internet privacy rule

The U.S. Senate voted today to allow internet service providers to sell consumers’ personal information without their consent.
By a vote of 50 – 48, the Senate today approved a measure that would repeal a rule recently put in place by the Federal Communications Commission requiring internet service providers to seek customers’ consent before selling or sharing their personal information to third parties, such as advertisers.
If approved in the House, internet providers could soon be allowed to sell their customers’ most sensitive information – including their browsing history, precise geographic location, details about their health and finances and more – to advertisers, without customers’ consent.
U.S. Sen. Bill Nelson (D-FL), one of the Senate’s most outspoken advocates for consumer privacy, led the charge to block the measure. In a floor speech yesterday, Nelson warned his colleagues that weakening privacy protections would harm consumers.
“We are talking about taking privacy rights away from individuals if we suddenly eliminate this rule,” Nelson said. “This is a gold mine of data, the Holy Grail, so to speak.”
“It is no wonder that broadband providers want to be able to sell this information to the highest bidder without the consumer’s knowledge or consent,” Nelson continued. “And they want to collect and use this information without providing transparency or being held accountable. Is this what you want to inflict upon your constituents in your state by changing this rule about their personal, sensitive privacy?”
The measure, approved today on a party-line vote, now heads to the House of Representatives for consideration.
Below is the text of Nelson’s floor speech yesterday, and here’s a link to watch an excerpt of his remarks: https://youtu.be/8L52XauLvi0.
U.S. Sen. Bill Nelson
Remarks on the Senate Floor
March 22, 2017 

Sen. Nelson: Mr. President, we’re talking about away privacy rights from individuals if we suddenly eliminate this rule.
Do you want a large company that’s an internet provider that has all the information personally sensitive information because of what you have been doing on the internet, do you want that company to be able to use it for commercial purposes without your consent. That’s the issue.
Now, if you want to protect people’s privacy, I would think that you would want to require that an individual who has paid money for the internet provider to provide them with the internet and then you get on that internet and you go to whatever site you want and you do business, you do personal business, you do banking, you go on the internet and you buy things, you talk about your children’s school, about when you’re going to pick up your children, maybe what your children want to wear to school, you want to talk about anything that’s personal on the internet.
Now, do you want that internet provider to have access to that information to be used for commercial purposes without your consent? If you asked that question to the American people, they’re going to give you a big, resounding no.
Now, should the internet provider use that information if you give your consent? Then that’s fair game. If you give your consent so that they can alert you before a certain date that you might want to give a certain gift to your wife at her birthday and they might have all that information, but maybe you don’t want them to have all the information about where your children go to school.
Personally sensitive information is what we’re talking about.
And, therefore, the whole issue here is, do you want the internet provider to be able to use that information without the person’s consent or do you want the person to have to actually effectively opt-in in order to give the internet provider that consent?
To me, this is a clear-cut case of privacy. Now, you can fancy it up, talking about FCC rules and so forth, and we’ve got the author of telecom acts, Senator Markey here is going to talk about this and the protections that were put in for telephones. But then — back then, remember, it was just you call from this number to this number on such and such a day for such and such a period of time. Even that was protected.
But now, just think about this. We’re talking about all the personal transactions that you do every day through the internet.
So, Mr. President, I rise today in opposition to this resolution brought under the Congressional Review Act to disapprove Federal Communications Commission’s broadband consumer privacy rules.
And, Mr. President, I would think that the distinguished senator sitting in the chair, who values privacy, as he does, that this is going to be something that he would be concerned about as well as every other senator in this chamber, because you know if you ask your constituents, do you want your privacy invaded without your consent, you know what the answer is going to be.
Americans care about their online privacy. They want to have control over how their personal information is exploited by third parties. In fact, a recent survey by the PEW Research Center found that 91% of adults — 91% of adults — feel they have lost control of how their personal information is collected and then used.
And that same study found that 74% of Americans believe it is very important that they be in control of who can get information about them. And a majority believe that their travels around the internet — the sites they visit and how long they spend there in that location — is sensitive information that should be protected.
