Federal Communications Commission (FCC) Places Privacy Rule On Agenda for Vote

The contentious rule would limit what broadband carriers can do with their customers' data

Federal Communications Commission (FCC) Places Privacy Rule On Agenda for Vote
Image: Pixabay
October 7, 2016

Tom Wheeler, chairman of the Federal Communications Commission (FCC), has announced that the commission is scheduled to vote later this month on a contentious rule that would limit what internet service providers (ISPs) can do with their customers' data.

The Three Options

According to Consumerist, the proposal puts forth three options for ISPs to follow according to the specific data in question. There are some data that ISPs can use without consumer consent because they need it to provide their services. There are other data that ISPs absolutely cannot use until and unless consumers allow them to by opting in. Finally, there are some data that ISPs are allowed to use without authorization but must provide the option for consumers to opt out at any time.

Carriers cannot use "sensitive" data without customer consent, i.e. customers choosing to opt in. The types of information that the FCC will consider as "sensitive" in this matter includes the following:

  • Geographic location
  • Information about children
  • Health information
  • Financial information
  • Social Security numbers
  • Web browsing history
  • App usage history
  • Communications content

Consumers should be aware that some of these types of information already have privacy rules in place, including children's information, health information, and financial information. Those rules apply not only to the type of data, but also to who is handling it. Although some entities, e.g. doctors and lenders, are legally required to handle certain types of sensitive or identifiable information in a certain manner, others are not. The FCC's new rule would limit how some of that information can be used with consumers' consent.

Non-sensitive data falls into the category of what ISPs can use without authorization but for which they have to provide an opt-out option. Examples of this kind of information include names, addresses, and the current service-level tier.

Then there's the information required by the ISPs. This type will be anonymized, i.e. ISPs will be able to use it once it is "legitimately de-identified," and it does not fall into either the opt-in or opt-out categories. According to senior officials at the FCC, the agency will require anonymization of this data, as well as that the information be unable to be traced back to one particular user in any way in accordance with existing Federal Trade Commission (FTC) guidance dating from 2012.

Pay-for-Privacy Programs

The proposal also addresses pay-for-privacy, financial incentive programs implemented by ISPs.

ISPs are forbidden from making opting-in mandatory in order for consumers to receive service, and they are also prohibited from refusing to allow consumers to opt-in to receive service. The ISP must allow consumers to sign up for service and must continue providing that service regardless of whether or not consumers allow it to use their data.

That being said, the FCC is not banning pay-for-privacy agreements altogether. ISPs and consumers are allowed to make an arrangement in which consumers receive a discount in exchange for allowing the ISP to use the consumers' information. However, said a senior FCC official, such agreements require explicit and affirmative opt-in authorization as well as "heightened disclosure." The ISP, in other words, must make it clear to the consumer what information it is using and the purposes for which it is using, as well as the fact that the consumer is agreeing to such an arrangement.

Agency officials said that it will review complaints regarding these offerings on a case-by-case basis.

What About Data Breaches?

Data usage requirements are not the only matters addressed in the proposal; it also contains requirements about data breaches.

ISPs would be required to follow certain rules regarding who they must inform when a data breach occurs and how long they have to make those notifications. From the date of discovery—i.e. the date on which the breach is discovered—the ISPs would have a maximum of seven days to notify the FCC, the FBI, and the Secret Service. They would have 30 days to notify their customers.

In addition, ISPs would also be required to take reasonable steps to prevent a breach in the first place. They would have to implement "up-to-date and relevant industry best practices," provide "robust customer authentication tools," and take other action to authenticate the identities of people claiming to be their customers and to ensure that their data stays relatively safe.

Finally, the carriers would also have to make sure that any deletion or disposal of data be carried out according to best practice guidance developed by the FTC as well as the consumer privacy bill of rights proposed by the White House.

The Next Steps

There will most likely be much commentary made regarding the proposal before the FCC meets later this month, comments both in favor of and against it.

According to Chairman Wheeler, ISPs have "a broad view of all of your unencrypted online activity – when you are online, the websites you visit, and the apps you use. If you have a mobile device, your provider can track your physical location throughout the day in real time. Even when data is encrypted, your broadband provider can piece together significant amounts of information about you – including private information such as a chronic medical condition or financial problems – based on your online activity."

However, when it comes to actually enforcing regulations, there is a big gap. The FTC regulates what so-called "edge providers"—companies such as Facebook, Google, Amazon, and Netflix—are and are not allowed to do with users' personal information as well as what those providers must tell their users about how they use it. In contract, the FCC regulates the actions of telephone and cable companies. This, says Consumerist, "adds up to one big patchwork of protections that leaves a lot of holes in the middle."

It is these holes that have been at the root of most public object to the proposal to date. Industry insiders and watchers have speculated that the FCC would take an approach similar to that adopted by the FTC, choosing a "must permit opt-out" approach over a "must require consumers to opt-in" one.

The FTC, however, seems to support the proposal.

"We know that consumers care deeply about their privacy, and I am pleased to see the FCC moving forward to protect the privacy of millions of broadband users across the country," FTC chairwoman Edith Ramirez stated. "The FTC, which has protected consumers' privacy for decades in both the online and brick-and-mortar worlds, provided formal comment to the FCC on the proposed rulemaking, and I believe that our input has helped strengthen this important initiative."

Unsurprisingly, the broadband industry has industriously opposed the regulations from the beginning, with particularly vociferous opposition coming from AT&T and Comcast. However, the FCC seems to be prepared for any legal challenges that may arise from that quarter. Agency officials emphasized how it considered all comments and feedback that it had received regarding the proposal when they were drafting it. They also made it clear that they drafted it under the authority of Section 222 of the Communications Act and explained why they did it.

There have been accusations levied at the FCC claiming that it is unfair of the agency to make companies like AT&T adhere to privacy regulations when it made no such demands on companies like Google and Amazon. In response, a senior agency official said: "What we're doing here is frankly what we've done for decades with communications networks, and that's a duty that Congress have given us, to say that when consumers are on their communications networks, they have certain statutory protections. We are implementing those statutory protections here," and then added, "We are looking at the relationship between the customer and the ISP, and we do think there are some specific protections customers deserve in that context." Consumers' relationships with the services they access through the ISP, in order words, have nothing to do with the matter.

Finally, privacy advocates are thrilled at the proposal.

"This proposal offers consumers the much needed safeguards and desired control over their own personal information. For the first time, ISPs would have to obtain customer consent for the use of web browsing and app usage history for advertising purposes," stated Katharina Kopp, deputy director of the Center for Digital Democracy. "Given the unique position of ISPs as gatekeepers to vast amounts of customer data, the FCC's proposed broadband privacy rule is a critical step in preserving a free and open Internet into the 21st century. We will work to ensure this proposal is effectively implemented and that ISP broadband consumers receive the privacy protections they deserve."

The FCC is expected to vote on the adoption of the proposal on October 27.