Tom Wheeler, the chairman of the Federal Communications Commission, has proposed what could become the largest and most stringent set of privacy regulations on the US technology industry to date.

The rules, if passed, will prohibit Internet service providers from selling customer data without consumers' prior consent and limit the kinds of products Internet providers can market to customers based their online activity. Wheeler's announcement comes even as consumer privacy dominates the news with a courtroom battle over whether the government can compel Apple to help crack the encryption on a customer’s phone to advance a terrorism investigation.

Wheeler appears to think the government has a role to play in protecting user privacy, stating in a blogpost on Thursday that FCC regulations "limit your phone company's ability to repurpose and resell what it learns about your phone activity. The same should be true for information collected by your ISP."

New rules

According to the FCC's fact sheet, the proposed rules will prohibit service providers from providing or selling user data to third parties like advertisers and data brokers without a customer's explicit opt-in consent. Internet providers will, however, be allowed to leverage subscriber data “with their affiliates that provide communications-related services." In other words, if you’re an AT&T broadband subscriber, the telecom could target you with advertising for AT&T affiliate mobile products, “unless the customer affirmatively opts out.” Just what that opt-in process looks like remains unclear. Right now companies routinely acquire consent by having users quickly agree to unread terms of service contracts.

“Internet providers have to collect some data to provide you Internet service,” says Gaurav Laroia, an attorney with the advocacy group Free Press. “They need to know the IP address of the sites you’re visiting in order to route that traffic. The rule that the FCC is proposing is going to be on the scope of the use of that data."

AT&T, which sells subscriber data and rolled out a service at the beginning of 2015 that charges customers to opt-out of data tracking, opposes the new rules. "Given the realities of this complex market, there is no basis for treating ISP data as somehow 'proprietary' or subjecting ISPs to unique privacy requirements,” wrote Bob Quin, AT&T vice president of federal regulatory affairs in a blogpost opposing the proposal.

Tackling privacy

Data privacy is typically considered the domain of the Federal Trade Commission. Yet the FTC’s treatment of how companies handle or mishandle customer privacy has largely taken the shape of issuing fines for harming or misleading customers. That's what the FCC had largely done in its forays into examining consumer privacy, too, until now. Now it wants to use its ability craft rules to address the issue more sustainably.

The FCC’s authority to regulate how Internet providers handle user data was clarified after the commission moved to reclassify the Internet under the same set of network neutrality rules that apply to legacy phone companies. That happened after it hosted a very public debate on the topic, during which a record breaking five million people commented on the agency’s official proceeding.

Most of those comments were negative, which led the commission to rewrite its proposal to be more in line with public opinion. “This time around I don’t know if millions of people will write in, but as with SOPA and with net neutrality, the reason we got so many people active is that we were actually losing at first,” said Matt Wood, legal counsel at Free Press. “It seems that they’re starting at a much better place then they were on net neutrality.”

The proposed privacy rules will be released at the open commission meeting on March 31, after which the FCC will solicit public opinion on the proposal. If they are as strong as Wheeler suggests they will be, the agency may very well enact the strongest consumer privacy protections in the U.S. since the Snowden disclosures in 2013.