The Federal Communications Commission today imposed new privacy rules on Internet service providers, and the Commission said it has begun working on rules that could limit the use of mandatory arbitration clauses in the contracts customers sign with ISPs.

The new privacy rules require ISPs to get opt-in consent from consumers before sharing Web browsing data and other private information with advertisers and other third parties. The rules apply both to home Internet service providers like Comcast and mobile data carriers like Verizon Wireless. The commission's Democratic majority ensured the rules' passage in a 3-2 vote, with Republicans dissenting.

Democratic Commissioner Mignon Clyburn was disappointed that the rules passed today did not include any action on mandatory arbitration clauses that prevent consumers from suing ISPs. But Chairman Tom Wheeler said that issue will be addressed in a separate rulemaking.

"As my colleagues have said, the time has also come to address another important consumer issue and that is the harmful impact of mandatory arbitration requirements that are imposed in the contracts of communications service providers," Wheeler said during today's FCC meeting. "To address this issue comprehensively, we have begun an internal process that is designed to produce a Notice of Proposed Rulemaking (NPRM) on this very important issue no later than February 2017."

That means the mandatory arbitration rulemaking would stretch into the next presidential administration and perhaps even after Wheeler's term as chairman, though it could still move forward if Democrats retain the White House. An NPRM would kick off a public comment period and result in final rules before the end of 2017.

In the case of privacy rules, the FCC passed the NPRM in March and the final rules today. Clyburn argued that the FCC could have imposed mandatory arbitration restrictions today, because the privacy NPRM sought public comment about whether to ban mandatory arbitration.

"In this privacy proceeding, we provided notice, we developed a record, and had an opportunity to give relief to millions of consumers nationwide, including the 99.9 percent of mobile wireless customers, who are forced to give up their day in court when they sign up for connectivity," Clyburn said. "In a rulemaking about transparent notice and choice to consumers for their privacy, I believe it is a natural fit, to ensure transparent notice and choice, in the context of dispute resolution."

“It is the consumer's information”

ISPs lobbied against the privacy rules, and Republican Commissioners Ajit Pai and Michael O'Rielly largely agreed with the ISPs' position. Internet providers shouldn't face stricter rules than websites like Google and Facebook, which are regulated separately by the Federal Trade Commission, they said.

Wheeler argues that ISPs are uniquely capable of collecting consumers' Internet traffic because they can monitor everything that goes over the connection and because it is difficult for customers to switch ISPs.

"It is the consumer's information, it is not the information of the network the consumer hires to deliver that information," Wheeler said. "What this item does is to say that the consumer has the right to make a decision about how her or his information is used."

Industry groups and ISPs could sue in an effort to stop the rules. Cable lobby group NCTA—The Internet & Television Association today said, "there is no lawful, factual or sound policy basis to justify a discriminatory approach that treats ISPs differently from some of the largest companies in the Internet ecosystem that engage in similar practices but operate under different regulatory standards."

Under the FCC rules, ISPs that want to share consumer data with third parties such as advertisers must obtain opt-in consent for the most sensitive information and give customers the ability to opt out of sharing less sensitive information. Here's how the FCC describes the new opt-in and opt-out requirements:

Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, Social Security numbers, Web browsing history, app usage history, and the content of communications.

Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information—for example, e-mail address or service tier information—would be considered non-sensitive, and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.

Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

ISPs must clearly notify customers about the types of information they collect, specify how they use and share the information, and identify the types of entities they share the information with.

No ban on pay-for-privacy

The rules do not ban controversial "pay-for-privacy" schemes that give customers less privacy unless they pay more. The most prominent example of such schemes was AT&T's Internet Preferences targeted ads program, which provided lower prices when customers agreed to have their Internet behavior tracked. AT&T recently ended that program.

Though pay-for-privacy plans will be allowed, ISPs will have to follow "heightened disclosure" rules for those programs so that consumers know more about how their data is used. The FCC said it will also "determine on a case-by-case basis the legitimacy of programs that relate service price to privacy protections. Consumers should not be forced to choose between paying inflated prices and maintaining their privacy."

ISPs will not be allowed to have "take-it-or-leave-it" offers, "meaning that an ISP can’t refuse to serve customers who don’t consent to the use and sharing of their information for commercial purposes," the FCC said.

There are also rules for "de-identified information" that isn't associated with specific consumers or devices. ISPs that want to use such data must "alter the customer information so that it can’t be reasonably linked to a specific individual or device," and when sharing data with third parties they must "contractually prohibit the re-identification of shared information."

ISPs with at least 100,000 customers will have 12 months after rules are published in the Federal Register to comply with the customer notice and choice requirements, while ISPs with fewer than 100,000 customers will be given an extra 12 months. ISPs will have 90 days to comply with new data security requirements and six months to comply with new data breach notification requirements.

On security, the FCC rules "require ISPs to take reasonable measures to protect customer data," but do not dictate which exact measures they should adopt.

For data breaches, ISPs will have to notify affected consumers within 30 days "after reasonable determination of the breach." For data breaches affecting at least 5,000 customers, ISPs must notify the FBI, Secret Service, and FCC within seven business days. For data breaches affecting fewer than 5,000 customers, ISPs must notify the FCC at the same time they notify consumers.