FCC Adopts New Privacy Rule Limiting What ISPs Can Do With Your Personal Data

Image courtesy of FCC

Privacy is a complicated thing, especially online. While we all know companies like Google, Facebook, and Amazon — edge providers, in the parlance of regulators — collect and use our data, fewer of us think about how much the owners of the metaphorical pipes can see passing through them. So to that end, the FCC voted today to adopt rules designed to limit how much of internet subscribers’ data ISPs can sell, share, and trade, and to let customers have some more control over the uses of their personal information.

The 3-2 vote today neatly followed the script written by every high-profile proceeding — from net neutrality to LifeLine modernization — of the last few years, with chairman Tom Wheeler and commissioners Mignon Clyburn and Jessica Rosenworcel in favor, and commissioners Ajit Pai and Michael O’Rielly dissenting.

As we’ve explained before, while consumers have long-standing legal protections about phone and cable TV use data, there have (until today) been no such parallel laws for internet access data. The rule the FCC adopted today attempts to rectify that.

The rule has been in the making for some months, since the FCC voted at the end of March to first start considering privacy rules for ISPs.

The original proposal sought to place most consumer data into a category that would require explicit, affirmative opt-in consent from subscribers before it could be used.

After six months of internal discussion and public comment, FCC chair Tom Wheeler’s office circulated his final proposed version of the rule to the other four commissioners to discuss and finalize. That version of the rule, as we reported, still keeps the three buckets of opt-in and opt-out data, but with some tweaks about what goes in which bucket. The original draft proposed that all data not explicitly covered in one of two buckets of data usable on an opt-out basis be covered on an opt-in basis. But the final draft switches the default, and instead limits the opt-in bucket to a select handful of “sensitive” data points.

Those pieces of information that an ISP cannot share unless the customer explicitly grants permission include: financial information, health information, precise geolocation information (as from your phone GPS), social security numbers, information relating to children, web browsing history, app usage history, and the content of communication.

The final version of the rule also does not ban pay-for-privacy plans like that which AT&T tried for a while and Comcast has expressed interest in being permitted to try in the future.

That tweaking, and slight weakening, no doubt makes the final rule more palatable — or at least, less unpalatable — than Wheeler’s original proposal. However, that doesn’t make opponents by any measure pleased with the rule.

The commissioners speak in the same sequence about every issue. Clyburn, as usual, went first and began her remarks by pointing out that Americans basically desperately crave more clarity about privacy.

“91% of Americans believe consumers have lost control of how their personal information is collected and used by companies,” Clyburn said. “That is ninety-one percent. With news seemingly breaking every week about a cyber attack, massive data breaches, and companies collecting and selling customer data to government agencies, that number should come as no surprise to anyone.”

For that reason, she said, she emphatically supports giving consumers more notice, choice, and transparency with regards to how their privacy is handled.

“Today we substantially adopt the FTC’s framework on privacy,” she continued, “with some tweaks to account for the current era and unique position broadband providers occupy in our everyday lives.”

That call-out to the FTC is important; opponents of FCC action routinely point to existing FTC regulation regarding privacy and disclosure, and claim that the FCC cannot or should not set up a parallel or contradictory structure.

However, Clyburn did also speak out against the rule in part — not because of what is in it, but rather, because of what is not. There was originally some language about mandatory binding arbitration in the draft privacy proposal, which was removed along the way.

Clyburn spoke out strongly and urgently against mandatory binding arbitration clauses in customer agreements, arguing that they have a chilling, harmful, anti-consumer effect.

“I am disappointed that we did not join this vanguard in ensuring consumers are not unwittingly giving up their day in court when they sign up for communication services,” Clyburn said.

Rosenworcel pointed to security, when her turn came. She spoke to the security and challenges of the internet of things and connected devices, pointing to the massive DDoS attack, now believed largely to have been committed by unsecured webcams, that took giant chunks of the internet offline in the U.S. last week.

“Connection is no longer just convenience,” Rosenworcel said. “It fuels every aspect of modern civic and commercial life. Sitting outside this connectivity is consigning yourself to the wrong side of the digital divide.”

She also added that companies’ ability to store and use your data has grown exponentially. “The cost of data storage has declined dramatically,” she said. “The market incentive to keep data and slice and dice it to inform commercial activities are enormous and they are only growing to grow.”

And while Rosenworcel approved of the FCC’s attempt to bolster privacy regulation today, she also argued that more needs to be done for the future.

“Privacy policity discussions, including ours here today, frequently focus on three values: transparency, choice, and security,” she said. “But I think it is time to introduce a fourth: simplicity.”

“Consumers should not have to be network engineers to understand who is collecting their data, and they should not have to be lawyers to understand if their information is protected. So it is incumbent upon every policy-maker with privacy authority to think about how to make our policies more simple and more consistent.”

Rosenworcel ended by calling for a “21st century inter-agency privacy council” to work together across government agencies to protect consumers’ privacy as much as possible across the board.

