The Federal Communications Commission on Thursday unveiled a long-awaited proposal for regulating how broadband Internet service providers can use and share their customers’ information.

The three main components of FCC Chairman Tom Wheeler‘s proposed rules—which the commission will consider during its March 31 open meeting—involve ISPs’ use of customer data, their protection of that data from theft, and their obligations in the event of a data breach.

Under the rules, ISPs will be allowed to freely use only the customer data necessary for them to provide or market their services, such as a customer’s address for the purpose of mailing them their monthly Internet bill.

Customers can opt out of a second category of activity, in which their ISP uses their data to market its other services to them or shares that data with its affiliates to let affiliates can market their services. For example, Verizon could share its home broadband customers’ data with its Verizon Wireless subsidiary to let the wireless division market cellphone service to them.

“Consumers should have effective control over how their personal information is used and shared by their broadband service providers.”

ISPs must affirmatively seek permission from customers to use their data for any other purpose.

On a conference call with reporters, a senior FCC official argued that privacy rules for broadband companies had lagged behind technological development in recent years. “That is a gap the Chairman believes must be closed,” the official said.

The rules would require ISPs to “take reasonable steps” to protect customer data from theft, although what form those steps will take remains to be seen. An FCC fact sheet mentioned “risk management practices” and “strong customer authentication requirements.”

If hackers break into an ISP’s network and steal customer data, that company would have to notify affected customers within 10 days of discovering the breach and notify the FCC within seven days.

For breaches affecting more than 5,000 customers, the company would also have to tell the Federal Bureau of Investigation and the U.S. Secret Service, which typically investigate such incidents, within seven days.

The rules do not prohibit any specific uses of data, instead emphasizing customer authorization as the main safeguard.

Consumer advocates praised the proposal after its release, while industry groups called it worrisome and unnecessary.

“We applaud the Chairman for taking a decisive step to protect consumers,” Meredith Rose, a staff attorney at Public Knowledge, said in a statement. “This is an issue which touches the life of every connected consumer, and we are pleased to see the Chairman taking a stand on such a critical topic. ”

Gaurav Laroia, a policy counsel at Free Press, added in a statement, “Congress was wise to require that the FCC maintain special privacy protections for customers of all common carriers. It’s crucial for the FCC to modernize these protections and apply them to broadband.”

Sen. Ed Markey (D-Mass.), a longtime consumer advocate on the Senate Commerce Committee, which has jurisdiction over the FCC, praised Wheeler for introducing the rules, saying in a statement, “Internet service providers have a duty to protect the privacy of consumers who use the company’s wired and wireless infrastructure to connect to the world.”

But the Information Technology and Innovation Foundation called the rulemaking effort “misguided,” and Berin Szoka, president of the libertarian group TechFreedom, said in a statement that the FCC was ‘“solving’ a problem entirely of its own making.”

A senior FCC official told reporters on Thursday that the proposal “looks to the best practices of companies,” to existing data-protection laws, and to the enforcement activities of the Federal Trade Commission.

If the commission adopts the rule at its March open meeting, the public will then have several months to comment on the “Notice of Proposed Rulemaking,” during which time they can suggest how the rules should be crafted.

One question is whether, in addition to distinctions based on how data is used, there should be special rules for special kinds of data, like geolocation data produced by smartphones’ GPS sensors. A senior FCC official said that this was the kind of question on which the commission sought public comment.

While the goal is for the final rules to cover both fixed and mobile broadband providers, they may include provisions—such as protections for GPS data—that only apply to mobile network operators.

Another question is whether the rules should be written to specifically ban ISP programs that charge customers more money if they don’t opt into certain data collection. AT&T currently charges customers $29 per month if they don’t want to let the company scan their Internet traffic.

Asked about the AT&T program, a senior FFC official would only say that the agency sought comment on whether certain practices “raise specific concerns.”

“While broadband providers no doubt care about the privacy of their customers, there is also great financial incentive for them to collect and share customer information,” an FCC official said. “Consumers should have effective control over how their personal information is used and shared by their broadband service providers.”

Correction: The FCC’s March meeting will take place on March 31.

Illustration via Max Fleishman