The FCC adopted an order that formally recognized that the privacy rules passed by the Tom Wheeler FCC are cancelled and that the FCC will revert to the previous privacy rules that were in effect in the past. The action is mostly a clarification because Congress passed H.J. Res 34, the Congressional Review Act that nullified the actions of the last FCC.
This FCC means a number of things. For regulated telephone providers (both LECs and CLECs) it means that all of the previous rules that were generally referred to as a Customer Proprietary Network Information (CPNI) are back in effect. Those rules are codified in FCC Rules Section 64.2009(e) and (c). Those rules include:
- An obligation to not disclose telephone customer data without permission from the customer.
- An annual compliance certification to demonstrate compliance with the CPNI rules. This filing will be due next year again, filed no later than March 1.
- Compliance with various recordkeeping rules that would demonstrate compliance should a carrier ever be audited.
The FCC also reminded non-regulated ISPs that while they are not directly subject to the CPNI rules that they are still subject to Section 222 of the Communications Act that says that all carriers must take reasonable and good faith steps to protect customer privacy.
The rules passed by the last FCC would have brought all ISPs into the same regulations as telcos. And in doing so the rules went further than in the past and required that any service provider get customer buy-in before using their data. Customers were to have been provided with the option to allow ISPs to use data for any purpose, to allow ISPs to use data just for marketing to the customer, or customers could have opted out and chosen full privacy.
One of the big public fears that was voiced in opposition to the congressional action that reversed the privacy rules is that ISPs are now free to use customer information in any manner and that they could even go so far as to ‘sell the browsing history’ of customers on the open market. If ISPs misuse customer broadband data in too egregious of a manner I guess we’ll have to wait for a specific complaint using the Section 222 rules to see what level of protection data customers actually have.
All of the big ISPs have come out and said that they would never sell customer browsing data, and it’s probable that even under the older rules that are still in place that directly selling specific customer data might be illegal.
But we know that the big ISPs have all made plans to monetize customer data, and many of them have already been doing that for years. The most likely use of customer data will be for the biggest ISPs to engage in the same kind of advertising that is being done by Google and Facebook. The social media companies have built detailed profiles of their customers, something that advertisers find valuable. But the ISPs have a big advantage over the social media companies in that they know a lot more about customers including all of the web searches they make and all of the web sites they visit. The big ISPs all have branches of their business that are focusing on this kind of advertising, and even smaller ones like Altice recently purchased a company that creates targeted advertising based upon customer profiles.
There was an article in Forbes earlier this year by Thomas Fox-Brewster that speculated that targeted advertising is what the ISPs really want. They look at the gigantic revenues being earned by Google and Facebook and want a piece of that action. He doesn’t believe that the ISPs will directly sell data, which might invite retaliation from future regulators. But he does speculate that over time that customer information from the ISPs will leak into the public through the companies that use their data for targeted advertising. The web advertisers are not bound by any legal restrictions on using purchased data and over time, as they do various ad campaigns they could effectively build pretty detailed customer profiles based upon different a series of ad campaigns.
Certainly this is of concern to many people. People are free to avoid services like Facebook or Google if they want to maintain privacy, but it takes a lot of effort to hide from their ISP. And while ISPs are probably never going to market a database directly that shows a given customer’s browsing history, as they use our data for advertising purposes they are going to be providing bits of pieces about each of us, that over time can be reassembled to create incredibly detailed profiles. Folks who are savvy and concerned about this are going to thwart the ISPs as much as possible through the use of VPNs and other tools to hide their web activity. But it’s likely that most people won’t do this and I would expect over the next few years to see the ISPs pop onto the radar in a big way as advertisers.