New Privacy Rules Protect Internet Users
New rules to protect online privacy will allow internet users to choose whether and how internet service providers (ISPs) use or share personal information. The Federal Communications Commission adopted the rules by a 3-2 majority vote.
Similar rules already protect the privacy of customers who purchase telephone or cable services from telecommunications companies. The FCC has regulated some aspects of internet services (particularly to assure net neutrality), but this is the first the time FCC has regulated privacy on the internet.
The rules respond to the growing practice of collecting and selling data about customers to companies that target their advertising to particular customers. The rules are seen as “a major blow to some of Washington’s most politically powerful companies, including AT&T, Verizon and Comcast, which had hoped to use their privileged access to user data to build lucrative businesses by targeting advertising across multiple devices.”
Privacy advocates view the new rules as empowering consumers to retain control of their personal information. Companies that sell internet services, however, are likely to challenge the rules, which they view as encroaching on their opportunity to maximize their revenues.
Categories of Information
According to the FCC’s press release, the new rules create three categories of information:
- Sensitive information. When information is classified as sensitive, the ISP cannot share it unless the consumer “opts in,” or expressly consents to the ISP’s intended use of the information. Sensitive information includes “precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.”
- Non-sensitive information. When information is classified as non-sensitive, the ISP will be able to use or share it unless the customer takes affirmative steps to “opt out” by notifying the ISP that it should not use or share the information. Non-sensitive information includes all individually identifiable customer information that isn’t sensitive, including email addresses and service tier information.
- Information for which consent is not required. An ISP will be able to use information for certain specified purposes, such as providing services or billing, without regard to the customer’s express consent.
The rules also require ISPs to:
- Notify customers about how information will be used and shared, and how customers can change their privacy preferences.
- Take reasonable measures to safeguard customer data from theft and misuse.
- Notify customers and law enforcement agencies of data breaches.
The rules apply to ISPs that offer broadband services within the FCC’s jurisdiction. Consumers outside of the United States and those who use dial-up service will not be protected by the new rules.
Impact of the New Rules
The new rules make it possible for customers to shield personal information such as browsing histories and location data from disclosure to third parties. Internet users who do not want their web surfing or location to be disclosed will benefit from the rules. One privacy advocate warned that, without the rules, a “surveillance infrastructure” would have been “hard-wired … into the internet itself.”
Businesses that operate ISPs contend that the new regulations will limit their revenues and thus prevent them from lowering prices, although they offered little evidence that anything other than competition from other ISPs influences their pricing strategies. Businesses will be free to offer discounts to consumers who consent to the release of sensitive data.
Limitations of the Privacy Rules
The rules apply only to ISPs, not to website owners or other “edge service” providers. If an ISP operates a website (such as a social media site), the rules do not apply to that website. And the rules do not prevent an ISP from using a customer’s usage data to target advertising of its own communications services, including upgrades like larger mobile data plans.
Internet users will still be subject to targeted advertising if they give personal information to website owners that sell user data to advertisers. Google and Facebook, for example, make billions of dollars by collecting and selling user data. Google contends that browsing histories should not be regarded as “sensitive information,” a view that is opposed by consumers who don’t want anyone to know what websites they view in the privacy of their own homes.
Companies that operate ISPs complain that it is discriminatory to impose privacy rules on their businesses and not on websites. The solution to that complaint might be a new set of privacy rules that govern website owners, but it’s not clear that the FCC has the authority to regulate them. The Federal Trade Commission arguably has authority to create similar rules for websites as part of its consumer protection mandate, but no such rules are on the horizon.
The extent to which website owners have access to a broad range of sensitive information about website visitors, however, depends on the nature of the website and the steps that internet users have taken to safeguard their privacy. Consumers who are privacy-minded can avoid websites that collect personal information or can browse those websites using a privacy mode. They can also choose not to do business with websites that sell sensitive information. By contrast, subscribers to an ISP had little power to protect the privacy of their personal information prior to the FCC’s new rules.