The FCC today ruled that when it comes to your personal information, Internet service providers (IPS) are more like telephone companies and less like websites — and so it has limited ISP’s ability to make money by digitally stalking you and selling that data.
The ruling represents a rare win for consumers; a rare moment when federal regulators have placed a speed bump before corporations trading in their consumers’ most intimate information. The FCC essentially ruled that consumers’ data belongs to them, not to the corporations that collect it.
In doing so, the FCC drew a distinction between ISPs like Verizon or Comcast and websites like Google or Yahoo. The sites will continue to collect and sell just about any level of information; ISPs, because of their intimate relationship with consumers, will now have to obtain permission before using and sharing some kinds of data and grant consumers permission to opt out of other kinds of data usage and sharing.
Data defined as “sensitive” will require explicit opt-in from consumers. The FCC’s examples of sensitive data include:
- Precise geo-location (typically the real-world location of a mobile phone or other device)
- Children’s information
- Health information
- Financial information
- Social Security numbers
- Web browsing history
- App usage history
- The content of communication
Most other kinds of “non-sensitive” data – such as email addresses — can be collected, stored and shared without obtaining permission, but consumers must be given a method to opt out of it. Critically, ISPs are not allowed to refuse service to consumers who decline to participate in data usage and sharing. The FCC calls this “take it or leave it,” and it will be prohibited.
“The rules ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs,” the FCC said.
Consumer groups cheered the ruling.
“This rule represents a significant step forward in protecting internet users, who have no choice but to expose massive amounts of information to broadband providers. It reflects the reality that where we go online is private and the people we pay to carry it should treat it as private,” said Chris Calabrese, Vice President of Policy at the Center for Democracy and Technology.
The rule still allows ISPs to use data to market their own products to consumers, the CDT noted. And it doesn’t specifically mention IP addresses or machine MAC addresses, so it’s unclear those will fall under the “sensitive” category.
Internet service providers oppose the rule, saying it discriminates against them by treating them differently from websites.
“The Commission’s decision to break with the FTC’s proven privacy framework in favor of a cobbled-together approach that abandons principles of fair competition is profoundly disappointing,” said NCTA: The Internet & Television Association, in a statement. “Instead of creating a consistent and uniform approach to privacy that consumers can easily understand, today’s result speaks more to regulatory opportunism than reasoned policy. We strongly agree with the bipartisan Commissioners’ comments that the federal government should develop a common approach to online privacy, as there is no lawful, factual or sound policy basis to justify a discriminatory approach that treats ISPs differently from some of the largest companies in the Internet ecosystem that engage in similar practices but operate under different regulatory standards.”
The rules are set to take effect for larger ISPs in 12 months; smaller ISPs have an additional 12 months to comply. But plenty of observers believe the FCC will likely be sued over the rules. So, stay tuned.