October 6, 2016 - 11:55 am
By Tom Wheeler | FCC Chairman

The Internet is an indispensable part of our daily lives. At home, at work and on the go, we are constantly tethered to an Internet connection to shop, check email, read news and post on social media websites.

Seldom do we stop to realize that our Internet Service Provider – or ISP – is collecting information about us every time we go online. Your ISP handles all of your network traffic. That means it has a broad view of all of your unencrypted online activity – when you are online, the websites you visit, and the apps you use. If you have a mobile device, your provider can track your physical location throughout the day in real time. Even when data is encrypted, your broadband provider can piece together significant amounts of information about you – including private information such as a chronic medical condition or financial problems – based on your online activity.

The problem is, there are currently no rules in place outlining how ISPs may use and share their customers’ personal information. In fact, 91 percent of American adults say consumers have lost control over how their personal information is collected and used by companies, according to Pew Research Center. In today’s digital world, consumers deserve to be able to make informed choices about their privacy and their children’s privacy online. After all, it’s your data—shouldn’t you have a say over how it’s used?

The Federal Trade Commission uses its enforcement authority to make sure Internet companies like Google and Facebook respect consumers’ privacy, and the Federal Communications Commission is charged with protecting privacy for the customers of telecommunications carriers. For decades the FCC has required telephone companies to protect the information associated with a phone call. FCC regulations limit how your phone company can repurpose and resell what it learns about your phone activity without your consent. Similar rules don't exist for broadband service today. That’s a gap that must be closed – consumers who use the network of the 21st century deserve similar protections.

Earlier this year, the FCC launched a proceeding aiming to extend similar privacy protections to the information collected by your broadband provider. Our goal throughout the process has been straightforward: to give consumers the tools they need to make informed decisions about how ISPs use and share their data, and the confidence that ISPs are taking steps to keep that data secure, all while providing ISPs the flexibility they need to continue to innovate.

Over the past six months, we’ve engaged with consumer and public interest groups, fixed and mobile ISPs, advertisers, app and software developers, academics, other government actors including the FTC, and individual consumers to figure out the best approach. Based on the extensive feedback we’ve received, I am proposing new rules to provide consumers increased choice, transparency and security online. I have shared this proposal with my colleagues and the full Commission will consider these proposed privacy rules at our upcoming monthly meeting on October 27.

Under the proposed rules, an ISP would be required to notify consumers about what types of information it is collecting, specify how and for what purposes that information can be used and shared, and identify the types of entities with which the ISP shares the information.

In addition, ISPs would be required to obtain affirmative “opt-in” consent before using or sharing sensitive information. Information that would be considered “sensitive” includes geo-location information, children’s information, health information, financial information, social security numbers, web browsing history, app usage history, and the content of communications such as the text of emails. All other individually identifiable information would be considered non-sensitive, and the use and sharing of that information would be subject to opt-out consent.

Calibrating consent requirements to the sensitivity of the information aligns with consumer expectations and is in harmony with other key privacy frameworks and principles – including those outlined by the FTC and the Administration’s Consumer Privacy Bill of Rights. The proposed rules are designed to evolve with changing technologies, and would provide consumers with ways to easily adjust their privacy preferences over time.

The proposed rules also require ISPs to take reasonable measures to protect consumer data from breaches and other vulnerabilities. If a breach does occur, the rules would require ISPs to take appropriate steps to notify consumers that their data have been compromised.

To be clear, this proposal focuses on information collected from consumers when they use broadband services, such as residential or mobile connections. It would not apply to the privacy practices of websites or apps, over which the Federal Trade Commission has authority. And that is true even when a website or app is owned by a broadband provider. It’s also important to note that the proposed rules would not prohibit ISPs from using or sharing their customers’ information – they would simply require ISPs to put their customers in the driver’s seat when it comes to those decisions.

The bottom line is that the information you share with your broadband provider is yours. With the FCC’s new privacy protections, you will have the right to determine how it’s used.