In late October, the Federal Communications Commission (FCC) approved sweeping new rules covering the consumer privacy policies of broadband ISPs that will govern how they can collect and share personally identifiable data about their customers. The rules come out of the long-term and controversial Net Neutrality process, which requires ISPs not to discriminate against or favor different forms or suppliers of content and gave the FCC more authority to regulate ISP practices. The new rules will not control the practices of individual websites, such as Facebook and Google, and may be re-evaluated by the incoming presidential administration.
ISPs are in a position to collect extensive amounts of data from their customers. Some of it comes from the subscription process, including name and contact information. But it can also include financial information, such as credit card numbers or credit scores, or the subscriber’s Social Security number. More critically, ISPs can also collect information about customers’ use of their services, such as their web browsing history, app downloading and usage, and, in the case of mobile devices, GPS and cell tower-based geolocation. The ISPs often gather and use this data in their marketing and development of services, and they may sell the information to or exchange it with third parties.
What Are the New Rules?
The new rules give consumers “Increased Choice, Transparency, and Security Online” in the use of their data. ISPs may still collect information, but the rules provide for a number of restrictions on their ability to share and use it. Foremost among the new rules is that ISPs must obtain express permission from customers in order to use or share sensitive information. Described as an opt-in form of consent, this rule says that ISPs cannot use a customer’s geolocation, financial, browsing, or content information without receiving affirmative approval from him or her. The rules allow ISPs to provide incentives to customers to get them to agree, such as price discounts and higher tiers of service—but they are not permitted to penalize customers who do not give permission. Nor can ISPs make approval a condition of service, a so-called take it or leave it offer.
For information that is less sensitive or has been “de-identified” (altered to be no longer associated with an individual consumer or device), the rules are more flexible. ISPs can use or share less-sensitive information, provided the customer does not specifically opt out. They can also use de-identified information, but have to take specific steps to prevent it from being “re-identified” or linked to specific customers or devices, either by themselves or any entity they share information with.
Transparency is also a significant part of these new rules. They require that ISPs take steps to protect their data from hacking that are “appropriately calibrated to the nature and scope” of the ISP’s activities, the sensitivity of the information, and the size of the provider. Those steps should include maintaining an industry best practice level of security management, improving accountability, and disposing of data when it is no longer required. In the event of a data breach, the ISP must notify customers as soon as possible (no later than 30 days after it), and it must bring in the FBI and the Secret Service to investigate breaches involving 5,000 or more customers.
The FCC is pursuing these rules under the same authority it has to impose Net Neutrality. In the past, the FCC did not consider ISPs to be in the same category as traditional telecommunications companies, known as common carriers. In February 2015, the FCC voted to change its existing policy and reclassify ISPs as common carriers in light of the expansion from modem- and DSL-based services to comprehensive broadband communications providers. This change allows the FCC to impose Net Neutrality rules and gives it the authority to impose the new privacy rules. While opponents of Net Neutrality have filed legal challenges to the FCC’s 2015 action, the courts have, for now, upheld it.
Reactions to the Rules
As with any major change in policy, the FCC’s new privacy rules generated swift positive and negative reactions. Consumer and privacy groups, including Consumers Union, the Open Technology Institute, Common Sense Kids Action, Public Knowledge, the Center for Digital Democracy, and Demand Progress, have praised the new rules. An Open Technology Institute representative describes the rules as giving “consumers the protection that they deserve and … confidence in the internet as a safe platform for the exploration and expression of viewpoints. …”
The reaction from the ISP industry was mixed to negative. Comcast senior EVP David Cohen argues that the rules will “likely do more harm than good for consumers, competition, and innovation in the all-important internet ecosystem.” Forbes contributor Howard Homonoff notes that by restricting data sharing and use by ISPs, the new rules will threaten the digital advertising that largely subsidizes the internet. With digital advertising already under threat from ad-blocking software and the demand for more “personalized, attention-worthy advertising” to maintain consumer notice, Homonoff says that the FCC’s rules will only “accelerate the chaos.”
As noted, these rules apply only to ISPs and not to websites such as Facebook and Google. Website privacy standards are governed by the Federal Trade Commission (FTC), generally on a case-by-case basis, and rarely use the more rigorous opt-in regime for the use of consumer data. Having ISPs governed by one set of standards and websites governed by another may result in confusion and possibly may be grounds for a legal challenge. Rick Boucher, former chairman of the House of Representatives’ Subcommittee on Communications and Technology, says the new rules “board up the windows while leaving the doors unlocked.” Of course, one possibility is that the FTC could ratchet up its privacy enforcement to the FCC’s standards, although that is seen as unlikely.
The FCC approved the new rules by a 3-to-2 party line vote, with the three Democratic commissioners, including FCC chairman Tom Wheeler, voting in favor, and the two Republican commissioners opposed. The rules do not have legal authority until they are published in the Federal Register, a process that could take several weeks or more. Once published, they are phased in over a period of several months, with the major notice and opt-in choice requirements taking effect no later than 12 months after publication.
If the rules survive, that is. With the election of a Republican administration and a Republican Congress, it is possible that the rules may be modified or even canceled. It is the practice of commissions such as the FCC to be chaired by a member of the party that occupies the White House and for that party to have a majority of the five-member commission. Wheeler, a Democrat who advocated for both Net Neutrality and the privacy rules, is expected to step down from his chairmanship prior to Jan. 20, and another of the Democratic members will likely leave at the end of the year. Both replacements would be Republicans. In light of these changes, Sen. John Thune (R-S.D.), chairman of the Senate Committee on Commerce, Science, and Transportation, recently wrote to Wheeler to urge the FCC to “avoid directing its attention and resources in the coming months to complex, partisan, or otherwise controversial items. …”
In addition, the 20-year-old Congressional Review Act gives Congress the power to review recently passed administrative rules. If both houses of Congress vote to invalidate a rule, and the president does not veto the congressional action, the rule is effectively canceled. The act has been used only once in 20 years, but if there is enough of an objection to the privacy rules, we now have congressional Republicans with the power to undo them and a Republican president who is less likely to veto their actions.