The FCC has voted along party lines to require ISPs to get their subs' permission to share their web surfing and app use histories and other "sensitive" data with third parties for marketing and other purposes. It was billed as based on transparency, consumer choice and data security.
The vote was 3-2, with one concurrence from Democratic commissioner Mignon Clyburn over the absence of a prohibition on mandatory arbitration clauses and two strong dissents from Republican commissioners.
ISPs and advertisers say that could take a big bite out of the free-content model that powers the internet, since it relies on targeted marketing to remain free.
The item also establishes deadlines for breach notifications, requires clear notification to customers of what data is being collected and how it is being used, and prevents “take-it-or-leave-it” offers—conditioning service on allowing data sharing.
ISPs would be required to take reasonable measures to secure the information.
The FCC will allow ISPs to provide incentives to customers for sharing that data, referred to by some as "pay for privacy" but will monitor the practice on a case-by-case basis and require heightened disclosure. It will also launch a new proceeding looking into the practice, which means it could ultimately decide to prevent it.
The FCC is using a "sensitivity" approach, requiring opt out for nonsensitive data and opt in for a category of sensitive information that includes geolocation, children’s information, health, financial, Social Security numbers, web browsing history, app use history (or the "functional equipment"), and the content of communications (texts and emails).
ISPs argue that is too broad a brush, specifically the inclusion of the web and app histories.
"When faced with the question, of should I support requiring companies to give consumers more notice, more choice, and more transparency, you hear no double speak from me," said Clyburn. "Simply put, additional consent here means that consumers will have more of a say in how their personal information is used—and I for one think that is a good thing."
"This is real privacy control for consumers," said commissioner Jessica Rosenworcel. "It helps in the here and now." But Clyburn recognized the disconnect between the FCC's approach and the Federal Trade Commission's regulation of edge providers like Google and Facebook, which are not under an opt-in mandate for browsing histories.
"[W]ith respect to the future of privacy, I think we still have work to do," she said. "Our domestic privacy policies largely rest on a foundation of old sector-specific laws. So continuing work to harmonize our privacy frameworks is hard—but deserves time and attention."
"Our digital footprints are no longer in sand; they are in wet cement," said Rosenworcel.
ISPs have argued that the FCC's approach is not as harmonized with the FTC's "sensitivity" approach as has been billed.
Rosenworcel recognized that concern, but said it came down to hard choices. "[T]he policies we adopt today are in many ways in sync with the approach taken by our colleagues at the Federal Trade Commission under Section 5 of the Federal Trade Commission Act. To the extent they are not, let’s face the facts—we are dealing with old laws, new technologies, and hard choices about existing regulatory schemes."
Republican commissioner Ajit Pai saw it very differently. "Nothing in these rules will stop edge providers from harvesting and monetizing your data, whether it’s the websites you visit or the YouTube videos you watch or the email you send or the search terms you enter on any of your devices," he said. Explaining his dissent, he called the order "one-sided rules that will cement edge providers’ dominance in the online advertising market and lead to consumer confusion about which online companies can and cannot use their data. I dissent."
Commissioner Michael O'Rielly dissented for a number of reasons, including what he said was a lack of authority and a failure to justify diverging from the FTC in applying opt in to web and app history use. He slammed the FCC's use of the ISP gatekeeper argument to explain the tougher rules. He said a court should overturn the order on that faulty gatekeeper argument alone.
O'Rielly also took aim at the item's requirement that ISPs have to have opt-in permission to market new services—opt out is still inferred for marketing elements of the current bundle. He said that would discourage the rollout of new services.
O'Rielly did find some bright spots, including that there will be a "reasonableness" approach to data security and a harm-based standard for breach notifications.
Wheeler said it was "seasonally appropriate" that the Republican members had brought up "Halloween-style" scare tactics.
He said this was about giving consumers control over how data was used by "faceless companies."
He called it a common sense step, which was to protect consumer network privacy. Control should be the choice of the consumer, not "some corporate algorithm."
Wheeler's opposite number at the FTC gave the item her seal of approval.
“I am pleased that the Federal Communications Commission has adopted rules that will protect the privacy of millions of broadband users," said Federal Trade Commission Chairwoman Edith Ramirez. "The rules will provide robust privacy protections, including protecting sensitive information such as consumers’ social security numbers, precise geolocation data, and content of communications, and requiring reasonable data security practices. We look forward to continuing to work with the FCC to protect the privacy of American consumers.”