FCC ties Net providers' hands on personal data

WASHINGTON -- Federal regulators on Thursday approved new rules requiring high-speed Internet service providers to get customer permission before using or sharing sensitive personal data, such as Web-browsing or app-usage history.

Cable and wireless companies that offer broadband service would not have to first get a customer's approval before using or sharing any nonsensitive data, such as a person's name, address and type of data plan. Consumers would have to opt out of the sharing of that information.

But such information is limited -- most customer data will be considered sensitive -- and Internet service providers have not had to get permission to use or share that data.

The privacy regulations approved by the Federal Communications Commission on a partisan 3-2 vote will be phased in over the next two years.

Consumer advocates applauded the agency's action.

"As the Internet has become ubiquitous, broadband providers have gained a unique, all-encompassing window into our daily lives," said Jonathan Schwantes, senior telecommunications policy counsel for the nonprofit Consumers Union. "We think these new rules are strong, fair and necessary as we live more and more of our lives online."

But the rules were strongly opposed by cable and wireless companies and take some air out of the goals of AT&T's $85.4 billion bid for Time Warner, even before the ink on that deal has dried. The companies said they wanted to combine resources to move more forcefully into targeted advertising. Crucial to that ambition is information about AT&T's wireless and home broadband users, combined with Time Warner's viewer data and its huge audience.

Jeff Chester, executive director of the Center for Digital Democracy, said broadband providers want to track consumers' online activity and make money from sharing that data with advertisers.

AT&T would gain access to data about consumers who watch content from HBO, CNN and other Time Warner properties, and that's a big reason for the proposed deal, Chester said.

"The merger is really about data," he said. "Using the Time Warner content as kind of a Trojan horse ... to lure people in -- children, families, adults, everybody -- and build a very significant business in advertising."

AT&T, which has criticized the privacy regulations, said it was reviewing details of the final rules. It would not comment on how the rules would affect the proposed merger with Time Warner.

In a call Monday with investors, AT&T's chief financial officer, John Stephens, said the vast amount of data available from the combined company would allow "a greater value proposition to offer advertisers."

A trade association for the cable industry criticized the regulations Thursday as "profoundly disappointing."

"Today's result speaks more to regulatory opportunism than reasoned policy," said the National Cable and Telecommunications Association.

The broadband providers complained that they now will face tougher restrictions on the sharing of valuable customer data than Google Inc., Facebook Inc. and other Internet companies.

The FCC's definition of sensitive data also includes the content of communications, Social Security numbers and information about financial activity, health or children.

FCC Chairman Tom Wheeler, a Democrat who proposed the rules, said broadband subscribers "will finally be in the drivers' seat" in deciding how their sensitive personal information is used.

"It is the consumers' information. It is not the information of the network the consumer hires to deliver that information," Wheeler said. "The consumer has the right to make a decision about how ... information is used."

Wheeler and the two other Democrats who make up the commission's majority, Mignon Clyburn and Jessica Rosenworcel, said consumers have fewer choices about how they access the Internet -- either from their home or on mobile devices -- and the agency was required to enact new rules for broadband providers under the expanded authority over the companies gained under so-called net-neutrality rules adopted last year. Net neutrality is the principle that all Internet traffic should be treated equally, regardless of source, and without favor for particular products or websites.

The FCC's rules don't apply to individual websites or social networks, which are overseen by the Federal Trade Commission. Before the net-neutrality rules, the Federal Trade Commission also oversaw Internet service providers.

The rules approved Thursday were softened from a proposal made by Wheeler in March that would have required customers to opt in before any of their personal information could be shared by their Internet service provider.

After complaints from the broadband industry, Wheeler proposed distinguishing between types of information, as the trade commission does.

But the FCC expanded on the trade commission's definition of sensitive data, including information about Web browsing and app usage.

That was a key reason why the FCC's two Republican commissioners, Ajit Pai and Michael O'Rielly, said they voted against the new rules. They said broadband providers should not face tougher privacy restrictions than Internet giants such as Google and Facebook.

"Consumers should not have to be network engineers to understand who's collecting their data," Pai said, calling the FCC's actions "corporate favoritism."

O'Rielly said there were "very lucrative categories" of consumer information that broadband providers will have more difficulty using and sharing than website operators. And the FCC's privacy rules endanger the advertising-supported online ecosystem, he said.

"There is a trade-off," O'Rielly said. "You are willing to trade your information for certain services."

Broadband providers and industry trade groups said consumer privacy is important but that the FCC went too far.

Joan Marsh, AT&T's senior vice president of federal regulatory policy, said the company was pleased that the FCC's rules more closely resemble those of the Federal Trade Commission. But she said it was "illogical" that the FCC determined that sensitive data should include Web browsing and app-history data.

"In this regard, the FCC's order falls short of recognizing that consumers want their information protected based on the sensitivity of the information collected, not the entity collecting it," she said.

The agency's "divergent approach will ultimately serve only to confuse consumers, who will continue to see ads based on their Web-browsing history" from Internet companies, Marsh said.

Under the new rules, broadband providers also would have to notify customers about the type of information being collected, how it could be used and the types of entities with which the information is shared.

Broadband providers would be free to use or share any data that is stripped of key identifying details so it can't be linked to a specific person or device.

The rules also require Internet service providers to notify customers within 30 days after determining that a data breach has occurred. The companies would have only seven days to notify the FCC of any data breaches and would have to notify the FBI and the Secret Service of breaches that affect more than 5,000 customers.

Consumer advocates and some lawmakers said tougher privacy restriction on broadband providers were needed.

"Broadband providers should not be allowed to collect massive and detailed dossiers about consumers without their consent," said Sen. Edward Markey, D-Mass.

Information for this article was contributed by Jim Puzzanghera of the Los Angeles Times; by Brian Fung of The Washington Post; and by Cecilia Kang of The New York Times.

A Section on 10/28/2016

Upcoming Events