The FCC passed new privacy rules last week and the new rules are largely aimed at Comcast, AT&T, Verizon and other large ISPs. Most small ISPs do not participate today in the practices that the new rules are aimed at stopping. For the most part the rules won’t affect smaller companies much other than having more annual pieces of paper to file at the FCC saying that you follow the rules – and you probably already do.
The rules are aimed at protecting customers from abuse by ISPs, who by definition have the most access to a customer’s data. An ISP knows every web site visited, every web purchase made, every email and every instant message sent.
This is probably the FCC’s biggest use so far of its new Title II authority over broadband. The FCC knows this is going to be challenged in court, so the new rules don’t go into effect for a year, giving the lawsuits a chance to resolve.
I’m not going to repeat all of the specifics of how this works, but rather concentrate on what it means to the industry as a whole:
Customers have a right of privacy. The new rules create a new right that a customer’s data – where they search on the web, what they say in emails and texts – all belong to them. Each customer now has the right to decide if the ISP can use it. Today an ISP knows everything a customer does on the web that is not encrypted, and even with encryption they know the web sites visited. But the FCC now makes it clear that this customers can keep this personal information private if they so desire.
ISPs need to ask for permission to use customer data. The new rules compel ISPs to explicitly ask for permission to use customer data. I suspect ISPs are not going to be allowed to bury this choice inside a terms of service.
I would expect that big ISPs are going try to entice people to be able to use their data. They might offer lower prices or entice people by forwarding coupons to them from around the web for things they are interested in. But at the end of the day it’s the customer’s choice to allow or not allow their ISP to use the data. And there might be nuances. ISPs might ask to track where customers go on the web but not read emails. The rules would allow options for the ISP.
ISPs must say what they do with customer data. If somebody gives an ISP permission to use their data the ISP must disclose how they are going to use it. Are they using it only for their own marketing efforts or are they going to sell it to others? Right now, consumers don’t know what information is being collected by their ISPs, nor what’s being done with it.
ISPs will have to protect customer data. The new rules also place more responsibility on ISPs to protect customer data from hackers. This is perhaps the one area of the new rules that will have the most impact on smaller ISPs. ISPs must use best industry practices and also notify customers when there has been a data breach. And they must notify the FBI if a breach involves more than 5,000 customers.
This does not affect edge providers. The new rules only apply to ISPs. They do not apply to ‘edge providers’ like social media sites or search engines. Those companies are still allowed to use customer data in any manner they want since customers come to them voluntarily. So Facebook and Google are still free to use customer data since people use those sites voluntarily. This is the killer for the giant ISPs because they see how much money the edge providers make from using customer data from advertising and other uses. But it’s not clear if the FCC has any authority over edge providers.
Another big gap is the Internet of Things. As we saw in the recent giant denial of service attack, the devices used in the Internet of Things – thermostats, cameras, smart appliances, etc. – are not well protected. IoT companies also are capable of gathering a lot of information about customers. This will become a much bigger issue as people start using devices that include artificial intelligence like the Amazon Echo. It would be natural for the FCC to declare that IoT providers are also ISPs of a sort and regulate them that way. I expect that nothing will be done with IoT until this set of rules makes it through the court challenges.