FCC Broadband Privacy Proposal Shifts Toward FTC Model

Opt-in regime 'calibrated' to sensitivity of info

FCC chairman Tom Wheeler has unveiled a revised version of his broadband privacy proposal that no longer requires a consumer to opt in to most info sharing with third parties, including targeted advertisers, but bases opt-in vs. opt-out on the sensitivity of the information rather than how it is used.

The proposal also requires persistent, repeated and clear notifications of how that information is being shared and how it is being used, and how users can opt in and opt out of sharing.


Wheeler explicitly included Web browsing history and app use history as sensitive information subject to opt-in consent because of the unique relationship between ISPs and their customers, according to a senior FCC official. Geolocation is also considered sensitive info.

That means that ISPs would have to get opt-in consent to share web browsing and app use and geolocation info with third-party marketers.

Including Web browsing history as opt-in means there remains a gulf between how ISPs and edge providers are treated under privacy regs. Google has no such restriction on use of that history, a point a senior FCC official made on a call with reporters about the item, though he added that Google Fiber in its ISP role would be subject to the opt-in regime.

A cable executive source, speaking on background, also talked about that disparity, saying that while it appeared that the FCC was adopting the FTC approach, it was sufficiently broadening the definition of sensitive data (to include Web browsing, for example) such that the opt-in regime would create a huge disparity between how the FTC governs the edge and the FCC treats ISPs.

The new proposal is billed as more in line with the Federal Trade Commission's approach, including the FCC's plan to "calibrate" privacy protections "to the sensitivity of the information, in line with approaches taken by other privacy frameworks, including the FTC’s and the Administration’s Consumer Privacy Bill of Rights."

A senior official said he believed the item was “very much” in alignment with the FTC’s framework, but says the FCC did tailor that to the special relationship ISPs have.

That announced pivot came as Wheeler put it on the agenda for a vote at the Oct. 27 public meeting and after various parties, including the FTC, suggested a sensitivity approach was the best way to go.

Under the plan, ISPs must:

• "Notify customers about what types of information the ISP collects about its customers;

• Specify how and for what purposes the ISP uses and shares this information; [and]

• Identify the types of entities with which the ISP shares this information."

Currently defined as sensitive data that need opt-in consent, according to the proposal, are: "Geo-location (typically the real-world location of a mobile phone or other device); children’s information, health information, financial information, Social Security numbers, Web browsing history, app usage history [and] the content of communications."

The FCC will also create a voluntary privacy notice form that will serve as a "safe harbor" for compliance, which is also similar to the FTC approach.

The proposal also prohibits “take-it-or-leave-it” offers, "meaning that an ISP can’t refuse to serve customers who don’t consent to the use and sharing of their information for commercial purposes."

Providers can offer financial incentives for use of information so long as they are clear about what information they want to use, why, and get opt-in consent from their customers. But the FCC can look at such offers on a case-by-case basis.

The proposal does not include a checklist of data protection requirements, but does have guidelines on best practices on protection and disposal of data.

The proposal includes breach notifications within 30 days of an ISP determining a breach has occurred, with notification to the FCC in no more than seven days. The FBI and Secret Service have to be alerted to breaches affecting more than 5,000 customers, also within seven days.

ISPs can share aggregated, de-identified data, so long as it cannot be re-aggregated.

Wheeler got major pushback from ISPs and others over his original proposal, which was to require subs to affirmatively agree to the sharing of their online information -- like where they have been surfing -- to third parties for marketing and other purposes. Former officials in the Obama Administration and a former high-ranking Democratic congressman got together this week to root Wheeler on in what they anticipated was his move toward a more FTC-based approach to protecting consumers' personal information online.

The FCC's new broadband privacy proposal was being hailed Thursday by privacy groups, suggesting the item may not have pivoted sufficiently away from the opt-in regime for troubled ISPs.

"We laud the timely development of a rule that would require ISP customer permission before much of their personal information may be used or shared," said Katharina Kopp, deputy director of the Center for Digital Democracy. "This proposal offers consumers the much needed safeguards and desired control over their own personal information. For the first time, ISPs would have to obtain customer consent for the use of web browsing and app usage history for advertising purposes."
