The new privacy rules are aimed at giving broadband customers “increased choice, transparency and security for their personal data”, the regulator claimed.
Providers of both fixed and mobile services will need to get customers to opt-in for use of data, including Web browsing history, app usage, health and financial information, children's information, geolocation information, and the content of online communications.
They will also be made to inform customers how this information is being used and if third parties are being given access to it.
Some data, such as email addresses or service tier information, will be deemed “non-sensitive”, meaning ISPs are free to use and share this unless customers choose to opt-out.
FCC chairman Tom Wheeler said: “Today, the Commission takes a significant step to safeguard consumer privacy in this time of rapid technological change, as we adopt rules that will allow consumers to choose how their Internet Service Provider (ISP) uses and shares their personal data. The bottom line is that it’s your data. How it’s used and shared should be your choice.
“Over the past six months, we’ve engaged with consumer and public interest groups, fixed and mobile ISPs, advertisers, app and software developers, academics, other government actors including the FTC, and individual consumers, to figure out the best approach. Based on the extensive feedback we’ve received, we crafted today’s rules to provide consumers increased choice, transparency and security online.”
The rules, which were voted in by 3-2 by the FCC board on Thursday (27 October) are a scaled back version of the FCC’s original proposals, but still met opposition from carriers.
One of the biggest criticisms from the industry is that the rules do not apply to OTT players. The scope has been limited to broadband service providers and other telecommunications carriers.
Joan Marsh, an AT&T senior vice president, said in a blog post that the FCC approach was “illogical,” adding that “consumers want their information protected based on the sensitivity of the information collected, not the entity collecting it.”