FCC Chairman Tom Wheeler has released a proposal for regulations that would restrict the ways broadband service providers can use customer data. The goal is to give customers greater choice in how their data is used. The proposal includes three categories for broadband use of customer data:
- Consent Inherent in Purchase – Since customers already chose to purchase an Internet plan from that broadband provider, the provider has the right to use information such as Internet usage and billing to provide additional service for and marketing to their customers.
- Opt-out – When broadband providers wish to use or share customer data for the purpose of marketing other communications-related services, the customer must be offered the choice to opt out.
- Opt-in – Broadband providers may only use customer data in any other way if the customer has actively chosen to allow them to do so.
In tandem with these restrictions, the proposal also includes regulation on the security of customer data. Broadband providers would have to take reasonable steps to secure data as well as adopting risk management practices, instituting personnel training, adopting strong customer authentication requirements, identifying a senior manager responsible for data security, and taking responsibility for use and protection of customer information when shared with third parties.
In the event of a discovered security breach, the proposal would require broadband companies to:
- Notify affected customers within 10 days.
- Notify the FCC within seven days.
- Notify the FBI and the U.S. Secret Service of breaches affecting more than 5,000 customers within seven days.
The proposed restrictions would not apply to websites, such as Google or Facebook. The proposal argues that consumers could simply leave a site that is using their data, whereas leaving one’s Internet provider is a far more complicated process.
This proposal comes not long after a settlement between the FCC and Verizon Wireless, which required the telephone company to implement notification and opt-in practices in the use of their customers’ data. Both indicate that the FCC is taking a strong stance on consumers’ right to know what is being done with their personal data.