New privacy rules passed by the Federal Communication Commission Thursday require Internet service providers to ask permission of their customers to collect and use personal information.
Providers of fixed and mobile broadband will need to get opt-in consent for data such as their consumers’ Web browsing history, app usage, health and financial information, children’s information, precise geolocation information, and the content of online communications. Customers must also be notified how their information is used and what other parties the Internet service provider shares it with. Other non-sensitive consumer data could be used on an opt-out basis.
“Consumers care deeply about their privacy and so should we,” said Commissioner Mignon Clyburn Clyburn, who joined fellow Democrats Commissioner Jessica Rosenworcel and FCC Chairman Tom Wheeler in approving the measure with a 3-2 vote at the agency’s monthly meeting.
The two Republican Commissioners, Ajit Pai and Michael O’Rielly, expressed concerns that the FCC had overreached its authority and confused the issue. For instance, the FCC’s privacy rules differ from how the FTC handles the privacy of information collected by Web sites, apps and other Internet destinations. “In creating this disparate system of regulation, (the FCC) is both confusing consumers and likely to create an unlevel playing field,” Pai said.
Opt-in requirements could cause consumers to miss out on potential features and developments under the new opt-in requirements, O’Rielly said. “Broadband providers will be reluctant to extend, and may even forgo, valuable offers and discounts that consumers would want for fear,” he said.
Consumer advocates hailed the agency’s action. Various industry groups assailed it. “Consumers will be bombarded with opt-in notice requirements every time they search online, however innocuous the data they seek might be,” said the Association of National Advertisers in a statement. The group said it planned either a court challenge or congressional action to reverse the FCC’s rulemaking.
An interagency council including the FTC and FCC should attempt to make privacy rules uniform and consistent, Rosenworcel said. “The forces at work in the digital world today are only going to make privacy more complex for all of us to control,” she said.
While the new rules help in the “here and now,” Rosenworcel said, “we still have work to do.”
The opt-in rules go into effect one year after they are published in the Federal Register, which is likely to occur before the end of the year. Requirements that companies notify users about a data breach go into effect six months earlier.