FCC Approves Broadband Privacy Rules to Protect Consumers. Here's What Comes Next.

Bigger cable and telco companies will have a year before the major provisions of the privacy rules take effect

Alex Wong

The Federal Communications Commission (FCC) has voted to approve new broadband privacy rules that will give consumers greater control over how their personal information is collected and shared by internet service providers (ISPs). But consumers won't see the changes right away.

The ISPs will have about a year to adopt to the most sweeping changes in how they handle data.

The new privacy rules will force companies such as AT&T and Comcast to convince consumers to "opt in" before using and sharing many kinds of personal data for advertising and marketing purposes.

The proposal had been revised since being introduced in the spring, but the rules remained unchanged in recent days. The measure passed by a 3-2 vote among the FCC's commissioners. They split along party lines.

Consumers Union, the policy and mobilization arm of Consumer Reports, praised today's action. “As the Internet has become ubiquitous, broadband providers have gained a unique, all-encompassing window into our daily lives," said Jonathan Schwantes, senior telecom policy counsel for Consumers Union. "Consumers deserve to know—and have a say in—who is collecting certain information about them and how it’s used. We think these new rules are strong, fair, and necessary as we live more and more of our lives online.”

Stricter Rules for ISPs Than for Websites

The new regulations face opposition from ISPs and telecommunications trade associations. They argue that broadband providers should be governed in the same way as internet companies such as Google and Facebook, which are regulated by the Federal Trade Commission (FTC). ISPs have been overseen by the FCC since 2015, when these companies were classified as "common carriers," analogous to landline phone companies.

The Internet & Television Association was one of several organizations criticizing the FCC action. “The Commission’s decision to break with the FTC’s proven privacy framework in favor of a cobbled-together approach that abandons principles of fair competition is profoundly disappointing," the group said in a published statement. "Today’s result speaks more to regulatory opportunism than reasoned policy, ”

AT&T said that it “has long been committed to a clear and transparent approach to ensuring that the privacy rights of our customers are protected" and it acknowledged the need for regulation.

But, the company said, the new framework treats personal data differently from guidelines established for internet companies by the FTC, and therefore, "falls short of recognizing that consumers want their information protected based on the sensitivity of the information collected, not the entity collecting it."

AT&T predicted the rules would confuse consumers who would continue to see ads based on their web browsing history, even after being told that such data was no longer being collected without their consent.

Comcast released a lengthy statement that read, in part, that "once again a divided FCC chose a path that unfortunately will likely do more harm than good for consumers, competition, and innovation in the all-important internet ecosystem.

Apparently anticipating such criticism, Wheeler argued just before the vote that ISPs required a higher level of regulation than even web giants such Facebook because they have greater power over consumer data—by recounting an observation from his recent visit to Consumer Reports.

"Last week when I was visiting Consumer Reports' famous testing lab, I looked at a smart refrigerator that collects information about what's inside and shares it over the internet," he said. "Now even when that data only goes to the refrigerator owner's mobile device, it is known by AT&T, or Comcast, or whoever the internet service provider [is]. So the ISP knows what goes in and out of a refrigerator. So today what we're doing is taking a commonsense step, and that's to move forward to protect consumer network privacy. It's significant because before today, there were no protections."

Broadband Privacy Timeline

The rules will go into effect on a staggered scheduled.

First, the summary of the new rules has to be printed in the Federal Register, which will take between two weeks and a month. Once that happens the clock starts ticking.

The most important elements of the new rules are arguably the "notice and choice" requirements that give consumers the power to decide whether their personal information can be used for marketing purposes. The biggest companies will have 12 months to start complying with those rules. Smaller companies will have 24 months.

However, other provisions of the broadband privacy rules go into effect sooner. For example, ISPs have to meet the data security requirements for protecting against hackers and malware within 90 days. And rules that require ISPs to quickly notify both regulators and consumers when breaches occur take effect in six months.

A committee within the FCC will work to develop a standardized privacy statement that can used by ISPs to communicate with consumers. But ISPs will also be able to write their own privacy policies.

James K. Willcox

I've been a tech journalist for more years than I'm willing to admit. My specialties at CR are TVs, streaming media, audio, and TV and broadband services. In my spare time I build and play guitars and bass, ride motorcycles, and like to sail—hobbies I've not yet figured out how to safely combine.