On March 31, 2016, the Federal Communications Commission (FCC) issued a Notice of Proposed Rulemaking (NPRM) of privacy and security regulations for Internet service providers (ISPs). The NPRM, In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, is intended to apply the privacy requirements of the federal Communications Act (Act) to broadband Internet access services (BIAS). The FCC issued the NPRM under authority stemming from the 2015 Open Internet Order, which applies Section 222 of the Act to BIAS providers. The proposal makes some material changes to the way the FCC addresses privacy and data security for more traditional telecoms, such as landline phone service providers, but retains much of the same approach. It redefines customer proprietary information to be protected by BIAS providers, institutes opt-in/opt-out provisions for data use, defines and limits the use and sharing of aggregate data, suggests data security standards for BIAS providers, and sets forth a new data breach definition and new notification requirements. Throughout the NPRM, the FCC struggles with whether to require third parties of BIAS providers to follow the same regulations as BIAS providers, for example whether third parties must follow the BIAS providers’ breach notification requirements and whether BIAS providers should be held vicariously liable for the privacy failures of third parties. Defining the relationship between BIAS providers and affiliates proves similarly difficult when the FCC discusses data security regulations and limits on the use, sharing, or disclosure of customer proprietary information.
Although the FCC repeatedly references comments and data from the Federal Trade Commission (FTC), its approach to regulating ISPs is an entirely different framework, one that bears more resemblance to the Health Insurance Portability and Accountability Act (HIPAA) than to the FTC’s approach to regulating online services. Where the FTC primarily allows online services to follow self-regulatory standards, the FCC expressly states its concern that BIAS providers see a much greater flow of customer proprietary information (customer PI) than other online services such as websites and even edge networks (e.g., Facebook), and that this information is not necessarily provided knowingly or willingly. For these reasons, the FCC is approaching data security and privacy in a more hands-on and detailed manner.
It is worth noting that the Commission was far from unanimous, with Commissioners Pai and O’Rielly dissenting. Commissioner O’Rielly blasted the NPRM, writing in his dissent that regulating only one part of the Internet economy (i.e., ISPs but not edge networks) would “hamstring competition with the largest users of consumer data.” In addition, the Commission laid out in the NPRM at least 500 questions on which it seeks input from the industry and the public during the comment period.
The following summary of the potential changes reveals how a sectoral approach to ISPs may saddle them with significantly more burdensome data protection requirements than those faced by other online service providers, including Facebook, Google, Uber, and other edge networks. Ultimately, the distinction and its advisability present a public policy question. However, the potential impact on ISPs, particularly on their ability to leverage big data for commercial advantage, is immense.
Expanding the Definitions of Customer Proprietary Network Information and Customer Proprietary Information
Customer Proprietary Network Information
The FCC proposes expanding the definition of customer proprietary network information (CPNI) by dropping the telephone exchange service or telephone toll service portion of the existing definition and interpreting CPNI to include any information that the BIAS provider collects or accesses in connection with the provision of BIAS. This includes information that a BIAS provider causes to be collected and stored on customer premises equipment (CPE) or other devices, including mobile devices, in order to allow the carrier to collect or access the information. The definition would also include any information a BIAS provider attaches to a customer’s Internet traffic if it falls within one of the categories in Section 222(h)(1)(A). In order to provide clarity, the FCC proposes to delineate non-exhaustive examples of the types of information that would be considered CPNI in the broadband context. Examples of information that would constitute CPNI include (1) service plan information, including type of service (e.g., cable, fiber, or mobile), service tier (e.g., speed), pricing, and capacity (e.g., information pertaining to data caps); (2) geolocation; (3) media access control (MAC) addresses and other device identifiers; (4) source and destination Internet protocol (IP) addresses and domain name information; and (5) traffic statistics.
