individually identifiable customer proprietary network informationexcept with the customer's consent or as required by law.
The FCC rule on broadband privacy extended these same requirements to ISPs:Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.
A telecommunications carrier shall disclose customer proprietary network information, upon affirmative written request by the customer, to any person designated by the customer.
The rules require carriers to provide privacy notices that clearly and accurately inform customers; obtain opt-in or opt-out customer approval to use and share sensitive or non-sensitive customer proprietary information, respectively; take reasonable measures to secure customer proprietary information; provide notification to customers, the Commission, and law enforcement in the event of data breaches that could result in harm; not condition provision of service on the surrender of privacy rights; and provide heightened notice and obtain affirmative consent when offering financial incentives in exchange for the right to use a customer's confidential information.
Now that Republicans have repealed this FCC rule, ISPs can sell their customers' browsing history and location data to third parties, mostly advertisers, without their knowledge or consent, which, among other problems, puts broadband customers at greater risk of identity theft.