House Resolution 230 (H.Res.230) narrowly passed in the House yesterday with a 215-205 vote. This resolution moves forward Senate Joint Resolution 34 (S.J.Res.34), which would undo regulations set forth by the FCC last year to restrict what ISPs can do with customer data. The vote came less than a week after the Senate passed S.J.Res.34. In five short months, what was a win for online privacy has all but reversed course.
Prior to the House voting, the White House made a statement that it strongly supported S.J.Res.34. The next stop for the resolution will be for President Trump to sign it into law.
Once signed into law, ISPs will be able to use or sell customer data however they want. This could include selling information for targeted advertising. The Register outlines one scenario: “Pharmaceutical companies in particular pay a lot of money for information on users looking for specific drugs, because they can potentially make thousands of dollars from getting people using their particular drug.”
This scenario may sound similar to what search engines and websites can already do, but it’s different. With traditional online tracking, you have to log into a service before it can collect information and correlate it to you via a cookie. ISPs, however, can track your online activity without you logging into anything or using cookies, because everything you do online must pass through the ISP. This is a big advantage for ISPs: you don’t have to log into anything or opt in for them to collect the data.
Once S.J.Res.34 is signed into law, it will nullify the following FCC online privacy regulations:
Specific broadband customer data was classified as sensitive data. This rule required ISPs to get an explicit opt-in from customers before they could share this data with third parties. Sensitive data included precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications. Customer data like email addresses and service tier information along with information used for billing and collections were exempt.
ISPs were required to transparently share with customers what data was collected and how it was being shared. This regulation also required ISPs to provide clear and persistent notice to customers on how they could change their privacy preferences.
ISPs had to put in place reasonable security measures to ensure customer data was safe. ISPs had to implement industry and FTC security best practices. This included robust customer authentication tools as well as adhering to proper disposal procedures for customer data.
Finally, ISPs were subject to a “Common-sense data breach notification requirement” meant to encourage them to protect customer data. Notifications to customers and law enforcement would be required if there was a failure to protect customers’ data.
Below is the summary of S.J.Res.34:
This joint resolution nullifies the rule submitted by the Federal Communications Commission entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services.” The rule published on December 2, 2016: (1) applies the customer privacy requirements of the Communications Act of 1934 to broadband Internet access service and other telecommunications services, (2) requires telecommunications carriers to inform customers about rights to opt in or opt out of the use or the sharing of their confidential information, (3) adopts data security and breach notification requirements, (4) prohibits broadband service offerings that are contingent on surrendering privacy rights, and (5) requires disclosures and affirmative consent when a broadband provider offers customers financial incentives in exchange for the provider’s right to use a customer’s confidential information.