FCC Looks at Consumer Data Security

The FCC will be voting on March 31 to release a Notice of Proposed Rulemaking (NPRM) concerning customers’ rights over their data on the Internet. More specifically, the NPRM is looking at the relationship between a customer and their ISP. It’s been assumed FCC Chairman Tom Wheeler already has the votes to get this passed.

The premise of the NPRM is that an ISP knows more about what a customer does than anybody else. They know what web sites you connect to and for how long, and even if you encrypt everything they know a lot about you. Most people don’t realize that an ISP has total knowledge of everything a customer does that is not encrypted. If they care to do so an ISP can record every keystroke made online.

And so the NPRM will be asking what rights customers should have as far as allowing their ISP to use or monetize the knowledge they gain about customers. The proposed rules are going to apply the same sorts of privacy rights to broadband that have been in place for telephone service. The privacy rules would not apply to social media sites, browsers or search engines, just to ISPs. The FCC’s reasoning is that customers voluntarily give their data to these edge services but they have not done so freely to their ISP.

The NPRM starts with the premise that consumers ought to have control over how their data is used by their ISP. Telephone customers have had similar rights for years. Here are the primary areas that will be covered by the NPRM:

Transparency. The FCC wants ISPs to inform people about the information they collect about them. They want ISPs to further tell customers how they use this data and if and how the data might be sold to others. And the FCC wants all of this written in plain English (good luck with that!).

Security. The FCC believes that ISPs have the responsibility to protect customer data. The NPRM wants to require ISPs to take reasonable steps to protect customer data.

  • This would mean new rules for ISPs. They would have to institute training practices for employees, adopt strong customer authorization practices, identify to the FCC the senior manager(s) responsible for data security, and take responsibility for customer data when it’s shared with a third party.
  • There would also be new rules about data breaches. Customers would have to be notified of data breaches within 10 days of discovery. The ISP would need to notify the FCC within 7 days of any breach. ISPs would have to notify the FBI and the US Secret Service of any breach of more than 5,000 customers.

Choice. The NPRM suggests that customers be given a choice to say what kind of data their ISP may use and under what conditions it can be shared with others. The FCC wants to categorize customer data into three categories:

  • First is the data that an ISP must have in order to serve customers. This would be things like name, address and other data needed to bill a customer. And because the product is broadband the FCC believes that an ISP has the inherent right to do things like measure your total data usage and other related network information.
  • Second, the FCC thinks that an ISP ought to be able to use a customer’s data to market other telecom products to them. But, like with telephone service, the FCC thinks customers should have the right to opt-out of ISP marketing activity.
  • Third, the FCC is then suggesting that customers would need to opt-in to give an ISP the right to use their data for any other purposes.

The FCC wants these to be rules about customer permission and protection of data and they are not prohibiting ISPs from gathering and using data as long as the customer approves of it. As is usual with this kind of NPRM we can expect a lot of comments both for and against the proposal. What I find most unusual about this NPRM is that it largely assumes that the FCC is going to prevail in its order to regulate broadband under Title II rules. If that order gets overturned then protection of customer data would probably revert back to the FTC.
