On October 27, 2016, the Federal Communications Commission (FCC) passed rules regarding increased data privacy for customers of broadband Internet Service Providers (ISPs). The FCC says that these rules intend to provide ISP consumers with more meaningful choices on how their data is used, while also improving their data security and pushing ISPs to be more transparent about how they use consumers’ data.
A July 2015 survey shows that 19 percent of Internet-using households reported that they had been affected by an online security breach, identity theft, or other malicious activity during the 12 months prior to the survey.
Instead, the FCC’s rules require ISPs to give consumers a choice to opt in or opt out of providing consent to use certain sensitive information, including data about the consumer’s geo-location, health, children, finances, Social Security information, browsing history, and more. This framework is similar to other privacy frameworks, including those of Federal Trade Commission and the Administration’s Consumer Privacy Bill of Rights.
The rules articulate three categories of the use and sharing of information: 1) opt-in, 2) opt-out, and 3) exceptions to consent requirements. The opt-in approach requires ISPs to obtain affirmative consumer consent to use and share sensitive information. The opt-out approach allows ISPs to use and share non-sensitive information unless a consumer choose to opt out. Non-sensitive but personally identifiable consumer information include email addresses and service tier information. Exceptions to these requirements apply when ISPs can infer customer consent. Such situations include billing and collection.
The rules leave open the possibility for ISPs to de-identify information so that it cannot be traced back to any specific information. Privacy consumer advocacy groups have celebrated the FCC’s decision, as it will offer higher protection to ISP consumers.
Many ISPs who are affected by this regulation are not happy. Joan Marsh, an AT&T senior vice president, said in a blog post that the FCC approach was “illogical,” adding that “consumers want their information protected based on the sensitivity of the information collected, not the entity collecting it.”
David Cohen, a top Comcast executive, termed the decision “disappointing,” saying it “will likely do more harm than good for consumers, competition, and innovation in the all-important internet ecosystem.”
However, many business sectors are not affected by the new regulations. For example, privacy practices of apps and social media sites, including Twitter and Facebook, remain under the purview of the FTC. On the other hand, consumer privacy groups celebrate the new FCC rules. Gaurav Laroia, policy counsel at Free Press, an open-media advocacy group, says, “We congratulate the FCC’s majority for resisting last-ditch efforts from industry giants to water down these protections.”
See, generally, Protecting the Privacy of Customers of Broadband and Other Telecommunication Services, Report and Order, WC Docket No. 16-106, FCC 16-148 (rel. Nov. 2, 2016) (Broadband Privacy Order or Order).
John D. McKinnon, FCC Approves New Customer Privacy Rules for Broadband Providers, , The Wallstreet Journal (Oct. 27, 2016), http://www.wsj.com/articles/fcc-approves-new-customer-privacy-rules-for-broadband-providers-1477583556
See Rafi Goldberg, NTLA, Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online Activities, NTLA Blog (May 13, 2016), https://www.ntia.doc.gov/blog/2016/lack-trust-internet-privacy-and-security-may-deter-economic-and-other-online-activities.
AT&T Statement on FCC’s Privacy Order, AT&T Public Policy (Oct. 27, 2016), https://www.attpublicpolicy.com/privacy/att-statement-on-fccs-privacy-order/
Free Press Hails FCC’s Landmark Broadband-Privacy Rules, Freepress (Oct. 27, 2016), http://www.freepress.net/press-release/107621/free-press-hails-fccs-landmark-broadband-privacy-rules