Get ready for a potentially sweeping set of changes governing the use of data by ISPs. Tom Wheeler, chairman of the Federal Communications Commission (FCC), submitted a proposal to regulate the use and disclosure of the data that ISPs collect about their customers’ online activities. If adopted by the FCC, it would require ISPs, including broadband and cellular providers, to obtain consumers’ consent for many uses of their data, disclose other uses, protect personal information, and report data breaches. Since its release, the proposal has been hailed as a significant improvement in online consumer privacy—but also has been criticized for singling out broadband providers while doing nothing about the use of data by large-scale collectors such as Google, Facebook, and Amazon.
The proposal arises out of the FCC’s newly claimed authority to regulate broadband providers in the same manner as other telecommunications companies. The FCC asserted this authority as part of its 2015 Open Internet Order, which also gave the organization its Net Neutrality authority. Under this order—which is being challenged in court—the FCC gained the power to address industry practices such as data discrimination, throttling, and the use of consumer data.
Consumers’ use of the internet results in the creation of huge amounts of data, which can include their searches on Google, complete social media life, video viewing habits, banking and healthcare information from public and secured websites, memberships in organizations, and use of adult sites and services—a complete array of information. Websites collect the data that is generated when customers use their sites, and they can communicate it to third parties (often advertisers) to encourage more use of the site and to generate more revenue. The privacy rights of consumers in their use of these sites are a patchwork of click-through—and rarely actually read—privacy policies, with scattered laws and regulations covering certain types of data.
The gateway to all of this information is the consumers’ ISPs, both their broadband provider and their cellular service provider. The ISPs generate data about network traffic, including websites visited (even in “incognito” or “private” mode), applications used, the amount of time spent at particular sites, and in the case of cellular services, the customers’ location. Unlike websites that customers can choose whether to go to, or ones that allow them to make selections about privacy (such as tightening privacy settings on social media sites, restricting or clearing cookies, or using a browser’s incognito or private mode), consumers must use their ISPs to access all of this information.
Choices, Transparency, and Security
The Wheeler proposal focuses on giving consumers a choice in what data the ISP uses and shares with third parties, transparency in providing clear descriptions about what information is being collected and how it is used, and security in protecting consumer data.
To achieve the first and second goals—consumer choice and transparency—the FCC would separate the use and sharing of information into three categories, with differing levels of consumer choice depending on the category. The first category would be data that is “Inherent in [the] Customer Decision to Purchase ISP’s Services. …” This would include basic billing information, email and IP addresses associated with the account, and basic data involving use, such as bandwidth and streaming practices. The broadband company would be empowered to use that information for its own internal purposes without additional consent. This would include billing as well as data packet and email delivery activities, but it could also include promotions for new services such as increased or faster bandwidth by the carrier itself. It would not include the sharing of this data with others.
The second category would cover the use of data for marketing “other communications-related services” and sharing data with “affiliates that provide communications-related services. …” This might encourage customers to “bundle” the various services of the provider. For this use of consumer data, the ISP would have to provide customers with an affirmative opt-out mechanism so they can deny the ISP the ability to use information for those purposes. Opt-out clauses are not uncommon in privacy policies and are considered friendlier to the company, because many consumers will not exercise their opt-out rights; yet those who are interested or concerned enough can choose to protect their information by opting out.
The third (and broadest) category would be “all other uses and sharing of consumer data” and would require an affirmative opt-in from customers before the ISP could use the data beyond internal and affiliate marketing use. This would include sharing information with advertisers, app operators, online stores such as Amazon or eBay, or similar third parties. Opt-in clauses are considered less friendly to the company, because they automatically restrict the use of information absent an affirmative decision by consumers to allow it. In many cases, the use of this information is more in the company’s interest than consumers’, so making a case to consumers to affirmatively allow the company to use their data is often an uphill battle.
The Wheeler proposal will also impose new requirements on broadband providers to secure consumer information. Among these are stronger authentication requirements and better risk management practices. Additionally, ISPs would have to “take responsibility for [the] use and protection of customer information when shared with third parties.” This could include restrictions that would limit the third party’s ability to further share the data. The FCC would impose affirmative obligations to provide notice to consumers of any data breach no more than 10 days after its discovery, and to inform the FCC, the FBI, and the Secret Service of breaches involving more than 5,000 customers within 7 days of their discovery.
Reactions to the Proposal
Not surprisingly, initial reaction to the proposal is mixed. Privacy advocates strongly support it: The New York Times quotes one privacy advocate who describes it as “a historic moment” that will “allow an individual to have real control over how their information can be gathered and used.” An executive for Public Knowledge, a well-known consumer advocacy and privacy group, tells The Christian Science Monitor that “it certainly makes sense to have the FCC apply its expertise to this area.”
ISPs and broadband providers are quite critical of the proposals. AT&T asserts that existing privacy policies already do an effective job of protecting consumer privacy and that ISPs are “mischaracterized” as having no access to data, although the level of data they collect is more limited than that collected by Google, Facebook, and other internet companies. According to The Washington Post, the Federal Trade Commission (FTC) already heavily regulates privacy in the internet space, but it “has only a limited ability to establish new rules. …” Verizon says that any FCC rules should remain consistent with those of the FTC.
The Wheeler proposal will go before the FCC on March 31, 2016. If the commission approves the proposal, it will be formally adopted as a proposed rule and will be submitted for a period of public comment. If the initial reactions at both ends of the spectrum are any indication, there will be a lot of comments. FYI: Any citizen is allowed to submit comments on this or any other federal proposed rule via the federal government’s Regulations.gov.