The U.S. Federal Communications Commission (FCC) has just issued long-awaited rules about how Internet Service Providers (ISPs) can use and share the personal information they capture while you’re using their internet connections. The rules are a whole lot tougher than the ISPs would like. While most privacy advocates seem pleased, others wanted the FCC to go even further, applying the same rules to powerful non-ISPs like Google and Facebook.
The FCC says it’s aiming to give consumers:
Increased choice, transparency, and security online… ISPs serve as a consumer’s “on-ramp” to the internet. Providers have the ability to see a tremendous amount of their customers’ personal information that passes over that internet connection, including their browsing habits.
Consumers deserve the right to decide how that information is used and shared – and to protect their privacy and their children’s privacy online.
To begin, broadband ISPs will have to tell customers what kind of information they’re collecting, how and when they share it, and the “types of entities” they share it with.
Where your personal information is sensitive, you’ll have to opt in before they can use or share it. What’s “sensitive”? Your precise geolocation; information about your children, your health, and your finances; social security numbers; web browsing and app usage histories; and the content of your communications. (Note that your ISP can use and share this info if you give them explicit permission – so watch out for those inviting, gently worded dialog boxes.)
For “all other individually identifiable customer information” – such as the tier of internet service you subscribed to – your ISP can use and share unless you opt out.
Your consent is “inferred” for its use of non-sensitive information “to provide and market services and equipment typically marketed with [your] broadband service… to provide the broadband service, and bill and collect for [it, and] to protect the broadband provider and its customers from [fraud].”
Your ISP can use “de-identified information” that has been disconnected from your identity – but only if they take strong precautions against re-identifying it. ISPs will no longer be permitted to refuse your business if you won’t opt in to their use of your private data. And if they want to give you a discount in exchange for your precious info, they’ll have to provide some to-be-determined form of “heightened disclosure”.
The New York Times quoted two US privacy advocacy organizations – the Center for Digital Democracy and Public Knowledge – as welcoming the new rules. Another, the Electronic Privacy Information Center (EPIC), has argued that the rules don’t go nearly far enough:
While ISPs are clearly engaged in invasive consumer tracking and profiling practices, they are not the only ‘gatekeepers’ to the internet who have extensive and detailed views of consumers’ online activities.
Indeed, many of the largest email, search, and social media companies far exceed the data collection practices of ISPs.
One dissenter from the FCC’s 3-2 vote, Republican FCC Commissioner Ajit Pai, wrote that “There is no good reason to single out ISPs – new entrants in the online advertising space – for disparate treatment.” “Selectively burdening ISPs,” he adds, “confers a windfall to those who are already winning” – companies like Google and Facebook, which face much less rigorous regulation by another agency, the US Federal Trade Commission.
Pai also argues that, as encryption spreads on the internet, less of your private data will remain visible to your friendly ISP anyhow.
You won’t be shocked to hear that the National Cable and Telecommunications Association called the new rules “profoundly disappointing… regulatory opportunism”. And you can just imagine what advertisers think.
OK, we’ll save you the trouble. Here’s Dan Jaffe, vice-president of government relations for the Association of National Advertisers, as quoted by AdExchanger:
This… terrible and unprecedented [proposal]… sweeps all browsing data into the category of ‘sensitive information,’ even if it’s just someone interested in their local weather or whether the orange juice with or without pulp is on sale.
Large ISPs will get a year to implement the new rules; smaller ISPs will get two years. That assumes the rules don’t get tossed out in court. Of course, with three Democrats voting “yes,” and two Republicans voting “no,” they might also get Trumped by a change of presidential administration… but we’ll know about that soon enough.