Roundup: FCC Adopts New Broadband Privacy Rules

From the FCC:

The Federal Communications Commission (FCC) adopted an Order at the October meeting that will give  consumers the tools they need to choose how their Internet service providers (ISPs) use and share their  personal data. Building on widely accepted privacy principles, the rules require that ISPs provide their  customers with meaningful choice and keep customer data secure while giving ISPs the flexibility they  need to continue to innovate. The rules do not prohibit ISPs from using or sharing their customers information  they simply require ISPs to put their customers in the driver seat when it comes to those decisions. The approach the Commission adopted reflects extensive public comments received in response to the comprehensive proposal adopted by the Commission in March 2016.
[Clip]
The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:

• Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.

• Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.

• Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

In addition, the rules include:

• Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;

• A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.

• Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information. The scope of the rules is limited to broadband service providers and other telecommunications carriers. The rules do not apply to the privacy practices of web sites and other “edge services” over which the Federal Trade Commission has authority.

The scope of the rules is limited to broadband service providers and other telecommunications carriers. The rules do not apply to the privacy practices of web sites and other “edge services” over which the Federal Trade Commission has authority. The scope of the rules do not include other services of a broadband provider, such as the operation of a social media website, or issues such as government surveillance, encryption or law enforcement.

Read the Complete News Release
Direct to FCC Fact Sheet About New Broadband Privacy Rules
Media Coverage

FCC Passes Privacy Rules That Could Cloud At&t’s Time Warner Deal (via Politico)

The agency voted 3-2 along party lines to pass the rules, which require internet service providers to get customers’ permission before using their web browsing and app history for advertising purposes. The restrictions, which have been bitterly opposed by the telecom industry, couldn’t come at a worse time for AT&T, which is betting big that data from its more than 100 million customers can provide opportunities for targeted advertising with viewers of Time Warner’s video content, such as CNN and HBO.

FCC Tells ISPs to Get Customer Permission Before Sharing Sensitive Info (via IDG News Service)

The new FCC privacy rules are slightly watered down from an agency proposal earlier this year that would have required broadband providers to get opt-in permission before sharing most customer information with other companies.

Internet Providers Will Soon Need Permission to Share Your Web Browsing History (via The Verge)

In theory, rules are also in place to ensure that internet providers can’t force consumers to opt into sharing. The FCC will prohibit internet providers from refusing to serve customers who don’t agree. But it might still allow internet providers to charge customers more if they refuse to opt in. That’s something that could become pretty controversial — and there doesn’t appear to be any clear rules governing the practice.
[Clip]
Even without customers’ permission, there’s still one way that internet providers will be able to share their data: anonymously. The FCC will allow sharing to occur without permission so long as internet providers anonymize the data “so that it can’t be reasonably linked to a specific individual or device” and contractually prohibit partners from attempting to identify who that data belongs to.

Industry Reaction
CTIA–The Wireless Association Statement After the FCC Adopted its Broadband Privacy Order

“Consumers expect consistent data privacy protection regardless of when, where or how they access the Internet. CTIA members appreciate the Commission moving toward rules that incorporate pieces of the guidance from the FTC and the Administration. Unfortunately, elements of the Order remain out of step with longstanding privacy practices. Today’s action is likely to create more consumer confusion, higher costs and less innovation,
“Efforts to begin a separate FCC arbitration inquiry on questions already answered by Congress and the courts are similarly misguided. The Commission should embrace arbitration provisions that lower costs for wireless service for Americans and provide a streamlined and efficient process to address disputes.”

–Senior Vice President and General Counsel Tom Power
From The Internet and Television Association:

The Commission’s decision to break with the FTC’s proven privacy framework in favor of a cobbled-together approach that abandons principles of fair competition is profoundly disappointing.  Instead of creating a consistent and uniform approach to privacy that consumers can easily understand, today’s result speaks more to regulatory opportunism than reasoned policy.  We strongly agree with the bipartisan Commissioners’ comments that the federal government should develop a common approach to online privacy, as there is no lawful, factual or sound policy basis to justify a discriminatory approach that treats ISPs differently from some of the largest companies in the Internet ecosystem that engage in similar practices but operate under different regulatory standards.

MORE TO COME

Filed under: Data Files, News, Roundup