FCC imposes new consumer privacy rules on ISPs

The US regulatory agency will require broadband providers to get the approval of customers before sharing their sensitive information.
Written by Stephanie Condon, Senior Writer

The Federal Communications Commission (FCC) on Thursday approved new rules governing how internet service providers handle their customers' information. For the first time, ISPs like Comcast, as well as mobile data carriers like Verizon Wireless, will be required to get a customer's permission before sharing their sensitive information.

The rules were first proposed back in March and are part of a new regulatory push that started after the FCC reclassified broadband companies as utilities under the Telecommunications Act.

The new rules, approved in a three-to-two vote that came down along partisan lines, create tiers of information with different requirements ISPs must follow.

  • Opt-in: ISPs must obtain affirmative "opt-in" consent from consumers to use and share sensitive information. The rules specify that "sensitive information" includes precise geo-location, financial information, health information, children's information, social security numbers, web browsing history, app usage history and the content of communications.
  • Opt-out: ISPs can use and share non-sensitive information unless a customer opts out. This category includes individually identifiable information that doesn't fall into the "opt in" category, such as email addresses or service tier information.

The new rules also include requirements for ISPs to protect consumer information and keep customers informed of their practices. Specifically, they call on ISPs to give consumers clear and persistent notice about the information they collect, how it may be used, with whom it may be shared and how customers can change their privacy preferences. The rules require ISPs to engage in reasonable security practices and give guidelines for steps they should consider taking, such as implementing customer authentication tools. Lastly, the rules require ISPs to inform consumers and law enforcement about data breaches.

The FCC noted that the rules don't apply when it comes to government surveillance, encryption or law enforcement. Additionally, they only apply to broadband service providers and other telecommunications carriers -- websites like Google and edge devices are off the hook in this case.

It's also possible ISPs may try to charge customers more if they refuse to "opt in" to certain practices. The rules prohibit ISPs from denying service to those who refuse to share their information, but they don't specifically ban so-called "pay for privacy" offerings.

Back in August, Comcast said in a filing with the FCC that it wants to give "discounts or other value to consumers in exchange for allowing ISPs to use their data." The filing said that the FCC has "no authority" to limit or prohibit these programs, which effectively allow the internet provider to turn over web histories to advertisers.

The new rules, however, do require "heightened disclosure" for these kinds of plans, and the FCC says it will review their legitimacy on a case-by-case basis. "Consumers should not be forced to choose between paying inflated prices and maintaining their privacy," the FCC said in a release.
