New rules adopted yesterday in a close vote by the Federal Communications Commission (FCC) are aimed at increasing privacy protections for customers of broadband Internet services. The rules spell out opt-in and opt-out requirements for different types of customer data that ISPs can use or share with others, and also set out new requirements for transparency and security.
FCC commissioners approved the rules in a 3-2 vote divided along party lines, with Republicans Ajit Pai and Michael O’Rielly dissenting.
The updated specifications for ISP data security are set to take effect within 90 days of the publication of the rules, while service providers will have six months to implement newly required procedures for notifying customers about data breaches. Large companies, such as AT&T and Verizon, will have one year to roll out new opt-in and opt-out privacy policies, while smaller providers will have an additional 12 months to comply with the rules.
New Protections for the Digital Age
The new rules are needed to address the changing technology landscape and its potential impacts on consumer privacy and security, said FCC chairman Tom Wheeler (pictured above) in a statement released following the commission’s vote. He recounted a recent tour of the product testing facility at the headquarters of Consumer Reports, where the topic of privacy came up while looking at a smart refrigerator that collects and shares data over the Internet.
“Who would have ever imagined that what you have in your refrigerator would be information available to AT&T, Comcast, or whoever your network provider is?” Wheeler asked. “The more our economy and our lives move online, the more information about us goes over our Internet service provider (ISP) — and the more consumers want to know how to protect their personal information in the digital age.”
The rules adopted yesterday classify as “sensitive” any ISP data about customers’ exact geo-location, Social Security numbers, Web browsing history, communications content as well as health, financial and children’s information. Before service providers can use or share such data, they will have to obtain an opt-in OK from customers.
In addition, customers will be able to opt out of the sharing of other kinds of personal information such as email addresses or types of ISP services used.
Putting Customers ‘in Driver’s Seat’
The FCC’s new rules don’t require ISPs to obtain customer consent to use certain types of data for billing or collection purposes. They also don’t apply to other services that providers might offer, such as social media sites, or to issues such as government surveillance, encryption or law enforcement.
“Building on widely accepted privacy principles, the rules require that ISPs provide their customers with meaningful choice and keep customer data secure while giving ISPs the flexibility they need to continue to innovate,” according to the the FCC’s fact sheet on the regulations. “The rules do not prohibit ISPs from using or sharing their customers’ information — they simply require ISPs to put their customers in the driver’s seat when it comes to those decisions.”
Under the new regulations, service providers will have to provide “clear, conspicuous and persistent notice” about what kinds of customer data they collect, use and share. They will also be required to follow “reasonable” data security practices and to notify customers and law-enforcement authorities if a data breach occurs.
In her statement following yesterday’s vote, Democratic commissioner Mignon Clyburn cited data showing that 91 percent of U.S. consumers believe they have lost control of how their personal information is collected and used by companies.
“With news seemingly breaking every week about a cyberattack, massive data breaches, and companies collecting and selling customer data to government agencies, that number should come as no surprise to anyone,” she said. “This Order, I am proud to say, adopts strong privacy protections and provides robust choice for those who consent to the use or sharing of their information, as a means of receiving new products, more targeted advertising, or other innovative offerings made possible by big data.”
