New rule: Internet providers must ask you before sharing your sensitive personal data

A woman works on her laptop in the Rose Main Reading Room of the New York Public Library this month.
A woman works on her laptop in the Rose Main Reading Room of the New York Public Library this month.
(Mark Lennihan / Associated Press)

Federal regulators on Thursday approved tough new rules requiring high-speed Internet service providers to get customer permission before using or sharing sensitive personal data, such as Web browsing or app usage history and the geographic trail of mobile devices.

Cable and wireless companies that offer broadband service would not have to first get a customer’s approval before using or sharing any non-sensitive data, such as a person’s name, address and type of data plan. Consumers would have to opt out of the sharing of that information.

But such information is limited — most customer data will be considered sensitive. And because the FCC gained privacy authority over broadband providers last year, those companies have not had to get permission to use or share any data.


The privacy regulations approved by the Federal Communications Commission on a partisan 3-2 vote will be phased in over the next two years.

Consumer advocates applauded the agency’s action.

“As the Internet has become ubiquitous, broadband providers have gained a unique, all-encompassing window into our daily lives,” said Jonathan Schwantes, senior telecommunications policy counsel for Consumers Union. “We think these new rules are strong, fair and necessary as we live more and more of our lives online.”

But the rules were strongly opposed by cable and wireless companies, including AT&T Inc., which wants to expand its media empire — and its trove of consumer data — with the proposed purchase of Time Warner Inc.

The broadband providers complained that they now will face tougher restrictions on the sharing of valuable customer data than Google Inc., Facebook Inc. and other Internet companies.

The FCC’s definition of sensitive data also includes the content of communications, Social Security numbers and information about financial activity, health or children.

FCC Chairman Tom Wheeler, a Democrat who proposed the rules, said broadband subscribers “will finally be in the drivers’ seat” in deciding how their sensitive personal information is used.


“It is the consumers’ information. It is not the information of the network the consumer hires to deliver that information,” Wheeler said. “The consumer has the right to make a decision about how her or his information is used.”

Wheeler and the two other Democrats who make up the commission’s majority, Mignon Clyburn and Jessica Rosenworcel, said consumers have fewer choices about how they access the Internet — either from their home or via mobile devices — and the agency was required to enact new rules for broadband providers under the expanded authority over the companies gained under net neutrality rules adopted last year.

The FCC’s rules don’t apply to individual websites or social networks, which are overseen by the Federal Trade Commission. Before the net neutrality rules, the FTC also oversaw Internet service providers.

The rules approved Thursday were softened from a proposal made by Wheeler in March that would have required customers to opt in before any of their personal information could be shared by their Internet service provider.

After complaints from the broadband industry, Wheeler proposed distinguishing between types of information, as the FTC does.

But the communications commission expanded on the FTC’s definition of sensitive data, including information about Web browsing and app usage.


That was a key reason why the FCC’s two Republicans, Ajit Pai and Michael O’Rielly, said they voted against the new rules. They said broadband providers should not face tougher privacy restrictions than Internet giants such as Google and Facebook.

“Consumers should not have to be network engineers to understand who’s collecting their data,” Pai said, calling the FCC’s actions “corporate favoritism.”

O’Rielly said there were “very lucrative categories” of consumer information that broadband providers will have more difficulty using and sharing than website operators. And the FCC’s privacy rules endanger the advertising-supported online ecosystem, he said.

“There is a trade-off,” O’Rielly said. “You are willing to trade your information for certain services.”

Broadband providers and industry trade groups said consumer privacy is important but that the FCC went too far.

Joan Marsh, AT&T’s senior vice president of federal regulatory policy, said the company was pleased that the FCC’s rules more closely resemble those of the FTC. But she said it was “illogical” that the FCC determined that sensitive data should include Web browsing and app history data.


“In this regard, the FCC’s order falls short of recognizing that consumers want their information protected based on the sensitivity of the information collected, not the entity collecting it,” she said.

The agency’s “divergent approach will ultimately serve only to confuse consumers, who will continue to see ads based on their web browsing history” from Internet companies, Marsh said.

Under the new rules, broadband providers also would have to notify customers about the type of information being collected, how it could be used and the types of entities with which the information is shared.

Broadband providers would be free to use or share any data that is stripped of key identifying details so it can’t be linked to a specific person or device.

The rules also require Internet service providers to notify customers within 30 days after determining that a data breach has occurred. The companies would have only seven days to notify the FCC of any data breaches and would have to notify the FBI and the Secret Service of breaches that affect more than 5,000 customers.

Also, Wheeler said the FCC has begun working on rules addressing the clauses in contracts consumers sign for Internet service that require disputes be settled through private arbitration instead of in court. Proposed rules are expected by February.


Consumer advocates and some lawmakers said tougher privacy restriction on broadband providers were needed.

“Broadband providers should not be allowed to collect massive and detailed dossiers about consumers without their consent,” said Sen. Edward Markey (D-Mass.).

Jeff Chester, executive director of the Center for Digital Democracy, said broadband providers want to track consumers’ online activity and make money from sharing that data with advertisers.

AT&T would gain access to data about consumers who watch content from HBO, CNN and other Time Warner properties, and that’s a big reason for the proposed deal, Chester said.

“The merger is really about data,” he said. “Using the Time Warner content as kind of a Trojan horse … to lure people in — children, families, adults, everybody — and build a very significant business in advertising.”


Follow @JimPuzzanghera on Twitter


10:10 a.m.: This article has been updated with information about when the rules will take effect, additional comment from FCC Chairman Tom Wheeler as well as reaction from Consumers Union and FCC Commissioner Michael O’Rielly.

8:40 a.m.: This article has been updated with a comment from AT&T and additional detail about what is considered nonsensitive information.

This article originally was published at 8:05 a.m.