Yesterday, FCC Chairman Tom Wheeler began circulating a draft order among his fellow commissioners that revises the FCC’s initially proposed regulatory approach to broadband privacy to incorporate the “sensitivity” model used by the Federal Trade Commission (FTC) in its oversight of websites and other edge providers. Resembling consumer proprietary network information rules that the FCC has applied to telephone service providers, the rules first proposed by the FCC would have required broadband Internet service providers (ISPs) to obtain subscriber consent before collecting and sharing certain data with advertisers and other third-parties. The proposal would also have separated consumer data into three categories (inherent, opt-out, and opt-in) requiring different levels of consent.
As stated in a fact sheet issued yesterday, the FCC’s revised approach to broadband privacy “reflects extensive public comments received in response to the comprehensive proposal adopted by the Commission in March” which includes “input from the FTC.” Instead of classifying data according to how it is used, the draft order would require ISPs to obtain opt-in consent from consumers corresponding with the sensitivity of the data in question. Under this revised approach, ISPs would be thus required to obtain “opt-in” consent before using the following categories of sensitive information: (1) mobile geo-location data, (2) children’s information, (3) health information, (4) financial information, (5) social security numbers, (6) web browsing history, (7) app usage history, and (8) the content of communications. All other “individually identifiable” consumer data would be classified as non-sensitive although consumers would have the right to “opt-out” of sharing or other usage of that data.
Fixed and mobile broadband ISPs would also be required to inform customers about the collection, sharing and other usage of their personal data, specifying (1) what types of data are collected, (2) how and for what purposes data would be used or shared, and (3) the types of entities with which the ISP would share such data. In the event of security breaches, ISPs would be required to notify the FCC within seven days and affected customers within 30 days.
Despite the similarities between the draft FCC order and the regulatory approach used by the FTC, one cable industry executive lamented that the FCC’s plan to classify web browsing and app usage as sensitive would create a significant disparity between how the FTC governs edge providers and how the FCC would treat ISPs. A spokeswoman for the Center for Digital Democracy, however, welcomed the fact that ISPs “would have to obtain customer consent for the use of web browsing and app usage history for advertising purposes” as she lauded the draft order as one that “offers consumers . . . much needed safeguards and desired control over their own personal information.”