The FCC made a major move yesterday in terms of consumer privacy. Unprecedented, really.

Under the new vote (3 to 2) the FCC voted new rules which require internet service providers (ISPs) to obtain customer’s explicit permission before the ISPs are allowed to share behavioral data with third parties. The goal is to bring ISPs closer to the regulations that traditional telephone companies find themselves under, and this FCC decision will have more than a few repercussions—big and small.

Phased in over the next two years, the regulations would draw some lines in the sand about what data broadband providers could use, and how. For instance, ISPs would not have to acquire a customer’s permission to share non-sensitive data; a person’s name, address, or type of data plan. But customers could opt out of sharing that information.

Plus, the bulk of data will be considered sensitive: Web browsing, or app usage history. Mobile location data. Basically the sorts of things that much of the internet economy—with its cookies, targeted ads, and more—have been built on. In recent years, “big data” on behavioral patterns of consumers has been a major source of revenue.

Photo Credit: Visual Content cc
Photo Credit: Visual Content cc

Still, this won’t be an overnight change. Targeted advertisement will probably not be going away. But the regulations mean there could (and, likely, will) be some changes to how users control their ISPs’ business practices. Expect to see more dialogue boxes, updated privacy policies, and other interactions with companies about where your data is going. Broadband providers would need to ensure that users are clear on what type of information is being collected, how it could be used, and the types of entities it’ll be shared with, not to mention notifying customers within 30 days of determining a data breach has occurred. They would also have to make sure that the data they are free to use or share is stripped of key identifying details, so it can’t be linked to a specific person or device.

To the three FCC commissioners who voted for this, it’s a no-brainer, finally putting the user in the driver’s seat.

It is the consumers’ information. It is not the information of the network the consumer hires to deliver that information,” FCC Chairman Tom Wheeler, a Democrat who proposed the rules, said. “The consumer has the right to make a decision about how her or his information is used.”

And as  Christin McMeley, Alex Reynolds and Adam Shoemaker write on the Privacy & Security Law Blog, it’s all part of their ascension as a privacy regulator. The FTC is in charge of social networks (making individual websites like Google and Facebook fall outside the FCC’s rules) but since the rise of net neutrality the FTC has ceded its ISP regulation to the FCC:

As a regulator of communications networks and services, one might expect that this includes internet communications, but this has not been the case, historically.  This is because the Communications Act was drafted by Congress to apply to separate and distinct services, which at the time were provided by separate companies, such as cable, telephone, and satellite providers.  At issue here are the regulatory classifications of two types of services defined in the Act: information services, governed by Title I of the Act; and telecommunications services, governed by Title II. The internet has historically been considered an unregulated Title I “information service” and Internet Service Providers were for the most part unregulated.

…In the year between the publication of the Open Internet Order in March 2015 and the Notice of Proposed Rulemaking (NPRM) in March 2016, the FCC signaled its intent to become a de facto privacy regulator. In particular, the FCC settled enforcement actions—using Section 222 and a host of other statutory provisions—against three companies alleging lax data security practices for a collective total of just under $30 million.

But all that enforcement has felt like a double standard to ISPs, and the more conservative pair on the Commission. The expanded definition of “sensitive data” for the new rule, building on the data distinguishing the FTC put forth, locks ISPs out of “very lucrative categories” of data collection that individual websites are not locked out of.

“If the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move forward to ensure uniform regulation of all companies in the Internet ecosystem at the new baseline the FCC has set,” said FCC Commissioner Ajit Pai.

Now companies like Verizon, Comcast, and AT&T can’t rely on user data to create subscriber profiles, and get ads tailored to an individual’s experiences, unlike Google or Facebook. It also sours the $85.4 billion deal between AT&T and Time Warner, who were hoping their combined resources would result in more forceful targeted advertising. Meanwhile some consumer advocates have complained that the rules don’t go far enough.

But still, though they might damper the deal before the ink is dry, there’s a long future ahead of the regulations yet. AT&T and other broadband providers have of course promised to be “reviewing the details of the final rules.” And even if they go unchallenged, there’s still two whole years before consumers will find their ISPs held to them.

In the meantime, privacy advocates celebrate, and the FCC enjoys its reign as privacy regulator.