The FCC certainly is keeping busy this fall. After six months of mulling it over, commission chairman Tom Wheeler announced today that the final version of a privacy rule that would limit what your broadband carrier can do with your personal data is in fact real and on the agenda for the FCC’s October meeting later this month.
This one, like many other high-profile consumer protection actions the FCC has taken in recent years (net neutrality, anyone?) has proven contentious from the start. The proceeding has more than 250,000 comments, letters, notices, and filings attached to it, which is… pretty big.
So after all that, here’s an outline of what the FCC came up with.
Opting In, Opting Out, and What’s “Sensitive” Anyway
According to the fact sheet it released today (PDF), the Commission has, with some modification, stuck with Wheeler’s original three-bucket proposal from March.
Some data your ISP can use without asking, because it needs to. Some data it can use without asking, but it has to give you the ability to opt-out at any time. And some data it can’t use at all until and unless you specifically opt-in.
The opt-in bucket is where “sensitive” data goes. Information that the FCC will consider “sensitive” under this rule includes:
- Geographic location
- Children’s information
- Health information
- Financial information
- Social Security numbers
- Web browsing history
- App usage history
- The content of communications
Some of those data types — specifically, children’s information, health information, and financial information — have some privacy rules attached to them already.
However, those rules apply not just to what type of data it is but, specifically and crucially, to who is handling it. Doctors, lenders, and other entities have a legal mandate to handle certain kinds of sensitive or identifiable information in a particular way… but other parties do not, as we’ve seen before. This rule would limit where some of that data can go without your permission.
The opt-out bucket is for, basically, everything else. Some examples of non-sensitive data given by senior FCC officials included your name, your address, and your current service-level tier. Anything not on the delineated opt-in list, including your IP address, goes in that bucket.
There’s also another bucket of data, though: that which is anonymized. ISPs will be able to use “legitimately de-identified” data (and also aggregated data) outside of the opt-in and opt-out schemes. Senior FCC officials said that the FCC will require that the data be anonymized and be unable to be linked back to a single user in any way, in accordance with existing FTC guidance from 2012. That FTC framework treats data as de-identified only if the company takes reasonable measures to strip identifiers, publicly commits not to re-identify it, and contractually bars anyone it shares the data with from re-identifying it. How well that actually works in practice (survey says: not well at all) is another matter.
Your Money Or Your Privacy
The FCC’s proposal also speaks directly to the kind of pay-for-privacy, financial incentive program that AT&T just ended last week.
Opting in or out of having your data used in a certain way doesn’t actually mean anything if it’s not a real choice. So to that end, the FCC is forbidding ISPs from putting in any sort of “take it or leave it” approach.
That means that agreeing to opt in (or refusing to opt out) cannot be a mandatory part of getting service. Your ISP has to agree to let you sign up, and to keep serving you, even if you tell them to keep their hands off your private data.
However, pay-for-privacy agreements are not banned. In short, the FCC has decided not to stand in the way of “financial incentives.”
Arrangements whereby you receive a discount for allowing your ISP to do what it wants with your sensitive data are permitted, but they require explicit, affirmative opt-in consent and “heightened disclosure,” a senior FCC official said. That means you can basically agree to a $30 a month discount in exchange for your data, but first the ISP has to be very clear about what information it’s gathering and for what specific purposes, and to let you know you’re making that trade-off.
The Commission will review any complaints about these offerings on a case-by-case basis, FCC officials said.
Also, Data Always Gets Lost
While the ability to opt into and out of certain kinds of data usage is the keystone of the proposal, the rule also includes requirements related to data breaches.
If adopted, the rule would set up regulations around who an ISP has to tell when they suffer a data breach, and how long the ISP has to make the notification. From the date of discovery (so, the moment someone in IT says, “oh, CRAP”), an ISP will have, at most, 7 days to notify the FCC, the FBI, and the Secret Service of any identified breach, and 30 days to notify consumers.
The rule also requires that ISPs holding data take reasonable steps not to get breached. Each provider would be expected to implement “up-to-date and relevant industry best practices,” provide “robust customer authentication tools,” and take other steps to make sure that people are who they say they are and that their data remains comparatively safe.
