New FCC rules mean broadband providers can’t track or share a customer’s online activity without permission. But the rules have some major shortcomings, not least that they don’t apply to online services.

Under the new rules, Internet service providers must:

• get prior permission from customers (ie an opt-in system) to use or share a range of sensitive information including location, health details, financial details, browsing history, message content and app usage;
• stop using or sharing any other data (except that specifically required for providing service) if a customer requests it (ie an opt-out system);
• tell customers within 30 days of discovering a data security breach and tell the FCC, FBI and Secret Service within 7 days of a breach affecting at least 5,000 customers.

One obvious limitation is that providers can bury away a permission clause in service terms and conditions, though providers can’t refuse to deal with a customer just because they refuse to agree to such a clause. Another is that the measure doesn’t affect the likes of Google or Facebook as these aren’t under the FCC’s authority.