ISPs long ago realized that customer data is valuable, and are continuing to develop ways to monetize that information. For example, last month, AT&T explained that a major factor in its decision to bid on Time Warner was the lure of new possibilities in targeted advertising. Last year, Comcast bought targeted advertising firm Visible World for similar reasons.
Efforts by ISPs to monetize user data have triggered concerns among privacy watchdogs and the FCC. On October 27, 2016, the FCC adopted new rules to control when and how this information can be used and shared. "It's the consumers' information. How it is used should be the consumers' choice" said FCC Chairman Tom Wheeler.
According to the FCC, the rules "do not prohibit ISPs from using or sharing their customers’ information – they simply require ISPs to put their customers into the driver’s seat when it comes to those decisions.” The new rules require specific notices to consumers about:
- The types of information the ISP collects from them
- How the ISP uses and shares the information
- The types of entities with whom the ISP shares the information
The rules also require ISPs to give a degree of control to the consumer. ISPs will be required to obtain consumer consent (an "opt-in") before sharing certain categories of "sensitive" information, including:
- Health information
- Financial information
- Children’s information
- Social Security numbers
- Web browsing history
- App usage history
- Content of communications
For other categories of information (those not deemed “sensitive," such as an email address or service level), ISPs must still offer users the opportunity to “opt-out” of the use and sharing of their information, with some exceptions. Customer consent can be inferred for certain uses, such as providing services and for billing and collection activities.
ISPs are prohibited from rejecting a customer for refusing to provide a requested consent. Because it is more profitable for the ISP if the customers permit data use and sharing, the rules permit an ISP to give customers a discount or other financial incentive to provide a requested consent.
The FCC has made it clear that its rules “do not regulate the privacy practices of websites or apps, like Twitter or Facebook, over which the FTC has authority.” Websites and apps currently collect much more data than ISPs, so the practical impact of the rules on consumer privacy is likely to be limited.
The new rules impose a requirement that ISPs implement reasonable data security practices, including robust customer authentication and data disposal practices. The rules also include a data breach notification requirement, which preempts those in existence in 47 states, but only to the extent that the FCC rules are inconsistent with a state's requirements.
The rules become effective with respect to different sections at different times, with all of the rules likely becoming enforceable within one year.
This action by the FCC creates just one more piece in the mosaic of statues, regulations, and treaties that together comprise privacy and data security law.