Internet providers will be barred from monitoring the sites that subscribers visit, unless they give permission to do so, in a rule that FCC Chairman Tom Wheeler plans to present to fellow commissioners on October 27.
Cable and phone companies would have to tell customers what information they collect, how they use it, and the types of entities with whom they share it, according to a fact sheet the FCC released today.
ISPs would be required to make these disclosures when someone signs up for service, and any time there’s a significant change in policy. It would also have to be available on a website or mobile app.
The rules would apply to ISPs such as Comcast and Verizon, but not service providers including Google, Facebook, and Netflix. The Federal Trade Commission sets privacy policies for them.
The FTC’s rules would also apply to services, such as a social media site, run by an ISP. So, for example, the FCC rules would affect Google Fiber which directly provides broadband service to homes and businesses, but not to the company’s search service.
Wheeler’s proposal would not affect government surveillance, encryption or law enforcement.
It also just applies to residential and commercial ISPs, not packagers including the services you’d find in public places such as Starbucks.
Aside from that, consumers would have to give permission before an ISP could use what the FCC considers “sensitive” data. That would include the content of communications, web browsing and app usage history, geo-location, information about children, health, and finances, and Social Security numbers.
People also could ask ISPs to stop using other non-sensitive information — especially data that identifies them. That wouldn’t include information needed to provide or bill for the service.
ISPs can’t refuse to provide service to those who want to keep their data private. The FCC would consider on a case-by-case basis instances where an ISP provides discounts to those who let them use personal information — and would look askance at plans that effectively require people to pay for privacy.
If there’s a data breech, the ISP would have to notify those affected as soon as reasonably possible, at least within 30 days. It also would have seven business days to tell the FCC — and, if more than 5,000 people are affected, the FBI and Secret Service.
Wheeler’s plan follows a 3-2 vote along party lines in March to begin the proceedings. Opponents said that FCC privacy rules could make it hard for ISPs to offer innovative services.
Internet activist groups were quick to applaud the proposal.
“Continuing to allow broadband providers to exploit their market power to harvest our sensitive private information without even asking permission is not only anti-consumer, but blatantly unfair,” says Public Knowledge SVP Harold Feld.
ISPs and advertisers including Google “have pushed the FCC to declare the most sensitive and most profitable subscriber information — user web-browsing and application history — ‘non-sensitive.’ he adds. “Consumers should no longer have to choose between getting the broadband they need or having the privacy they deserve.”
Free Press Policy Counsel Gaurav Laroia says the proposal “follows the law, and stems from the agency’s rightful decision to treat broadband as a common-carrier service. The companies that carry all of our speech online and bring us to every destination on the internet have no business profiting from all the information they gather without our consent.”