The FCC has voted to enact a new rule that will force broadband companies to get consent from customers before they sell information about those customers’ online movements, history, and other actions.
The new rule will require broadband companies to have customers opt in to the sale or sharing of their online histories as part of marketing or ad deals. It includes restrictions on the way that providers can share users’ location data and other information and also ensures that they will have to tell consumers exactly what data they collect and what they do with it. The changes do not apply to how broadband providers can use customer information in their own marketing, though.
Here’s what the new rules require:
- Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.
- Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.
- Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.
The new regulations also require that broadband providers have “common-sense” data breach notifications and reasonable security practices.
The vote by the FCC makes distinctions between broadband providers and phone carriers and other service providers. Before the vote, providers and others had urged the FCC to align its rules with existing ones from the FTC on usage of customer data for marketing.
“Under the FTC’s recommended approach, web browsing and app usage data should be considered sensitive only to the extent they are otherwise categorized as sensitive information. The FTC specified that sensitive information should include the content of communications and the traditional categories of sensitive data (e.g., Social Security numbers and children’s, financial, health and precise geolocation data),” a filing on the topic from AT&T says.
“Thus, for example, web browsing and app usage data that involves the content of a consumer’s electronic health records or that could reveal information about someone’s sensitive health condition should be considered sensitive. However, the fact that someone has accessed CNN.com or ESPN.com should not be considered sensitive, and companies should be free to use such non-sensitive web browsing and app usage data for marketing purposes so long as they obtain opt-out consent.”
Not surprisingly, the vote did not sit well with marketers and advertisers.
“Today the FCC took an action which discards the regulatory framework that has fostered the growth of the Internet economy and supports much of the content and services consumers enjoy every day. The FCC’s decision is bad for consumers and bad for the U.S. economy. There are no winners in this action; only losers. In short, the FCC got this wrong,” Emmett O’Keefe, senior vice president of advocacy at the Direct Marketing Association, said in a statement.
Image from Flickr stream of Josh Hallett. CC By 2.0 license.