FCC wants ISPs to get customer permission before sharing personal data

The proposed rules would also require broadband providers to report data breaches

Broadband providers would often be required to get customer permission to use and share personal data they collect under regulations proposed by the U.S. Federal Communications Commission.

Broadband providers have an unrivaled ability to track customers and collect personal data, and there currently are no specific rules covering broadband providers and customer privacy, FCC officials said Thursday.

The goal of the rules is to give broadband customers notice, choice and control over their personal data, FCC officials said during a press briefing.

"Your ISP handles all of your network traffic," FCC Chairman Tom Wheeler wrote in the Huffington Post. "That means it has a broad view of all of your unencrypted online activity -- when you are online, the websites you visit, and the apps you use."

On mobile devices, providers can track customers' physical locations, he added. "Even when data is encrypted, your broadband provider can piece together significant amounts of information about you -- including private information such as a chronic medical condition or financial problems -- based on your online activity," Wheeler said.

The proposed rules, to be debated during the FCC's March 31 meeting, would allow broadband providers to send information about new deals and deliver Web-browsing functionality without seeking further customer permission.

The proposal, which would go out for public comment if approved later this month, would allow broadband customers to opt out of data collection for the broadband providers' internal and affiliate marketing and other communications-related services. For all other purposes, including most sharing of personal data with third parties, broadband providers would be required to get customers' opt-in permission to use and share customer personal data.

The rules don't prohibit ISPs from using the personal information they collect, "only that since it is your information, you should decide whether they can do so," Wheeler wrote. "This isn’t about prohibition; it’s about permission."

Wheeler's proposal would also require Internet service providers to notify customers about data breaches of personal data, with affected users notified within 10 days of discovery of the breach. More than 40 U.S. states have data breach notification laws, but there's no national standard.

ISP trade groups have called on the FCC to avoid passing an extensive set of new rules that specifically target providers.

"Consumer information should be protected based upon the sensitivity of the information to the consumer and how the information is used -- not the type of business keeping it, how that business obtains it, or what regulatory agency has authority over it," five ISP trade groups said in a letter to the FCC this month.

Some ISPs and trade groups have questioned the need for new rules by noting that the use of encryption and virtual private networks is growing among broadband users.

But broadband customers shouldn't have to rely on encryption or VPNs to protect their personal data against sharing by providers, FCC officials said.

The FCC's move toward new privacy rules for ISPs is related in part to the agency's reclassification of broadband as a regulated, common-carrier service in new net neutrality rules passed in February 2015. Reclassification of broadband moved the authority for policing broadband privacy from the Federal Trade Commission to the FCC, privacy groups have said.

Under common-carrier rules, "the information collected by the phone company about your telephone usage has long been protected information," Wheeler wrote. FCC rules "limit your phone company’s ability to repurpose and resell what it learns about your phone activity. The same should be true for information collected by your ISP."

Privacy advocate Jeffrey Chester, executive director of the Center for Digital Democracy, called the proposed rules a "major step forward" for privacy in the U.S.

"Today, Americans have really no privacy when they go online, use mobile phones, or stream videos," he said. "They face a growing threat to their privacy as cable and phone company broadband ISPs construct a powerful and pervasive data gathering apparatus."

Stories by Grant Gross
