FCC proposes new privacy rules for ISPs

As widely expected, the FCC has proposed expansive new data privacy rules for broadband providers that, if adopted, could see ISPs required to gain explicit consent from users for using or sharing their data.

Although the Notice of Proposed Rulemaking (NPRM), adopted by the FCC late last week, seeks to tighten privacy rules it would not require broadband providers to gain explicit opt in customer consent for all purposes — with leeway left for providing the broadband service, marketing the specific service to users, and for certain other specific purposes “consistent with customer expectations”, such as public safety contacts.

ISPs would also still be able to share customer data for marketing other comms-related services and with any affiliates providing these services — provided broadband customers have not opted out of receiving this type of marketing missive.

However all other uses of customer data by ISPs would require explicit opt in consent from users under the proposals.

The FCC said the aim is to implement the privacy requirements of Section 222 of the Communications Act for broadband ISPs, with chairman Tom Wheeler arguing that tighter privacy rules are necessary because of the visibility ISPs have into users’ online activity.

In a statement, Wheeler said the proposal is aimed at giving consumers “the tools we need to make informed decisions about how our ISPs use and share our data, and confidence that ISPs are keeping their customers’ data secure”.

Unlike with Internet services consumers cannot easily swap to another broadband provider or choose not to use an ISP at all, he noted.

“Our ISPs handle all of our network traffic. That means an ISP has a broad view of all of its customers’ unencrypted online activity — when we are online, the websites we visit, and the apps we use. If we have mobile devices… our providers can track our physical location throughout the day in real time. Even when data is encrypted, our broadband providers can piece together significant amounts of information about us — including private information such as a chronic medical condition or financial problems — based on our online activity,” said Wheeler.

In January a group of U.S. privacy and consumer rights groups called on the FCC to tighten privacy rules for ISPs, arguing that ISPs have increasingly been using the same big data analytics/tracking techniques as Internet ad platform giants like Google — posing massive risks to user privacy.

As you’d expect, broadband providers are opposed to the proposals. Commenting in a blog post after the NPRM was published last week, Comcast’s SVP for public policy, David L. Cohen, wrote: “The proposed rules will not provide meaningful consumer Internet privacy protections, and will block ISPs from bringing new competition to the online advertising market that could benefit consumers.”

Cohen added that the NPRM is “inexplicably targeted to block ISPs… from entering and competing as disruptors and upstarts in the online advertising marketplace”, noting the latter is “dominated by edge providers and other non-ISPs”.

But Wheeler couched it as “narrowly focused” on ISPs because personal data gathered by ISPs is done so as a function of providing broadband connectivity — rather than because a consumer chooses to visit a website or use a particular online service.

“This proposal does not prohibit ISPs from using and sharing customer data — it simply proposes that the ISP first obtain customers’ express permission before doing so,” Wheeler added.

The FCC proposal was approved by a 3-2 Democratic majority, with Republican commissioners dubbing it corporate favoritism, according to NPR. The next steps in the FCC’s process will be a period of public consultation before a final vote to set new rules.