Commissioner Pai, meanwhile, punted immediately back to the FTC and edge providers. He called the FTC’s regulations “a technology-neutral framework for online privacy,” saying it applied to everyone: “It did not matter whether an edge provider or internet service provider obtained your data.”

Some of that has to do with laws about who covers common carriers, as we’ve seen with AT&T going back and forth between FCC and FTC oversight. When net neutrality reclassified all broadband — fixed and mobile — as Title II common carriers, that changed who could do what.

(Commissioner O’Rielly, later in his remarks, explicitly called privacy a problem of the FCC’s own creation due to reclassification, and reiterated his stance that doing so was a violation of basically everything.)

While he agreed that the FCC should harmonize as much as possible with existing FTC regulations, Pai said, he was “disappointed but not surprised” when FCC leadership (Wheeler) “circulated an order that departed so dramatically from these principles.”

While commissioners Clyburn and Rosenworcel applauded how similar to the FTC framework the FCC rule is, commissioner Pai focused on every instance where it is different before going back to talking about edge providers, which the FCC cannot regulate.

“Privacy rules for ISPs are important and necessary,” Pai said, “but it is obvious that the more substantial threat for consumers are not the ISPs.” Citing recent news stories about Yahoo, Google, Apple, Twitter, and others, Pai complained that regulating ISPs more stringently than those providers “does not make any sense,” concluding “the cold reality that Americans should remember is this: nothing in these rules will stop edge providers from harvesting and monetizing your data … so if the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move foreword to ensure uniform regulations of all companies in the internet ecosystem at the new baseline the FCC has set. And that means the ball is now squarely in the FTC’s court.”

O’Rielly, meanwhile, started out by banging on his most familiar drum: The FCC does not actually have authority to do anything and always reads all regulations wrong. Once getting past his objection to the Federal Communications Commission regulating the modern mechanisms of communication, however, O’Rielly dove into the same FTC vs FCC waters first navigated by Pai.

“The order falls back on the tired refrain that broadband providers are gatekeepers and [that] in this role they are able to see more information about their customers than edge providers,” O’Rielly said, then calling that a “ridiculous notion” that has been “thoroughly debunked.” The rule should be overturned on the “faulty gatekeeper propositions” alone, O’Rielly said.

There also has been “no evidence of privacy harms and businesses have been able to provide great value to customers and consumers in the forms of discounts, convenient features, and other new innovative services,” O’Rielly continued. “Requiring opt-in consent for [the sensitive data categories] will destroy that value and upend years of expectations, burdening, rather than benefitting, most consumers.”

Additionally, that sensitive data is already covered, O’Rielly argued, since there are already laws on the books covering health and financial data. (However, those laws apply not just to the data, but to WHO has it — and ISPs have not explicitly been covered entities.)

Anyway, O’Rielly continued, making customers opt-in to data use will guarantee that many fewer of them share their data. What supporters see as a key feature of the rule, O’Rielly sees as a bug. He cited a comment to the proceeding that said opt-out consent regimes find about 82% of consumers permitting their data to be used, but that when reversing to an opt-in model, 18% or fewer of consumers may consent.

“This is not consumer choice,” O’Rielly said, “it’s recognition of apathy.”

Chairman Wheeler spoke last, and flat-out rebuffed gloom-and-doom arguments. “It’s seasonally appropriate that we have heard these Halloween-style scares and fears and hypotheses laid out,” he began, “when there is a basic truth” at play that opponents are ignoring.

“It is the consumer’s information,” Wheeler emphasized. “It is not information [belonging to] the network that the consumer hires to deliver that information. And what this item does is to say that the consumer has the right to make a decision about how her or his information is used.”

To illustrate the point, Wheeler spoke to seeing a smart refrigerator when he visited the testing labs at our parent company, Consumer Reports, last week.

The fridge, Wheeler said, collects information about what’s stored inside and shares it via the internet. “Now even when that data only goes to the refrigerator owner’s mobile device,” he continued, “It is known by AT&T or Comcast or whoever the ISP is” that consumer subscribes to. “So the ISP knows what goes in and out of a refrigerator!”

He then called the new rule “significant,” “rational,” and simple, reiterating his thesis that the information belongs to the consumer, full stop.

Before calling the vote, Wheeler also spoke to the issue of mandatory binding arbitration, promising that the FCC will put forward a proposal for managing and addressing the problem of mandatory binding arbitration no later than February of next year.

Our colleagues down the hall at Consumers Union, the policy and mobilization arm of Consumerist parent company Consumer Reports, applauded the decision. Jonathan Schwantes, senior telecom policy counsel, said, “As the Internet has become ubiquitous, broadband providers have gained a unique, all-encompassing window into our daily lives. Consumers deserve to know – and have a say in – who is collecting certain information about them and how it’s used. We think these new rules are strong, fair and necessary as we live more and more of our lives online. We’re also pleased that the Commission has committed to addressing arbitration clauses across telecommunications products in the coming year, and we look forward to working with them on this important consumer issue.”

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.