On Thursday, the Federal Communications Commission approved a broad set of consumer privacy protections setting limits on what information internet service providers (ISPs) can collect about their customers.
The rule was approved on a party line vote with the commission’s three Democrats beating its two Republicans. It requires ISPs to obtain the permission of each customer before collecting that customer’s personal data like web browsing habits, app usage, and location information. This opt-in would only apply to data collected for marketing purposes. As per the language of the commission’s notice of proposed rulemaking, “customer data necessary to provide broadband services… would require no additional customer consent beyond the creation of the customer-ISP relationship.”
These requirements only apply to providers of broadband service, ISPs like Comcast and AT&T. Web-based services like Google and Facebook are not covered under the FCC’s regulatory jurisdiction and are not subject to its opt-in privacy rules. Until last year, ISPs weren’t under regulation by the FCC; however, as part of its effort to impose net neutrality rules, the agency reclassified ISPs as private utilities, which do fall under its jurisdiction.
In addition, the rule requires ISPs to increase transparency into what data they collect from consumers and how that data is used or shared with third parties. There are also requirements regarding the implementation of risk-management practices for keeping customer data safe from breaches and mandatory notifications to customers if and when a data breach occurs.
FCC Chairman Tom Wheeler framed the commission’s decision as being intended to give internet users a greater agency in controlling their own online privacy. “The more our economy and our lives move online, the more information about us goes over our Internet Service Provider… and the more consumers want to know how to protect their personal information in the digital age,” he said in a statement. “The bottom line is that it’s your data. How it’s used and shared should be your choice.”
Wheeler added that the growth of the Internet of Things, smart devices that use their internet connections to deliver new functionality, is creating a whole new realm of potential avenues for data collection. “When looking at a smart refrigerator that collects and shares data over the internet, the discussion turned to privacy,” he noted. “Who would have ever imagined that what you have in your refrigerator would be information available to AT&T, Comcast, or whoever your network provider is?”
Civil libertarians cheered the move. “Today’s vote is a historic win for privacy and free expression and for the vitality of the internet,” ACLU Senior Policy Analyst Jay Stanley said in a statement. “Just as telephone companies are not allowed to listen in to our calls or sell information about who we talk to, our internet providers shouldn’t be allowed to monitor our internet usage for profit.”
Stanley added that activists still need to put pressure on regulators to enforce the spirit of these privacy roles when telecom firms are likely to search for loopholes in the letter of law. “The FCC’s order is not airtight,” he insisted. “We can expect the industry to try to exploit every crack in these protections, and hope that the spirit of vigorous oversight and consumer protection that has animated this proceeding will continue. ”
Jessica González, executive vice president and general counsel for the National Hispanic Media Coalition, concurred. “We applaud the FCC’s action to put the decision to use the private, personal information of consumers back into our hands,” González said in a statement. “We should always have the power to control what kind of information is being collected about us, how it is being shared, and with whom. We look forward to working with the commission to develop these rules into practices that will earn back the trust of Latinos.”
Not everyone was especially happy about the results of the vote. FCC Commissioner Ajit Pai, one of the two Republicans on the commission who voted against the rule, charged that the decision is, in effect, the government picking winners in losers when it comes to mining user data to generate revenue.
“The FCC tilts the regulatory playing field by proposing to impose more burdensome regulation on internet service providers, or ISPs, than the FTC imposes on so-called ‘edge providers.’ But consumers don’t necessarily know which particular online entities can access their personal information, let alone the regulatory classification of those entities,” Pai noted in a statement that accompanied the FCC’s release of documents following Thursday’s vote.
“They do care that their personal information is protected by everyone who has access to it. And, more broadly, it makes little sense to give some companies greater leeway under the law than others when all may have access to the very same personal data. This disparate approach does not benefit consumers or the public interest. It simply favors one set of corporate interests over another.”
“Slanted regulation is bad enough. Illogically slanted regulation is worse,” Pai continued. “Here’s the reality: There is no good reason to single out ISPs—new entrants in the online advertising space—for disparate treatment.”
Similarly, Berin Szóka, president of the laissez faire tech policy think tank Tech Freedom, asserted these news rules will end up harming both internet service providers and their customers by reducing competition in the ISP ecosystem. “The FCC is not an ‘expert agency’ on privacy — it should have simply adopted the FTC’s longstanding approach, which would protect consumers without distorting the online advertising market,” he asserted. “A broad coalition of civil society groups, broadband providers, edge companies, and device manufacturers urged the FCC to maintain regulatory harmony.”
“Instead, Chairman Wheeler has catered to a narrow group of hardline activists, insisting that some internet companies be held to a different standard than others,” Szóka added. “The Chairman keeps saying he wants ‘competition, competition, competition,’ but his rules will make it much harder for companies like AOL (owned by Verizon) to compete with ad giants Google and Facebook.”
This action is unlikely to be the only instance in which the FCC takes aim at ISP practices. While the rule approved this week didn’t include any language regarding the mandatory arbitration clauses often present in contracts between ISPs and their customers, Wheeler said during Thursday’s meeting that such regulation is already in the pipeline.
“As my colleagues have said, the time has also come to address another important consumer issue and that is the harmful impact of mandatory arbitration requirements that are imposed in the contracts of communications service providers,” said Wheeler. “To address this issue comprehensively, we have begun an internal process that is designed to produce a Notice of Proposed Rulemaking… on this very important issue no later than February 2017.”