The rules, passed in a 3-2 vote, were vigorously opposed by internet providers, including clauses that allow them to use such data only if consumers “opt-in.” Another flashpoint was over just what data falls under the new requirements, as it defines sensitive data to include browsing, geo-location and app usage, in addition to things such as financial information and personal data like Social Security numbers.
Commissioners Ajit Pai and Michael O’Rielly opposed the move. O’Rielly even concluded that the FCC lacked authority to adopt the rules.
FCC chairman Tom Wheeler called the criticisms “Halloween-style scares and fears and hypotheses.”
“What this item does is to say that the consumer has the right to make a decision about how her or his information is used,” he said.
He said that what the FCC was doing was a “common sense step to move forward to protect internet privacy.”
“Before today there were no protections,” he said, adding that they were extending to the internet the same concepts that they have extended to the telephone network.
Another issue is in the scope of the rules. Opponents, including Pai and O’Rielly, said that it saddles ISPs with a set of more onerous rules than those imposed on websites, which have to comply with privacy rules imposed by the Federal Trade Commission. They have generally had a narrower definition of what requires consumer consent, including thing like health and financial information.
The rules also require that Internet providers disclose how Internet providers use consumer information, and to identify the types of entities with which they share the data. They also set out guidelines for what Internet providers are required to do in the event of a data breach.
The rules did not address mandatory arbitration clauses in user agreements with consumers. That will be part of another proceeding.