I've Been Mugged Blog

Late last month, the U.S. Federal Communications Commission (FC) adopted new privacy rules to require high-speed Internet service providers (ISPs) to protect the privacy of their customers. The FCC announcement explained the new privacy rules:

"Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.

Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.

Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;

A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.

Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information."

The new privacy rules prohibit “take-it-or-leave-it” offers, which means an ISP cannot refuse to serve customers who don’t consent to the use and sharing of their information for commercial purposes. The new rules also addressed the desire by ISPs to charge customers more fees for privacy. According to the FCC Fact Sheet:

"Recognizing that so-called “pay for privacy” offerings raise unique considerations, the rules require heightened disclosure for plans that provide discounts or other incentives in exchange for a customer’s express affirmative consent to the use and sharing of their personal information. The Commission will determine on a case-by-case basis the legitimacy of programs that relate service price to privacy protections. Consumers should not be forced to choose between paying inflated prices and maintaining their privacy.

ISPs like Comcast, AT&T, Charter, and Verizon opposed the stricter privacy rules. Google had argued for broader opt-out provisions and privacy rules the same as for websites, not stricter. The U.S. Chamber of Commerce, a political lobbying organization, opposed the stronger privacy rules the FCC proposed in March. Last week, Reuters reported:

"The final regulation is less restrictive than the initial plan proposed by FCC chairman Tom Wheeler in March and closer to rules imposed on websites by the Federal Trade Commission. Republican commissioners said the rules unfairly give websites the ability to harvest more data than service providers and dominate digital advertising."

FCC Chairman Wheeler released a statement on October 27 about the new broadband privacy rules:

"Last week, I visited Consumer Reports’ headquarters in Yonkers, New York, where I toured their product testing facility and met with senior leadership. When looking at a smart refrigerator that collects and shares data over the Internet, the discussion turned to privacy. Who would have ever imagined that what you have in your refrigerator would be information available to AT&T, Comcast, or whoever your network provider is?

The more our economy and our lives move online, the more information about us goes over our Internet Service Provider (ISP) – and the more consumers want to know how to protect their personal information in the digital age.

Today, the Commission takes a significant step to safeguard consumer privacy in this time of rapid technological change, as we adopt rules that will allow consumers to choose how their Internet Service Provider (ISP) uses and shares their personal data.

The bottom line is that it’s your data. How it’s used and shared should be your choice."

The last sentence cannot be over-emphasized. Consumers: it is our information -- property -- which ISPs use, sell, and make money with. Consumers should decide what data broadband and wireless providers share with marketers. Consumers must be in control.

And, there is more to come as the FCC oversees "pay-for-privacy" schemes by ISPs. So, thanks to the FCC and to Chairman Wheeler for fighting strongly for consumers' online privacy rights. What are your opinions of the new broadband privacy rules?