The Federal Communications Commission (FCC) issued new rules last week for broadband internet service providers (ISPs), giving consumers more control over their information and protecting their privacy.
You can go through the full release here, but here is a summary of the release:
- Clear notice – ISPs should notify consumers of what types of information they are collecting, specify the purposes, and identify who the data is shared with
- Breach notifications – If personal data is compromised in a breach, ISPs should notify affected customers immediately. Notification should be sent to the FBI and FCC no later than 7 days after the breach if it affects more than 5000 customers
- Opt-in – In a clear deviation from current norms on US websites, ISPs would be required to obtain "opt-in" consent from consumers before using and sharing sensitive information. Sensitive information, or CPNI, includes:
  - Geolocation of devices
  - Children's information
  - Health information
  - Financial information
  - Social Security numbers
  - Web browsing history
  - App usage history
  - Content of communications
- Opt-out – Customers would have the ability to opt out of sharing non-sensitive information
- Prohibit "take it or leave it" – ISPs cannot refuse service to customers who opt out of sharing information for commercial purposes. At the same time, they also cannot penalize customers with higher prices if they refuse to share information
- Need for strong security measures – The FCC recommends best practices for protecting customer information, including but not limited to management oversight, strong customer authentication tools, and properly disposing of data in accordance with consumer privacy regulations.
The rules are stated to go into effect in 90 days for data security and 6 months for data breach notifications. In the wake of the GDPR regulation in Europe, there is a trend of regulators becoming more diligent about protecting privacy and imposing mandates on enterprises to better protect consumer information. However, the FCC mandate does not seem to reflect all the needs of consumers, and particularly of the industry.
Here is what is good about the release and what can be improved.
The Good Part
- Intent to protect consumers. With the opt-in regulations for sensitive data, the FCC is forcing ISPs to get consumer consent before sharing or using the data for commercial purposes
- Breach notifications. Mandatory rules to notify customers in case of a breach
- Recommendation of security best practices
- Rules for both broadband and voice. With the recent industry consolidation, the rules target major ISPs as well as smaller providers and do not discriminate between broadband and voice offerings.
Need for improvement areas
- Definition of sensitive data – In a broad reach to protect privacy, the FCC has included a wide swath of data as "CPNI" or sensitive. This includes any app usage data and information on content consumed. The FCC needs to be more specific in its classification of sensitive data. An SSN is more sensitive than application usage data. A birth date or zip code could be more sensitive than the list of websites a consumer browsed. By not introducing finer segmentation of CPNI data, providers are burdened with enforcing controls on almost all of their data.
- Execution of the "opt-in" notice – The intent of opt-in is to be appreciated; however, there is no guideline on how opt-in notices would be provided. They could potentially be buried in lengthy legal notices that consumers blindly accept without fully reading.
- Parity with web companies – Web companies such as Google and Facebook are not bound by these FCC rules, which apply only to ISPs. There should be greater coordination among government agencies to harmonize privacy protections across all sets of providers, not just ISPs.
The FCC rules usher in a new dawn of consumer privacy protection in the US. They need to be balanced with sensitivity to providers' businesses and practicality of execution, as well as an enlarged scope covering internet companies that handle personal information from their customers. We do expect the rulings to be challenged in court by the ISPs, especially by those worried about losing advertising revenue. Data is the new gold, but acquiring the gold just became tougher.