The Federal Communications Commission (FCC) has adopted rules that require broadband Internet Service Providers (ISPs) to protect the privacy of their customers. The new rules will provide consumers with better control of how broadband ISPs use and share their data. The rules also require broadband ISPs to better protect personal information. The ISPs impacted include those providing fixed and mobile broadband to people's homes.

Consumers won't see any immediate changes, as implementation will occur over the next year or more. The summary of the rules has to be printed in the Federal Register, which could take up to a month. Once published, the implementation countdown starts.

Note that these rules do not have any impact on websites or apps because the Federal Trade Commission has rule-making authority for them.

The following is a summary of the rules from the FCC's fact sheet.

Clear Notice About the Collection, Use and Sharing of Information

The ISP is required to:

  • Notify customers about what types of information the ISP collects about its customers.
  • Specify how and for what purposes the ISP uses and shares this information.
  • Identify the types of entities the ISP shares this information with.

This information must be provided when a customer signs up for the service. Customers must be updated when the ISP's privacy policy changes in significant ways. The policy must also be available on the ISP's website or mobile app.

This requirement will become effective approximately 12 months after the rules are published in the Federal Register. Small ISPs will have an additional 12 months to comply.

Consumer Choice

The choices a consumer has for the use of their personal information are based on the sensitivity of the information.

Opt-In. Consumers will have to give permission for the ISP to use and share these types of sensitive information:

  • Precise geo-location (typically the real-world location of a mobile phone or other device)
  • Children's information
  • Health information
  • Financial information
  • Social Security numbers
  • Web browsing history
  • App usage history
  • The content of communication

Opt-Out. For all other individually identifiable customer information, ISPs can use and share it unless the customer opts out.

Inferred customer consent. Customer consent is assumed to be given for certain purposes including:

  • Use and sharing of non-sensitive information to provide and market equipment and services typically provided with the broadband service subscribed to by the customer.
  • To provide broadband service including billing and collecting for the service.
  • To protect the broadband provider and its customers from fraudulent use of the provider's network.

This requirement will become effective approximately 12 months after the rules are published in the Federal Register. Small ISPs will have an additional 12 months to comply.

Data Security

ISPs must take reasonable measures to protect customer data. The FCC Order provides guidelines about steps the ISP should consider:

  • Implement up-to-date and relevant industry best practices, including managing security risks.
  • Provide appropriate accountability and oversight of its security practices.
  • Implement robust customer authentication tools.
  • Properly dispose of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.

This requirement will go into effect 90 days after the rules are published in the Federal Register.

Data Breach Notification

ISPs must notify customers when an unauthorized disclosure of their personal information has occurred. When a reportable breach occurs, ISPs must notify affected customers as soon as possible but not later than 30 days after determination of the breach.

This requirement will go into effect approximately 6 months after the rules are published in the Federal Register.