With S.J. Res. 34, Congress Allows Internet Providers to Sell Your Browsing History - Truth! & Misleading!
Summary of eRumor:
Congress has approved S.J. Res. 34, which would repeal an Obama-era internet privacy rule that prevented Internet service providers (ISPs) from selling customers’ browsing data.
The Truth:
The House and the Senate have both approved S.J. Res. 34 to repeal an Obama-era internet privacy rule that would have prevented Internet providers from selling their customers’ browsing data to outside firms, including those that make targeted online ads.
However, this rumor is also somewhat misleading given that it implies that internet providers mining or selling your browsing history is a new development. In reality, the rule was published in the Federal Register in December 2016 and never went fully into effect. But S.J. Res. 34 marks a major shift away from internet privacy in federal policies, which is a big deal.
In making the internet privacy rule, the Federal Communications Commission (FCC) essentially applied “common carrier” privacy provisions of the Communications Act of 1934 to broadband internet providers. That means internet service providers wouldn’t have been able to monitor, mine, or sell customers’ personal browsing data, app usage, and geolocation information unless a customer gave them permission to by “opting in.” The summary of the rule, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” states:
Today we adopt rules protecting the privacy of broadband customers. We also revise our current rules to harmonize our rules for all telecommunications carriers. In this Order, we first offer some background, explaining the need for these rules, and then discuss the scope of the rules we adopt. In discussing the scope of the rules, we define “telecommunications carriers” that are subject to our rules and the “customers” those rules are designed to protect. We also define the information protected under section 222 as customer proprietary information (customer PI). We include within the definition of customer PI three types of information collected by telecommunications carriers through their provision of broadband or other telecommunications services that are not mutually exclusive: (i) Individually identifiable Customer Proprietary Network Information (CPNI) as defined in section 222(h); (ii) personally identifiable information (PII); and (iii) content of communications. We also adopt and explain our multi-part approach to determining whether data has been properly de-identified and is therefore not subject to the customer choice regime we adopt for customer PI.
The rule required internet providers to get “opt-in approval” from customers for the use and sharing of sensitive personal information, and “opt-out approval” enabling private internet users to opt out of personal information sharing. Additionally, the rule established requirements for customer notifications in the event of data breaches, including how they’re informed, the timeline, and follow-up steps.
Congress used a rule repeal process outlined under the Congressional Review Act (CRA) of 1996 to begin the repeal process with approval of S.J. Res. 34. President Trump has to sign S.J. Res. 34 in order to complete the rule’s repeal, and the White House has indicated that it supports the repeal effort.
This has led some customers to question why internet providers are eager to mine and sell the personal browsing data of their customers. The simple answer is money. Platforms like Facebook and Google already make billions of dollars from selling personal usage and search history data to outside firms that often use it to make ads that are custom-tailored to users’ interests.