Broadband providers would often be required to get customer permission to use and share personal data they collect under regulations proposed by the U.S. Federal Communications Commission.
Broadband providers have an unrivaled ability to track customers and collect personal data, and there currently are no specific rules covering broadband providers and customer privacy, FCC officials said Thursday.
The goal of the rules is to give broadband customers notice, choice and control over their personal data, FCC officials said during a press briefing.
"Your ISP handles all of your network traffic," FCC Chairman Tom Wheeler wrote in the Huffington Post. "That means it has a broad view of all of your unencrypted online activity -- when you are online, the websites you visit, and the apps you use."
On mobile devices, providers can track customers' physical locations, he added. "Even when data is encrypted, your broadband provider can piece together significant amounts of information about you -- including private information such as a chronic medical condition or financial problems -- based on your online activity," Wheeler said.
The proposed rules, to be debated during the FCC's March 31 meeting, would allow broadband providers to send information about new deals and deliver Web-browsing functionality without seeking further customer permission.
The proposal, which would go out for public comment if approved later this month, would allow broadband customers to opt out of data collection for the broadband providers' internal and affiliate marketing and other communications-related services. For all other purposes, including most sharing of personal data with third parties, broadband providers would be required to get customers' opt-in permission to use and share customer personal data.
The rules don't prohibit ISPs from using the personal information they collect, "only that since it is your information, you should decide whether they can do so," Wheeler wrote. "This isn’t about prohibition; it’s about permission."
Wheeler's proposal would also require Internet service providers to notify customers about data breaches of personal data, with affected users notified within 10 days of discovery of the breach. More than 40 U.S. states have data breach notification laws, but there's no national standard.
ISP trade groups have called on the FCC to avoid passing an extensive set of new rules that specifically target providers.
"Consumer information should be protected based upon the sensitivity of the information to the consumer and how the information is used -- not the type of
business keeping it, how that business obtains it, or what regulatory agency has authority over it," five ISP trade groups said in a letter to the FCC this month.
Some ISPs and trade groups have questioned the need for new rules by noting the that use of encryption and virtual private networks is growing among broadband users.
Sign up for CIO Asia eNewsletters.