New FCC Privacy Rules Outline ISP Responsibilities Around Customer Data

1 comment

This week, ProPublica outlined the Federal Communications Commission’s newly proposed privacy rules for Internet Service Providers, which in some ways update consumer privacy protections, but also potentially makes users pay a premium for privacy.

These are 5 of the main proposal highlights:

  1. No sharing of customer data with third parties without permission

Internet providers cannot share customer information with third parties without permission.

Customers need to opt in to have their data (name, address, location, and Internet activity) shared with a third party unless they have opted in to having their data shared.

  1. Network activity can’t be linked to a name, phone number or ID number

The old rules protected a user’s name or phone number from being attached to metadata such as the duration and frequency of customer calls and their location. The new proposal goes further, forbidding ISPs from linking a person’s name or phone number to their Internet activities or location using a unique identifying number (not just their name or phone number).

  1. Requiring users to opt-in for cookies tracking customers on behalf of subsidiaries

Verizon was sued by the FCC for using a hidden unkillable (ie. “zombie”) number to track cell phone users which it said violated customers’ privacy. In its settlement with the FCC, Verizon agreed to pay $1.35 million and allow customers to opt in to any future uses of zombie cookies to track cell phone activity – but it didn’t specify that it couldn’t track activity on behalf of its subsidiary Aol.

The new rules would stop both companies from being able to use zombie cookies without opt-in.

  1. AT&T will still be able to charge customers for a more private version of its high-speed “Gigapower” plan

The version of Gigapower costs $70 a month for customers agreeing to let AT&T track the web pages they visit and search queries. Users have to pay $100 a month if they want to protect their privacy.

  1. The proposal doesn’t cover content, only metadata, so unencrypted data is still fair game.

If a customer visits an unencrypted website, the Internet provider could still view and share the contents of that website without consent.

Proposed Regulations Make Consumer Rights Activists Happy, and ISPs Upset

Yewande Ogunkoya, from the Center for Digital Democracy, wrote: “The proposed FCC opt-in for most consumer transactions can provide a foundation where data is under a person’s control—not a broadband company or some unknown third party. It’s a major step forward for the US, which has lagged behind other countries when it comes to protecting consumer privacy rights.”

Bob Quinn, senior vice president of AT&T’s federal regulatory division, has a different opinion. Earlier this month, he wrote a blog post that defended the previous privacy safeguards, explaining that ISPs have their own privacy policies describing what information is collected, how it’s collected and how it’s used.

Quinn also explained that the Federal Trade Commission’s framework (which had authority before the Title II Order gave the FCC power to regulate Internet services) had the tools needed to effectively police privacy. “I would note that the FTC, to my own eyes, has been an active and aggressive regulator enforcing consumer protections in enforcement actions versus the likes of Google, Facebook, Snapchat and a host of other companies.” The FTC’s protections, he wrote, were equal to or stronger than privacy enforcement in Europe despite EU courts striking down the safe harbor provisions governing data transfers between the US and Europe because of unsure data privacy in the US.

He made a fair point that ISPs may be unfairly targeted when it comes to user privacy when it’s companies like Google and Apple who are major users of customer data for targeted advertising on their mobile operating systems. Under the new rules, they’ll continue to be able to use unique identifiers to profile users without an explicit opt-in.

The FTC is still the body that has authority over the privacy practices of wesites like Twitter and Facebook. And the new proposal doesn’t address any issues around surveillance, encryption or law enforcement.

The proposal will be voted on by the FCC at the Mar. 31 Open Meeting, and, if adopted, would be followed by a period of public comment.

Add Your Comments

  • (will not be published)

One Comment

  1. Both benefits from consumer and internet services provider. How can they know that customer abide with this rule, what the government going to action?