In pushing through new privacy rules governing ISPs, FCC Chairman Wheeler stressed
It is the consumer’s information. It is not the information of the network the consumer hires to deliver that information. The consumer has the right to make a decision about how her or his information is used.
Opt-In v Opt-Out
The new rules, which were approved in a 3-2 vote, dropped an earlier proposal that would have require consumer opt-in as a default standard and instead adopted the more lenient opt-out standard in which ISPs may freely use consumer data until the consumer opts-out.
The exception, however, are financial information, health information, precise geolocation information (as from your phone GPS), social security numbers, information relating to children, web browsing history, app usage history, and the content of communications.
ISPs must provide consumers with clear notice of:
- what types of information the ISP collects about its customers;
- Specify how and for what purposes the ISP uses and shares this information; and
- Identify the types of entities with which the ISP shares this information.
The rules also include heightened data security requirements.
“Take It or Leave It” v “Pay for Privacy”
The rules prohibit ““take-it-or-leave-it” offers, where the ISP refuses to serve customers who don’t consent to the use and sharing of their information for commercial purposes. Plans that offer pricing differentials based on consent to use of data will require heightened disclosure.
The rules did not include a ban on mandatory arbitration clauses, but the FCC did indicate it would revisit the issue in February.
Industry and marketing groups are threatening a legal challenge to the new rules, with the Internet & Television Association stating
there is no lawful, factual or sound policy basis to justify a discriminatory approach that treats ISPs differently from some of the largest companies in the Internet ecosystem that engage in similar practices but operate under different regulatory standards.