In the last couple of years, it’s become more commonplace for ISPs to become private, often with data-mining capabilities, such as selling access to users’ data to data brokers.
A few years ago, a number of major ISPs such as Comcast, Time Warner Cable, AT&T, Verizon, and CenturyLink were sued for providing their customers with an online, or “fast lane,” to use their own servers to access websites and other services.
Now, the Federal Communications Commission (FCC) is proposing a rule to regulate what ISPs can do with the network that they own.
But the rules have yet to be finalized.
While it’s a step forward for privacy and security, the FCC rule would only require ISPs to inform users of data-sharing capabilities.
The agency is calling for the FCC to “establish standards for providers to publicly disclose data-transfer agreements and for the companies to publicly acknowledge the terms of such agreements.”
The FCC has been working on a privacy rule since at least 2014.
But in that process, the agency’s privacy commissioner, Michael Copps, has criticized the privacy protections as being too vague and “at odds with the evolving needs of consumers and online services.”
“We’ve taken a very broad approach to this, and there are no clear, consistent requirements on how to define privacy,” Copps said.
“The problem is that the definition of privacy doesn’t fit what consumers need.”
In 2016, the EFF and other privacy groups sued the FCC over privacy protections in the digital age, arguing that they would violate the First Amendment’s guarantees of free speech and press.
The FCC’s proposal will also not require ISPs and other network operators to tell users about the ways they share their data.
Rather, the rule would require the FCC and other regulators to establish “specific requirements” on the ways data-management companies and network operators “use, share, or disclose” users’ personal information.
That would be a step toward allowing greater transparency in the industry.
In the past, the FTC has required data-transmission companies to tell consumers how they use their data, but it has not required that providers or network operators disclose how they collect or use users’ information.
A key feature of the proposed rule would be the requirement for ISPs and network providers to disclose the terms and conditions of data transfer agreements.
For example, the new rule would set forth that a network provider will have to inform the consumer about any data-collection and data-processing arrangements it enters into with data brokers, or with data service providers.
But that information would have to be shared with users in a clear and transparent manner.
A network provider would also have to disclose information about any agreements it has with data brokerage firms.
That could include the terms, conditions, and restrictions for using the network.
And a data broker would have a right to disclose any agreements between the network provider and the data broker that it is in a position to negotiate, including agreements about how to protect the privacy and safety of the data that it collects.
The FTC’s proposal could also make it harder for consumers to find out about privacy issues in the data-sending process.
For instance, the proposal would require that a data-service provider must disclose in its privacy statement the terms that the provider may use to obtain and share user data.
That statement would need to include the following information: the type of data, such a user’s name, address, and email address; the specific purpose for which the data is being used; the purpose of the collection and processing of the information; the information that will be shared, whether the user will receive compensation, and how to remove the information.
For each data-communication agreement, the data service provider would have the right to amend the privacy statement to specify additional terms and requirements for future communications.
The proposal would also require data service companies to publish a list of data brokers and data service firms that they contract with.
“We are very pleased that the Commission is now taking a comprehensive approach to transparency in network management,” said David Rolfe, the head of privacy and government affairs at the Center for Democracy and Technology, a nonprofit consumer privacy advocacy group.
“This is a good first step in a much broader approach to consumer privacy that will ensure that consumers have a fair opportunity to have their privacy respected.”
A number of Internet service providers have already committed to the FTC’s plan to publish the terms they use to access and share users’ private data.
Verizon has already made public its “network security agreements” and “privacy policies,” while Comcast has announced plans to update its “privity policy” to reflect the new privacy rules.
The public will also be able to learn more about how the companies use user data in their privacy statements, by visiting the FCC’s website.
The new privacy rule will go into effect in 2020.