The news, which was heralded last week as a big win for online consumer privacy, is that the Federal Communications Commission (FCC) has imposed limits on what ISPs and carriers can do with customer data, including location data, without opt-in consent.
Here’s an excerpt from the FCC statement on the new rules:
The FCC’s Open Internet Order reclassified broadband Internet access service as a telecommunications service. Section 222 of Title II of the Communications Act requires telecommunications carriers to protect the privacy of their customers’ information.
The rules require that ISPs, whether they offer mobile broadband or fixed broadband to people’s homes, to:
- Notify customers about what types of information the ISP collects about its customers.
- Specify how and for what purposes the ISP uses and shares this information.
- Identify the types of entities with which the ISP shares this information.
Opt-in consumer consent is required when ISPs seek to use or share “sensitive information,” which includes:
- Precise geo-location (emphasis added)
- Children’s information
- Health information
- Financial information
- Social Security numbers
- Web browsing history
- App usage history
- The content of communication
Non-sensitive information is subject to opt-out requirements in most cases. The rules also prevent imposition of so-called “take-it-or-leave-it” offers, where a carrier or ISP can refuse service if data sharing isn’t accepted by the consumer.
Significantly, ISPs and carriers can collect, use and share “de-identified” consumer information, where “data that have been altered so they are no longer associated with individual consumers or devices.” If doing so, ISPs must meet a pre-existing test laid out by the FTC. This provision potentially still allows for targeting and attribution of classes or categories of people rather than individuals, which is how most location-intelligence and mobile ad targeting platforms work today.
Two parties, among others, that might be dramatically impacted by these rules are Verizon and AT&T. Both are ISPs and are both buying media companies for cross-device content distribution and ad targeting, Yahoo and TimeWarner respectively.
Another significant dimension to all this is that these rules don’t apply to “the privacy practices of websites or apps, like Twitter or Facebook, over which the Federal Trade Commission has authority.” Stay tuned for whether we get a similar, opt-in consent regimen from publishers and app developers. Location usage already requires that per Apple and Google.
All this sounds very sweeping indeed. The issue, however, is how prominent the disclosures and communication with consumers needs to be. As a skeptical article in Computerworld points out, if the FCC or the courts permit “consent” to be buried deep within terms and conditions, it will be ineffectual:
Yes, ISPs must now get explicit permission from consumers to release their data, but nowhere is there a prohibition on such permission being hidden in a 29-page T&C form that requires a one-click acceptance to begin the ISP service.
It will now be up to a subsequent FCC ruling or litigation to determine how visible and accessible the disclosures and consent must be. This is the key to the question of how tough or meaningful these new rules will be — for both consumers and ISPs/carriers.