The rules, passed by a 3-2 vote last October, require Internet service providers to obtain consumers’ opt-in consent before drawing on their Web-surfing data or app usage history for ad targeting. The privacy order also imposes other requirements on broadband providers, including provisions regarding data breach notifications and data security.