FCC Chairman Tom Wheeler proposed new rules on Thursday that would require internet service providers like Time Warner and Comcast to disclose how they use customers' personal data, and ask permission before sharing this information with outside organizations. Wheeler outlined the broad strokes of this plan in March, when the FCC voted to accept public comment on the proposed rules. Six months later, the comments are in and the full Commission will review the new plan at its monthly meeting on October 27th.
Under the new rules, ISPs would be required to tell customers about the type of information they collect, how and why they share it and which companies they share it with. In general, ISPs have access to data that includes when and where customers access the internet, which sites they visit and which apps they use. ISPs would have to make this information available to new customers when they sign up for service and provide updates whenever the policies change.
Additionally, ISPs would have to obtain opt-in consent to share "sensitive" information including personal geo-location data, browsing history, app usage, social security numbers, the content of any communications, and information about children, health or finances. This means providers would need to get customers' permission before distributing this information to outside parties. Non-sensitive data -- the FCC uses "service tier information used to market an alarm system" as an example -- would be opt-out, meaning it's automatically open to sharing.
ISPs would be able to de-identify customers' personal information and then share it outside of the rules for obtaining consent. However, the FCC says that information has to pass a three-step test to ensure it's not re-identified, outlined as follows:
- Alter the customer information so that it can't be reasonably linked to a specific individual or device
- Publicly commit to maintain and use information in an unidentifiable format and to not attempt to re-identify the data
- Contractually prohibit the re-identification of shared information
The new rules would also require ISPs to implement up-to-date security practices and notify customers of a breach within 30 days; companies would have to notify the FCC within seven days.
Many ISPs were not happy with Wheeler's proposed rules in March, arguing that they gave companies like Facebook and Google, which also collect user data, an unfair advantage. These websites are overseen by the Federal Trade Commission, rather than the FCC. FTC Chairwoman Edith Ramirez commented on today's announcement, saying she was pleased with the FCC's new proposal.
"The FTC, which has protected consumers' privacy for decades in both the online and brick-and-mortar worlds, provided formal comment to the FCC on the proposed rulemaking, and I believe that our input has helped strengthen this important initiative," she said.