When the Federal Communications Commission (FCC) voted last Thursday (Oct. 27) to accept new privacy rules for ISPs, the move was heralded by many as an important step forward in U.S. privacy protections. But a closer look at the particulars shows a decision that has so many exceptions \u2014 and and that makes it easy for ISPs to hide customer permission deep within lengthy terms and conditions documents \u2014 it amounts to a big backward step for privacy, one that will likely embolden any ISPs that was inclined to violate privacy anyway.The FCC made changes to the privacy requirements of Section 222 of the Communications Act for broadband ISPs. On the bright side, here\u2019s part of a statement of FCC Commissioner Mignon Clyburn, who voted for these changes: \u201cWhy has this Commission, received more than a quarter of a million filings, of which the vast majority show support for the adoption of strong privacy rules? Because consumers care deeply about their privacy \u2014 and so should we. Ninety-one percent of Americans believe, consumers have lost control of how their personal information is collected, and used by companies. That\u2019s ninety-one percent. With news seemingly breaking every week, about a cyberattack, massive data breaches, and companies collecting and selling customer data to government agencies, that number should come as no surprise to anyone. So when faced with the question, of should I support requiring companies to give consumers more notice, more choice, and more transparency, you hear no double speak from me. Simply put, additional consent here means, that consumers will have more of a say, in how their personal information is used \u2014 and I for one, think that is a good thing.\u201dI applaud the sentiment, but what came forth from the commission will do little to nothing to advance privacy. Yes, ISPs must now get explicit permission from consumers to release their data, but nowhere is there a prohibition on such permission being hidden in a 29-page T&C form that requires a one-click acceptance to begin the ISP service.In short, it\u2019s either \u201caccept this agreement\u201d or get ISP service elsewhere \u2014 which will be hard to do if every major ISP insists on similar language. If the FCC wanted to truly protect privacy, it would have prohibited ISPs from including this opt-in as part of the agreement to provide services \u2014 it should have given consumers the right to reject such data sharing and still retain the right to have broadband service. Alas, that didn\u2019t happen.Here\u2019s how the FCC described the core changes regarding opt-in: \u201cISPs are required to obtain affirmative \u2018opt-in\u2019 consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children\u2019s information, social security numbers, web browsing history, app usage history and the content of communications.\u201dLet me offer a simple layman\u2019s definition of \u201cknowing and affirmative opt-in.\u201d Ten seconds after the consumer signs, ask him about the particulars of the agreement. For example, \u201cDid you just agree that your ISP can sell your email patterns to your bank, your insurance company and your ex-spouse\u2019s lawyer?\u201d If the answers all amount to, \u201cI have no idea. I just clicked the box so I can stream movies,\u201d that was not a knowing and affirmative opt-in.The FCC also created a box of data requiring customers to opt out, should they not want their data shared. \u201cISPs would be allowed to use and share non-sensitive information unless a customer \u2018opts-out.\u2019 All other individually identifiable customer information \u2014 for example, email address or service tier information \u2014 would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.\u201dThe problem with the opt-out area is that there is no requirement for it to be easy to find and to use. And with no such requirement, just how well hidden do you expect your typical ISP to make it?The FCC also pointed out that these changes don\u2019t even impact a lot of the most germane Internet companies. \u201cThe rules do not apply to the privacy practices of web sites and other \u2018edge services\u2019 over which the Federal Trade Commission has authority. The scope of the rules do not include other services of a broadband provider, such as the operation of a social media website, or issues such as government surveillance, encryption or law enforcement.\u201dThat little exception was enough to prompt FCC Commissioner Ajit Pai to dissent from the decision.\u201cPrivacy rules for ISPs are important and necessary, but it is obvious that the more substantial threat for consumers are not the ISPs,\u201d Pai said,\u00a0according to a report in the Consumerist. \u201cCiting recent news stories about Yahoo, Google, Apple, Twitter, and others, Pai complained that regulating ISPs more stringently than those providers \u2018does not make any sense,\u2019 concluding \u2018the cold reality that Americans should remember is this: nothing in these rules will stop edge providers from harvesting and monetizing your data. So if the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move forward to ensure uniform regulations of all companies in the internet ecosystem at the new baseline the FCC has set. And that means the ball is now squarely in the FTC\u2019s court.\u201dPai, while overstating the privacy protections the FCC has delivered, does raise an important issue. But the FCC kicking the ball over to the Federal Trade Commission \u2014 another government commission that is no stranger to toothless regulations \u2014 isn\u2019t going to help.If the U.S. government doesn\u2019t like these practices, then it should ban them. If it wants them to happen only when consumers fully understand them and willingly give their permission, then that permission must be separated from T&C documents, must be short (say fewer than 40 words long) and must be written in plain English. Better yet, ban it entirely unless the customer phones in and requests it on a recorded line.This all said, I think few Americans have fully absorbed how much of their most intimate data is already out there, for sale to any advertiser. If the data is retained somewhere, it can be stolen. Therefore, the opt-in would have to remind consumers that agreeing to this data being retained might also make it available to identity thieves and terrorists.Will these new FCC rules make even an incremental improvement in privacy? To be honest, I doubt it. But that\u2019s not the biggest problem here. With the FCC\u2019s blessing to bury opt-out inside lengthy T&C documents and hide them behind a checkmark, many ISPs are going to be emboldened to push the privacy limit even further. Yes, this incremental move could end up making much worse the problem the FCC ostensibly was trying to solve.