I hope the senators are going to pay attention to this because we’re talking about sensitive personal information.
Do you know that your geolocation is something that you are transmitting over the internet? Do you want that, your location and where you’ve been, do you want that to be in the hands of somebody who could use that for commercial purposes? I don’t think so.
And so that’s why this past October the FCC provided broadband subscribers with tools to allow them to have greater control over how their personal online information is used, is shared and then is sold.
The FCC has been protecting telephone customer privacy for decades and it updated its long-standing privacy protections to protect the privacy of broadband customers.
In fact, it is safe to say that what the FCC did last October was the most comprehensive update to its consumer privacy and data protection rules in decades.
The FCC put in place clear rules that require broadband providers to seek their subscribers’ specific and informed consent before using or sharing sensitive personal information and to give broadband customers the right to opt out of having their non-sensitive information used and shared if they chose to do so.
The FCC also gave broadband subscribers additional confidence in the protection and security of their data by putting in place reasonable data security and breach notification requirements for broadband providers.
Simply put, the FCC decided to put American consumers — each one of us who pay these monthly fees for their broadband service – to put us in the driver’s seat of how our personal online data is used and shared by the broadband provider. That we’ve been paying a monthly fee to use their service. Is that too much to ask? I don’t think so.
And understand, please, that broadband providers know a lot about every one of us.
In fact, it may be startling the picture that your broadband provider can develop about your daily habits and then sell that to the highest bidder.
Your home broadband provider can know when you wake up every day, either by knowing the time each morning that you log onto the internet to check the weather us in news of the morning or through a connected device in your home.
And that provider may know immediately that you’re not feeling well. You kind of feel sick, assuming you peruse the internet like moves us do to get a quick check on your symptoms. In fact, your broadband provider may know more about your health and your reaction to illness than you are willing to share with your doctor.
Think about that. Personal privacy? You let this go to the highest bidder, personal privacy of sensitive information is going to be out the window.
Your home broadband provider can build a profile about your listening and viewing habits, given that moves us today access music, news, video programming over broadband. Your broadband provider may have a better financial picture of you than even your bank or your brokerage firm or your financial advisor because they see every website that you visit across every device in your home and can build a thorough profile about you through these habits.
And if you live in a connected home — the home of the future and the future is now, by the way — if you live in a connected home, they may know even more detail about how you go about your day-to-day activities. Your mobile broadband provider knows how you move about through the day, your geolocation. They know through information about that geolocation and the internet activity, all of that – through guess what? Through this mobile device.
Don’t you think this is connected to the internet? And that’s not to mention the sort of profile that a broadband provider can start to build about our children from their birth.
It’s a gold mine of data. The Holy Grail, so to speak. It is no wonder that broadband providers want to be able to sell this information to the highest bidder without the consumer’s or consent and they want to collect and use this information without providing transparency or being held accountable.
Is this what you want to inflict upon your constituents in your states by changing this rule about their personal sensitive privacy? I don’t think — you better know what you are doing what you vote tomorrow, and this vote is coming about noon tomorrow. You better know.
As a country, we have not stood for this in the past, this kind of free utilization of information by entities that may want to have a unique look at who we are.
We place stringent limits on the use of information by our doctors. We place stringent limits by our banks. And when it comes to our children, I mean, that ought to be off limits.
Broadband providers can build similar profiles about us and in fact many may be able to provide more detail about someone than any one of those entities can. Passing this Senate resolution will take consumers out of the driver’s seat and place the collection and use of their information behind a veil of secrecy, despite rhetoric surrounding our debate today suggesting that eliminating these commonsense rules will better protect consumers’ privacy online or will eliminate consumer confusion.
Don’t fall for that argument, senators.
In fact, the resolution will wipe out thoughtful rules that were the product of months of hard work by the expert agency on regulating communications networks of all kinds. These rules were crafted based upon a thorough record developed through an extensive multi-month rule-making proceeding. The FCC received more than a quarter of a million of filings during this proceeding.
