The FCC has approved a draft proposal regulating how ISPs can use customer data. This follows a public consultation earlier this year which received extensive feedback. The Commission will vote on the proposal on 27 October.
The FCC already regulates personal data and privacy issues at telecom network operators. Its oversight is extended to internet providers after its Open Internet Order last year reclassified broadband access as a telecommunications service. The rules, if adopted, would give consumers greater control over their ISPs’ use and sharing of their personal information, and provide them with ways to easily adjust their privacy preferences, the FCC said.
The draft rules require that ISPs offering either mobile or fixed broadband to consumers must tell customers about what types of information the ISP collects about its customers; specify how and for what purposes the ISP uses and shares this information; and identify the types of entities with which the ISP shares this information. ISPs must provide this information when a customer signs up for service, and update customers when their privacy policy changes in significant ways. In addition, the information must be available clearly on the ISP’s website or mobile app.
The Commission’s Consumer Advisory Committee (CAC) will develop a standardized privacy notice format that would serve as a ‘safe-harbor’ for those providers who choose to adopt it. In order to use customers' sensitive information, ISPs would be required to obtain explicit prior persmission, through an opt-in. This covers data such as location, health, on children, social security numbers, web browsing history or the content of communications. Sharing of most other types of information would be subject to an opt-out. ISPs would still be able to share anonymised data without being subject to the above rules, as long as they committ to not re-identifying the customers associated with the data.
Additional rules include a ban on rejecting customers who refuse to share part or all of their data, and heightened disclosure and vetting by the FCC for 'pay for for privacy' type products.
In addition, the rules would require ISPS to take reasonable efforts to protect customer data from security theats. A set of guidelines on such measures is included, in line with the FTC's Consumer Privacy Bill of Rights. Any data breaches would need to be reported to affected customers within 30 days of discovery and to the FCC within seven days, and the FBI must be notified if more than 5,000 customers are affected.
The FCC's rules stop short of regulating online services such as search engines and social media sites. Consumer Watchdog welcomed the broadband regulations but said "ultimately we also need privacy regulations covering so-called 'edge providers' like Google, Facebook, Amazon and Twitter".
Industry group USTelecom was more concerned about how the FCC determines what is 'sensitive' customer data. While welcoming the approach to basing the privacy regulation on the type of data, USTelecom said that the Commission would be better off deferring to the FTC on defining what is sensitive, in order to ensure a uniform approach. "We are concerned . . . that the commission, which has no expertise with regard to determining the content of speech, is now attempting to redefine what consumers may regard as sensitive," the group said in a statement.