Customer Proprietary Information
The FCC also proposes to define the type of proprietary customer information that telecommunications carriers have to protect pursuant to Section 222(a). Customer proprietary information would include private information that customers have an interest in protecting from public disclosure, and such information would fall into either the CPNI category or the personally identifiable information (PII) category. Together, these categories are “customer PI” and include information the BIAS provider acquires in connection with its provision of BIAS. In defining PII, the FCC draws heavily from other federal regulations and guidance, resulting in a nonexclusive list of PII data elements that, in addition to the common elements, includes mother’s maiden name; MAC address or other unique device identifiers; IP addresses; persistent online identifiers; eponymous and non-eponymous online identities; Internet browsing history; traffic statistics; application usage data; current or historical geolocation; and shopping records. PII would also include a BIAS customer’s name, postal address, and telephone number, a deviation from the standard treatment of “telephone directory information,” because the FCC does not view the current collection practices for that type of information as similar to the directories of customer information that telephone services maintain and publish.
What Is a Communications-Related Service?
The FCC seeks comment on the definition of “communications-related services,” which governs when BIAS providers may use customer PI to market communications-related services to subscribers and may disclose customer PI to their communications-related affiliates for the purpose of marketing communications-related services, subject to opt-out approval.
Under the proposed regulations, BIAS providers must notify customers of their privacy practices in a clear and conspicuous manner at the point of sale and on an ongoing basis through a link on the provider’s home page, mobile application, and any functional equivalent. BIAS providers will be required to:
- Provide a notice of their privacy practices that specifies and describes the types of customer PI collected by virtue of the provision of broadband service; how the BIAS provider uses, and under what circumstances it discloses, each type of customer PI it collects; and the categories of entities that will receive customer PI from the BIAS provider and the purposes for which the customer PI will be used by each category of entities;
- Advise customers of their opt-in and opt-out rights with respect to their own PI, and provide a simple, easy-to-access method for customers to give or withdraw consent to use, disclose, or provide access to customer PI for purposes other than the provision of broadband services, through a method that is persistently available and at no additional cost to the customer;
- Explain that a denial of approval to use, disclose, or permit access to customer PI for purposes other than providing BIAS will not affect the provision of any services to which the customer subscribes, apart from a brief description, in clear and neutral language, of any consequences directly resulting from the lack of access to the customer PI; and
- Explain that any approval, denial, or withdrawal of approval for the use of customer PI for any purposes other than providing BIAS is valid until the customer affirmatively revokes such approval or denial, and inform the customer of his or her right to deny or withdraw access to such PI at any time. The notification must also explain that the provider may be compelled to disclose a customer’s PI when other laws provide for such disclosure.
The notification must be comprehensible and not misleading, clearly legible in sufficiently large type, displayed in an area where it is readily apparent to the customer, and completely translated into another language if any portion of the notice is translated into that language. In addition to these requirements, the FCC seeks comment on whether to adopt a provision similar to California’s Shine the Light law, which requires businesses, upon request, to provide to their customers, free of charge and within 30 days, (1) a list of the categories of personal information disclosed by the business to third parties for the third parties’ marketing purposes; (2) the names and addresses of all third parties that received personal information from the business in the preceding calendar year; and (3) if the nature of a third party’s business cannot reasonably be determined from its name, examples of the products or services marketed by that third party. See Cal. Civ. Code §1798.83.
In order to ease the burden on both customers and BIAS providers, the FCC contemplates creating a standardized notice of privacy practices, which could provide a safe harbor for BIAS providers under the proposed rule’s notice provision, and removing the current requirement to provide customers with periodic updates. However, under the FCC’s proposed rules, a BIAS provider would be required to notify customers of material changes to its privacy policies before those changes take effect and to include specific terms within the material change update.
Levels of Customer Choice for Data Use and Disclosures
The FCC proposal sets forth three categories of data for use and disclosure. The first category does not require customer approval or permission. The second category requires BIAS providers to provide customers with notice and opportunity to opt out before using a customer’s PI or sharing a customer’s PI with an affiliate that provides communications-related services in order to market communications-related services to the customer. The third category requires BIAS providers to seek and receive opt-in approval from customers before using or sharing customer PI for all other uses.
