Little seems to be standing in the way of Comcast, Verizon, and other internet service providers selling your personal information without your permission after the Federal Communications Commission took a first step toward delaying its own rules protecting consumer privacy and security.
Last October the agency passed a set of rules that would have required internet providers to take new steps to protect your private data from hackers. That same regulatory package would have required ISPs to notify you if someone hacked your data and to get your active permission before selling your data. The FCC suspended the data security rules from that package that would have taken effect Thursday1.
The FCC and the Federal Trade Commission, which regulates the privacy and security practices of websites like Google and Facebook, also issued a joint statement that signaled a seeming intention to jettison the privacy rules as well before they take effect later this year. (Neither agency responded to a request for comment.)
"The Federal Communications Commission and the Federal Trade Commission are committed to protecting the online privacy of American consumers," FCC chairman Ajit Pai and FTC chairman Maureen K. Ohlhausen said. "We believe that the best way to do that is through a comprehensive and consistent framework."
Ajit Pai, chairman of the FCC, has opposed the rules all along, saying he believes websites and internet providers should follow similar privacy and security practices. He contends that multiple sets of rules will lead to confusion among consumers. The upshot for consumers: Your internet provider has less obligation now than it would have to protect you from hackers. And providers seem to be facing few legal roadblocks standing in the way of selling your personal data to advertisers.
Rather than spelling out specific steps that internet providers should follow to protect customer data, last year's privacy and security order called for internet providers to provide "reasonable data security." The order made it clear that internet providers wouldn't be held liable for all data breaches and provided some guidance that it described as consistent with the Federal Trade Commission's privacy rules. It also suggested that providers look to other privacy laws, such as the the Health Insurance Portability and Accountability Act (HIPAA). Industry groups objected, claiming the FCC's new rules were too vague and inconsistent with the FTC's regulations.
Protecting internet privacy has also traditionally fallen to the FTC. But in 2015, the FCC reclassified internet providers as utility-like "common carriers," a change that enabled the agency to enforce net neutrality rules banning internet providers from discriminating against or favoring particular websites or apps. Last year as result of a lawsuit filed by AT&T, a federal court decided that because internet providers now qualify as common carriers, the FTC no longer has authority over them. Responsibility for regulating how internet access providers manage privacy instead fell to the FCC, while the way websites like Facebook and Google manage privacy remained the FTC's responsibility.
Shortly after the court's decision, the FCC set about creating a set of stricter privacy rules. The biggest and most controversial difference between the FCC's newer rules and the FTC's rules was the ban on selling customer data without your permission, set to take effect as early as December. Your internet provider has a view of your most intimate online activities. Although Google uses encryption to prevent prying eyes from seeing your online searches, your internet provider can see what websites you visit, when you visit them, and how much time you spend there.
In 2012, Verizon began tracking its wireless customers' activities across the internet. It then used that data to target ads on the various sites it owns, such as the Huffington Post. Eventually the company gave customers the option to opt out of that tracking, and later it limited tracking your behavior on Verizon-owned sites only. The FCC's newer rules would ban Verizon or any other provider from similar data collecting without getting customers' permission, unless the Congress or the FCC delay or overturn them before they go into effect.
Pre-existing FCC rules already ban providers from tracking customers without at least notifying them, but unless the new, more stringent rules take hold, telcos will have much more freedom to sell your data. Regulations letting both internet access providers and websites sell your data may be consistent. But that doesn't mean they make sense.
1Correction (March 2, 2017, 10:37 AM: An earlier version of this story incorrectly stated that the FCC had suspended the entire online privacy order. The stay applies only to the data security guidelines set to take effect Thursday.
