Federal Communications Commission Chairman Tom Wheeler released his proposed order to regulate how internet service providers (ISPs) handle customer privacy and data security, by mandating opt-in consent before ISPs use or share sensitive information and by requiring notification in the event of a data breach.

The controversial proposal began with the agency's Open Internet Order, which reclassified broadband Internet service as a telecommunications service under the purview of the FCC. In March, the agency released a draft order on ISP privacy and data security and received extensive public comments.

Reflecting those comments, Chairman Wheeler circulated a proposed order to his fellow Commissioners intended to increase choice, transparency, and online security for consumers. While the agency did not release the text of the order, it provided a fact sheet about the proposal.

The draft rules require that ISPs notify customers about what types of information they collect, specify how and for what purposes the information is used and shared, and identify the "types of entities" with which the ISP shares the information. The notice "must be persistently available" on the ISP's website or mobile app, must be provided when a customer signs up for service, and must be updated when the privacy policy changes in significant ways. The Commission's Consumer Advisory Committee will develop a proposed standardized privacy notice format that would serve as a safe harbor for providers who elect to use it.

To increase consumer choice, the proposal divides customers' personal information into sensitive and non-sensitive categories. To use and share sensitive information—which is defined to include geolocation, children's information, health information, financial information, Social Security numbers, Web browsing history, app usage history, and the content of communications—ISPs would be required to obtain opt-in consent from consumers.

For non-sensitive customer information, use and sharing by ISPs would be subject to opt-out consent. "The focus on the sensitivity of the information—rather than how it is used—is in line with customer expectations," the FCC explained.

The agency also included rules about de-identified information (which may be used and shared outside the consent regime that applies to other consumer data), a prohibition on "take-it-or-leave-it" offers in which an ISP refuses to serve customers who do not consent to the use and sharing of their information, and heightened disclosure requirements for plans that provide discounts or other incentives in exchange for a customer's express affirmative consent to the use and sharing of their personal information. "Consumers should not be forced to choose between paying inflated prices and maintaining their privacy," the FCC said.

Pursuant to the draft rules, ISPs must implement reasonable data security measures and adhere to data breach notification requirements. Eschewing a formal checklist of data security standards, the FCC said covered entities must "take reasonable measures to protect customer data," such as properly disposing of data and implementing robust customer authentication tools.

A breach is reportable when an ISP determines that an unauthorized disclosure of a customer's personal information has occurred, unless the ISP establishes that no harm is reasonably likely to result. For a reportable breach, ISPs must notify affected customers as soon as possible but no later than 30 days after discovery, and must notify the FCC no later than seven business days after discovery. If the breach affects more than 5,000 customers, ISPs must also notify the Federal Bureau of Investigation and the U.S. Secret Service within seven days.

Federal Trade Commission Chairwoman Edith Ramirez praised the proposal. "We know that consumers care deeply about their privacy, and I am pleased to see the FCC moving forward to protect the privacy of millions of broadband users across the country," she said in a statement. "The FTC, which has protected consumers' privacy for decades in both the online and brick-and-mortar worlds, provided formal comment to the FCC on the proposed rulemaking, and I believe that our input has helped strengthen this important initiative."

The full FCC will vote on the proposed order on October 27.


Why it matters: While the draft rules contained some tweaks from the initial proposal, industry members expressed concern about the breadth of the FCC's definition of "sensitive information," which would generally require ISPs to obtain opt-in consent before serving consumers with targeted advertising based on their web browsing history. "There is no record of consumer harm to justify treating web viewing and application use history as sensitive or for it to be subject to opt-in consent," according to a letter from a coalition of advertising groups including the American Association of Advertising Agencies, the American Advertising Federation, the Association of National Advertisers, and the Interactive Advertising Bureau. The proposal "would upend the established and thriving Internet economy, which relies on the support of data-driven advertising."