FCC Privacy Rules Would Offer Significantly Expanded Definition of Sensitive Information
ISPs will be required to get express, opt-in consent before using or sharing eight categories of sensitive information, under the privacy rules circulated (see 1610060021) by FCC Chairman Tom Wheeler to his fellow commissioners Thursday for a vote at the Oct. 27 commissioners meeting. But ISPs wouldn’t have to seek consent on all of the data Wheeler proposed in an NPRM (see 1603310049). The early reaction to the plan was mostly positive, even from advocates of strong privacy rules. But NCTA and USTelecom had concerns.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
“Over the past six months, we’ve engaged with consumer and public interest groups, fixed and mobile ISPs, advertisers, app and software developers, academics, other government actors including the FTC, and individual consumers to figure out the best approach,” Wheeler said in a blog post. “Based on the extensive feedback we’ve received, I am proposing new rules to provide consumers increased choice, transparency and security online.”
The eight categories of sensitive information are: geo-location, children’s information, health information, financial information, Social Security numbers, web browsing history, app usage history and the content of communications, according to an FCC fact sheet.
A senior official said the FCC developed the list of categories based on the more than 250,000 comments it received. “For the last seven months, we have been listening and learning and speaking with a broad range of stakeholders to figure out the best approach,” the official said. “You’ll find that the things we have considered sensitive have a lot of support in the record.”
Other data use doesn’t require consumer consent. “All other individually identifiable customer information -- for example, service tier information used to market an alarm system -- would be considered non-sensitive and the use and sharing of that information would be subject to opt-out, consistent with customer expectations,” the FCC said.
The Wheeler proposal also would prohibit “take-it-or-leave-it” offers, “meaning that an ISP can’t refuse to serve customers who don’t consent to the use and sharing of their information for commercial purposes,” said the fact sheet.
The draft order would allow ISPs to offer plans under which consumers would agree to share their data for lower-cost broadband. But Wheeler proposed heightened disclosure requirements for these plans, the fact sheet said. “The Commission would determine on a case-by-case basis the legitimacy of programs that relate service price to privacy protections,” the FCC said. “Consumers should not be forced to choose between paying inflated prices and maintaining their privacy.”
The draft order also requires ISPs to give customers information about the types of data they're collecting, how the provider uses and shares the data, and the types of entities with which the company shares the information, the fact sheet said. It would direct the Consumer Advisory Committee to develop a “proposed standardized privacy notice format that is voluntary and would serve as a ‘safe-harbor’ for those providers who choose to adopt it,” the FCC said.
Wheeler proposed “common sense” rules for data breaches, the fact sheet said. Providers would be required to notify affected customers as soon as possible, no later than 30 days after the discovery of a breach, and notify the commission within seven business days, the FCC said. ISPs also would have to notify the FBI and the U.S. Secret Service of breaches affecting more than 5,000 customers no later than seven business days after discovery.
FTC
In comments on the NPRM, the FTC raised questions about the FCC’s approach and whether it would create major differences between how ISPs and other companies are regulated (see 1606020062). “We believe it is very much in alignment with the [FTC’s] framework as they have applied it and as they have described it in their landmark 2012 report,” a senior FCC official said of the draft. “We do, of course, take account of the particular relationships that ISPs have with their customers when we consider how to apply that framework.”
“We know that consumers care deeply about their privacy, and I am pleased to see the FCC moving forward to protect the privacy of millions of broadband users across the country,” FTC Chairwoman Edith Ramirez said in a statement. “The FTC, which has protected consumers’ privacy for decades in both the online and brick-and-mortar worlds, provided formal comment to the FCC on the proposed rulemaking, and I believe that our input has helped strengthen this important initiative.”
USTelecom questioned why the FCC needs to develop its own standard for what data should be considered sensitive rather than rely on the FTC. The FCC "which has no expertise with regard to determining the content of speech, is now attempting to redefine what consumers may regard as sensitive,” said President Walter McCormick in a news release. “In this regard, consumers would be better served if the FCC were to defer to the expertise of the FTC in this area, and the two agencies were to pursue a uniform approach.”
NCTA raised similar concerns. "The Chairman’s Fact Sheet describes a regime that departs from the FTC’s proven sensitivity-based approach to consumer privacy in several key respects," the group said. "In its treatment of web browsing data and first party marketing of ISP services, the FCC departs from past FTC practice in ways that violate principles of fair competition and deny consumers the benefit of a consistent approach to online privacy protection. If the Chairman insists on advancing this approach, we would hope that his fellow commissioners would ‘opt-out’ and seek a result more faithful to the FTC’s proven framework of protecting consumers."
Public Knowledge Senior Vice President Harold Feld said the FCC’s revised approach may offer more protection than the earlier proposal. “Information that would have been useable with opt out -- because it involved a carrier marketing its own telecommunications service -- may now require opt in because the information is sensitive,” Feld emailed. “On the whole," he said, the revised rule “makes up for increasing the quantity of information a carrier can collect and share with only opt out by increasing the quality of what requires opt in.”
The Center for Digital Democracy said much depends on the final rules. "Because we know that ISPs’ big data analytical capabilities can turn seemingly non-sensitive information into highly private information about our lives, and because all our browsing data and the content of our communications is incredibly sensitive to begin with, we had asked the FCC to avoid drawing distinctions between ‘sensitive’ and ‘non-sensitive’ categories of information,” said Katharina Kopp, deputy director. “Still, we believe that the proposal’s framework can work for consumer privacy provided the FCC’s definition of ‘sensitive’ is robust and meaningful.”
Color of Change said it met with the FCC about how data collection has disproportionately harmed minorities and those with low incomes and "to ensure that sensitive information and personal data is not used as a proxy for protected class information and fair game for the highest bidder,” according to a news release. “In this order, the FCC has acknowledged it is unacceptable to allow a two-tiered system of Internet privacy based on the ability to pay, and it has safeguarded individuals from being identified and targeted based on data accumulated online.”
Consumer Watchdog said the FCC is right to significantly expand the scope of the information that's considered sensitive beyond the financial, health and precise location data in the FTC’s framework. "If the 'sensitive/non-sensitive' distinction remains in the new privacy regulations approved by the Commission, we will work with the FCC to support the broadest, most robust and meaningful understanding of what 'sensitive' information is," said John Simpson, the group’s Privacy Project director, in a news release.
“Strong rules means making sure that all consumers can afford to keep their personal information private,” said House Commerce Committee ranking member Frank Pallone, D-N.J. “No one -- no matter their income -- should be forced to choose between privacy and staying connected.” Earlier, Pallone urged strong privacy protections. Sen. Ed Markey, D-Mass., a member of the Commerce Committee, said the FCC was on the right track. “Every click an American makes online paints a detailed picture of their personal and professional lives, and this sensitive information should be protected by strong broadband privacy standards,” he said.
Other industry reaction was mostly positive. Karen Zacharia, Verizon chief privacy officer, said based on information made available by the FCC, the agency is moving the rules in the right direction and closer to the FTC’s approach. “Verizon is much more than an ISP,” she said in a statement. “For a company like Verizon, which offers a diverse set of products and services across the internet ecosystem, this movement towards a harmonized approach is particularly important.”
“The FCC should go beyond similarity and adopt privacy standards that are harmonized with the FTC’s successful privacy framework,” said Jonathan Spalter, chairman of Mobile Future. “We appreciate that the FCC is apparently moving to a privacy framework for mobile broadband providers that is more consistent with the FTC’s approach to online privacy.”