In early 2015, the Federal Communications Commission reclassified broadband internet as a telecommunications service, a public utility under Title II of the Telecommunications Act, and approved long-debated net neutrality rules. (The DC Circuit denied a challenge to those rules in June.) With broadband ISPs firmly in its regulatory grasp, the FCC set its sights on consumer privacy.
In its October 27 open meeting, the Commission will vote on proposed consumer privacy rules. The April notice of proposed rulemaking received over 250,000 comments from companies, consumers, and advocacy groups. Though the FCC has not published the resulting proposed order, Chairman Tom Wheeler released a factsheet summary last Thursday. (And Wheeler simultaneously blogged a defense of the proposal.)
The notice-and-comment rigmarole resulted in a revised proposal that more closely mirrors the Federal Trade Commission’s rules for other internet companies like Facebook and Google. The new rules lay out (1) a framework for affirmative consumer notice of ISP privacy practices, including opt-in and opt-out requirements for sensitive information and restrictions on the use of de-identified consumer information, and (2) data security standards and data breach protocols.
Disclosure and Consent
The new rules would mandate disclosure of what information the ISPs collect and how they use or share it. Beyond disclosure, ISPs would need affirmative (opt-in) consent from customers to use “sensitive” information: web browsing history, the content of internet communications, financial information, geolocation data, and personal health information. For some less-sensitive data—such as “service tier information used to market an alarm system” and basic data like names and addresses—an opt-out option would suffice. And while the consent framework would exempt some de-identified information, ISPs would be required to sufficiently anonymize the data and safeguard it both technically and contractually against re-association with individual consumers. This approach largely mirrors the FTC’s.
The proposal would prohibit ISPs from outright denying service to consumers who refuse to consent, but waffles on the extent to which companies may incentivize consent through financial discounts. The FCC will assess those techniques on a case-by-case basis.
Though the proposal is careful to avoid a rigid manual of data security protocols, it would provide guidelines and set best practices for security and oversight. Additionally, it would require prompt notification of any data breach to both consumers and the FCC, and, in breaches that expose sufficiently large amounts of consumer data, to the FBI and Secret Service.
Both ISPs and consumer privacy advocacy groups seem at least tentatively appeased. The Wall Street Journal reports that Verizon—an outspoken critic of the original proposal—expressed approval of the FCC’s incorporation of the concerns of ISPs in the revised proposal. Questions linger on both sides regarding the FCC’s division of “sensitive” and “nonsensitive” information. Google, for example, asserts that defining all web browsing data as “sensitive” is overinclusive and unwarranted.