Privacy Matters: Sensitivity-based Framework Circulated

As expected, FCC chmn Tom Wheeler circulated the proposed broadband privacy order Thurs. While it’s aligned with the FTC privacy framework, cable is not happy with the expanded definition of “sensitive data.” “The Chairman’s Fact Sheet describes a regime that departs from the FTC’s proven sensitivity-based approach to consumer privacy in several key respects. Specifically, in its treatment of web browsing data and first party marketing of ISP services, the FCC departs from past FTC practice in ways that violate principles of fair competition and deny consumers the benefit of a consistent approach to online privacy protection,” NCTA said. “If the Chairman insists on advancing this approach, we would hope that his fellow commissioners would ‘opt-out’ and seek a result more faithful to the FTC’s proven framework of protecting consumers.” Under the FCC’s proposal, data considered to be sensitive includes geo-location (typically the real-world location of a mobile phone or other device), children’s information, health information, financial information, social security numbers, web browsing history, app usage history, and the content of communications. ISPs would be required to obtain affirmative permission from consumers (opt-in consent) to use and share sensitive information. Because the privacy proposal doesn’t apply to edge providers, it could create a competitive disparity between ISPs and web companies.

While Google won’t be subject to the proposed rules, Google Fiber, as an ISP, would be required to follow the opt-in rules, an FCC senior official said during a press call Thurs. Google recently filed with the FCC to urge the agency to allow differentiation based on the nature of web browsing information, instead of all web browsing data. The senior FCC official said the rules are in harmony with other privacy principles, including those outlined by the FTC and the Administration’s Consumer Privacy Bill of Rights. Under the proposal, the use and sharing of non-sensitive information would be subject to opt-out consent requirements in most cases. All other individually identifiable customer information—for example, service tier information used to market an alarm system—would be considered non-sensitive and the use of sharing of that information would be subject to opt-out. Meanwhile, customer consent is inferred for certain purposes spelled out in the statute—the provision of broadband service, or billing and collection for example. The draft rules also require that ISPs to notify customers about what types of information that ISP collects about its customers. They would also be required to specify how and for what purposes the ISP uses and shares this information and to identify the types of entities with which the ISP shares this information. Public interest groups praised the approach. While the framework makes distinctions between sensitive and non-sensitive data, it defines sensitive data broadly, and doesn’t follow the ISP-backed approach, said Free Press policy counsel Gaurav Laroia. Public Knowledge urged the full FCC to approve Wheeler’s proposal. “Consumers should no longer have to choose between getting the broadband they need or having the privacy they deserve,” svp Harold Feld said in a statement.