The FCC (Federal Communications Commission) voted to require broadband/internet providers to get “explicit consent” before sharing data with marketing companies.  That means no more forcing people to “opt out” of obscure user agreements.  In other words, if they want to share our data with advertising companies, they’ll need to ask us… and we’ll have to say yes.

It’s a huge change from the world we live in now where user data is shared regularly with advertisers and marketing companies typically without consent.

“It’s the consumers’ information… how it is used should be the consumers’ choice. Not the choice of some corporate algorithm.” – FCC Chairman Tom Wheeler.

The new rules passed with a 3-2 vote.  It immediately brought out the ire of the advertising community. “They have clearly disregarded the heart of our discussions, that a vast amount of data that is browser and app use data is not sensitive data,” Dan Jaffe, Government Relations at The Association of National Advertisers in Digiday.

“This is unprecedented, misguided and extremely harmful.” – Dan Jaffe, Government Relations at The Association of National Advertisers in Digiday

One of the concerns raised by the proponents to the rules is that it regulates the broadcast distributors but it doesn’t address websites or social media.  So Comcast or Verizon can’t gather your data and sell it off, or use it for targeted ads, but Facebook and Google can.

AT&T filed comments with the FCC prior to the ruling stating that.  ““There is no sound reason to subject broadband providers to a different set of rules than other Internet companies,” James JR Talbot, Senior Legal Counsel for AT&T wrote.

This would only confuse customers and deny broadband providers the same opportunity other Internet companies have to participate in the fast-growing digital advertising market.” – AT&T via a regulatory filing with the FCC.

There’s question about the FCC’s authority in this area.  They claim regulatory authority over broadband companies (the distributors), but not the individual content companies (the suppliers).  The suppliers, like Google or Facebook, are under the auspices of the Federal Trade Commission (FTC), which has a different set of consumer protection regulations.  Under those rules, Google doesn’t have to ask permission first to gather data.  Facebook makes its use contingent on allowing the company to use the data it gathers.

“There is a basic truth: It is the consumer’s information. It is not the information of the network the consumer hires to deliver that information.  What this item does is to say that the consumer has the right to make a decision about how her or his information is used.” – FCC Chairman Tom Wheeler

Once the new rules are printed in the Federal Register, companies will have between 12 and 24 months to comply (depending on their size).  Other rules, such as data security requirements and protection against hackers/malware go into effect 90 days after publication.

The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:

  • Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.
  • Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.
  • Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

In addition, the rules include:

  • Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences.
  • A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.
  • Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.