Who needs the FCC? Seattle writes its own broadband privacy rule

Hardly anyone was pleased by the rollback of the broadband privacy rule last month, opening up the possibility of ISPs collecting and selling your browsing data — including, as it turns out, cities whose citizens were left out in the cold. Seattle wasted no time taking matters into their own hands, and the result is a local rule that provides a few of the repealed one’s critical protections.

The FCC’s broadband privacy rule would have boosted requirements for transparency and security practices — and more importantly would have added browsing history to the list of “customer proprietary information” and required ISPs to get advance permission from consumers to track and sell it.

Of course, it was never allowed to take effect. Seattle’s response was swift; I talked with the city’s CTO, Michael Mattmiller, about what happened next.

“When the president and Congress repealed the rule, the mayor directed us to look for authority the city already had to restore — or perhaps not restore, but make a rule like it,” he said.

The city found its authority in the municipal code governing cable franchises; the rules on the books are mostly about TV service, but setting “privacy standards for subscribers of cable service and other services provided over the cable system” seems well within the mandate.

The new rule was added yesterday; it requires cable internet providers to obtain opt-in consent before using web browsing history or other internet usage data for its own purposes.

Internet providers have occasionally protested that they don’t do that kind of thing anyway.

“We say that’s great, but we still think there should be a rule. Trust, but verify — that’s our mantra,” Mattmiller said. “ISPs don’t want to be treated different from Google, Facebook, Amazon and other tech companies. But we believe that a consumer’s relationship with their ISP is fundamentally different from other services or websites.”

In addition to getting opt-ins from consumers, ISPs would have to provide their privacy statement to city authorities for inspection yearly, and if they do any aggregating and anonymizing of data, provide their methods and reasons for doing so.

The rule affects Comcast, CenturyLink and local ISP Wave; these three account for a large majority of broadband subscribers in the city. ISPs that do wireless or satellite connections technically aren’t bound by the cable rules, so they’re unaffected for now — unless, Mattmiller joked, they volunteer to submit themselves to the new regulation.

May 24 is the deadline for compliance with the rules, so if you’re in Seattle (like me), one of two things will happen. You might receive an update from your internet provider asking you to opt into their data collection scheme. But you also might not, which either indicates that the ISP doesn’t have a scheme like that, or decided to shut it down before the 24th. Sounds good to me either way.