In 1934, Congress created the Federal Communications Commission (FCC) to oversee telecommunications and radio. Over time, however, its core areas of regulation—telephone rates and broadcast licensing—have waned in importance. In the past decade, despite receiving no major statutory update from Congress, the FCC has attempted to reinvent itself into a social regulator and consumer protection agency to avoid obsolescence.

One such FCC effort is to transform itself into a privacy regulator. In 2016, the agency issued an order imposing new privacy requirements—including new data breach reporting rules—on broadband and telephone providers. However, Congress swiftly passed a disapproval resolution under the Congressional Review Act (CRA), and the President signed it. Once Congress disapproves a rule under the CRA, “a new rule that is substantially the same as such a rule may not be issued.”

Despite that prohibition, the FCC issued another order in 2024 again imposing data breach notification requirements. A trade association representing telecommunications companies sued to block the new rule, but a panel of the U.S. Court of Appeals for the Sixth Circuit upheld it. The panel reasoned that a general provision of the Communications Act—Section 201(b)—gave the FCC authority to regulate the “practices” of telecommunications providers, and that this language was broad enough to include data breach rules.

The Ohio Telecommunications Association has now asked the full Sixth Circuit to rehear the case. The Cato Institute has filed an amicus brief in support of that petition.

Our brief points out that in Loper Bright Enterprises v. Raimondo (2024), the Supreme Court made clear that courts must interpret laws for themselves and find a statute’s “single, best meaning,” rather than defer to an agency’s interpretation. The panel failed to apply that principle.

First, the text and history of Section 201(b) show that the FCC’s authority over “practices” was never meant to include privacy regulation. Since 1934, both Congress and the courts have understood that term to cover matters like rates, classifications, and service conditions—traditional aspects of communications service—not data-security policies. Stretching “practices” to cover anything tangentially related to communications would erase those limits and turn the FCC into a general consumer protection agency, something Congress never authorized.

Second, even if the statute were ambiguous, deference to the FCC is especially unwarranted here. Congress has already spoken directly by rescinding the FCC’s 2016 privacy rules under the CRA. That action independently bars the 2024 order. But even if it did not, Congress’s explicit disapproval should weigh heavily against endorsing the agency’s “discovery” of broad new authority in old statutes.

The Sixth Circuit should grant rehearing and invalidate the FCC’s 2024 order. The court should affirm that federal agencies cannot expand their authority without clear authorization from Congress.