Category 1: Customer Approval Implied/Not Required
BIAS providers will not be required to secure customer approval for customer PI when the customer PI is required for provision of the telecommunications service from which the information is derived or for services necessary to or used in the provision of the telecommunications service. This language mirrors Section 222(c)(1) for CPNI. However, it is unclear how the “provision of” BIAS and “services necessary to or used in” BIAS are going to be defined. The regulations also expand the amount of information a BIAS provider may use in the provision of BIAS or services necessary to or used in BIAS. BIAS providers will be able to use all customer PI and can also use customer PI to market to the customer additional BIAS offerings that are in the “same category of service” when the customer already subscribes to that category of service from the provider. The FCC proposes to adopt Section 222(d) as tailored for broadband services, which contains statutory exceptions for use of CPNI without customer notice or approval. Examples of these exceptions include IP-enabled voice service in specific emergency situations and billing for the broadband services.
Category 2: Use and Disclosure of Customer PI for Marketing Communications-Related Services
For this category, the FCC proposes to:
- Expand the opt-out approval definition in the current CPNI rules (47 C.F.R. §64.2003(l)) to include customer PI; and
- Eliminate the 30-day waiting period currently required to make a voice customer’s opt-out approval effective, so that a customer can opt out at any time and “with minimal effort.”
Opt-out information must be clearly disclosed, easy to use, and continuously available. Questions remain about how affiliates and BIAS providers will be treated, especially in the provision of bundled services. The FCC seeks input on how customers view the sharing of customer PI between BIAS providers and affiliates. As proposed, communications-related services would not include edge services offered by the broadband provider.
Category 3: Use and Disclosure of Customer PI for All Other Purposes
The FCC proposes to require BIAS providers to seek and receive opt-in approval from customers before using or sharing customer PI for all uses and sharing other than those that fall within categories 1 and 2, supra. BIAS providers will have to acquire opt-in approval before:
- Using customer PI for purposes other than marketing communications-related services,
- Sharing customer PI with affiliates providing communications-related services for purposes other than marketing communications-related services, and
- Sharing customer PI with all other affiliates and third parties. Third parties include joint venture partners and independent contractors.
The FCC seeks input on the purposes for which BIAS providers use customer PI and, specifically, on whether the FCC should require opt-in consent for sharing geolocation data with affiliates. The primary concern in this category appears to be the sharing of customer PI in mobile contexts and giving customers more control over the flow of their data to third parties.
Maintaining Customer Opt-In/Opt-Out Records
BIAS providers must:
- maintain records on customer PI disclosure to third parties for at least one year,
- maintain records of customer notices and approval for at least one year,
- adequately train and supervise their personnel on customer PI access,
- establish supervisory review processes, and
- provide prompt notice to the Commission of unauthorized uses or disclosures.
Data Security Standards
The FCC seeks to codify BIAS providers’ obligation under Section 222(a) to “protect the security, confidentiality and integrity” of customer PI. The FCC seeks comment on defining these terms, noting that HIPAA (healthcare sector) has defined them (42 C.F.R. §164.304) but the Gramm-Leach-Bliley Act (GLBA) (financial services sector) has not (15 U.S.C. §6801(b)). In order to protect data, every BIAS provider would be required to:
- Establish and perform regular risk management assessments and promptly address any weaknesses in the provider’s data security system identified by such assessments;
- Train employees, contractors, and affiliates that handle customer PI about the BIAS provider’s data security procedures;
- Ensure due diligence and oversight of these security requirements by designating a senior management official with responsibility for implementing and maintaining the BIAS provider’s data security procedures;
- Establish and use robust customer authentication procedures to grant customers or their designees access to customer PI; and
- Take responsibility for the use of customer PI by third parties with whom they share such information.
BIAS Provider Liability for Third-Party Downstream Privacy Violations
The FCC appears to be pursuing a theory of vicarious liability for BIAS providers that share customer data with third parties. However, the FCC is also exploring, and requests input on, relying on contractual commitments to protect shared data in lieu of vicarious liability. The FCC also asks whether mobile BIAS providers should use contractual relationships with manufacturers of mobile devices or mobile operating systems (OS), whose devices and hardware operate on a BIAS provider’s network, to safeguard shared data.
