The U.S. Federal Communications Commission has taken a major step toward new regulations requiring ISPs to get customer permission before using or sharing their Web-surfing history and other personal information.

The FCC voted 3-2 Thursday to approve a notice of proposed rule-making, or NPRM, the first step toward passing new regulations, over the objections of the commission’s two Republicans.

The proposed rules, which will now be released for public comment, require ISPs to get opt-in permission from customers if they want to use their personal information for most reasons besides marketing their own products.

Republican Commissioners Ajit Pai and Michael O’Rielly complained that the regulations target Internet service providers but not social networks, video providers and other online services.

“Ironically, selectively burdening ISPs, who are nascent competitors in online advertising, confers a windfall on those who are already winning,” Pai said. “The FCC targets ISPs, and only ISPs, for regulation.”

The proposed rules could prohibit some existing practices, including offering premium services in exchange for targeted advertising, that consumers have already agreed to, O’Rielly added. “The agency knows best and must save consumers from their poor privacy choices,” he said.

But the commission’s three democrats argued that regulations are important because ISPs have an incredible window into their customers’ lives.

ISPs can collect a “treasure trove” of information about a customer, including location, websites visited, and shopping habits, said Commissioner Mignon Clyburn. “I want the ability to determine when and how my ISP uses my personal information.”

Broadband customers would be able to opt out of data collection for marketing and other communications-related services. For all other purposes, including most sharing of personal data with third parties, broadband providers would be required to get customers’ explicit opt-in permission.

The proposal would also require ISPs to notify customers about data breaches, and to notify those directly affected by a breach within 10 days of its discovery.