The head of the Federal Communications Commission on Thursday released a long-awaited proposal to protect consumers’ Internet privacy, but it would not bar any data collection practices.
The plan would require broadband providers to obtain consumer consent, disclose data collection, protect personal information, and report breaches. Broadband providers currently collect consumer data without consent and some use that data for targeted advertising, which has drawn criticism from privacy advocates.
The proposal submitted by FCC chairman Tom Wheeler does not prohibit Internet providers from using or sharing customer data for any purpose. The FCC would not extend the broadband provider privacy rules to sites such as Twitter, Google, or Facebook.
A coalition of groups, including the American Civil Liberties Union and Center for Digital Democracy, has urged the FCC to write sweeping privacy protections for broadband users in the United States.
Jeffrey Chester, executive director of the Center for Digital Democracy, praised the proposal as “a major step forward for the United States, which has lagged behind other countries when it comes to protecting consumer privacy rights.”
The National Cable and Telecommunications Association said it was “disappointed by Chairman Wheeler’s apparent decision to propose prescriptive rules on (Internet service providers) that are at odds with the requirements imposed on other large online entities.” The group said it hopes the FCC will be guided by “facts and not demonstrably false claims and fears.”
The FCC has authority to set privacy rules after it reclassified broadband providers last year as part of new net neutrality regulations. A federal appeals court has not ruled on a court challenge to that decision.
Wheeler’s proposal will go to a vote by the commission at its March 31 meeting. A final vote on new regulations would follow a public comment period during which the FCC is asking for possible “additional or alternative paths to achieve pro-consumer, pro-privacy goals.”
In some cases, broadband providers would be required to get consumers to “opt in.” Providers would need to tell consumers what information is being collected, how it is being used and when it will be shared.
Providers would also be required to protect data under a data security standard. Consumers would need to be notified of breaches of their data no later than 10 days after they were discovered.