FCC Adopts Stricter Privacy Framework For ISPs

The FCC adopted new rules that will require ISPs to ask for permission before using and sharing “sensitive” customer information. New rules on data security and data breaches were also adopted.

A History Of Privacy Abuses From ISPs And Carriers

Over the past few years we’ve seen ISPs and wireless carriers try to track all users by default and use their information for commercial reasons. At first, much of this was secretive until it was uncovered, and companies such as AT&T and Verizon promised to give users an “opt-out” option from the smartphone browsing behavior tracking.

AT&T, which also used undeletable “supercookies” to track wireless users, went much further than that with its Gigapower service. Until recently, when it likely learned that the new FCC privacy framework was nigh, the company was charging an extra $30 per month to Gigapower customers if they didn’t want their browsing behavior to be tracked.

A recent report also unveiled that AT&T was secretly sharing customers’ private information with the DEA (and potentially the NSA) without a warrant. This marked yet another scenario in which AT&T proved to be a most reliable partner for intelligence agencies and went above and beyond what the law required of the company.

FCC’s Three Main Privacy Rules

The FCC’s new privacy framework is governed by three main privacy rules, or privacy categories:

1. Opt-in

ISPs will need explicit (opt-in) permission from customers to use and share information such as precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history, and the content of communications.

2. Opt-out

“Non-sensitive” information such as the email addresses or service tier information of customers will be used and shared by ISPs automatically, unless the users “opt-out” of this sort of data sharing. (Presumably ISPs will make the opt-out option available in customers’ online accounts, or when they sign the contracts.)

3. Exception To Consent Requirements

The third category of privacy rules involves information that is necessary for the service to function, so no additional consent will be required from customers other than the signing of the contract.

Other Rules Provided By The New Privacy Framework

Beyond these three main rules, ISPs will also be required to provide customers with clear information about how their data is collected, how it’s used, and with whom it’s shared, as well as how they can change their privacy settings.

ISPs will also have to conform to industry best practices for data security. They will need to follow the FTC’s and the Consumer Privacy Bill of Rights’ guidelines and requirements for customer privacy and security, as well.

ISPs will have to notify both consumers and authorities when data breaches happen and when they have failed to protect their customers’ data. Consumers have to be notified within 30 days of the breach, while the FCC and the FBI will have to be notified within seven days of the data breach if it affects more than 5,000 customers.

The FCC noted that these new rules don’t apply to “edge” services that work on top of ISPs’ networks, including the ISPs’ own websites and online services. They apply only to broadband internet access services.

The rules further don’t apply to government surveillance or law enforcement. That could mean that ISPs may still collect as much data as they can on customers for the purpose of aiding intelligence or law enforcement agencies, but they won’t be allowed to use it for commercial purposes, as described by the new FCC privacy framework. However, it’s unclear whether this would cover AT&T’s recently reported “for-profit” data sharing with authorities.

When The Rules Go Into Effect

The data security requirements for ISPs will go into effect within 90 days after publication of the summary of the Order in the Federal Register, which could mean that ISPs don’t have to change too much about the security practices they’re already employing.

The data breach notification policy will have to be implemented within six months after the publication of the summary of the Order in the Federal Register.

The Notice and Choice requirements will become effective about 12 months after publication of the summary of the Order in the Federal Register for the big ISPs. Small ISPs will have an additional year to comply with the new opt-in and opt-out privacy rules.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • problematiq
    The most likely outcome is an additional plan you can pick that is higher cost with lower speeds/cap and all of the current ones adding the "I Opt in" into the EULA.
    I'm glad to see some changes attempting to allow us to choose where our data is used.
  • none12345
    I hope they have language specifically spelling out that they can't just roll it into the EULA. Because if they can, then you have no choice, you either accept the EULA or you don't get service.
  • problematiq
    18789763 said:
    I hope they have language specifically spelling out that they can't just roll it into the EULA. Because if they can, then you have no choice, you either accept the EULA or you don't get service.

    Well we could always go with a different IS.. Oh wait..
  • Tanyac
    Yep. This goes on here in Australia too with the big guys like Telstra and Optus doing the same things.

    Indeed, in Optus' case they go a step further and try to prevent customers protecting their privacy by interfering with attempts to use VPNs or encryption tools. Their mail servers can't be whitelisted, so if you use a VPN you can't send or receive emails with Optus, and they have no security on their email anyway, so why would you want to use Optus anyway. The routers they provide (at least for NBN) are severely crippled and have most security options disabled.
  • thor220
    Just frickin make the Internet Infrastructure a utility already. It's obvious these companies have every intention to screw the customer over in every possible way they can. Capitalism only works when there is competition; if there is none, it is the worst economic system you can have. Companies actively block competitors, refuse to improve service / product, and load money into the political system. It's the same thing for any monopoly anywhere.