November 1, 2016
Like other privacy nerds all over the land, I’ve been anxiously awaiting the results of the Federal Communications Commission’s vote on some stringent new privacy rules for internet service providers (ISPs). Last week, we got news that the vote passed, and now it’s time to start taking stock of what this means for digital advertisers, publishers, and the US privacy landscape overall. Here’s what you need to know:
- The opt-in requirement represents a sea change in US privacy management. Until now, the US approach to data collection has largely been opt-OUT oriented. The FCC ruling changes that. The commission is requiring broadband internet access service (BIAS) providers – that is, mobile carriers and ISPs – to gain explicit opt-IN from customers before making those customers’ personal data available for ad targeting. It’s important to note that de-identified data and “non-sensitive” data don’t fall under the opt-in requirement. These data can continue to be shared as they are today, and can be used for the providers’ own business and marketing purposes without the consent requirement.
- Speaking of “sensitive” data… there’s a lot more of it to consider now. Historically, sensitive personal data has been limited to financial data, health data, data about minors, and a few other categories. The new rules broaden the definition significantly to include data that’s become the lifeblood of online advertising:
  - Precise geolocation
  - Web browsing history
  - App usage history
  - The content of the communication
- The rules bake in some other consumer protections, too. For example, ISPs are banned from “take-it-or-leave-it” practices – that is, they can’t refuse service to customers who decide NOT to opt in. The rules also require ISPs to notify consumers about data breaches within 30 days of discovery, an important step for breach remediation and fraud prevention. Finally, tiered pricing models – a cheaper plan in exchange for data collection, for example – aren’t banned under the rules, but they do require heightened disclosure.
- By no means will the ISPs take this lying down. Expect long, protracted legal battles as the BIAS providers file lawsuits against the FCC over the upcoming months. They’ll argue that the order unfairly limits their growth, that it effectively makes so-called edge providers (companies like Google and Facebook) monopolies, and that the rules will create more confusion on the part of consumers, not less. That last argument isn’t likely to hold water, since consumers clearly understand that they pay ISPs for a service, and get services from Facebook and Google for free.
What it means: Privacy is rocking the foundations of global business.
The ruling shines a harsh light on the data practices that have been building up since the early days of the consumer internet. In fact, our 2017 privacy prediction report, published today, highlights six key issues global markets will have to brace for in the coming year:
- Surveillance technology is ubiquitous and getting better. We’ll all become accidental spies, for authorities and for surveillance marketers.
- People who seek better privacy will be able to find it – at a cost.
- Over-aggressive regulation will actually stifle the digital ecosystem, without offering real consumer protections.
- As kids get increasingly “mobile,” the hammer will fall on companies that jeopardize minors’ privacy, inadvertently or otherwise.
- Privacy policies will have to change because regulators and the courts won’t accept heavy-handed use of loopholes and legalese as an excuse for privacy infractions.
- A shortage of privacy professionals qualified to act as CPOs and DPOs under GDPR will create opportunity for vendors to pick up the slack – but only if they shore up their own privacy practices.
As one of several analysts on the Forrester Privacy research team, I encourage you to review our predictions and let us know your thoughts. And, as always, don’t hesitate to reach out to learn more about how we can help your firm prepare for any of these impending changes.