The Federal Communications Commission (FCC) on Thursday proposed new rules that regulate how Internet Service Providers (ISPs) can use and share customer data, which privacy and technology advocates called a "decisive step to protect consumers."
The proposed rules (pdf), to be voted on at the commission's March 31 meeting, would require ISPs to disclose how users' online activity may be collected and require them to increase safeguards against hacking and identity theft, or other unauthorized breaches.
It's the FCC's first major regulatory undertaking after its vote in February 2015 designating the internet to be a public service. By reclassifying ISPs as utilities under Title II of the Communications Act, the FCC was required by law to create privacy rules for them.
Providers will still be able to use customer data or share it with affiliates to market other communications services, but the rules would give users the ability to opt out of such programs—and if the ISPs want to use customer data for any other purpose, they would have to obtain "affirmative 'opt-in' consent" from users.
"Given the central role the internet plays in our daily lives and the amount and sensitivity of the data we share online, consumers need to be put in the driver's seat," said Katharina Kopp, director of privacy and data at the Center for Democracy and Technology, an advocacy group. "Giving individuals the opportunity to affirmatively consent to uses of their broadband data for purposes unrelated to providing communications services is fair and will give them some much needed control."
ISPs have an "unobstructed view" of users' unencrypted activity on the internet, FCC chairman Tom Wheeler noted in a fact sheet on the proposal. Even when activity is encrypted, the providers can still see what websites users visit and how long they spend on them.
"When consumers sign up for internet service, they shouldn't have to sign away their right to privacy," Wheeler wrote.
Another advocacy group, the Electronic Privacy Information Center (EPIC), noted that the focus on ISPs "misses a vast amount of data collection activities by other service providers" such as search engines, social media platforms, and other websites, and urged the commission to establish a broader framework of guidelines based on the code of fair information practices.
However, according to the FCC, websites like Facebook and Twitter are under the jurisdiction of the Federal Trade Commission (FTC), which cannot create rules for online privacy.
Still, the new rules are "a decisive step to protect consumers," said Meredith Rose, a staff attorney at Public Knowledge, a digital rights group. "This is an issue which touches the life of every connected consumer, and we are pleased to see the chairman taking a stand on such a critical topic."
Gaurav Laroia, a policy counsel at Free Press, said in a statement, "Congress was wise to require that the FCC maintain special privacy protections for customers of all common carriers. It's crucial for the FCC to modernize these protections and apply them to broadband."
"As the gatekeepers to the internet, ISPs like AT&T, Comcast and Verizon are uniquely positioned to access almost all of our internet traffic, including information about the sites we visit and the messages we send," Laroia said. "That's especially true when internet users aren't encrypting their conversations or taking other steps to protect themselves from prying."
Following the March 31 vote, the FCC will open the rules to public comment. The approval process is expected to take several months.