Last week, the Federal Communications Commission (FCC) approved new privacy rules for ISPs which, on the face of it at least, look to be a big boost for online privacy in the USA.
The new rules, which were passed by the FCC by a margin of 3 votes to 2, stipulate the opt-in and opt-out requirements customers can expect for the use of their online data.
They define certain data as sensitive, including exact geo-location, Social Security numbers, Web browsing history, communications content, health data, financial data, and any information related to children. ISPs are unable to use any of this data without people opting in to say they are happy for them to do so.
The new rules also give users the ability to opt out of allowing their ISP to use various other types of data they hold, including email addresses and the types of services being used online.
The ISPs themselves will have to provide “clear, conspicuous and persistent notice” about the data they are collecting and using. They will also need to adhere to “reasonable” data security practices, including notifying the authorities if they fall victim to a cyber-attack which compromises data.
The rules are due to take effect within the next 90 days, while the new rules governing the handling of data breaches must be implemented within six months.
On the face of it, that all sounds pretty good and sensible. But dig a little deeper, as many privacy advocates are now doing, and the positive picture becomes a little more distorted.
The main problem is with how ISPs are able to get their customers to opt in. There is no detail of this in the new ISP rules, and that is a very significant oversight.
Firstly, it means that there is absolutely nothing to stop the ISPs burying the opt-in in their terms and conditions. We have all been presented with terms and conditions when signing up for an online service, and the overwhelming majority of us will just agree to them with a single click, rather than read and understand them.
This means ISPs are simply going to obtain an opt-in by stealth. But the problem runs deeper too, because if you don’t agree to terms and conditions, then usually you are unable to use the service they relate to. So what this amounts to is that users are likely to be told: opt in, or go and find another ISP.
The omission of specific rules about how the opt-in must be delivered is significant and is likely to render that element of the new rules next to meaningless.
There is a similar problem with the opt-out rules too. In this case, there is no detail about where and how prominent this option should be. The likelihood is that most ISPs will hide the option to stop all but the most persistent privacy-conscious user from finding it.
Then there is the discussion which is currently taking place over the scope of the rules. Because, while new rules governing how ISPs can use your data are essentially welcome, ISPs are far from the most significant threat to customer data privacy.
These rules are not being applied to websites and other online services, even though the FCC does have the authority over those areas. This omission was the reason for at least one of the dissenting votes from the FCC Commissioners, that of Ajit Pai.
He has said that this issue now passes over to the Federal Trade Commission (FTC), but are they likely to achieve stronger regulation? Their record suggests not.
All of which leaves US citizens in a confused position. On the one hand, the Government has shown a willingness to listen to public opinion about the importance of online privacy. But on the other hand, they have proved themselves incapable of passing regulations which actually do something to protect it.
And with commentators now speculating that the new rules could even have a counter-effect, and encourage ISPs to make more use of user data, with the security of hidden opt-ins and opt-outs to fall back on, the actual privacy situation in the US could even deteriorate still further as a result of the FCC’s ill-thought-through and toothless regulations.