Additionally, it requires that any data deletion or disposal be done in a manner consistent with best practice guidance developed by the FTC, and in accordance with the White House’s proposed consumer privacy bill of rights.
So Now What?
You can safely expect to hear a lot of commentary — both for and against the proposal — in the coming days.
Your ISP has “a broad view of all of your unencrypted online activity – when you are online, the websites you visit, and the apps you use. If you have a mobile device, your provider can track your physical location throughout the day in real time,” Wheeler said in a blog post today.
“Even when data is encrypted, your broadband provider can piece together significant amounts of information about you – including private information such as a chronic medical condition or financial problems – based on your online activity,” he continued before addressing the big enforcement gap that exists.
See, the FTC has authority over what “edge providers” — companies like Facebook, Google, Amazon, and Netflix — can and can’t do with your personal data, and what they need to disclose to you about the ways in which they use it. The FCC, on the other hand, has authority over what telephone and cable companies can do. It all adds up to one big patchwork of protections that leaves a lot of holes in the middle.
Those holes, and that friction, have become the target of most of the public objection to the FCC’s proposal so far. As recently as Monday, insiders and watchers speculated that the FCC would adopt an FTC-style approach, abandoning the “must require consumers to opt-in” tack in favor of a “must permit opt-out” one.
Despite D.C. insiders and the broadband industry making much hay over the FTC/FCC turf war, however, the FTC seems largely supportive of the proposal.
“We know that consumers care deeply about their privacy, and I am pleased to see the FCC moving forward to protect the privacy of millions of broadband users across the country,” FTC chairwoman Edith Ramirez said in a statement today. “The FTC, which has protected consumers’ privacy for decades in both the online and brick-and-mortar worlds, provided formal comment to the FCC on the proposed rulemaking, and I believe that our input has helped strengthen this important initiative.”
The broadband industry has been hugely, overwhelmingly, against the proposed limits from the start. The vote even to consider making a rule was contentious, and since then we’ve seen repeated objections from carriers — notably AT&T and Comcast — to the mere idea.
The Commission is clearly prepared to face down legal challenges that industry may bring. Several times in the fact sheet, and during a press call with reporters, FCC officials stressed that the commission took into account all the comments and feedback it received to the proceeding when crafting the rule. They also made clear under what legal authority (section 222 of the Communications Act) they have crafted the rule, and why.
As to charges from AT&T and others that it’s not fair for the FCC to make privacy demands of them and leave companies like Google and Amazon alone, a senior FCC official said, “What we’re doing here is frankly what we’ve done for decades with communications networks, and that’s a duty that Congress has given us, to say that when consumers are on their communications networks, they have certain statutory protections. We are implementing those statutory protections here.”
He added, “We are looking at the relationship between the customer and the ISP, and we do think there are some specific protections customers deserve in that context.” The relationship consumers have with services they access through that ISP doesn’t enter into it.
Privacy advocates, meanwhile, are cheering the FCC on. “This proposal offers consumers the much needed safeguards and desired control over their own personal information. For the first time, ISPs would have to obtain customer consent for the use of web browsing and app usage history for advertising purposes,” Katharina Kopp, deputy director of the Center for Digital Democracy, said in a statement.
“Given the unique position of ISPs as gatekeepers to vast amounts of customer data, the FCC’s proposed broadband privacy rule is a critical step in preserving a free and open Internet into the 21st century,” Kopp added. “We will work to ensure this proposal is effectively implemented and that ISP broadband consumers receive the privacy protections they deserve.”
Usually the FCC votes (as often as not, 3-2) to adopt these big-ticket proposals three weeks after Wheeler’s office announces he’s circulating them. However, as we saw last month, when the vote on the final proposal to replace set-top boxes was scrapped at the last minute, surprises can still happen.
Provided that talks among the commissioners do not go pear-shaped again, you can expect the FCC to vote whether to adopt this rule on Oct. 27.
Editor's Note: This article originally appeared on Consumerist.