The Federal Communications Commission voted 3 to 2 along party lines yesterday to implement privacy requirements for Internet service providers. If your ISP wants to, say, sell your web browsing history to Facebook, it will need to get your permission first. Facebook, on the other hand, will still be running under the Federal Trade Commission’s looser rules, since it’s an edge provider and isn’t regulated by the FCC.
We don’t know what the rules actually say – that’s a secret, despite the open vote – but a revised summary released afterwards clears up a few outstanding questions.
The post-vote summary was largely identical to the pre-vote summary released earlier this month. Grammatical tweaks aside, there were some changes to reporting requirements, more details about what ISPs can do with your private data for their own purposes, and a promise to “address mandatory arbitration requirements in contracts for communications services” early next year. The concern is that the legal boilerplate ISPs flash at customers unfairly restricts their legal rights. The summary implies that subscribers will be able to take advantage of the FCC’s existing dispute resolution process, regardless of whether a mandatory arbitration clause is in effect.
ISPs will have to get positive, opt-in permission from customers to share or sell sensitive information to third parties. The definition of sensitive information remains the same, and includes precise geolocation data, web browsing and app usage history and the content of communications, as well as things like social security numbers and medical information.
Non-sensitive information, such as a customer’s service tier, is assumed to be shareable unless customers specifically ask that it not be. In some cases, for example if an ISP wants to sell extra services to a subscriber or do routine things like send bills or troubleshoot a line, that consent is inferred regardless. Or so it seems – it’ll be interesting to read the actual text of the rules to see how the FCC proposes to draw those lines.
Telephone companies will have to play by the same rules – the FCC said that call records and such are also considered sensitive information.
Absent legal and procedural challenges – not a good assumption, actually – the meat of the new privacy rules will take effect in a little over a year, with small ISPs given two years to comply.