Creating a storm of controversy, the Federal Communications Commission released information about its privacy proposal for Internet service providers.
Pursuant to the plan, consumers must provide consent before a broadband provider can make use of their Internet history for behavioral targeting unless the ads are related to other communications services, which require opt-out consent. The proposal "does not prohibit ISPs from using or sharing customer data, for any purpose," the FCC explained, "[i]t simply proposes that consumers have choices—either to opt out in some instances or to require that the ISP first obtain customers' permission before using and sharing the customer's data in others."
In a fact sheet released by the agency, the FCC emphasized that ISPs have access to personal and private information about broadband consumers, giving them the ability "to create detailed profiles about [consumers'] lives." Based on the websites consumers visit and the applications they use, a broadband provider can discover information such as a chronic medical condition or financial problems, the FCC said.
"A consumer's relationship with her ISP is very different than the one she has with a website or app," according to the fact sheet. "Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee."
The FCC based its privacy proposal on three principles: choice, transparency, and security. Consumers have the right to exercise "meaningful and informed control" over the personal data used by a broadband provider, the agency said, and deserve to know what information is being collected about them, how it's being used, and under what circumstances it will be shared. Accurate disclosures of privacy practices must be provided to consumers "in an easily understandable and accessible manner," the FCC added.
As for security, the agency was clear: "Broadband providers have a responsibility to protect consumer data, both as they carry it across their networks and wherever it is stored." To that end, ISPs would at a minimum be required to "adopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties."
Consumers must be notified if their data has been compromised, with the proposal mandating that affected customers receive notice no later than ten days after discovery of the breach with just seven days to notify the Commission (and other federal agencies if the breach involved more than 5,000 customers).
To read the FCC's fact sheet, click here.
Why it matters: The full Commission will consider the proposal and vote at a March 31 meeting. If the NPRM is adopted, a period of public comment would follow. Not surprisingly, the release of the fact sheet was met with praise from consumer advocates and protests from broadband providers. USTelecom President Walter McCormick issued a statement that privacy rules should be "evenly applied across the Internet economy," arguing that ISPs should not be subject to more stringent privacy regulations than websites the FCC doesn't have jurisdiction over, which are governed by the Federal Trade Commission. Moody's Investor Services rated the proposal "credit negative," stating that it believes the plan "to be a long-term risk to the current TV advertising business model, as well as all broadband providers who also have ad sales exposure." The Commission itself is divided on the proposal, with Commissioner Michael O'Rielly releasing a statement in opposition. "The 'fact' sheet demonstrates that the FCC is doubling down on its misguided and broken Net Neutrality decision by imposing troubling and conflicting 'privacy' rules on Internet companies, as well as freelancing on topics like data security and data breach that are not even mentioned in the statute," he wrote.