Federal Communications Commission officials unveiled Thursday details surrounding new privacy rules for internet service providers, months after Chairman Tom Wheeler proposed significantly stricter limitations on subscriber data than those included in the final plan.
Senior FCC officials described the latest draft as a significant departure from Wheeler’s original pitch. The plan would have required internet service providers (ISPs) to obtain “opt-in” consent from subscribers before collecting almost all data for any purpose, including targeted advertising and offering new services.
The proposal commissioners will vote on during the FCC’s open meeting on Oct. 27 requires ISPs to only obtain opt-in consent from subscribers when collecting data deemed sensitive, including location, health and financial data, information on children, social security numbers, app usage history, the content of communications and web browsing history.
“Use and sharing of non-sensitive information would be subject to opt-out consent requirements in most cases,” the agency explained in a fact sheet. “All other individually identifiable customer information — for example, service tier information used to market an alarm system — would be considered non-sensitive and the use of sharing of that information would be subject to opt-out, consistent with customer expectations.”
Customer consent is inferred for collecting data regarding service delivery and billing information like names and addresses.
Critics of the initial plan urged the agency to adopt sensitive and non-sensitive tiers in line with the Federal Trade Commission’s privacy rules, which ISPs were subject to before the FCC claimed jurisdiction over them with its net neutrality rules adopted last year.
“We are very much aligned with the FTC,” a senior FCC official said.
One major difference from FTC rules, and the one likely to receive the same criticism, is the opt-in requirement to collect data on users web browsing history. Opponents of the initial plan said such a provision would disadvantage ISPs, subjecting them to stricter rules than edge providers like Google and Facebook with no such restrictions.
“What we’re saying is, when you’re providing someone access to the internet — whether you’re a new ISP or an existing ISP providing someone access to the internet — in that case web browsing is sensitive,” one official said.
“People like to use Google a lot, so you’re Google providing Google search — obviously not under our rules — we’re not saying whether web browsing is sensitive there. That’s not our jurisdiction,” he continued. “But Google Fiber, when they come in and provide internet access service and they can see all day all of the sites someone is looking at — whether or not they’re using Google online services — that’s sensitive.”
Additional rules would require ISPs to clearly disclose to consumers what data they’re collecting, who they share it with and how they intend to use it.
Providers must adopt industry best practices for cybersecurity and notify consumers and authorities in the event of data breaches. Consumers must be notified no later than 30 days in the event of data security breaches, the FCC no later than seven days and FBI and Secret Service no later than seven days when the breach compromises data on more than 5,000 subscribers.
Sharing and use of de-identified information is permitted, so long as companies don’t make any attempt to re-identify such data. Internet providers can’t refuse service to subscribers who refuse to share data, banning so called “take-it-or-leave-it” offers, and the FCC will judge on a case-by-case basis “pay-for-privacy” plans — when subscribers consent to sharing most or all of the data gleaned from their web browsing habits, including sensitive information, in exchange for discounts on service and receiving targeted ads.
“The chairman’s fact sheet describes a regime that departs from the FTC’s proven sensitivity-based approach to consumer privacy in several key respects,” NCTA, a trade group representing broadband providers, said in a statement. “Specifically, in its treatment of web browsing data and first party marketing of ISP services, the FCC departs from past FTC practice in ways that violate principles of fair competition and deny consumers the benefit of a consistent approach to online privacy protection.”