The FCC just passed sweeping new rules to protect your online privacy

"Under the Federal Communications Commission’s new rules, consumers may forbid Internet providers from sharing sensitive personal information, such as app and browsing histories, mobile location data and other information generated while using the Internet . . .

Internet providers and Republican FCC commissioners complained that limiting the data collection of Internet providers gave an unfair advantage to other companies such as Google and Facebook that already make billions of dollars collecting data on users and selling it to advertisers."

New FCC regulations for internet providers now require obtaining subscribers' consent prior to selling data about their online behavior to third-party marketers. Though, it's unclear whether the rules will deter ISPs from continuing to condition the provision of services on user assent in their terms of service or privacy policies. 

Similar to how the EU's General Data Protection Regulation ("GDPR") particularizes user consent as a basis for compliance, the FCC's new rules require ISPs to obtain affirmative "opt-in" consent from consumers to user and share "sensitive" information (e.g., precise geo-location, financial information, health information, children's information, SSNs, web browsing history, app usage and the content of communications).

ISPs will still be allowed to use and share "non-sensitive" information, unless a customer "opts-out." And, some categories of individually identifiable customer information are considered "non-sensitive," such as a user's email address. Still, the rules stipulate that the sharing and use of such information must be "consistent with consumer expectations." Interestingly, it seems here that the FCC is tearing a leaf out of the European Commission's book, since the GDPR, too, requires data controllers to acquire valid user consent in a piecemeal manner, consistent with data subjects' reasonable expectations. To elaborate, the consent must directly refer to the specific purposes for which the data was initially collected. Should the purposes behind collection change, thereby straying beyond the contours of users' reasonable expectations, additional consent will subsequently be required.