CHAIRMAN TOM WHEELER, FEDERAL COMMUNICATIONS COMMISSION / FCC PHOTOGRAPH

The U.S. Federal Communications Commission today voted 3-2 to approve rules requiring broadband Internet Service Providers to provide customers more control over the use of their personal information. The new rules require broadband providers to obtain permission from their customers prior to collecting data on a web browsing, app use, location and other personal information.

— The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:

Opt-in: “ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.”

Opt-out: “ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information—for example, email address or service tier information—would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.”

Exceptions to consent requirements: “Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.”

— Additional rules include:

• Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;

• A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.

• Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such informatio.”

— FCC Chairman Tom Wheeler: “There is a basic truth: It is the consumer’s information. It is not the information of the network the consumer hires to deliver that information. What this item does is to say that the consumer has the right to make a decision about how her or his information is used.”

— AT&T Senior Executive Vice President of External and Legislative Affairs Bob Quinn: “At the end of the day, consumers desire services which shift costs away from them and towards advertisers. We will look at the specifics of today’s action, but it would appear on its face to inhibit that shift of lower costs for consumers by imposing a different set of rules on ISPs.”