The Washington PostDemocracy Dies in Darkness

The FCC wants to protect your data from your own Internet provider

(Photo by Alex Wong/Getty Images)

Federal regulators on Thursday proposed a broad new set of privacy rules for Internet providers, in a major bid to give Web users some of the same privacy protections online as they receive from their telephone providers.

The government’s proposal would limit how carriers such as Verizon, Comcast and T-Mobile can handle their Internet subscribers’ personal information — including their Web browsing habits, which apps they use and other sensitive data.

If approved, the rules would significantly expand the Federal Communications Commission’s role as a privacy watchdog, giving it new ways to oversee an industry that increasingly relies on customer data as a source of business.

Under the proposal from FCC Chairman Tom Wheeler, Internet providers would have to seek explicit permission from their customers before sharing their data with third parties, such as marketers and advertisers.

The rules would still let Internet providers use customer data to market new products to their own subscribers — though consumers could opt out of that practice. For example, Verizon could use data on its FiOS customers to advertise its cellular service to those same customers, senior agency officials told reporters Thursday.

Internet providers would also have to provide easy access to written privacy policies, and take steps to safeguard the personal data from hackers.

The messy battle to protect your data from your own Internet provider

The FCC’s unprecedented foray into the realm of online privacy stems directly from the agency's decision last year to enact stiff rules on net neutrality. Those rules subject Internet providers to regulations that were originally written for the telephone industry. And among them are a set of privacy requirements that the FCC is now adapting to fit the broadband industry.

“Today, I’m proposing to my colleagues that we empower consumers to ensure they have control over how their information is used by their Internet Service Provider,” FCC chairman Tom Wheeler wrote in a blog post.

Until now, regulators have largely held Internet providers accountable on privacy issues by cracking down when a carrier violates its own privacy policy or marketing materials. But with the FCC proposal, the government is laying out for the first time a series of concrete obligations for broadband firms that go beyond transparency and truth-in-advertising: It wants providers to give users specific choices about how their information is used.

Internet providers are becoming more interested in using customer data for advertising purposes. For example, AT&T operates a program in some markets that gives consumers a monthly discount on Internet service in exchange for letting AT&T track their Web history. And Verizon’s recently launched streaming video app, Go90, is integrated with AOL’s substantial digital advertising technology, which could benefit from greater insight on how consumers behave online. Whether businesses like these should be regulated more heavily is something the FCC intends to ask the public about if the proposal moves forward at the agency’s monthly meeting on March 31.

How much is your privacy worth? $350 a year, according to AT&T

The proposal is already generating pushback from the broadband industry. In a blog post Wednesday, AT&T argued that its data collection practices are little different from those of Google and Facebook, which are online services the FCC has repeatedly vowed not to regulate.

“There is no basis for treating ISP data as somehow ‘proprietary’ or subjecting ISPs to unique privacy requirements,” the company said.

FCC officials argued Thursday that Internet providers’ control over large digital networks gives them far more knowledge about a consumer’s behavior than what a single Internet company could gather alone.

“An ISP handles all of its customers’ network traffic, which means it has an unobstructed view of all of their unencrypted online activity – the websites they visit, the applications they use,” the FCC said in a factsheet on the proposal.

The FCC’s expanding privacy jurisdiction also raises fresh questions about the proper role of other regulators in monitoring privacy violations. The Federal Trade Commission, for instance, has long been considered the government’s top privacy watchdog. But whereas the FTC has only a limited ability to establish new rules, the FCC is different because it can create binding obligations on Internet providers. But the FCC should not stray too far from the FTC’s approach, Verizon said in a statement Thursday.

“We believe any new rules put forward by the FCC should align with the successful approach that the FTC has used for years across the entire ecosystem,” the company said.

Consumers need to be able to trust that Internet providers will be responsible with their data, said Laura Moy, a visiting assistant professor at Georgetown Law.

“Broadband is not something we want people to have to choose whether or not to use — and that means we need to expect all Americans are going to be sharing very sensitive information with their broadband provider,” she said.