
The Federal Communications Commission (FCC) has adopted new privacy rules for broadband customers, giving them more say about how their personal data is used and shared by broadband ISPs. For ISPs, the rules establish a framework of customer consent before they can use or share customer data, calibrated to the sensitivity of the information. Under the rules, information has now been divided into three categories, with clear action guidelines for each.
For the most sensitive information, ISPs will have to get an affirmative “opt-in” consent in order to share data. This kind of information includes precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications. ISPs will be able to use and share non-sensitive information unless customers “opt out.” This kind of information includes email address or service tier information. Finally, there is a category of information that needs neither opt-in nor opt-out to be used or shared, beyond the creation of the customer-ISP relationship. This includes information inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection.
The rules also include transparency requirements for ISPs, which will have to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences.
Broadband providers will also have to engage in “reasonable” data security practices, and the rules include guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and properly disposing of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.
There must in addition be “common-sense” data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.
The FCC noted that the scope of the rules is limited to broadband service providers and other telecom. They do not apply to the privacy practices of web sites and other “edge services” over which the Federal Trade Commission has authority. The scope of the rules does not include other services of a broadband provider, such as the operation of a social media website, or issues such as government surveillance, encryption or law enforcement. The FCC said the approach is consistent with other privacy frameworks, including the Federal Trade Commission’s and the Administration’s Consumer Privacy Bill of Rights.
Verizon said that while it was encouraged by the preliminary information it received about the privacy order, the company will need to closely review the text of the order after it is released.
USTelecom praised the rules for aligning themselves with the framework developed by the Federal Trade Commission (FTC) but disagreed on certain points, in particular the classification of all web browsing as sensitive information. “This is a disservice to the goal of providing consumers with consistency in privacy expectations when they use the internet and poses a threat to continuing web innovation,” it said, with IAB agreeing. USTelecom added that the FCC’s ban on mandatory arbitration clauses in service contracts will do a disservice to consumers who seek speedy resolutions to problems that may arise, and goes well beyond the agency’s statutory mandate.
CTIA said elements of the order remain “out of step” with longstanding privacy practices and that the rules will create more consumer confusion, higher costs and less innovation. CTIA added that efforts to begin a separate FCC arbitration inquiry on questions already answered by Congress and the courts are similarly misguided.
The Telecommunications Industry Association (TIA) agreed that the rules will create an uneven and overly burdensome regulatory environment. TIA called the rules more restrictive than the privacy regulations placed on websites.
Finally, the American Cable Association (ACA) said the rules improved consumer privacy but were still inconsistent with the expectations of ISPs and their customers for the collection and sharing of data. They do not treat all participants in the internet ecosystem alike, and will impose overly burdensome requirements on smaller ISPs. They also do not give providers sufficient flexibility to serve the needs of their customers in a rapidly evolving Internet market. ACA said it also intends to carefully review the order.