FCC's new privacy rules target broadband providers - but not web giants like Google, Facebook

The US communications regulator is proposing new rules to stop broadband providers secretly tracking customers for targeted advertising.
Written by Liam Tung, Contributing Writer

FCC chairman Tom Wheeler: ISPs can piece together enormous amounts of information about customers.

Image: Mark Wilson, Getty Images

The head of the US communications regulator has unveiled a proposal for tougher security and privacy rules to be applied to broadband providers.

US Federal Communications Commission (FCC) boss Tom Wheeler on Thursday outlined a proposal that would require broadband providers such as Verizon and Comcast to obtain consent before collecting consumer data.

They would also have to explain clearly how they use that data for targeted advertising. The plan will also require providers to secure customer data and disclose data breaches.

The proposal comes on the heels of Verizon's $1.35m settlement with the FCC over the use of 'supercookies' in targeted advertising. Customers were not, until recently, given the choice to opt out.

The proposal doesn't outlaw data-sharing by broadband providers for all purposes. But it does place rules on providers for transparency, security and choice.

However, the FCC proposal does not apply to web companies such as Google, Twitter, and Facebook, on the grounds that web services firms have access to only a subset of their users' online activity.

The new regulatory push follows the FCC in February reclassifying broadband companies as utilities under the Telecommunications Act.

Wheeler said in a statement that broadband providers have unique access to customer information, enjoying an "unobstructed view of all their unencrypted online activity".

"Even when data is encrypted, broadband providers can still see the websites that a customer visits, how often they visit them, and the amount of time they spend on each website. Using this information, ISPs can piece together enormous amounts of information about their customers, including private information such as a chronic medical condition or financial problems," he said.

If the proposal is adopted, broadband providers would be allowed to share customer data with third parties for marketing, unless the customer opts out.

All other users and data-sharing would require an opt-in. Broadband providers will not need permission for activities related to the provision of broadband services, nor for marketing such services to the customer.

ISPs will also need to adopt risk-management practices to protect customer data. In the event of a breach they must tell affected customers within 10 days of discovery and the FCC within seven days. If the breach affects more than 5,000 customers, providers must inform the FBI and US secret service within seven days.

A vote on the proposal by the full Commission will be held on March 31. The public will have a chance to comment if the proposal is adopted.

More on data privacy

Editorial standards