In a party-line vote, the Federal Communications Commission passed a broad set of privacy rules that would require broadband providers and wireless carriers to give consumers more control over their personal data.
FCC Democratic commissioners approved the new rules 3–2, which mandates that internet service providers (ISPs) give consumers three tiers of data consent — opt-in, opt-out, and inferred — regarding the information they collect to provide internet services. The two Republican Commissioners Ajit Pai and Michael O’Reilly dissented.
Thanks to the new rules adopted Thursday, ISPs need customers’ explicit “opt-in” consent to share sensitive personal data, such as financial data, location, social security numbers, health or medical information, internet browsing or app history, message content, and data belonging to minors.
For non-sensitive data, ISPs must give customers the ability to opt-out. The FCC determined that email addresses didn’t qualify as sensitive data despite their identifying nature, which means customers would have to opt-out of ISPs being able to share that information. That is likely because email is the main form of communication between broadband companies and customers.
“Consumer protection rules are only as strong as their ability to be enforced.”
The rules also require ISPs give customers “clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences,” the FCC wrote in a news release announcing the rules. Broadband companies, however, retain the right to market products and services to customers based on the information they collect.
Additionally, the FCC’s privacy rules stress broadband and wireless providers use appropriate data security practices and notify customers when there is a data breach.
The rules received initial, albeit cautious, praise from pro-consumer policy groups.
“These rules are a really big deal,” Chris Calabrese, the Center for Democracy and Technology’s vice president of policy, told ThinkProgress. “There was a lot of pressure on the commission to water down these rules.”
The takeaway from Thursday’s ruling, he said, is that “[Consumers] are getting the privacy they are paying for right now. By passing these rules, the FCC is updating for the 21st century the ideas of how we should handle communications. You assume the mailman isn’t going to open your mail. This updates that for the broadband context.”
Public Knowledge’s policy fellow Dallas Harris expressed a bit of trepidation in a statement regarding enforcement of the rules, saying that while the FCC’s decision gives consumers “more control over how their information is used online than ever before,” such protections are “only as strong as their ability to be enforced. So it is imperative that the commission follow these strong rules with strict enforcement.”
The Washington, D.C.-based think tank Information Technology and Innovation Foundation, which opposed the net neutrality rules that birthed the FCC’s new privacy rules, took a different stance and disagreed with the agency’s decision, calling it a “terrible precedent” that discourages innovation.
“The privacy framework established today sets a terrible precedent likely to reverberate throughout the internet ecosystem for years to come,” said Doug Brake, ITIF’s telecom policy analyst in a statement.
“Counting browsing and app history as sensitive data are a particularly disappointing departure from the flexible oversight regime that has helped make the U.S. data-fueled economy the envy of the world.”