In a highly anticipated vote, the U.S. Federal Communications Commission has approved sweeping new privacy rules for broadband providers. Voting 3-2 along party lines, with Democrats in the majority, the FCC's new rules will require broadband providers to get consumer opt-in consent to collect sensitive information.
“The bottom line is that broadband subscribers will finally be in the driver’s seat,” said FCC Chairman Tom Wheeler during a press conference after this morning’s vote. “When it comes to decisions about the use of their information,” he added, “consumers will be in control.”
The rules will implement new requirements under Section 222 of the Communications Act for internet service providers and separates the use and sharing of data into three categories: opt-in, opt-out and exceptions to consent requirements. Broadband providers will need to acquire opt-in consent to use and share "sensitive" information. This would include location, financial and health data, children's information, Social Security numbers, web browsing history, app usage, and content of communications. To use or share non-sensitive data, ISPs only need to provide consumers with an opt-out control. Exceptions to consent requirements generally involve using consumer information to implement the service, such as billing information.
Additionally, ISPs must provide consumers with clear notice about its data collection and use practices, that providers employ "reasonable data security practices," and that they follow "common-sense data breach notification requirements."
Commissioners Jessica Rosenworcel and Mignon Clyburn supported Wheeler's proposal, while Commissioners Ajit Pai and Michael O'Rielly dissented.
Though ISPs and many in the ad industry have been vocal in their opposition to the new regulations, today's approval doesn't come as a total surprise. Davis Wright Tremain Partner Christin McMeley, CIPP/US, who recently fact-checked the FCC privacy proposal for Privacy Perspectives, said she was disappointed that overtures made by Pai and O'Rielly were ultimately rebuffed. "This in no way protects the privacy of consumers," she explained in a phone interview with The Privacy Advisor. "The irony is that ISPs can buy consumer information from edge providers." She said this transactional cost will then likely be passed down to the consumer. She also contends this will put ISPs in a competitive disadvantage with edge providers.
If true, such an advantage for edge providers could be short lived, McMeley added, if the FCC decides to increase its regulatory scope over those edge providers through Section 706 of the Telecommunications Act of 1996.
In a column for The Hill posted yesterday, Internet Advertising Bureau Executive Vice President of Public Policy Dave Grimaldi wrote, "The FCC proposal simply makes no sense." He said consumers will "only be confused" and many "will believe they have made choices to protect their data and be shocked to learn those choices only cover some of the information, some of the time."
Sen. Edward Markey, D-Mass., tweeted out his support for the new regulations.
New @FCC#broadband privacy rules will ensure that consumers, not corporations, have control over their personal information.
— Ed Markey (@SenMarkey) October 27, 2016
Consumer and privacy advocacy groups have also expressed their support for the new rules. "Today's decision represents a clear win for consumer privacy," said Laura Moy, Acting Director of Georgetown Law's Institute for Public Representation. In comments provided to The Privacy Advisor, Moy added, "Internet access is essential - it is our most powerful tool not only for reading, learning, expression, and commerce, but also for long-distance association, movement building, health care, employment, and so much more. Consumers should not have to worry that when they go online, their ISP might be watching and monetizing everything they say and do. It's not too much to require ISPs to simply ask permission before using and sharing highly sensitive information like web browsing for non-service-related purposes, and that's what today's order will do."
During today's press conference, Chairman Wheeler stressed the consumer's role in the information ecosystem: "It's the consumer's information. It's not the network who the consumer hires unless they give them permission."
The elephant in the room was clearly the recently proposed merger between AT&T, which has not supported the new privacy rules, and Time Warner, as well as last week's DDoS attacks on domain service provider Dyn. Though Wheeler said he has yet to receive details on the merger, he did hint that the FCC may have a role to play in preventing the type of IoT-based cyber attack that hit the internet last Friday. He said Sen. Mark Warner's letter questioning what role the FCC could play in cybersecurity was a "thoughtful letter" and that he'd respond "in kind." He added, "The open internet order clearly give the agency leeway to deal with issues like this."
Though the FCC released a fact sheet and news release on Thursday's vote, the final order will not be available for some time. Though Wheeler said they would be available within 24 to 48 hours, FCC staffers clarified it will take longer than that, possibly weeks, according to multiple sources.
Top image from federal government site, fair use