Computerworld

FCC tells ISPs to get customer permission before sharing sensitive info

But the rules only apply to broadband providers, not to Google, Facebook, and other web-based companies
  • Grant Gross (IDG News Service)
  • 28 October, 2016 02:04

The U.S. Federal Communications Commission has passed rules requiring broadband providers to receive opt-in customer permission to share sensitive personal information, including web-browsing history, geolocation, and financial details, with third parties.

The FCC on Thursday voted 3-2 to adopt the new broadband privacy rules, which also include requirements that ISPs promptly notify customers of serious data breaches.

Broadband customers need transparency and control over how their data is used, said Jessica Rosenworcel, one of three Democratic commissioners voting for the rules. Broadband providers are increasingly sharing customer data with third-party companies such as advertising networks and analytics firms, she said.

"Our digital footprints are no longer in sand, they are in wet cement," she said. "The monetization of data is big business. The market incentives to keep our data and slice and dice it to inform commercial activity are enormous."

The new FCC privacy rules are slightly watered down from an agency proposal from earlier this year that would have required broadband providers to get opt-in permission before sharing most customer information with other companies.

The final rules would instead require customers to tell their ISPs to stop sharing nonsensitive personal information, such as age, gender, and race. Backers of the new rules say they were necessary after the FCC reclassified broadband as a regulated, common-carrier service in new net neutrality rules passed in February 2015. Reclassification of broadband moved the authority for policing broadband privacy from the Federal Trade Commission to the FCC, privacy groups have said.

The FCC's two Republican members, as well as several ISPs, objected to the new rules. The regulations would do nothing to stop web-based companies like Google, Facebook, Yahoo, and Twitter from collecting and sharing the personal data of their users, said Commissioner Ajit Pai.

"This is not data-driven decision making," Pai said. "It's corporate favoritism."

Nothing in the rules will stop Google, Facebook, and other "edge" internet providers from "harvesting and monetizing your data," he added. The tougher privacy rules for ISPs will lead to consumer confusion, he said.

Consumers "shouldn't have to be network engineers to understand who's collecting their data, and they shouldn't need law degrees to determine whether their data is going to be protected," Pai added.

The rules require ISPs to take reasonable measures to protect the security of customer data and notify customers of data breaches when the ISPs believe there is a reasonable likelihood of customer harm. 

The new rules also require ISPs to provide customers with clear notices about the information they collect, how it may be used, and with whom it may be shared.