Internet Service Providers Would Need Customer Permission To Share Sensitive Data Under FCC Proposal


Cable and wireless companies would need customer permission before sharing sensitive personal data, including the contents of emails, Web browsing history, financial information and a mobile device’s geographic location, under a proposal released Thursday by the head of the Federal Communications Commission.

But AT&T Inc., Charter Communications Inc., Verizon Communications Inc. and other providers of high-speed Internet service would not have to get a user’s approval before sharing any “non-sensitive” data, such as a person’s name, address and type of data plan, according to revisions FCC Chairman Tom Wheeler made to tougher restrictions he proposed in March.

That earlier proposal, which was criticized by the broadband industry, would have required customers to opt in before any of their personal information could be shared by their Internet service provider.

Wheeler’s new plan distinguishes between types of information, which broadband providers had urged, and only makes the sharing of sensitive data subject to prior customer approval. Customers would have to opt out of the sharing of non-sensitive data.

In all cases, broadband providers would have to notify customers about the type of information being collected, how it could be used and the types of entities with which the information is shared.

“The bottom line is that the information you share with your broadband provider is yours,” Wheeler said in a blog post on the FCC’s website Thursday. “With the FCC’s new privacy protections, you will have the right to determine how it’s used.”

The proposal is scheduled to be voted on by the FCC at its Oct. 27 meeting and is likely to be approved because Wheeler and his fellow Democrats have a majority.

The new rules would apply only to broadband providers, which are under the FCC’s oversight, and not to individual websites or social networks, the agency said.

Consumer advocates welcomed the new privacy restrictions, even though they were not as stringent as Wheeler originally proposed.

“The proposed rules will, for the first time, require broadband providers to actually ask consumers for permission before exploiting sensitive private information and tracking them online,” said Harold Feld, senior vice president for the digital rights group Public Knowledge.

John Simpson, director of the privacy project for the Consumer Watchdog advocacy group, said he was happy that the proposal has a broad definition of sensitive information that includes a person’s Web browsing history, which is particularly valuable data.

“I would have preferred that they not make that distinction [between sensitive and non-sensitive information] and that they treat all data as something that needs to be ‘opt-in,’” he said. “However, what they have done is a tremendous step forward.”

Wheeler’s proposal expands on the Federal Trade Commission’s definition of sensitive information, which includes any data about children, financial and health information, Social Security numbers, and geolocation. In addition to adding Web browsing data, Wheeler also wants to deem a person’s mobile app usage sensitive.

Walter McCormick, president of USTelecom, a trade group whose members include AT&T and Verizon, said he was pleased that Wheeler decided that “the sensitive nature of the information being shared should be the determining factor in what is afforded increased protection.”

But the group is concerned that the FCC, “which has no expertise with regard to determining the content of speech, is now attempting to redefine what consumers may regard as sensitive,” he said. McCormick wants the FCC to defer to the FTC on what is regarded as sensitive data. 

The FCC gained privacy authority over broadband providers in 2015 after the agency approved rules for online traffic known as net neutrality. The regulations put the providers in the same legal category as more highly regulated conventional telephone companies.

Wheeler’s original proposal in March was lauded by consumer advocates as much-needed protection for the vast and potentially lucrative trove of data collected about customers as they surf the Internet, send email or use mobile apps.

But broadband providers complained that Wheeler’s plan to require customer permission before using any personal information departed from the longstanding views of the FTC, which had privacy oversight of the companies before the FCC’s net neutrality vote.

In May, the FTC’s staff told the FCC that the proposed rules did not “reflect the different expectations and concerns that customers have for sensitive and non-sensitive data” and “could hamper beneficial uses of that data.”

Those comments were among about 250,000 the FCC received on the proposed rules over the last six months. Wheeler said the “extensive feedback” led him to propose changes to his plan.

Broadband providers would be free to do what they want with data that is stripped of key identifying details so it can’t be linked to a specific person or device.

For example, federal officials consider healthcare information to be “de-identified” if 18 specific types of data are removed, including name, phone number, email address, Social Security number and all address details except for the first three digits of the person’s ZIP code.

But the providers must commit not to try to link the data back to the specific customer or device and prohibit anyone who receives the information from doing that as well.

The proposed rules also would ban broadband providers from refusing service to customers who won’t allow the sharing of their data.

Providers would be allowed to offer discounts or other incentives to customers to lure them to give consent to share more personal information, but would face “heightened” disclosure requirements for such plans. The FCC would review such “pay for privacy” offerings on a case-by-case basis.

Under Wheeler’s proposal, broadband providers would have to notify customers within 30 days after determining that a data breach has occurred.

The providers would have only seven days to notify the FCC of any data breaches, and notify the FBI and the Secret Service of breaches that affect more than 5,000 customers.
