The Nitty-Gritty Details About the Privacy Win at the FCC

Last week, internet users won a huge victory for online privacy at the FCC. At its October meeting, the Commission took a tremendous stride forward and voted 3–2 to adopt broadband-privacy rules.

As we’ve written, these rules stand on the same legal foundation as Net Neutrality, built on the reclassification of broadband internet access providers as telecommunications carriers under Title II of the Communications Act. Properly treating these providers as carriers means restoring people’s rights, under the law, to service that’s affordable, nondiscriminatory — and protected from the carriers’ prying eyes.

After a proceeding that lasted almost seven months, the FCC fulfilled its obligation under Section 222 of the Communications Act to ensure that broadband providers like Comcast and AT&T protect their customers’ privacy and don’t profit from all the information they gather on customers without their consent.

A range of protections

On Wednesday the FCC released the full text of its new broadband-privacy rules and here’s what we know so far: ISPs must now get their customers’ permission before they surveil, sell or share any of their sensitive information for marketing purposes.

The FCC rightly defined this “sensitive” information category broadly, and included specific kinds of content in it — like information pertaining to one’s health, finances and children. But the Commission also rightly decided to protect all web-browsing history, app-usage data, the contents of communication, precise geolocation information, and the functional equivalents of these private details.

The remaining “non-sensitive” customer information will be subject only to opt-out consent, which flips the default setting: The ISP can share or use this kind of information unless the customer tells it not to. This category will include information like a customer’s email address and service tier.

Many of the corporate opponents of these rules pointed to the fact that the regulations don’t apply to websites. They were right, to the extent that these broadband providers and their lobbyists suggested that companies like Google and Facebook can and do make use of private information too.

But as we explained throughout the course of this rulemaking, it makes a lot more sense for the FCC to take the steps it can today — and protect against ISPs’ privacy violations — than it does to sit around and wait for Congress to pass a better, more comprehensive privacy law for the whole internet.

Plus, since broadband ISPs are the on-ramp to the internet, they have a view of almost all of our activities online as they route that traffic. Giving internet users more control over how their information is used makes perfect sense under the law — and makes a difference in the real world too.

All of this means that unless you actively opt in to sharing for your sensitive data, your broadband ISP won’t be able to use information about what you say and do online to profile you for ads, upsell you additional products or make money from selling your information to third parties.

Your access to the internet won’t be contingent on agreeing to share your personal information either, and you’ll be able to change your privacy settings via a clear and consistent privacy interface designed by industry and consumer advocates.

Curbing economic exploitation

The new rules also ban the worst and most coercive “pay-for-privacy” schemes that leave customers no effective choice but to give up their privacy for access to the internet — what the Commission called “take it or leave it” offers. We’ve written about the harms of forcing people — especially those in vulnerable communities struggling to get access in the first place — to make the impossible decision between giving up their privacy or having access to the internet.

Fortunately, the FCC took a step in the right direction, and though it fell short of an outright ban it’s committed to keeping a watchful eye on broadband ISPs and evaluating these plans on a case-by-case basis for price gouging and other kinds of coercion.

The FCC also recognized that not all privacy violations are going to come from an ISP’s purposeful sharing of its customers’ information.

As we’ve seen again and again in other sectors, data breaches coming from hackers or company errors can have wide-reaching and harmful impacts on people, especially when it comes to disclosure of their personal information. The agency mandated that broadband providers observe up-to-date industry best practices on protecting their customers’ data and follow Federal Trade Commission best practices on disposing of their information safely.

The broadband-privacy protections will be implemented over the next two years after the rules are published in the Federal Register. The data-security requirements will go into effect within 90 days; then in 12 months customers of large broadband ISPs will be able to control their privacy settings, with customers of small ISPs following a year later.

Industry fought these rules hard. Almost all the major broadband providers, plus Google, the ad industry and lobbyists, opposed these changes. The FCC reported almost a quarter-million filings in the docket — with the vast majority of them in favor.

The decision isn’t perfect, and the details will continue to be tweaked over the next year. We’ll be there to ensure that these privacy safeguards stay strong and reflect the will of the people who demanded them.