In a recently issued Notice of Proposed Rulemaking, the FCC asked for comments on proposed rules that would apply the traditional privacy requirements of the Communications Act to providers of broadband Internet access services. This proceeding is an outgrowth of the FCC’s decision last year in the Open Internet Order to reclassify broadband as a telecommunications service, subject to certain requirements under Title II of the Communications Act. Specifically, Section 222 of the Act imposes privacy obligations on telecommunications carriers and, in this proceeding, the FCC is considering whether to apply those rules, or other rules that might be more applicable to protect consumers, to providers of Internet access services.
The proposed rules focus on transparency, choice and data security. According to the FCC, adoption of the rules will ensure that consumers (i) have the information needed to understand what data broadband providers are collecting and what they do with that information, (ii) can decide how their information is used, and (iii) are protected against the unauthorized disclosure of their information.
- Transparency. The FCC expects that broadband providers’ privacy policies would include disclosure of what information they collect and for what purpose, what information is shared and with whom, and how consumers can opt in or out of use and sharing of their personal information.
- Choice. The proposed rules allow the use of personal information as needed to provide broadband services and for other purposes that make sense within the context of the service provider-customer relationship. They also allow service providers to use customer personal information to market other communications services unless the consumer opts out of such usage, but require specific opt-in approval from customers before broadband providers can share customer information with third parties that do not offer communications services. The proposed rules include mechanisms to document customer opt-in and opt-out choices and provisions on how to notify customers of privacy policies.
- Data Security. Broadband providers would be required to ensure the security, confidentiality and integrity of any customer information they receive. This would include requirements for regular risk management assessments and training of employees that handle customer information. The NPRM also proposes to require broadband providers to notify affected customers within ten days of the discovery of a data breach that triggers customer notification requirements, and seeks comment on whether broadband providers should also notify customers after discovery of conduct that could reasonably be tied to a breach. Further, the NPRM proposes to require broadband providers to notify the FCC of all data breaches, and to notify other federal law enforcement of breaches that impact more than 5,000 customers. The NPRM proposes to require notification to federal law enforcement within seven days of discovery of such a breach, and three days before notification to the customer, and would allow law enforcement to seek delay of customer notification. Broadband providers would be required to keep records of any data breaches and notifications for a minimum of two years.
The FCC suggested that it broadly wants to protect personally identifiable information, which, in the broadband context, would include any information that is linked or linkable to an individual and is acquired by the service provider in connection with its provision of broadband services. This could include: (1) service plan information, including type of service (e.g., cable, fiber, or mobile), service tier (e.g., speed), pricing, and capacity (e.g., information pertaining to data caps); (2) geo-location; (3) media access control (MAC) addresses and other device identifiers; (4) source and destination Internet Protocol (IP) addresses and domain name information; and (5) traffic statistics. The FCC seeks comments on whether other types of information should also be protected, including port information, application headers, application usage and customer equipment information.
The FCC acknowledged that there are existing state privacy laws that could overlap with the proposed rules. To resolve any conflicts, the proposed rules would preempt state laws that were inconsistent with the FCC’s rules—with the FCC making preemption determinations on a case-by-case basis. In addition, the rules would prohibit broadband providers from conditioning the offering of service, or the continuation of services, on a customer’s agreement to waive privacy rights guaranteed by law or regulation.
The proposed rules, like the Open Internet Order itself, drew dissents from Republican Commissioners Pai and O’Rielly. They question the FCC’s jurisdiction to regulate Internet service providers, suggest that the Federal Trade Commission has established standards and precedents to protect consumer privacy, and question whether any rules can be effective that are not also applied to edge and content providers, such as Netflix and Twitter. The Open Internet Order is currently being appealed in the United States Court of Appeals for the DC Circuit, and a decision is expected within the next three months.
Comments on the proposed rules are due May 27, 2016. Reply Comments are due June 27, 2016.