Unwilling to be left behind by the likes of Google and Facebook, Internet Service Providers are increasingly exploring how they may capitalize on the high-value targeted advertising market. In November 2016, AT&T explained that targeted advertising is a major contributor behind its bid to buy Time Warner Inc. for $85 billion. AT&T is not alone. In 2015, Comcast acquired an ad-targeting firm, Visible World, in what has been widely viewed as an effort to gain stronger footing in the industry. Another major mobile carrier recently came under fire following its acquisition of a name-brand ISP for sharing information about users of its mobile phone network with the ISPs advertising network.

These and other ISP efforts to collect and capitalize on user data have not gone unnoticed. On October 27, 2016, the Federal Communications Commission passed new rules that govern how ISPs may share customers’ information with third parties. According to the FCC “[t]he [R]ules do not prohibit ISPs from using or sharing their customers’ information – they simply require ISPs to put their customers into the driver’s seat when it comes to those decisions.”

The rules are significant and complex. Here are some highlights:

Notice

The FCC believes customers “deserve to know” how their ISP handles their information. So, the Rules require ISPs to:

  • Notify their customers about the types of information the ISP collects about them
  • Specify how the ISP uses and shares this information
  • Identify the types of entities to whom the ISP shares the information

Customer Choice

The Rules also put a significant degree of control into the hands of the customer based on whether the collected information is deemed sensitive. Moving forward, ISPs will be required to obtain “opt-in” consent from their customers to use and share sensitive information. Certain categories of information are considered “sensitive” under the Rules, including:

  • Precise geo-location
  • Children’s information
  • Health information
  • Financial information
  • Social Security numbers
  • Web browsing history
  • App usage history
  • The content of communications

As for information that is not characterized as “sensitive,” ISPs will still be obligated to offer users the opportunity to “opt-out” of the use and sharing of their information, though some exceptions to these consent requirements are already in place.

Take-It-Or-Leave-It Offers

Importantly, ISPs are prohibited from making “take-it-or-leave-it” offers. This means that an ISP cannot refuse to serve a customer who does not consent to use of their data for commercial purposes.

Critics of the Rules complain that they create consumer and industry confusion by conflicting with similar guidance issued by the Federal Trade Commission to govern the conduct of non-ISPs such as Amazon, Facebook and Google. A focus of these criticisms is the perception that the Rules enacted by the FCC are seen as more restrictive than the FTC guidance. While the FTC guidance aims to restrict the selling or sharing of a customer’s personal information, it defines “personal information” in a more limited context, focusing mostly on health data, financial information, and Social Security numbers.

The FCC, however, has been cautious to note that its rules “do not regulate the privacy practices of websites or apps, like Twitter or Facebook, over which the FTC has authority… [and] [d]o not regulate other services of broadband providers, such as operation of a social media website.” In other words, the FCC sees no problem with the enforcement of different rules on differing industries.

Criticisms aside, there can be no dispute that the FCC has taken a big step forward in establishing itself as a player in the privacy regulation space. How ISPs handle this new level of regulation and how these Rules impact the consolidation and convergence of different industries that make up the consumer communications market remains to be seen.