Nov. 1, 2016
Last week, the Federal Communications Commission (FCC) voted on significant new privacy rules that fulfill its statutory mandate to ensure internet service providers (ISPs) protect the confidentiality of the data they collect from their customers to provide internet service. The rules focus on giving consumers choice over how their data is used, requiring transparency around ISP privacy practices, and ensuring the data ISPs collect is secure. In a clear win for privacy, under these new rules ISPs will now have to ask for their customers’ permission before they can use private information such as browsing history for non-service-related purposes. These rules will finally return to consumers some of the control over their privacy that they’ve long desired.
Increasing Consumer Privacy Protections
The debate over broadband privacy rules has been ongoing for more than a year. When the FCC reclassified broadband as a common carrier service under Title II of the Communications Act, that extended the privacy provisions of Title II to ISPs. At the same time, the Federal Trade Commission (FTC) lost authority to police the privacy practices of ISPs because it does not have authority over common carriers. Since then — for over a year now — there were no clear rules from the FCC regarding how ISPs should treat their customer data.
Last Thursday’s vote changed that. With this vote, the FCC ensures ISPs protect their customers’ privacy, as they are required to do under Title II. The new rules will provide important protections for consumers. The regime includes strong notice and consent requirements, and requires a persistently available mechanism available to consumers to opt-in or opt-out of data practices at any time. The FCC also plans to direct the Consumer Advisory Committee to design a standardized privacy notice format that would serve as a “safe harbor” for the new notice requirements.
The FCC adopted a framework similar to the FTC’s “sensitive/nonsensitive” approach to data collection — a departure from what the FCC proposed in March. The “sensitive” data category largely tracks the FTC’s definition — including children’s information, health and financial information, and Social Security Numbers. Significantly, however, ISPs will also have to treat as sensitive web browsing history and app usage history (and their functional equivalents), and the contents of communications. To use these types of data for non-service-related purposes, such as marketing, an ISP has to solicit opt-in consent from the customer. To use “nonsensitive” data for non-service-related purposes requires only opt-out consent, where customers automatically grant permission unless they affirmatively state otherwise. In addition, ISPs by default will be allowed to use non-sensitive information to advertise their own products to the customer.
Further, the FCC could at any time revisit what constitutes “sensitive” information as societal views change and thus redefine the category. In the future, the FCC should remain flexible to add new types of information to the “sensitive” category to ensure consumers are protected against use of data that may become sensitive.
Once the rule becomes official in the next few weeks, consumers may begin to see changes in their ISP’s privacy policies and available options regarding privacy practices. As ISPs begin to act on the rules, consumers should start to see clearer notifications from their providers about intended uses of private information, and have real opportunities to grant (or decline to grant, as the case may be) their permission. The grace period for implementing the new rules is one year, but changes may happen sooner.
The FCC still has some work to do and loose ends to tie up, which will likely happen in a separate proceeding. At the top of the list of items to be considered in the subsequent rulemaking is the issue of forced arbitration. The FCC has asked about this issue in multiple proceedings, including this one. In a recent op-ed, FCC Commissioner Mignon Clyburn and Senator Al Franken argued that companies should not be able to keep consumers out of court by forcing them into arbitration. It is clear that this will be a priority for Clyburn, and others, going forward.
These new rules are a big step in the right direction for consumer privacy.