They listened to the American people. The agency received extensive input from stakeholders from all quarters of the debate, from the broadband providers and telephone companies to the public interest groups, and from academics to individual consumers.
And we’re going to wipe all of this away at noon tomorrow with a vote that you can do it by 50 votes in this chamber?
I don’t think this is what the people want.
On top of this, the rules are based on long-standing privacy protections maintained by the FCC for telephone companies. As well as the work of and the principles advocated by the Federal Trade Commission and advocated by state attorneys general and others in protecting consumer privacy.
The FCC rules put in place basic safeguards for consumers’ privacy based on three concepts that are widely accepted as the basis for privacy regulation in the United States and around the world. Notice, choice – individual choice, consumer choice – and security, those three, and they are not the radical proposals that some would have you believe they are.
First, the rules require broadband providers to notify their customers about what types of information it collects about the individual customers when they disclose or permit access to that information and how customers can provide consent to that collection and disclosure.
Secondly, the rules give consumers choice by requiring broadband providers to obtain a customer’s affirmative opt-in — in other words, I give you my consent before you can use or share my sensitive personal information. Sensitive information includes a customer’s — as I mentioned earlier — precise geographic location. I don’t think you want some people to know exactly where you are. Your personal information of health, financial, information about your children, your Social Security number. How many laws do we have protecting Social Security numbers? The content that you have accumulated on the web, web browsing, and application usage information.
For information considered nonsensitive, broadband providers must allow customers to opt out of use and sharing of such information. And broadband providers must provide simple and persistently abatable means for customers to exercise their privacy choices.
And third, broadband providers are required to take reasonable measures to protect customers’ information from unauthorized use, disclosure or access. They must also comply with specific breach notification requirements. In other words, if somebody has busted the internet and stolen all this information from a site, don’t you think that you ought to be notified that your personal information was hacked? Well, that’s one of the requirements.
So then I ask my colleagues what in the world is wrong with requiring broadband providers to give their paying customers clear, understandable and accurate information about what confidential and potentially highly personal information these companies collect, what is wrong about getting their consent to collect that information from their subscribers? What is wrong with telling customers how their information is collected when they use their broadband service? What’s wrong with telling customers with whom they share this sensitive information? What’s wrong with letting customers have a say in how their information is used? What’s wrong with recognizing that information about a consumer’s browsing history and app usage is sensitive and personal information that should be held to a higher standard before it is shared with others? What’s wrong with all that?
What’s wrong with seeking a parent’s consent before information about their children’s activities or location is sold to the highest bidder? Do we as parents not go out of our way to protect our children’s well-being and their privacy?
Trying to overturn this rule is what’s wrong. What’s wrong with protecting consumers from being forced to sign away their privacy rights in order to subscribe to a broadband service? I want your internet service. Have I got to sign away the rights to my private information, my private sensitive information? What’s wrong with making companies take reasonable efforts to safeguard the security of consumers’ data? What’s wrong with making companies notify their subscribers when they have had a breach?
Again, I ask my colleagues what in the world is wrong with giving consumers increased choice, transparency and security online?
Supporters of the joint resolution fail to acknowledge the negative impact that this resolution is going to have on the American people. This legislation is going to wipe away a set of reasonable, commonsense protections, and I want to emphasize that. Is it common sense to protect our personally sensitive private information? Of course it is. But we’re just about in a vote at noon tomorrow, with a majority vote, not a 60-vote threshold, a majority vote here, we’re just about to wipe all of that out.
It will open our internet browsing histories and application usage patterns up to exploitation for commercial purposes by broadband providers and third parties who will line up to buy your information.
It will create a privacy-free zone for broadband companies with no federal regulator having effective tools to set rules of the road for collection, use and sale of that uniquely personal information of yours. It will tie the hands of the FCC because they can’t go back. Once this rule is overturned, they can’t go back and redo this rule. It will tie the hands of the Federal Communications Commission and eliminate the future ability to adopt clear, effective privacy and data security protections for you as a subscriber. And in some cases, even for telephone subscribers.
