On Thursday, October 27th, the Federal Communications Commission (FCC) announced that its proposed rules regarding increased data privacy for broadband Internet subscribers passed by a 3-2 vote of the agency’s commissioners. The rules place new restrictions on Internet service providers (ISPs) and their ability to use data collected from consumers accessing the Internet through them. The FCC says that the rules are intended to provide ISP consumers with more meaningful choices on how their data is used while improving consumer data security and promoting greater transparency of how ISPs use their data, such as for advertising purposes.
The FCC’s broadband privacy rules require ISPs to present their customers with a choice to opt in or opt out of providing consent to use certain categories of information which are deemed to be sensitive. Such sensitive information includes any data pertaining to the customer’s geo-location, health, finances, children, Social Security number, browsing history, app usage history or the content of electronic communications. Information related to a customer’s e-mail address or tier level of broadband service, however, is considered non-sensitive.
There are also situations in which the rules exempt ISPs from presenting the opt-in/opt-out choice to consumers when consumer consent is implied. This includes any usage of consumer data to provide advertising on the ISP’s own broadband services as well as billing or collection services. The rules consider the creation of the consumer-ISP relationship as the basis for consumer consent in these cases.
The transparency requirements in the FCC’s new broadband privacy rules require ISPs to provide “clear, conspicuous and persistent notice” about collected information, how that info is used, with whom it can be shared as well as a consumer’s options for changing privacy preferences. The FCC will also seek to improve consumer data security and breach notifications to consumers and law enforcement through what it calls “common-sense data breach notification requirements.” Other requirements of the new rules oblige ISPs to engage in “reasonable data security practices” and the FCC will offer guidelines on steps for ISPs to consider regarding consumer authentication tools, oversight of security practices and proper data disposal. The FCC has also established a provision in the rules which prohibits ISPs from engaging in “take-it-or-leave-it” offers in which they could avoid serving those consumers who decide to opt-out of information sharing.
The FCC’s order leaves open the possibility for ISPs to de-identify information, or alter data so that it cannot be traced back to an individual, so as to create information which can be shared without causing privacy concerns. The FCC has established a three-part test which such de-identified information needs to satisfy, which requires ISPs to: alter customer information so that it couldn’t reasonably be traced back to an individual or an electronic device; publicly commit to using such information in a de-identified format; and prohibit the re-identification of such information through contractual terms.
In case an unauthorized breach of consumers’ personal data occurs, the FCC has established a rigid timeline in which ISPs are required to let consumers and government officials know about such breaches. Under the new rules, ISPs must notify their customers about breaches as soon as possible and no later than 30 days after it has been reasonably determined that a breach has occurred. If the breach affects more than 5,000 customers, then the ISP’s timeline is moved up and it must notify the FCC, the Federal Bureau of Investigation and the U.S. Secret Service of such a breach within seven days of determining that the breach has occurred. For breaches which affect fewer than 5,000 customers, only the FCC has to be notified of the event, but the agency must be notified at the same time that customers are put on notice of the breach. By contrast, many data breaches affecting sensitive information held by large corporations or even government agencies like the Federal Deposit Insurance Corporation (FDIC) are reported months after the breach first occurred.
The FCC has been able to step up its regulatory actions regarding ISPs and broadband providers thanks to the Open Internet Order which it adopted in February of 2015. This order, part of the net neutrality debate which has bubbled up in recent years, gave the FCC regulatory jurisdiction over ISP and broadband providers by reclassifying them as Title II common carriers under the terms of the Telecommunications Act of 1996; prior to that, oversight of ISPs was granted to the Federal Trade Commission (FTC). Currently, the FCC’s open Internet order seems as though it will remain the law of the land thanks in large part to net neutrality rules being upheld in a decision handed down this June by the District of Columbia Court of Appeals.
Despite the judicial approval of the FCC’s net neutrality regime, the Title II reclassification of ISPs has received pushback from the industry and Congressional Republicans. At a Senate commerce committee hearing held this July, both Republican committee members and representatives from industry trade groups argued that the open Internet order imposes unnecessary costs on the ISP business model and sets a standard which creates an inconsistent playing field across the Internet.
The advertising industry’s initial reaction to the FCC’s adoption of the broadband privacy rules was both swift and negative. A reaction piece published in the advertising and marketing journal AdAge quoted an executive with the Direct Marketing Association as saying that “the FCC got this wrong.” The article notes that aspects of data sharing and use plans are often baked into the business model of many telecommunications and media firms.
Pro-privacy consumer advocacy groups, on the other hand, are claiming no small victory on behalf of U.S. consumers. A statement from Gaurav Laroia, the policy counsel for Free Press, was very congratulatory in tone as it lauded the FCC’s decision to give more choices for privacy to consumers. “Thankfully, the FCC’s new order appears to define the sensitive-data information category broadly, offering higher levels of protection to all internet-user content and addresses,” Laroia’s statement reads. “These protections allow the agency to keep a watchful eye on plans that would force users to make an impossible choice – whether to surrender all of their privacy just to get an internet connection.” Laroia also adds that the approval of these rules includes a resolution to proceed with rulemaking next February which would address mandatory arbitration agreements in communications services contracts.
The FCC’s notice of its approval of broadband privacy rules also identifies certain business sectors which are not affected by the new regulations. It notes that the privacy practices of apps and websites, including large social media sites like Twitter and Facebook, remain under the purview of the FTC. The rules also don’t cover social media websites which might be operated by ISPs and broadband providers. The consumer data privacy provisions also only cover the sharing of data between businesses and do not address surveillance by government and law enforcement or any issues involving encryption.