempts “common carriers subject to the Communications Act of 1934.” Telephone companies, which have been classified as common carriers since the Act’s passage, historically fell outside FTC jurisdiction entirely.

The FCC’s privacy authority over carriers derives from Section 222 of the Communications Act (47 U.S.C. § 222), which governs Customer Proprietary Network Information. CPNI covers the call detail records carriers generate about their customers — telephone numbers dialed, call duration, frequency, timing, and any services purchased. Carriers must protect CPNI from disclosure to third parties without customer consent, file annual compliance certifications with the FCC Enforcement Bureau, and maintain policies governing data broker access. Monetary forfeiture for CPNI violations can reach $251,322 per violation or per day of a continuing violation, up to a statutory cap of $2,513,215.

The two frameworks govern different data types at different entities. Section 222 is precise in scope — call records and related telecommunications data — and limited to entities classified as common carriers. Section 5 is broader in theory — any unfair or deceptive practice — but its common carrier exemption creates a gap for the country’s largest telecommunications companies on their core carrier activities.

The operative question for two decades has been whether the exemption is status-based — stripping FTC jurisdiction over any activity of a company that holds common carrier status — or activity-based — stripping FTC jurisdiction only over activities conducted as a common carrier, while leaving FTC authority intact over the same company’s non-carrier services.

FTC v. AT&T Mobility: The 9th Circuit Resolves the Threshold Question

The case began as a data throttling dispute. The FTC filed suit against AT&T Mobility in October 2014, alleging that AT&T had deceived customers enrolled in unlimited data plans by throttling their speeds after they reached a data threshold — without adequate disclosure in the original plan terms. AT&T moved to dismiss, arguing the FTC had no jurisdiction over it as a common carrier regardless of the specific conduct at issue.

A three-judge 9th Circuit panel agreed with AT&T in 2016, holding that the common carrier exemption was status-based. Because AT&T held common carrier status, the FTC could not regulate any of its activities. The FTC sought en banc review. On February 26, 2018, an 11-judge en banc panel reversed (FTC v. AT&T Mobility LLC, 883 F.3d 848 (9th Cir. 2018)).

The en banc court held that the exemption is activity-based. It applies to the offering of telecommunications services — but not to other commercial activities of the same company. AT&T’s mobile data plan was a common carrier offering; AT&T’s advertising analytics subsidiary, its connected-device services, and its internet platform products are not. The FTC retained jurisdiction over those non-carrier activities even if AT&T was simultaneously operating as a common carrier. The decision drew on statutory text, legislative history, and a joint FTC-FCC brief arguing the activity-based interpretation reflected both agencies’ longstanding position.

The practical effect was significant. Major carriers increasingly derive revenue from advertising technology, cloud services, device sales, and software platforms — none of which constitutes common carrier activity. The activity-based ruling confirmed FTC jurisdiction over all of it. But it did not resolve whether broadband internet access — the central contested terrain — fell under FTC or FCC jurisdiction.

The Broadband Privacy Gap: 2016, 2017, and the Title II Question

Broadband internet access has been the subject of repeated reclassification disputes with direct consequences for privacy jurisdiction. Under the Obama FCC, broadband was reclassified as a Title II telecommunications service under the Communications Act in 2015. That reclassification made broadband providers common carriers — and in 2016, the FCC issued broadband privacy rules under WC Docket 16-106 requiring opt-in consent for ISP collection and sale of sensitive data, including browsing history, precise geolocation, and financial data.

Congress acted within months. In April 2017, a Congressional Review Act resolution (Pub.L. 115-22) repealed the FCC’s 2016 broadband privacy rules with a 215–205 House vote and 50–48 Senate vote. The CRA resolution also barred the FCC from issuing “substantially similar” rules in the future without new statutory authority. The FCC subsequently reclassified broadband as a Title I information service under the Trump administration’s 2018 Restoring Internet Freedom Order, removing broadband from Title II and stripping the FCC of its common carrier regulatory authority over ISPs.

The FTC stepped in to assert jurisdiction over ISP privacy practices on the theory that broadband was no longer a common carrier service — meaning the Section 5(a)(2) exemption no longer applied to it. The Electronic Frontier Foundation, Mozilla, and consumer advocacy organizations endorsed the FTC’s position while noting that the FTC’s enforcement posture was reactive rather than rule-based, and that the agency lacked authority to require affirmative opt-in consent the way the 2016 FCC rules had.

The 2024 Biden FCC Order and the 6th Circuit Ruling

The Biden FCC reclassified broadband as a Title II telecommunications service for the second time in April 2024 under WC Docket 23-320. The order restored the FCC’s common carrier regulatory authority over broadband providers and reopened the prospect of FCC-issued broadband privacy rules. Privacy advocates anticipated the Commission would revisit data-use restrictions that the 2017 CRA repeal had foreclosed.

