FCC wants ISPs to get customer permission before sharing personal data

The proposed rules would also require broadband providers to report data breaches


The Federal Communications Commission's headquarters in Washington, D.C.

Credit: Federal Communications Commission

Broadband providers would often be required to get customer permission to use and share personal data they collect under regulations proposed by the U.S. Federal Communications Commission.

Broadband providers have an unrivaled ability to track customers and collect personal data, and there currently are no specific rules covering broadband providers and customer privacy, FCC officials said Thursday.

The goal of the rules is to give broadband customers notice, choice and control over their personal data, FCC officials said during a press briefing.

"Your ISP handles all of your network traffic," FCC Chairman Tom Wheeler wrote in the Huffington Post. "That means it has a broad view of all of your unencrypted online activity -- when you are online, the websites you visit, and the apps you use."

On mobile devices, providers can track customers' physical locations, he added. "Even when data is encrypted, your broadband provider can piece together significant amounts of information about you -- including private information such as a chronic medical condition or financial problems -- based on your online activity," Wheeler said.

The proposed rules, to be debated during the FCC's March 31 meeting, would allow broadband providers to send information about new deals and deliver Web-browsing functionality without seeking further customer permission.

The proposal, which would go out for public comment if approved later this month, would allow broadband customers to opt out of data collection for the broadband providers' internal and affiliate marketing and other communications-related services. For all other purposes, including most sharing of personal data with third parties, broadband providers would be required to get customers' opt-in permission to use and share customer personal data.

The rules don't prohibit ISPs from using the personal information they collect, "only that since it is your information, you should decide whether they can do so," Wheeler wrote. "This isn’t about prohibition; it’s about permission."

Wheeler's proposal would also require Internet service providers to notify customers about data breaches of personal data, with affected users notified within 10 days of discovery of the breach. More than 40 U.S. states have data breach notification laws, but there's no national standard.

ISP trade groups have called on the FCC to avoid passing an extensive set of new rules that specifically target providers.

"Consumer information should be protected based upon the sensitivity of the information to the consumer and how the information is used -- not the type of business keeping it, how that business obtains it, or what regulatory agency has authority over it," five ISP trade groups said in a letter to the FCC this month.

Some ISPs and trade groups have questioned the need for new rules by noting that the use of encryption and virtual private networks is growing among broadband users.

But broadband customers shouldn't have to rely on encryption or VPNs to protect their personal data against sharing by providers, FCC officials said.

The FCC's move toward new privacy rules for ISPs is related in part to the agency's reclassification of broadband as a regulated, common-carrier service in new net neutrality rules passed in February 2015. Reclassification of broadband moved the authority for policing broadband privacy from the Federal Trade Commission to the FCC, privacy groups have said.

Under common-carrier rules, "the information collected by the phone company about your telephone usage has long been protected information," Wheeler wrote. FCC rules "limit your phone company’s ability to repurpose and resell what it learns about your phone activity. The same should be true for information collected by your ISP."

Privacy advocate Jeffrey Chester, executive director of the Center for Digital Democracy, called the proposed rules a "major step forward" for privacy in the U.S.

"Today, Americans have really no privacy when they go online, use mobile phones, or stream videos," he said. "They face a growing threat to their privacy as cable and phone company broadband ISPs construct a powerful and pervasive data gathering apparatus."