FCC Chairman Tom Wheeler recently announced a proposal to “give broadband consumers increased choice, transparency and security with respect to their data.”
“The information collected by the phone company about your telephone usage has long been protected information. Regulations of the Federal Communications Commission (FCC) limit your phone company’s ability to repurpose and resell what it learns about your phone activity,” wrote Wheeler in an op-ed for The Huffington Post. “The same should be true for information collected by your ISP.”
Under Wheeler’s proposal, ISPs would only be allowed to use customer data for “the purposes of marketing other communications-related services and to share customer data with their affiliates that provide communications-related services for the purposes of marketing such services unless the customer affirmatively opts out.”
To do anything else with customer data, the ISP must have the customer affirmatively opt in.
The proposal adds that ISPs do not need the customer’s consent to use their data to provide the service that the customer purchased, because consent is inherent in the customer’s decision to purchase the ISP’s services.
“… customer data necessary to provide broadband services and for marketing the type of broadband service purchased by a customer would require no additional customer consent beyond the creation of the customer-broadband provider relationship.”
Wheeler also wants ISPs to keep customers’ data secure and implement measures to safeguard it. At the very least, ISPs would be required to:
- Adopt risk management practices
- Institute personnel training practices
- Adopt strong customer authentication requirements
- Identify a senior manager responsible for data security
- Take responsibility for use and protection of customer information when shared with third parties
In the event of a data breach, ISPs would be required to:
- Notify affected customers of breaches of their data no later than 10 days after discovery
- Notify the FCC of any breach of customer data no later than 7 days after discovery
- Notify the FBI and the US Secret Service of breaches affecting more than 5,000 customers no later than 7 days after discovery of the breach
The proposal makes sure to point out that “it’s about permission and protection, not prohibition.” It explains that ISPs won’t be prohibited from using or sharing customer data for any reason; it simply wants customers to have a say in what happens to their data. Customers do this by either opting out or requiring their ISP to get their permission before doing anything.
For those of you wondering, this doesn’t mean that ISPs won’t hand over your data to law enforcement. That is outside this proposal’s scope, as is what other sites like Twitter or Facebook do with your data, along with other services your ISP may provide, such as web hosting.
Wheeler concluded his op-ed with:
“Simply by using the Internet, you have no choice but to share large amounts of personal information with your broadband provider. You have a right to know what information is being collected about you and how that information is being used. That’s why establishing baseline privacy standards for ISPs is a common sense idea whose time has come. The bottom line is that it’s your data. How it’s used and shared should be your choice.”
The FCC is set to vote on this proposal on March 31.