FCC Broadband Privacy Proposal Shifts Toward FTC Model

Opt-in regime 'calibrated' to sensitivity of info

FCC chairman Tom Wheeler has unveiled a revised version of his broadband privacy proposal that no longer requires a consumer to opt in to most info sharing with third parties—including targeted advertisers—but instead bases what it considers opt-in vs. opt-out customer information on the sensitivity of that information, rather than how it is used.

Given how much of that information is classified as sensitive and does require opt-in consent (see below), that may not be a large enough pivot for concerned ISPs.

Wheeler, for instance, explicitly includes web browsing history and app-use history as sensitive information subject to opt-in consent because of the unique relationship between ISPs and their customers, according to a senior FCC official. That means opt-in for targeted ad use based on browsing and apps.

That means that ISPs would have to get opt-in consent to share web browsing and app use and geolocation info with third-party marketers.

Including Web browsing history as opt-in means there remains a gulf between how ISPs and edge providers are treated under privacy regs. Google has no such restriction on use of that history, a point a senior FCC official made on a call with reporters about the item, though he added that Google Fiber in its ISP role would be subject to the opt-in regime.

A cable executive source, speaking on background, also talked about that disparity, saying that while it appeared that the FCC was adopting the FTC approach, it was sufficiently broadening the definition of sensitive data--to include Web browsing, for example--such that the opt-in regime would create a huge disparity between how the FTC governs the edge and the FCC treats ISPs.

The new proposal is billed as more in line with the Federal Trade Commission's approach, including the FCC's plan to "calibrate" privacy protections "to the sensitivity of the information, in line with approaches taken by other privacy frameworks, including the FTC’s and the Administration’s Consumer Privacy Bill of Rights."

A senior official said he believed the item was “very much” in alignment with the FTC’s framework but said the FCC did tailor that to the special relationship ISPs have.

That announced pivot came as Wheeler put it on the agenda for a vote at the Oct. 27 public meeting and after various parties, including the FTC, suggested a sensitivity approach was the best way to go.

Under the plan, ISPs must:

• "Notify customers about what types of information the ISP collects about its customers;

• "Specify how and for what purposes the ISP uses and shares this information;

• "Identify the types of entities with which the ISP shares this information."

Currently defined as sensitive information that needs opt-in consent, according to the proposal, are:

  • Geo-location (typically the real-world location of a mobile phone or other device)
  • Children’s information
  • Health information
  • Financial information
  • Social Security numbers
  • Web browsing history
  • App usage history
  • The content of communications

The FCC will also create a voluntary privacy notice form that will serve as a "safe harbor" for compliance, which is also similar to the FTC approach.

The proposal also prohibits “take-it-or-leave-it” offers, "meaning that an ISP can’t refuse to serve customers who don’t consent to the use and sharing of their information for commercial purposes."

Providers can offer financial incentives for use of information so long as they are clear about what information they want to use, why, and get opt-in consent from their customers. But the FCC can look at such offers on a case-by-case basis.

The proposal does not include a checklist of data protection requirements but does have guidelines on best practices on protection and disposal of data.

The proposal requires breach notifications within 30 days of an ISP determining a breach has occurred, and notification of the FCC within no more than seven days. The FBI and Secret Service have to be alerted to breaches affecting more than 5,000 customers, also within seven days.

ISPs can share aggregated, de-identified data, so long as it cannot be re-aggregated.

Wheeler got major pushback from ISPs and others over his original proposal, which was to require subs to affirmatively agree to the sharing of their online information—like where they have been surfing—to third parties for marketing and other purposes. Former officials in the Obama Administration and a former high-ranking Democratic congressman got together this week to root Wheeler on in what they anticipated was his move toward a more FTC-based approach to protecting consumers' personal information online.

The FCC's new broadband privacy proposal was being hailed Thursday by privacy groups, suggesting the item may not have pivoted sufficiently away from the opt-in regime for troubled ISPs.

"We laud the timely development of a rule that would require ISP customer permission before much of their personal information may be used or shared," said Katharina Kopp, deputy director of the Center for Digital Democracy. "This proposal offers consumers the much needed safeguards and desired control over their own personal information. For the first time, ISPs would have to obtain customer consent for the use of web browsing and app usage history for advertising purposes."
