FCC Outlines New Broadband Privacy Framework

Requires consumers to opt in to share info for most targeted ads

FCC chairman Tom Wheeler has come up with a proposal for new rules on protecting fixed and mobile broadband customer privacy, including the sites they visit and the applications they use, that would require opting in to sharing info for most targeted advertising.

By targeted advertising that means info that can be linked back to an individual.

In a briefing with reporters Wednesday, FCC officials outlined the proposal, which is scheduled to be voted at the FCC's March 31 meeting.

ISPs had pushed for a light touch, but the FCC signaled sector-specific privacy rules were required.

Except for sharing customer information for marketing of their own or affiliated communications services, which would be an opt out regime, "all uses and sharing of consumer data would require express, affirmative 'opt-in' consent from customers." That means targeted advertising.

ISPs can share aggregated, de-identified data, but seeks information on that issue. ISPs can only use that if it is not linked to a person and there is no effort to use it to re-identify the information.

Nothing would prohibit targeted advertising, but it would require a provider to get permission before sharing a customer's information for those targeted ads. A senior official said "opt in" was needed given how much info ISPs have and could share with others.

The FCC is seeking comment on how to define communications-related services, which would determine what categories would be opt in.

A senior official said that the new rules were not about prohibition, but permission, and pointed out that it was a Notice of Proposed Rulemaking, which meant a "path forward" on which they would seek comment, and consider those comments, as well as other proposals before it.

The new rules do not apply to information collected from consumers by edge providers or social media sites, even if owned by broadband providers.

"When consumers sign up for Internet service, they shouldn’t have to sign away their right to privacy," the FCC said in a fact sheet on the proposal.

The item seeks comment on whether some types of information, location for example, should get higher protections.

The chairman bills the proposal as about three things: Choice, transparency and security.

The FCC's outline of the proposal is below:

• “Consent Inherent in Customer Decision to Purchase ISP’s Services:  Under the Chairman’s proposal, customer data necessary to provide broadband services and for marketing the type of broadband service purchased by a customer would require no additional customer consent beyond the creation of the customer-broadband provider relationship. For example, your data can be used to bill you for telecommunications services and ensure your email arrives at its destination, and a broadband provider may use the fact that a consumer is streaming a lot of data to suggest the customer may want to upgrade to another speed tier of service.

•  “Opt-out:  Under the Chairman’s proposal, broadband providers would be allowed to use customer data for the purposes of marketing other communications-related services and to share customer data with their affiliates that provide communications-related services for the purposes of marketing such services unless the customer affirmatively opts out.

•  “Opt-in:  Under the Chairman’s proposal, all other uses and sharing of consumer data would require express, affirmative “opt-in” consent from customers.

“Your ISP’s Duty to Keep Your Data Secure

“Strong security protections are crucial to protecting consumers’ data from breaches and other vulnerabilities that undermine consumer trust and can put their health, financial and other sensitive personal information at risk. The Chairman’s proposal would put in place robust and flexible data security requirements for broadband providers, including an overarching data security standard.

• “The proposal would require broadband providers to take reasonable steps to safeguard customer information from unauthorized use or disclosure. 

• “ And, at a minimum, it would require broadband providers to adopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; to identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties.

“Data Breach & Consumers’ Right to Know

‘Consumers have the right to know their data is being handled and maintained securely by their ISPs. They also have the right to know when their data has been compromised. In order to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information, the Chairman’s proposal includes common-sense data breach notification requirements. Specifically, in the event of a breach, providers would be required to notify:

• “Affected customers of breaches of their data no later than 10 days after discovery. 

• “The Commission of any breach of customer data no later than 7 days after discovery.

• “The Federal Bureau of Investigation and the U.S. Secret Service of breaches affecting more than 5,000 customers no later than 7 days after discovery of the breach."