Federal regulators have approved unprecedented new rules to ensure broadband providers do not abuse their customers' app usage and browsing history, mobile location data and other sensitive personal information generated while using the Internet.
The rules, passed Thursday in a 3-2 vote by the Federal Communications Commission, require Internet providers, such as Comcast and Verizon, to obtain their customers' explicit consent before using or sharing that behavioral data with third parties, such as marketing firms.
Also covered by that requirement are health data, financial information, Social Security numbers and the content of emails and other digital messages. The measure allows the FCC to impose the opt-in rule on other types of information in the future, but certain types of data, such as a customer's IP address and device identifier, are not subject to the opt-in requirement. The rules also force service providers to tell consumers clearly what data they collect and why, as well as to take steps to notify customers of data breaches.
"It's the consumers' information," said FCC Chairman Tom Wheeler. "How it is used should be the consumers' choice. not the choice of some corporate algorithm."
The fresh regulations come as Internet providers race to turn their customers' behavioral data into opportunities to sell targeted advertising. No longer content to be the conduits to websites, social media and online video, broadband companies increasingly view the information they collect on users as they traverse the Web as a source of revenue in itself.
With its move, the FCC is seeking to bring Internet providers' conduct in line with that of traditional telephone companies that have historically obeyed strict prohibitions on the unauthorized use or sale of call data.
But the Internet era has brought new challenges, in some cases creating different categories of personal information - and ways to use it - that did not exist in the telephone era. And as the line increasingly blurs between traditional network operators and online content companies, regulators have struggled to keep pace.
For example, Verizon's acquisitions of AOL and Yahoo are both aimed at monetizing Internet usage beyond the straightforward sale of broadband access. With greater insights into customer behavior, the company could market additional services or content to its wireless subscribers as part of a bundle, policy analysts say. That arrangement could allow Verizon to effectively earn money twice from the same subscriber - once for the data plan, and then again when the customer consumes Verizon-affiliated content.
Although Thursday's vote by the FCC requires companies, such as Verizon, to obtain explicit permission from consumers when it shares sensitive personal data with outside firms, it does not require broadband providers to ask permission before using the data themselves.
For instance, Verizon would be able to use a wireless subscriber's usage history to recommend purchasing a larger mobile data plan. It could also use the customer's information to market its home Internet service, Verizon FiOS, even though FiOS is a separate product operated by a different part of the company. In neither case would Verizon have to ask for the subscriber's affirmative consent.
But Verizon would have to allow consumers the chance to opt out of having their usage history shared with other Verizon businesses that do not sell communications services, such as AOL or Yahoo, according to the rules.
Consumer advocates say it's a step in the right direction, even if they would have preferred stricter requirements.
"It's not so far off the mark that it guts the provision," said Harold Feld, a senior vice president at the consumer advocacy group Public Knowledge. "It still provides sufficient protections for consumers to regard this as a positive step."
The FCC measure received some pushback from telecom providers in the run-up to the vote, over complaints that telecom companies would now be treated differently from websites, such as Google and Facebook, which also use personal data for advertising purposes on a tremendous scale.
"There is no sound reason to subject broadband providers to a different set of rules than other Internet companies," wrote AT&T in a regulatory filing last week. "This would ... deny broadband providers the same opportunity other Internet companies have to participate in the fast-growing digital advertising market."
But the FCC may have little jurisdiction - or appetite - for regulating the data practices of individual Web companies; Wheeler has repeatedly declined to extend new regulations to the sector.
Republican officials at the FCC opposed the new privacy rules, saying the different expectations for Internet providers and websites will create confusion among consumers.
"If the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move forward to ensure uniform regulation of all companies in the Internet ecosystem at the new baseline the FCC has set," said FCC Commissioner Ajit Pai, who suggested that the Federal Trade Commission could accomplish the task.