Out-Law News

US regulator proposes stiffer privacy rules for broadband providers


US broadband providers will be subject to stiffer privacy rules under plans outlined by the chairman of the Federal Communications Commission (FCC).

Broadband customers in the US would gain new rights to control how their personal data is used and shared under Tom Wheeler's proposals, which are set to be voted on by the full FCC at a meeting on 31 March.

If the plans are adopted, broadband providers would be under new obligations to obtain customers' "opt-in consent" to use or share their data in many circumstances.

The companies would be free to use customer data where it is "necessary to provide broadband services and for marketing the type of broadband service purchased by a customer". They would also be able to use or share customer data "for the purposes of marketing other communications-related services" but would be required to stop doing so if a customer "affirmatively opts out".

For all other uses and sharing of personal data, broadband providers would "require express, affirmative 'opt-in' consent from customers", according to the proposals.

"When consumers sign up for internet service, they shouldn’t have to sign away their right to privacy," according to an FCC fact sheet containing a summary of Wheeler's proposals. "Consumers should have effective control over how their personal information is used and shared by their broadband service providers."

"The chairman’s proposal does not prohibit ISPs from using or sharing customer data, for any purpose. It simply proposes that consumers have choices – either to opt out in some instances or to require that the ISP first obtain customers’ permission before using and sharing the customer’s data in others," it said.

Under Wheeler's plans, broadband providers would also be subject to new disclosure obligations. They would have to inform customers of the data they collect about them, how it is used and when it could be shared with other companies. The disclosures must be outlined "in an easily understandable and accessible manner", according to the proposals.

Further new rules on data security would also apply if Wheeler's plans are adopted.

"The chairman’s proposal would put in place robust and flexible data security requirements for broadband providers, including an overarching data security standard," the FCC's fact sheet said. "The proposal would require broadband providers to take reasonable steps to safeguard customer information from unauthorized use or disclosure."

"And, at a minimum, it would require broadband providers to adopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; to identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties," it said.

Broadband providers would also be subject to new "common-sense data breach notification requirements" under the plans.

"Specifically, in the event of a breach, providers would be required to notify: affected customers of breaches of their data no later than 10 days after discovery; The Commission of any breach of customer data no later than 7 days after discovery; The Federal Bureau of Investigation and the US Secret Service of breaches affecting more than 5,000 customers no later than 7 days after discovery of the breach," the fact sheet said.
