The broadband Internet service providers (ISPs) that give consumers access to the Internet can see exactly how their customers use the Internet, what websites they visit and the apps they use. They are therefore able to create detailed profiles about those customers’ lives with few restrictions and without giving consumers the opportunity to control how their information is used.
Although this information is not used maliciously by the ISPs, it is often used to help deliver ads across customers’ many screens, such as televisions, tablets, smartphones and laptops.
The Federal Communications Commission (FCC) has recently proposed new privacy rules to give consumers more control about how their data is used and shared by ISPs. The proposed rules are based on providing choice, transparency and security to consumers:
- Choice: Consumers have the right to exercise control over what personal data their broadband provider uses and under what circumstances it shares their information with third parties or affiliated companies.
- Transparency: Consumers deserve to know what information is being collected about them, how it’s being used, and under what circumstances it will be shared with other entities.
- Security: Broadband providers have a responsibility to protect consumer data, both as they carry it across their networks and wherever it is stored.
There are three levels of consent proposed.
- No additional consent is required to obtain customer data necessary to provide the services the consumer has purchased, bill for services and market additional services (such as upgraded data services) to the customer.
- Unless the consumer chooses to opt out, broadband providers could use customer data to market related communications services and share customer data with their affiliates who provide communications-related services for the purpose of marketing those services.
- All other sharing of consumer data would require the customer to affirmatively opt-in and agree to their data being shared.
The proposed rules would also require broadband providers to take reasonable measures to keep customer data secure and to notify customers of data breaches within seven to ten days of discovery of the breach.
According to an analysis by the Cooley law firm, the proposed new rules, “will affect the online advertising ecosystem in ways that are significant but as yet unclear. Companies that partner with ISPs or use ISP-collected information in developing profiles for targeted advertising are likely to see that information flow effectively ended if the FCC adopts the rules as proposed.” Ad networks controlled by the ISPs would also be affected.
Cooley says that the FCC is considering a total ban on three types of practices:
- ISPs could not inspect the content of customers’ on-line transmissions, presumably except for network purposes.
- Some types of tracking technology, such as “supercookies” that cannot be easily disabled, would be prohibited.
- ISPs could not offer “financial inducements” to collect and use customer data, such as offering lower prices to customers who consent to sharing their data.
Privacy policies of individual websites, such as social media sites and ecommerce sites, would not be affected by the rules, and the proposed rules do not related to issues such as encryption or government surveillance.
The final rules may differ from what has been proposed, and the FCC is currently seeking public comment on what rules should be adopted.