FCC Introduces New Sensitive Data Rules

By: Hollie Webb
Online Editor

FCC Chairman Tom Wheeler warns the public about ISP collection. | Source: Andrew Harrer/Bloomberg


Since the Federal Communications Commission passed its first major privacy regulations for broadband internet providers, reactions have been anything but neutral. While the New York Times lauded the new rules as “landmark protections for internet users,” a writer for Computer World described the changes as “toothless.” The vote to adopt the measures split three to two across party lines, with the FCC’s two Republicans dissenting.

The FCC’s involvement in broadband privacy issues started last year when the agency promulgated net neutrality rules and made internet service providers, known as ISPs, fall under the authority of the Communications Act. Under Section 222 of the Communications Act, the FCC already has the authority to protect the privacy of customer data collected by phone companies. Now, ISPs are viewed the same way.

The newest rules require ISPs to obtain opt-in consent before using or sharing user data that is considered sensitive. FCC Chairman Tom Wheeler explained, “Information that would be considered ‘sensitive’ includes geolocation information, children’s information, health information, financial information, social security numbers, web browsing history, app usage history, and the content of communications such as the text of emails. All other individually identifiable information would be considered non-sensitive, and the use and sharing of that information would be subject to opt-out consent.” Email addresses and service-tier information are considered “non-sensitive.” Regardless of whether consumers decline to opt in or choose to opt out, ISPs will not be able to deny service on this basis.

Additionally, the new rules state that ISPs must give consumers notice about what information they collect and for what purpose it will be used. ISPs must also give notice within 30 days if some type of security breach occurs. Supporters of the measures include online privacy advocacy groups, such as the Center for Digital Democracy, whose executive director called it “the best day we’ve had on internet privacy.”

Critics of the rules seem to fall into two camps: those who think the regulations are too harsh on ISPs, and those who think they are not harsh enough. Falling squarely into the first camp, the Digital Marketing Agency issued a statement saying, “Today the FCC took an action which discards the regulatory framework that has fostered the growth of the internet economy.” The Association of National Advertisers called the FCC ruling “potentially extremely harmful.” In a joint letter sent to the FCC, multiple advertising groups also said that the opt-in requirement would “stifle e-commerce and bombard consumers with unnecessary notices.”

At the other end of the spectrum, some are more worried that the opt-in notice will be buried in lengthy terms and conditions that most people never read. A related concern is that the opt-out feature will not be made easily accessible.

It is important to note that the regulations will not apply to websites or apps. These “edge providers” are still governed by the rules of the FTC. One of the dissenting FCC commissioners, Ajit Pai, noted, “[D]ue to the FCC’s action today, those who have more insight into consumer behavior (edge providers) will be subject to more lenient regulation than those who have less insight (ISPs). This doesn’t make sense.” Chairman Wheeler pointed out in a public statement, however, that “[m]ost of us understand that the social media we join and the websites we visit collect our personal information, and use it for advertising purposes. Seldom, however, do we stop to realize that our ISP is also collecting information about us. What’s more, we can choose not to visit a website or not to sign up for a social network, or we can choose to drop one and switch to another in milliseconds. But broadband service is different. Once we subscribe to an ISP—for our home or for our smartphone—most of us have little flexibility to change our mind or avoid that network rapidly.”

For now, everyone will have to wait and see what effects the new rules actually have. The opt-in requirements will go into effect one year from when they are published in the Federal Register, while the breach rules will go into effect six months earlier.
