Those privacy requirements proposed by the Federal Communications Commission that the industry has been anticipating just got closer to reality. Today FCC Chairman Tom Wheeler said he would ask the full commission to vote on the new stricter broadband privacy rules he proposed earlier this year in a meeting scheduled for the end of the month. The rules require the internet service providers that we use for online and mobile device connections to notify consumers of data collection and use and, perhaps most controversial, obtain opt-in consent from consumers before using or sharing sensitive information.
The chairman initially proposed the rules in March, opening them to comment from stakeholders. The announcement today is another step in the long process that could turn the proposal into official rules.
"Over the past six months, we've engaged with consumer and public interest groups, fixed and mobile ISPs, advertisers, app and software developers, academics, other government actors including the FTC, and individual consumers to figure out the best approach," wrote Mr. Wheeler in an FCC statement today. "Based on the extensive feedback we've received, I am proposing new rules to provide consumers increased choice, transparency and security online."
If implemented, the rules would require ISPs to get "opt-in" consent from consumers before using and sharing what the agency deems to be sensitive data. That's not only information typically considered sensitive -- stuff like data associated with children, health and financial information, and email text content The opt-in requirement would apply to things like geographic location data, web-browsing history and app-usage data.
A sea of browsing history, app usage and location data is gathered and shared by mobile app publishers and countless third-party partners, and whether the FCC would require more specific notifications and opt-ins for such data practices than is already industry standard in the mobile sector is unclear. The details of the proposed rules have yet to be revealed.
"If you have a mobile device, your provider can track your physical location throughout the day in real time," wrote Mr. Wheeler in an FCC statement today. "Even when data is encrypted, your broadband provider can piece together significant amounts of information about you -- including private information such as a chronic medical condition or financial problems -- based on your online activity."
The FCC's inclusion of an opt-in standard for certain data uses could have a significant impact in a digital data environment in which industry has long relied on opt-outs and fought the idea of having to obtain opt-ins from consumers before gathering and using their information for ad targeting, marketing, and building consumer profiles. Other privacy guidelines such as the ad industry's own Digital Advertising Alliance require only that corporations respond to requests from consumers who opt out of data uses like ad targeting based on behavioral data.
The FCC proposal would require that ISPs need only allow consumers to opt out from uses of their non-sensitive data for marketing purposes, billing, or, for example, notifying them when they are nearing their mobile data limit.
What's different is that ISPs would need to get opt-in permission from consumers for uses of sensitive data. For instance, if ISPs such as Verizon or Comcast want to share information showing a consumer viewed cancer treatment websites with partners, they would have to obtain opt-in consent from consumers.
"It's also important to note that the proposed rules would not prohibit ISPs from using or sharing their customers' information -- they would simply require ISPs to put their customers in the driver's seat when it comes to those decisions," said Mr. Wheeler.
While the rules should strengthen consumer data protection, some privacy advocates believe they don't go far enough.
"The key difficulty I see with the proposal is the decision to treat sensitive information differently," said Pam Dixon, founder of World Privacy Forum. "Defining sensitive information in a big data world is an impossible task, as so many data points can be construed sensitive based on context. At the very least the definition of sensitive data needs to be much broader than, for example, the DAA [Digital Advertising Alliance] definition which is far too narrow to be effective. A best-case outcome would be a very broad definition of sensitive information," she concluded.
Mr. Wheeler made a point to stress that the Federal Trade Commission still has oversight of so-called "edge" providers that ISPs connect consumers to such as website operators like Facebook, email providers like Google or app platforms like Apple.
This new privacy arena for the FCC opened as a result of the agency's adoption of net-neutrality rules for broadband last year, giving it jurisdiction over ISP use of consumer data, the same way the agency has purview over how phone companies use our information.
"The FTC, which has protected consumers' privacy for decades in both the online and brick-and-mortar worlds, provided formal comment to the FCC on the proposed rulemaking, and I believe that our input has helped strengthen this important initiative," said FTC Chairwoman Edith Ramirez in a statement.
The FCC should have more impact than the Federal Trade Commission has had when it comes to safeguarding consumer privacy, mainly because the FCC has rulemaking authority while the FTC does not.