By a partisan vote of 3-2, the FCC yesterday approved new rules requiring broadband Internet service providers (ISPs) to obtain affirmative “opt-in” permission from their customers before sharing sensitive personal data with advertisers and other third parties. The new rules extend to broadband ISPs and the privacy requirements of Section 222 of the 1934 Communications Act while incorporating the “sensitivity” model which is used by the Federal Trade Commission (FTC) in its oversight of websites and other edge providers. Web sites and other edge providers are not covered by the rules prescribed in the Report and Order.
Instead of separating consumer data into three categories (inherent, opt-out, and opt-in) which would require different levels of consent as first proposed early this year, the framework adopted yesterday, in the words of an FCC news release “is calibrated to the sensitivity of the information.” Under that framework, ISP usage of “sensitive” information consisting of geo-location data, social security numbers, web browsing and app usage history, the content of e-mail communications, and financial, health and children’s information would be subject to the opt-in standard. ISP usage of all other individually-identifiable information (i.e., e-mail addresses, service tiers, etc.) would be permitted unless the customer decides to opt out of such usage. Subscriber consent would be inferred for personal data used for the provision of broadband services and for billing and collection purposes. The rules also include a transparency mandate which requires ISPs “to provide customers with clear, conspicuous and persistent notice about the information they collect” as well as “common sense data breach notification requirements to encourage ISPs to protect the confidentiality of consumer data.”
Asserting, “our digital footprints are no longer in sand; they are in wet cement,” FCC Commissioner Jessica Rosenworcel applauded the new rules as “real privacy control for consumers.” Although FCC Chairman Tom Wheeler agreed that the rules are designed to place privacy control in the hands of consumers and not “some corporate algorithm.” Commissioner Ajit Pai lamented in a dissenting statement, however, that the order contains “one-sided rules” that “will cement edge providers’ dominance in the online advertising market and lead to consumer confusion.” As he took issue with the majority’s decision to apply opt-in rules to web browsing and app use history, Commissioner Michael O’Rielly warned of the potential of the new privacy framework to discourage ISPs from introducing new services.