What the FCC privacy push means for consumers, Internet providers

The Federal Communications Commission has proposed new security and privacy standards for broadband providers. Industry groups complain the proposal goes too far.

In a move toward becoming a more robust privacy cop, the Federal Communications Commission this week released a draft framework for how broadband providers should safeguard consumer data.

The proposal aims to give individuals controls over how Internet providers and telecommunication companies collect and use their information. It would also put greater responsibly on broadband providers for securing personal information.

While critics say the FCC is going too far in trying to police online privacy and just layering more rules onto an already over-regulated industry, privacy advocates hailed the FCC's move as an important step forward toward improving consumer privacy and security.

"Given the importance and the urgency of making the communication sector is secure," said Harold Feld, senior vice president at the advocacy group Public Knowledge, "it certainly makes sense to have the FCC apply its expertise to this area."

One of the most significant aspects of the draft is the requirement that consumers must consent before companies can share their information with third parties for any reason other than marketing and billing. This "opt-in" policy differs from the current "opt-out" structure that many broadband providers adhere to.

Additionally, the framework calls on broadband providers to notify affected customers of a data breach within 10 days of discovering the issue and the FCC within a week.

The framework is part of the FCC's newly designated authority over broadband providers. Previously, broadband providers fell under the joint jurisdiction of the FCC and Federal Trade Commission (FTC). But that changed with the FCC’s ruling on net neutrality last year, which sought to prevent Internet service providers, or ISPs, from favoring or blocking online content.

Broadband providers were reclassified from a "utility" to a "common carrier," bringing them directly under the FCC's control and excluding them from the FTC's sphere of authority. The providers wouldn’t be subject to net neutrality requirements if they were still classified as a "utility."

What that means is now the FCC has the ability to exercise its rulemaking powers on broadband companies. Whereas the FTC relied on setting precedent with specific rulings following cases over corporate infractions, the FCC can proactively establish rules to address issues such as privacy.

"Its rulemaking authority gives it a tremendous advantage over the FTC," said Mr. Feld.

Penalties, Feld said, could include withholding federal subsidies from a provider if that provider fails to adequately protect its customers' information, requiring providers to implement a data security training program for its employees. The FCC can also require audits.

Fines, on the other hand, are likely to resemble past FCC action against companies. For instance, the agency fined Verizon Wireless $1.35 million for violating a transparency rule that requires ISPs to inform their customers about their network management practices.

Verizon used a pervasive tracking cookie for two years without disclosing it to their customers or obtaining consent for such a practice. AT&T is also currently contesting a $100 million fine from the FCC for cutting down the Internet speed of its unlimited data plan customers without properly notifying them. 

While the broadband aspect is recent, privacy enforcement isn't an entirely new role for the agency. In 2007, the FCC issued data protection requirements for telecom providers to avoid data breaches or "unauthorized disclosure," part of which was a requirement to notify customers of a breach.

In a recent letter to the FCC signed by 12 privacy groups, including Public Knowledge and the Electronic Privacy Information Center (EPIC), privacy advocates urged the agency to place the burden of ensuring privacy on companies instead of consumers.

"We think that privacy shouldn’t be a privilege. It should be for everyone. It should be a human right and be treated as such," said Claire Gartland, consumer protection counsel at EPIC. 

But as privacy advocates have cheered the FCC's draft privacy rules, the telecom industry is pushing back. Five telecoms, in a separate letter, argued for a looser framework.

Instead of mandating specific actions providers should take to protect various data, the letter said, the framework should lay out a privacy goal and let each telecom decide how to meet that. The letter also expressed a desire for breach notifications to customers and a data security program. Their suggestion for transparency about their data collection and sharing practices does not specify whether it would resemble something akin to a privacy policy or notice for each instance of such collection.

At the end of the month, the FCC will take the proposal to a vote and open a period for public comments, after which it will review and respond to the comments submitted. A final ruling will follow.