By a 3-2 vote marked by dissents from both FCC Republicans, the FCC adopted a Notice of Proposed Rulemaking (NPRM) late last week soliciting comments on rules that would require Internet service providers (ISPs) to obtain subscriber consent before collecting and sharing certain data with advertisers and other third-parties. Released last Friday, the NPRM seeks to implement Section 222 of the Communications Act of 1934 with respect to broadband ISPs. Section 222 outlines the duty of telecommunications carriers “to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers.” In the words of an FCC news release, the rules outlined in the NPRM are “designed to ensure broadband consumers have meaningful choice, greater transparency, and strong security protections for their personal information collected by ISPs.”
Specifically, the proposed rules would separate consumer data into three categories that require different levels of consent. These categories are: (1) inherent, which covers consumer data that ISPs need to provide broadband and other specified services in accordance with consumer expectations and therefore would “require no additional customer consent beyond the creation of the customer-ISP relationship,” (2) opt-out, under which broadband ISPs may use consumer data to market other communications services or share such data with ISP affiliates for similar marketing purposes, unless the subscriber affirmatively opts-out, and (3) opt-in, under which ISPs must obtain affirmative subscriber consent for “all other uses and sharing of consumer data.” Transparency rules outlined in the NPRM would require ISPs to “provide customers with clear, conspicuous and persistent notice about what information they collect, use and share with third parties.” ISPs would be further required to implement “robust and flexible data security” measures that include, among others, risk management practices, customer authentication procedures, and acceptance of responsibility “for use and protection of customer information when shared with third parties.” The FCC also specified that the rules proposed in the NPRM would be limited to broadband ISPs and would not extend to websites and “edge” providers that fall under the jurisdiction of the Federal Trade Commission.
FCC Chairman Tom Wheeler asserted in a press statement that the rules contained in the NPRM, if adopted, would give consumers “the tools [they] need to make informed decisions about how . . . ISPs use and share” their personal data. Predicting, however, that the proposed rules will have little or no impact on consumer privacy, particularly as edge providers would be exempt, FCC Commissioner Ajit Pai countered in a dissenting statement: “there is no good reason to single out ISPs, new entrants in the online advertising space, for disparate treatment.”