The order did not survive judicial review. On January 2, 2025, a three-judge 6th Circuit panel struck down the FCC’s 2024 reclassification order in its entirety. The court applied the Supreme Court’s June 2024 Loper Bright Enterprises v. Raimondo holding, which overturned Chevron deference, conducting its own statutory interpretation rather than deferring to the FCC’s reading of “telecommunications service” under the Communications Act. The 6th Circuit concluded that broadband internet access is an “information service” — not a “telecommunications service” — under the best reading of the statute, citing the service’s integrated information-processing components.

FCC Chairman Brendan Carr, confirmed in January 2025, publicly welcomed the ruling. The FCC has not sought Supreme Court review. Broadband is again classified as a Title I information service, the FCC has no Title II authority over ISPs, and the FTC’s claimed jurisdiction over ISP data practices — contested but operative during Title I periods — is the default federal enforcement posture for broadband privacy.

CPNI Enforcement: What the FCC Actively Regulates

Despite losing broadband privacy jurisdiction, the FCC retains direct enforcement authority over CPNI for voice carriers and interconnected VoIP providers. The Enforcement Bureau pursues both programmatic compliance — annual certifications, due March 1 each year — and specific violations. Penalties for CPNI sharing without authorization can be substantial: in 2024, the FCC finalized combined penalties exceeding $200 million against AT&T, T-Mobile, Verizon, and Sprint for selling customers’ real-time location data to aggregators and data brokers without adequate consent, in violation of Section 222.

The CPNI framework covers call detail records, location data generated by network operations, and services subscribed to by the customer. It does not extend to internet browsing history, app usage data, device identifiers generated outside the network, or the vast majority of data that broadband providers collect from customer behavior on the open internet. That data falls entirely outside Section 222 — and, in the absence of Title II reclassification, outside FCC jurisdiction.

The gap matters. A carrier like Verizon operating its core voice network is subject to FCC CPNI rules for the call records it generates. The same carrier’s advertising technology subsidiary, operating on data derived from customers’ broadband activity — websites visited, app usage patterns, geolocation inferred from IP addresses — is subject to FTC Section 5 jurisdiction on the activity-based theory established in FTC v. AT&T Mobility. Two divisions of the same corporate enterprise answer to different federal regulators under different legal standards.

Where the Jurisdiction Gap Creates Enforcement Risk

The split produces three identifiable enforcement gaps. First, broadband ISPs are regulated by neither agency under a rule-based consent framework for data collection. The FTC can act after the fact against deceptive practices, but it has no authority to require opt-in consent for sensitive data categories the way the 2016 FCC rules did and the proposed American Data Privacy and Protection Act (ADPPA) would have. Second, data brokers that aggregate carrier-derived data with commercial data sit in a regulatory middle ground: FCC authority ends at the carrier’s network boundary; FTC authority covers deceptive commercial practices but does not specifically regulate data broker operations absent explicit misrepresentation. Third, non-carrier technology companies — platform operators, advertising networks, device manufacturers — are subject only to FTC Section 5 and sector-specific statutes such as COPPA and GLBA. There is no general federal data minimization or consent requirement applicable to them.

For carriers and ISPs, the practical compliance posture involves parallel tracks: Section 222 compliance programs for CPNI, FTC-standard privacy policy disclosures for non-carrier services, and state privacy law compliance for operations in the twenty states with comprehensive privacy statutes in force as of 2026. That state patchwork — explored in depth in the US data privacy law and ADPPA policy guide — adds obligations that neither the FTC nor the FCC imposes federally.

The FCC’s spectrum policy authority, which operates entirely independently of its consumer privacy jurisdiction, is examined separately in the FCC spectrum auction policy guide. The two regulatory domains — spectrum allocation and consumer data protection — are administered by separate bureaus within the FCC and have no structural overlap.

The FTC’s Broader Enforcement Posture in 2025

Under Acting Chair Andrew Ferguson, the FTC narrowed its enforcement priorities in 2025 toward established statutory theories — COPPA and GLBA — and away from the novel Section 5 unfairness expansions the prior Commission had pursued against data brokers and commercial surveillance operators. The Commission’s first privacy enforcement actions under the second Trump administration targeted COPPA violations by Disney, robot toy manufacturer Apitor Technology, and the operators of the Sendit app.

The FTC retains jurisdiction over non-carrier privacy practices under the activity-based framework established in FTC v. AT&T Mobility. That jurisdiction covers Google, Meta, Apple, Amazon, and all major technology platforms whose services do not constitute common carrier offerings. It also covers the non-carrier subsidiaries of AT&T, Verizon, and T-Mobile — a consequence of the activity-based ruling that those carriers have structured their businesses to account for. An overview of the FTC’s enforcement authority in adjacent product markets is available in the article on FTC right-to-repair enforcement.

The structural jurisdictional question — which agency governs broadband privacy, and under what standard — remains unresolved by statute. The answer has changed with each administration’s broadband classification decision, each court ruling on FCC rulemaking authority, and each Congress’s failure to pass comprehensive federal privacy legislation. Until Congress acts, the FTC-FCC boundary will continue to shift with regulatory and judicial cycles rather than settle into a stable legal framework.