To be sure, there are those who disagree with the FCC’s broadband consumer privacy rules, and there is an avenue for those complaints. These same companies who are pushing the joint resolution have filed for reconsideration of the rules at the FCC, and there is a judicial system. That is the appropriate way. Go back and get the FCC to amend, if you all are so concerned, or let the judicial system work its will, but don’t do it in one fell swoop in a majority rule here in this body tomorrow at noon.
In fact, the critics of the FCC’s rules have an open proceeding at the FCC in which they can argue on the record with an opportunity for full public participation to change and alter these rules. If the FCC did it, you got a new FCC, a new chairman, a new majority on the FCC, let them be the ones to amend the rules after all the safeguards of the open hearings, of the comment period, all of that.
By contrast, what we are using here to invade our privacy is a blunt congressional instrument called the Congressional Review Act. It means that all aspects of the rules adopted by the FCC must be overturned at once, including changes to the FCC’s telephone privacy rules. It would deny the agency the power to protect consumers’ privacy online, and it would prevent the FCC — get this — prevent them, the FCC, the regulatory body, who now has a new chairman and a new majority, it would prevent the FCC from ever adopting even similar rules. I don’t think that’s what we want to do because it doesn’t make sense, and that’s exactly what we are about to do.
I also want to address the argument that the FCC’s rules are unfair to broadband providers because the same rules do not apply to other companies in the internet ecosystem. Supporters of this resolution will argue that the other entities in the internet ecosystem have access to the same personal information that the broadband providers do. They argue that everyone in the data collection business should be on a level playing field.
Well, I ask my colleagues whether they have asked their constituents that question directly. Do Americans really believe that all persons who hold data about them should be treated the same? I venture to guess that most Americans would agree with the FCC, that companies who are able to build detailed particulars about you and build those particular pictures about your lives through unique insights because of what you do every day in their internet usage, shouldn’t those companies be held to a higher standard?
In addition, the FCC’s rules still allow broadband providers to collect and use their subscriber’s information. The providers merely need to obtain consent from those activities when it comes to their subscribers’ highly sensitive information. The FCC also found that the broadband providers, unlike any other companies in the internet ecosystem, are uniquely able to see every packet of information that a subscriber sends and receives. Every packet of information that you send or receive over the internet while on their networks.
So if you’ve got a provider and they’re on your iPhone and you’re using them, they’re seeing everything. That’s not the case if you go to Google, because Google only sees what you do while you’re on Google. But the internet provider, the pipe that is carrying your information, they see everything that you do.
Supporters of the joint resolution also hold out the superiority of the Federal Trade Commission’s efforts on protecting privacy. They argue that they should only be one privacy cop on the beat. But, folks, that ignores reality. The FTC doesn’t do everything. There are a number of privacy cops on the beat. Congress has given the FCC, the FTC, the FDA, NHTSA regulatory authority to protect consumers’ privacy.
You better get this clear because the FCC is the only agency to which Congress has given statutory authority to adopt rules to protect broadband customers’ privacy. The FTC, the Federal Trade Commission, does not have the rule-making authority in data security, even though commissioners at the FTC have asked Congress for such authority in the past. And given recent court cases, the FTC now faces even more insurmountable legal obstacles to taking actions, protecting broadband consumers’ privacy. So don’t be fooled by this argument that folks are telling you over here that it ought to be the FTC, the Federal Trade Commission.
As many have pointed out, elimination of the FCC’s rules will result in a very wide chasm where broadband and cable companies have no discernible regulation, while internet edge companies abide by the FTC enforcement efforts. And without clear rules of the road, broadband subscribers will have no certainty of choice about how their private information can be used and no protection against its abuse. No protection, my fellow Americans, of your personal, sensitive, private data.
And that’s why this senator supports the FCC’s broadband consumer privacy rules, and I want to encourage my fellow senators, you better examine what you’re about to do to people’s personal privacy before you vote to overturn this rule tomorrow. And I would urge my colleagues to vote against the joint resolution.
Mr. President, I yield floor.