Today, the FCC formally adopted on a 3-2 party-line vote an order that enacts a new privacy and security regime for Internet service providers (ISPs). While it may be several days before the official order and the text of the rules is released, the FCC has published an updated fact sheet describing key elements of the rules. In this post, we summarize the changes to the fact sheet and provide first-impression takeaways from the open meeting.

Today’s developments did little to assuage fears that the Commission’s proposed rules, based upon a false premise of ISPs acting as “gatekeepers” of consumer data, will submit ISPs to more burdensome regulations than other actors in the Internet ecosystem. Although edge providers remain free from these new constraints at this time, the risk that other regulators may extend these same principles to edge providers in the near future remains a real possibility.

New Details Revealed

During today’s open meeting, FCC staff presented an oral summary of the new rules. This overview, along with the updated fact sheet, confirms that the FCC has retained key elements of the rules first proposed in its Notice of Proposed Rulemaking that initiated the process leading up to today’s vote. Several significant additions to these rules were revealed today, including:

Implementation Deadlines. ISPs will have a relatively short time to comply with the rules after they are published in the Federal Register:

  • 90 days to comply with data security requirements;
  • 6 months to comply with data breach notification requirements; and
  • 12 months to comply with notice and choice requirements (smaller providers have an additional 12 months).

Choice. The activities for which inferred consent from the consumer is required now include:

  • use and sharing of non-sensitive information to provide and market services and equipment typically marketed with customer’s broadband service; and
  • providing broadband service; billing and collecting for that service; and protecting the broadband provider and its customers from fraudulent use of the provider’s network.

This list reflects an important change in the FCC’s position: first party marketing (i.e. marketing by the ISP directly to the consumer) is now explicitly permitted with respect to services “typically marketed with the broadband service subscribed to by the customer.” At the very least, subject to the language of the order, we interpret this to mean that ISPs are permitted to market bundled services using non-sensitive information.

Data Breach. The FCC has modified the trigger for the 30-day deadline to notify customers of a breach.

Now, ISPs will be required to notify customers within 30 days after “reasonable determination of a breach”—not 30 days after discovery. Furthermore, the notification requirements are now differentiated based on the size of the breach. If more than 5,000 customers are affected, ISPs must notify the FBI, Secret Service, and FCC within 7 business days, while if fewer than 5,000 customers are affected, ISPs must notify only the FCC, and may do so at the same time that customers are notified.

Thus, while the timeframe for notifying consumers has been somewhat relaxed, an ISP will have to notify consumers and report to authorities all breaches of both sensitive and non-sensitive information, unless it determines that no harm is reasonably likely to occur.

Harmonization of Broadband and Voice Rules. The FCC revealed that the new privacy rules will apply to voice services, thereby treating call detail record information as sensitive within the context of voice service offerings.

Arbitration. There had been some concern that this order would include a ban on ISPs using mandatory arbitration clauses in subscriber service agreements. Commissioner Clyburn reiterated at the meeting that she believes requiring consumers to forego judicial proceedings and instead arbitrate is anti-consumer. The updated fact sheet indicates the FCC will proceed by separate rulemaking in February to address the use of mandatory arbitration clauses.

First-Impression Takeaways

While we’re still waiting for the full text of the rules, it’s already clear that these rules are game-changing.

The FTC May Change Its Privacy Framework. In her remarks, Commissioner Clyburn noted that the FCC made “some tweaks” to the Federal Trade Commission’s (FTC) privacy framework to account both for the “unique position” of broadband providers, as well as to account for the “new era.” Similarly, Commissioner Rosenworcel noted that, to the extent there are differences from the FTC framework, we must “face facts, we are dealing with old laws, new technologies and hard choices about existing regulatory regimes.” The FCC’s conscious decision to create a different standard for ISPs likely will have repercussions across a range of Internet-adjacent industries, especially edge providers. Commissioner Pai explained that, although the FCC has specifically disclaimed authority over edge providers, it is “intentionally setting itself on a course collision [with the FTC] with the intention to up the burdens on edge providers and technology companies.” In other words, the standard the FCC created for ISPs today could prompt the FTC to reevaluate its stance on “sensitive” categories of information.

The Questionable Basis for Singling Out ISPs. To tout the positive benefits of the new rules to consumers, Chairman Wheeler used the example of a smart refrigerator that can analyze how much and what type of food a consumer has. He claimed that, when the refrigerator sends that data to the customer, the ISP also knows what’s in its customer’s refrigerator and implied that the FCC’s rules would protect a customer in that situation. This claim tracks the Chairman’s earlier writings about the ubiquity and power of ISP’s position, as well as others’ claims that ISPs act as “gatekeepers” with a “unique window into our private lives.” This focus on the ISPs’ role, however, ignores the role of the ultimate destination of the data sent by a smart refrigerator and other connected devices, the manufacturer, cloud provider, or other edge provider that receives, processes, and shares that information. This is only one example of the interconnectedness of the Internet, where ISPs, advertisers, content providers, service providers, and many others all have access to consumer data. In such an environment, a regulatory regime that singles out ISPs as the sole player subject to a uniquely heightened regulatory regime seems untenable and untethered from the real world.