Today the Federal Communications Commission (FCC) approved new privacy rules for mobile and fixed broadband ISPs by a vote of 3-2. The rules seek to harmonize the requirements for ISPs with current FCC CPNI rules that restrict usage of customer data by telecommunications carriers.
The rules are broader than FTC privacy standards. In particular, they expand the current categories of information considered to be sensitive to include routine web browsing and app usage data, as well as content of communications. The rules require customer opt-in consent prior to the use by ISPs of these new categories of sensitive information for advertising or marketing. This creates different requirements for ISPs than the regime that applies for the rest of the Internet ecosystem, where web browsing and app usage information is subject to implied consent or opt-out consent.
The FCC otherwise applies sensitive data categories that are very similar to the FTC sensitive data categories set out in the FTC’s 2012 Privacy Report. The FTC privacy framework defines sensitive information to include health information, children’s information, precise geolocation information, financial account data and Social Security Numbers. The FTC has declined to treat as sensitive any web browsing or app usage information that does not itself include health, children’s, geolocation and financial account information or Social Security Numbers.
The rules also require immediate and persistent notification to customers about the ISP’s information collection practices, its use and sharing of the information, and with whom the ISP shares the information.
The FCC also created a new requirement for Commission case-by-case approval of an ISP’s offers of financial incentives, such as discounts, in exchange for customers’ consent to the use and sharing of their customer information. This will likely chill some pricing and specialized service offerings.
Finally, the rules include new security requirements for customer information in the form of “guidelines” on reasonable data security practices. There is also a requirement for ISPs to notify customers of data breaches within 30 days after determination of a breach.
In sum, the rules provide disparate treatment for the same online data depending upon which entity is collecting and using it, and may be challenged in court. If the FTC follows the FCC’s lead as to categories of information that are sensitive and should require opt-in consent for use in marketing and advertising, it would produce a sea-change in the U.S. privacy framework and severely restrict Internet advertising.
The notice and opt-in requirements go into effect 6 months after publication in the Federal Register (although small providers will have 18 months to comply), the data security requirements go into effect 90 days after publication, and the data breach notifications go into effect 6 months after publication.