Flexible Data Security Considerations
Although the FCC is considering very specific requirements for protecting data security, a few factors may be taken into account when implementing them, such as the nature and scope of the BIAS provider’s activities and the sensitivity of the customer PI involved. For example, reasonable safeguards for small BIAS providers will differ significantly from those for large-scale BIAS providers, and BIAS providers that regularly handle Social Security numbers and medical information will need to institute stronger protections than BIAS providers that handle only names and email addresses.
Limiting Data Collection, Retention, and Required Disposal
The FCC further seeks to institute data minimization procedures for customer PI, differentiating between sensitive customer PI and other customer PI. In addition to requesting information on whether certain data should be exempt from any collection and storage, the FCC is also contemplating harmonizing data retention requirements for BIAS providers with those of cable and satellite providers. For example, cable and satellite providers are required to destroy personal data once the information is no longer necessary for the purpose for which it was collected. 47 U.S.C. §§ 551(e), 338(i)(6).
Data Breach Notification Requirements
The FCC removes the “intent” requirement from the Section 222 breach definition and instead defines a breach as any instance in which “a person, without authorization or exceeding authorization, has gained access to, used or disclosed customer proprietary information.” The proposed notification requirements are stringent. BIAS providers must:
- Notify affected customers of breaches of customer PI no later than 10 days after the discovery of the breach, subject to law enforcement needs, under circumstances enumerated by the Commission;
- Notify the Commission of any breach of customer PI no later than seven days after discovery of the breach; and
- Notify the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USS) of breaches of customer PI reasonably believed to relate to more than 5,000 customers no later than seven days after discovery of the breach and at least three days before notification to the customers.
The FCC seeks to limit notification fatigue for customers and is considering both limitations based on risk-of-harm analyses, similar to those in some existing state breach notification laws, and a more expansive time limit, such as “without undue delay,” instead of the currently proposed 10-day limit for notifying customers. As indicated in BakerHostetler’s Data Security Incident Response Report, for the majority of breaches in 2015, approximately 40 days elapsed from the date of discovery to the date of notification.
Data Breach Notification Content Requirements
In a change from the less-specific existing breach notification rules in Section 222, the FCC provides that particular content must be included in breach notifications to customers:
- The date, estimated date, or estimated date range of the breach.
- A description of the customer PI that was used, disclosed, or accessed or was reasonably believed to have been used, disclosed, or accessed by a person without authorization or exceeding authorization as a part of the breach of security.
- Information the customer can use to contact the telecommunications provider to inquire about the breach of security and the customer PI that the carrier maintains about the customer.
- Information about how to contact the FCC and any state regulatory agencies relevant to the customer and the service.
- Information about national credit-reporting agencies and the steps customers can take to guard against identity theft, including any credit monitoring or reporting the telecommunications provider is offering customers affected by the breach of security.
Last, the FCC sets forth practices with privacy implications that “may be prohibited” by the final rule. These practices include offering higher-priced broadband services in exchange for heightened privacy protections and the use of deep packet inspection for purposes other than network management. In other words, the FCC may be poised to outright prohibit offering consumers less-expensive broadband if they consent to having their usage data used to tailor interest-based ads for them. Commissioner O’Rielly points out that this “is a popular program offered by a major provider” and challenges the Commission’s concern that consumers “may not understand what they are trading.” In addition, the FCC seeks comment on whether persistent identifiers should be subject to heightened privacy protections beyond even the opt-in proposals already made. Finally, the FCC asks whether it should prohibit mandatory arbitration of consumer disputes, which enables companies to avoid class action litigation.
The FCC’s proposals would place constraints on BIAS providers’ data practices, such as those related to interest-based advertising, that do not apply to other digital service providers like Google and Facebook, at least to the extent they remain edge networks and not providers of BIAS. To the extent BIAS providers want to compete on an equal footing with edge networks, should the rulemaking take effect as proposed, they would need to segregate their BIAS and non-BIAS service offerings and the related data. Further, the FCC’s approach to privacy reflects a California-style or European-style approach to what is treated as protected data and to the level of consent required to collect, use, and share such data. The FCC is seeking public comment on this NPRM through May 27, 2016, and reply comments thereafter are due by June 27, 2016.