“Based on the extensive feedback we’ve received, I am proposing new rules to provide consumers increased choice, transparency and security online,” Wheeler said in a statement.
The new rules require Internet service providers (ISPs) to obtain opt-in consent for the collection of sensitive information, opt-out consent for any other information, and heightened disclosure for “pay for privacy” options. The FCC will vote on these rules on Oct. 27.
“Calibrating consent requirements to the sensitivity of the information aligns with consumer expectations and is in harmony with other key privacy frameworks and principles–including those outlined by the FTC and the administration’s Consumer Privacy Bill of Rights,” Wheeler said. “The proposed rules are designed to evolve with changing technologies, and would provide consumers with ways to easily adjust their privacy preferences over time.”
The FCC reconsidered its approach after advocates of the Federal Trade Commission’s technology neutral approach said that imposing strict rules on Internet service providers in particular was uncalled for because of the small amount of data that they collect compared to other online entities.
“Privacy isn’t the only value that consumers have,” said Neil Chilson, attorney-adviser to Commissioner Maureen Ohlhausen of the FTC.
Nancy Libin, partner at Jenner and Block, said the FCC should adopt a context-based approach to consumer privacy, which takes into consideration the customer’s relationship with the company. For example, since internet service providers are chosen by the consumer, the consumer would be more comfortable knowing that the chosen company has access to the consumer’s data. An Internet company that isn’t being paid for by the consumer should have more stringent privacy restriction because the consumer doesn’t have an implicit agreement with that company.
“The evolution of the Internet has shown that this approach has worked well,” Libin said.
The FCC updated its proposed rules to allow consumers to have more choice in who they share their data with, according to Wheeler.
When the Internet service providers collect information they must notify consumers as to what type of data they’re collecting, how they’re using it, and who they’re sharing it with when the consumer signs up for the service and whenever the policy changes.
The FCC identifies sensitive information as geo-location information, health records, information about children, financial information, Social Security numbers, app usage history, the content of communications, and Web browser history.
Libin said that a snippet of Web browsing history isn’t sensitive information to most users but a comprehensive collection of browsing history is a privacy concern.
The FCC would allow Internet service providers to share de-identified data with third parties.
Libin believes that once data is de-identified it would be difficult to link it back to a specific person; therefore,this doesn’t pose a privacy threat.
“Re-identification can be tricky,” Libin said. “You need an alternative data set to do it.”
The FCC would examine discounts that are offered to consumers who decide to allow companies to collect their data to ensure that inflated prices aren’t being marketed.
In the event of a data breach the Internet service providers would be required to notify customers within 30 days of the discovery, the commissioner within seven days of the discovery, and the Federal Bureau of Investigation within seven days if the breach affected more than 5,000 customers.
“The bottom line is that the information you share with your broadband provider is yours,” Wheeler said. “With the FCC’s new privacy protections, you will have the right to determine how it’s used.”