FCC Chairman Tom Wheeler has announced that a proposed rulemaking is being circulated among the Commissioners that would establish privacy and data security requirements applicable to providers of broadband Internet access service (BIAS).  The Notice of Proposed Rulemaking (NPRM) itself will not be released to the public until the end of March when it is scheduled for a vote, but Chairman Wheeler released a summary of his proposal on Thursday.

In adopting the Open Internet Order, which reclassified BIAS as a telecommunications service subject to Title II of the Communications Act, the FCC determined that the privacy provisions of Section 222 of the Communications Act that govern how call detail and call record information are used and protected by providers of telecommunications services also would apply to BIAS providers.  The Commission concluded, however, that its rules implementing the privacy provisions of that Title were ill-suited for broadband privacy, and opted to forbear from applying those rules to BIAS providers.  Instead, the Commission stated that it would establish a new privacy framework applicable to BIAS providers, and last week’s announcement represents the start of that process.  

The summary claims that ISPs have “an unobstructed view of all of their [customers] unencrypted online activity,” and that a “consumer’s relationship with her ISP is very different than the one she has with a website or app.”  As with the net neutrality rules adopted in the Open Internet Order, the proposed FCC broadband privacy rules would apply exclusively to providers of BIAS and not to “edge providers” like Amazon and Facebook, online ad networks or others in the broadband ecosystem.  The summary notes that the proposed rules also would not apply to other types of online services offered by a BIAS provider, “such as operation of a social media website.”

BIAS providers have emphasized the importance of avoiding prescriptive rules that could stifle innovation and of harmonizing any new FCC broadband privacy obligations with the Federal Trade Commission’s existing privacy framework.  They maintain that Internet Service Providers do not have unique access to broadband customer data, citing a recent paper published by Georgia Institute of Technology professor Peter Swire titled “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others,” and therefore should not be subject to privacy obligations that differ materially from those applied to others in the broadband ecosystem.

The FCC’s proposal is built on three principles:

  • Choice – consumers have a right to exercise meaningful control over the personal data collected by their broadband provider;
  • Transparency – consumers have a right to accurate disclosures of broadband providers’ privacy practices; and
  • Security – broadband providers have a responsibility to protect consumer data.

The proposed FCC framework would require that:

  • Customer data necessary to provide broadband services (such as billing) and for marketing the types of broadband services purchased by the customer (such as a larger data plan) would not require additional customer consent.
  • Customer data could be used by broadband providers to market other “communications-related services” and could be shared with their affiliates that provide other communications-related services for marketing such services, so long as the providers offer the customer an opt out opportunity.  Any other use or sharing of customer would require “express, affirmative opt-in consent.”
  • Broadband providers must take reasonable steps to safeguard customer information from unauthorized use or disclosure, including risk management practices, employee training, customer authentication requirements, the appointment of a senior manager to oversee privacy, and other practices.
  • Broadband providers would be required to notify customers, the FCC, and potentially the FBI and Secret Service of breach within 7-10 days of discovery.

Several key issues were left unaddressed in the summary, including the scope of broadband customer data covered and the treatment of de-identified information.  More visibility on these issues will likely need to wait until at least March 31 when the FCC holds its next open meeting, and where it is expected to vote on the NPRM.