The Federal Communications Commission voted today to adopt rules that protect consumers' privacy on the internet. The rules give broadband customers tools to make informed choices about how their personal information is used and shared by internet service providers (ISPs).
"It's the consumers' information," said FCC Chairman Tom Wheeler when the proposal was unveiled earlier this year, "and the consumer should have the right to determine how it's used."
Industry groups fought the proposal bitterly. USTelecom, a trade group, took to Twitter to denounce the rules as a "naked power grab."
But most consumer and privacy advocates endorsed the measure. Meredith Rose, staff attorney at Public Knowledge, said the rules would be "a step forward to protecting consumers’ economic and dignitary rights in their own data."
Rose said that without such rules, "consumers face a very real threat of having personal data exposed, sold to third parties without their knowledge, or misused in other fashions."
Thorn in the side?
The 3-2 party-line vote by the five FCC commissioners is seen as a potential thorn in the side of the pending Verizon/Yahoo and AT&T/Time Warner mergers. The deals are built around the notion that Verizon will have access to data Yahoo has collected about its customers, and likewise for AT&T and Time Warner.
To give consumers more control over the use of their personal information, the rules establish a framework of customer consent, calibrated to the sensitivity of the information, that ISPs will be required to follow in order to use and share their customers’ personal information. Sensitive information requires greater transparency and consent than more routine data.
The approach is consistent with other privacy frameworks, including the Federal Trade Commission’s and the Administration’s Consumer Privacy Bill of Rights.
The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:
Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share "sensitive" information, which includes precise geo-location, financial information, health information, children’s information, Social Security numbers, web browsing history, app usage history, and the content of communications.
Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts out.” The "non-sensitive" information basically includes everything not included under the "sensitive" definition -- for example, email address or service tier data.
Exceptions: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.
The rules require ISPs to give customers clear, conspicuous, and persistent notice about what information is being collected, how it is being shared, and how customers can change their privacy preferences.
ISPs are also required to follow "reasonable" data security practices and to notify customers of data breaches.
The rules apply only to broadband service providers and other ISPs and telecommunications carriers. They do not apply to websites and other "edge services," which are not under the FCC's jurisdiction.