ISPs Must Ask Before Collecting Personal Data

John Lister's picture

Internet service providers such as cable companies will no longer be allowed to use or sell personal data about customers without permission. The ban includes details about the sites and apps that a customer uses.

It's part of a new set of rules issued by the Federal Communications Commission (FCC) after a 3-2 vote in favor by commissioners. The rules will be formally published soon, at which point ISPs will have a year to comply, though smaller providers will have a further 12 months after that.

Providers will have to tell customers what data they collect, how they use it, and who if anyone they pass it on to. There's also a new "opt-in" category of particularly sensitive information which providers can't collect or pass on unless customers actively give permission for them to do so.

Finance And Health Data Protected

This opt-in category includes a customer's precise location; information about children, health, finance or social security numbers; details of the sites or apps a customer uses; and the content of any online communication such as emails. (Source:

Providers can't force customers to give permission by threatening to not accept their business unless they do. However, they could put clauses in their terms and conditions that say the customer gives permission, leaving it up to the customer to read the fine print and ask for such clauses to be removed. (Source:

Most other data will fall into an opt-out category which means providers can use and share the data unless the customers tells them not to. There's also a limited category of data which companies can always collect and use such as keeping a record of a customer's contact details to send them bills or market relevant services.

Website Owners Unaffected

The rules don't affect companies that run websites and other online services such as search engines or social media. That's because the FCC only governs Internet service providers, with content providers instead being an issue for the Federal Trade Commission.

Other rules taking effect mean Internet service providers must develop and maintain policies to protect the data they collect against hacking and other breaches. If a breach happens, they'll have a maximum of 30 days to tell customers. If a breach affects at least 5,000 customers, the provider must tell the FCC, the FBI and the Secret Service within seven days.

What's Your Opinion?

Do the rules go far enough? Did the FCC pick the right types of data for the "opt-in" category? Will the rules make much difference considering they don't affect the likes of Facebook and Google?

Rate this article: 
Average: 5 (4 votes)


Dennis Faas's picture

I'm not sure how effective this will be. Google (and other websites) already track users - and they do it very well. Plus, they have a massive tracking network that spans almost the entire Internet, which would make it very difficult to not be tracked.

On the other hand, ISPs help 'fill in the gap' for those who surf anonymously because they can track IP addresses even if users clear their cookies, plus they have gender and age information readily available which can be shared.

With all the info, they then pass it on to other marketing companies, which then (I believe) gets fed back to Google and/or Double Click for the purpose of serving up relevant ads. Based on that, I'm not sure how effective this ISP 'ban on sharing personal data' will be, given that other websites will remain unaffected in their massive IP tracking.

Lastly, I am not sure how the consumer would be able to prove that their ISP is or is not in fact tracking them. It would be virtually impossible, given what I already mentioned.

matt_2058's picture

This looks like something to placate the watchdogs. Really, there's nothing to this ruling. It still allows passing on personally identifying information. That's what needs to stop, otherwise, a computer probably connects the dots before a webpage finishes loading. Major players have 12 months to comply, and small ISPs have even more time? What is so hard about "stop collecting information"?

And I believe you're right on target with trying to prove non-compliance. The only way to prove something like that is to be on the inside and claim whistle-blower status. I can think of half a dozen places I'd like to work...small local put a stop to violations of their own policies(contract with customer) and laws. I know of a contractor using the drivers license database info for their business, not in the performance of state business. Gotta be somewhere inside to prove it.