Privacy groups want rules for how ISPs can track their customers

Some Internet service providers are building powerful tools to track customers, and the U.S. Federal Communications Commission needs to step in, privacy advocates say.

Some privacy advocates are calling on the FCC to create new regulations that limit how ISPs can track their customers across the Internet. The agency could release a proposal for ISP privacy rules as soon as this month, FCC Chairman Tom Wheeler said last week.

Some ISPs are deploying “invasive and ubiquitous” tracking practices as a way to deliver targeted advertising to customers, 12 privacy groups said in a letter to the FCC this week. In recent years, large ISPs like Comcast and Verizon have entered into advertising partnerships or launched their own advertising services that take advantage of ISP customer data, the letter said.

Because U.S. lacks a comprehensive privacy law, “there are very few legal constraints on business practices that impact the privacy of American consumers,” said the letter, signed by the American Civil Liberties Union, the Electronic Privacy Information Center and other groups. “The FCC has the opportunity to fill this void.”

Calls for FCC privacy regulation from privacy groups are setting up a showdown with ISPs and their trade groups, which have resisted agency action on privacy. For years, the Federal Trade Commission has taken enforcement action against companies, including ISPs, that violate their own privacy policies, critics of FCC action note.

“Rather than advocating for a comprehensive privacy policy that applies to all entities in the Internet ecosystem,” those privacy groups want the FCC to create new rules applying only to ISPs, said Anne Veigle, senior vice president of communications at USTelecom, a telecom and ISP trade group. “This effort will not give consumers the clear and consistent protections they should have and will only harm competition and innovation on the Internet.”

USTelecom, CTIA and three other ISP trade groups sent their own letter to the FCC on March 1, with the groups calling for the agency to keep the rules “flexible” and targeted on unfair or deceptive conduct, as the FTC does, instead of creating extensive new regulations.

“Consumer information should be protected based upon the sensitivity of the information to the consumer and how the information is used — not the type of business keeping it, how that business obtains it, or what regulatory agency has authority over it,” the trade groups’ letter said.

The move of the FCC toward new privacy rules for ISPs is related in part to the agency’s reclassification of broadband as a regulated, common carrier service as part of new net neutrality rules passed in February 2015. The FCC had other avenues for passing new privacy regulations, but reclassification of broadband moved the authority for policing broadband privacy from the FTC to the FCC, said Harold Feld, senior vice president at Public Knowledge, one of the privacy groups calling for strong new rules.

While the privacy groups haven’t proposed many specific rules for the FCC to adopt, they want the FCC to go farther than the FTC practice of filing complaints only after the agency saw a privacy violation.

The ISPs “have an obligation” to disclose more details about the information they collect and their uses of it, Feld said. The groups want the FCC to look at how ISPs are coming cable data from customer set-top boxes with other sources to “create very detailed user profiles for marketing purposes,” he added.

The privacy groups also want ISPs to get opt-in permission to use customer data for most purposes. “We want ISPs to secure clear permission from subscribers before using the data collected for any purpose other than to provide broadband service,” he said.  

But extensive new rules may not be necessary with more customers using encryption to protect their data, some critics said.

Even the privacy groups recognize that “the use of encryption only continues to grow,” said Debbie Matties, vice president for privacy at CTIA. “While many other companies providing services on the Internet have the ability to see and monetize this encrypted data, ISPs cannot. Different rules for ISPs would only confuse consumers and is not supported by the facts.”