Today, the Federal Communications Commission (FCC) voted to extend crucial privacy protections to broadband users. The new rule empowers consumers to control how broadband providers use and share their information. The Center for Democracy & Technology (CDT) worked with the FCC, civil society, and other stakeholders throughout the process to ensure that the final rule offered meaningful privacy protections.
“This rule represents a significant step forward in protecting internet users, who have no choice but to expose massive amounts of information to broadband providers. It reflects the reality that where we go online is private and the people we pay to carry our communications should treat them as private,” said Chris Calabrese, CDT’s Vice President of Policy.
The rule requires broadband providers to get opt-in consent before using or sharing customers’ “sensitive” information for purposes other than providing broadband service. This information includes the content of communications, location information, and web browsing and app usage history. In order to use “non-sensitive” information, providers must obtain opt-out consent. Although CDT does not support distinguishing between “sensitive” and “non-sensitive” information in the broadband context, we are pleased that the FCC’s definition of “sensitive” information is broad.
The rule does allow broadband providers to use de-identified data without users’ consent, but imposes strong de-identification requirements and standards, placing the burden on providers to ensure that information is not re-identified. “The FCC’s promise to enforce strong de-identification requirements is essential to protecting customers’ anonymity,” Calabrese said. “Absent effective, proven de-identification methods, third parties have both the incentive and the ability to re-identify information.”
The rule does make changes that allow ISPs to use consumer information to market their own products without any avenue for opt-out for the consumer. “While we would prefer consumers be able to opt out of sharing this information, the narrow product types covered by the exception – only including offerings of cable, wireless, internet, and phone services – make the overall rule a major net gain for the privacy of broadband customers,” said Calabrese.
The rule does not explicitly mention IP and MAC addresses, but CDT urges the FCC to interpret the rule going forward to include such information within the definitions of web browsing and app usage history.
The broadband privacy rule sets an important standard for protecting internet users. CDT will work to support and expand the protections in the rule, as well as baseline privacy laws that will uniformly protect consumers throughout the digital ecosystem.