Recently, the U.S. Federal Communications Commission (FCC) voted to approve historic new rules that will require broadband internet service providers to extend privacy and security protections to users. These rules, which have now been released in full, give you the protections and respect for your privacy that the industry has too often failed to provide on its own.
One of the major benefits of the new rules are its protections for your web browsing data. Last summer, we reported that mobile broadband providers have been using “supercookies” to track people’s web browsing habits. The tracking has been happening surreptitiously, without providers asking you to opt-in and, in some cases, without even giving you a way to opt-out. Yet web browsing habits can reveal deeply personal details about your life. The new rules therefore require broadband providers to get your affirmative consent before using your “sensitive” data. It couldn’t have happened at a better time. Two of the companies tracking people via supercookies, AT&T and Verizon, have pending mergers that would greatly expand their access to your personal information.
What’s in the rules
The good news doesn’t stop there. The new rules further protect your privacy and security by requiring that providers:
- transparently disclose to you information about their privacy practices;
- get your opt-in consent before using or sharing “sensitive” data — including the content of your communications, your web browsing data, and your app usage history;
- give you the chance to opt-out from sharing and use of your other, “non-sensitive” data, such as your tier-level of service;
- take “reasonable measures” to protect your security; and
- notify you if there is a data breach that can cause you harm.
These are impressive protections, but the rules are not perfect. The FCC received more than 275,000 comments on its proposal, including Access Now’s response. We support broad and flexible classifications for the data covered; effective consent for the use and sharing of your data; workable security standards; data breach notification triggered by harms other than just financial; and more. The FCC took note of and adopted many of our recommendations in its final rules, but in some cases, the rulemaking process has resulted in watered down provisions. For example, the original proposed rules did not differentiate between “sensitive” and “nonsensitive” data. That new distinction creates ambiguity in the final rules, and it means different types of data will be treated differently.
What they signal: Your privacy matters
Nevertheless, these rules are a huge win for privacy in the U.S. Using social media platforms may have made more of us aware of the myriad privacy and security risks we face online, but broadband service providers have uniquely powerful, privileged access to our personal information. They are the ones that transfer our internet traffic, and they have direct access to every intimate thing we do and say online. This access will only grow as we begin to use devices that are internet-enabled, and the data generated in an “Internet of Things” world will be even more intimate.
With these new rules, the FCC has sent an important message, not just to broadband providers but to all companies, about the fundamental importance of protecting our privacy and security. Further, this victory may have wide-reaching impact. U.S.recognition of data privacy may reinforce recognition worldwide of the value of frameworks like this that protect internet users.
For these reasons, we’re strongly encouraged by the release of these new rules, and vigorously support their implementation.