The FCC adopted new rules that will require ISPs to ask for permission before using and sharing “sensitive” customer information. New rules on data security and data breaches were also adopted.
A History Of Privacy Abuses From ISPs And Carriers
Over the past few years we’ve seen ISPs and wireless carriers try to track all users by default and use their information for commercial reasons. At first, much of this was secretive until it was uncovered, and companies such as AT&T and Verizon promised to give users an “opt-out” option from the smartphone browsing behavior tracking.
AT&T, which also used undeletable “supercookies” to track wireless users, went much further than that with its Gigapower service. Until recently, when it likely learned that the new FCC privacy framework was nigh, the company was charging an extra $30 per month to Gigapower customers if they didn’t want their browsing behavior to be tracked.
A recent report also unveiled that AT&T was secretly sharing customers’ private information with the DEA (and potentially the NSA) without a warrant. This marked yet another scenario in which AT&T proved to be a most reliable partner for intelligence agencies and went above and beyond what the law required of the company.
FCC’s Three Main Privacy Rules
The FCC’s new privacy framework is governed by three main privacy rules, or privacy categories:
1. Opt-in
ISPs will need explicit (opt-in) permission from customers to use and share information such as precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history, and the content of communications.
2. Opt-out
“Non-sensitive” information such as the email addresses or service tier information of customers will be used and shared by ISPs automatically, unless the users “opt-out” of this sort of data sharing. (Presumably ISPs will make it available in customers’ online accounts, or when they sign the contracts.)
3. Exception To Consent Requirements
The third category of privacy rules involves information that is necessary for the service to function, so no additional consent will be required from customers other than the signing of the contract.
Other Rules Provided By The New Privacy Framework
Beyond these three main rules, ISPs will also be required to provide customers with clear information about how their data is collected, how it’s used, and with whom it’s shared, as well as how they can change their privacy settings.
ISPs will also have to conform to industry best practices for data security. They will need to follow the FTC’s and the Consumer Privacy Bill of Rights’ guidelines and requirements for customer privacy and security, as well.
ISPs will have to notify both consumers and authorities when data breaches happen and when they have failed to protect their customers’ data. Consumers have to be notified within 30 days of the breach, while the FCC and the FBI will have to be notified within seven days of the data breach if it affects more than 5,000 customers.
The FCC noted that these new rules don’t apply to “edge” services that work on top of ISP’s networks, including the ISP’s own websites and online services. They apply only to broadband internet access services.
The rules further don’t apply to government surveillance or law enforcement. That could mean that ISPs may still collect as much data as they can on customers for the purpose of aiding intelligence or law enforcement agencies, but they won’t be allowed to use it for commercial purposes, as described by the new FCC privacy framework. However, it’s unclear whether this would cover AT&T’s recently reported “for-profit” data sharing with authorities.
When The Rules Go Into Effect
The data security requirements for ISPs will go into effect within 90 days after publication of the summary of the Order in the Federal Register, which could mean that ISPs don’t have to change too much about the security practices they’re already employing.
The data breach notification policy will have to be implemented within six months after the publication of the summary of the Order in the Federal Register.
The Notice and Choice requirements will become effective about 12 months after publication of the summary of the Order in the Federal Register for the big ISPs. Small ISPs will have an additional year to comply with the new opt-in and opt-out privacy rules.