FCC Launches Privacy Rulemaking
A proposal to commence rulemaking on internet service providers’ privacy obligations was approved 3-2 by the Federal Communications Commission last week. FCC Chairman Wheeler explained that the rules were needed because
A consumer’s relationship with her ISP is very different than the one she has with a website or app. Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee.
The FCC proposal follows three principals:
- Choice: Consumers have the right to exercise meaningful and informed control over what personal data their broadband provider uses and under what circumstances it shares their personal information with third parties or affiliated companies.
- Transparency: Consumers deserve to know what information is being collected about them, how it’s being used, and under what circumstances it will be shared with other entities. Broadband providers must provide accurate disclosures of their privacy practices in an easily understandable and accessible manner.
- Security: Broadband providers have a responsibility to protect consumer data, both as they carry it across their networks and wherever it is stored.
The new rules would prohibit ISPs from sharing subscriber information with third parties without express consent which would include IP address and internet activity. This would prohibit practices such as Verizon’s “zombie cookie” (a hidden unkillable cookie) used to track cellphone users. It would not prohibit direct marketing by the ISP.
As with the Federal Trade Commission, the FCC believes security is a necessary element of privacy protection.
And, at a minimum, it would require broadband providers to adopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; to identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties.