On Nov. 2, 2016, the FCC released its long-awaited broadband privacy Order and rules by a 3-2 vote, over the strenuous dissent of both Republican commissioners. The Order comes nearly 18 months after the Commission moved to reclassify broadband internet access service (“BIAS”) as a common carrier telecommunications service under Title II of the Communications Act. The Order adopts policies and rules that alter the telecommunications privacy ecosystem based on three core goals articulated by the FCC: transparency, choice, and security. And while ostensibly adopting rules consistent with other privacy frameworks, the Order departs significantly from those existing regimes, applying heightened standards to both internet service providers (“ISPs”) and traditional telecom carriers. The FCC justified these departures in large part by its continued – and erroneous – argument that ISPs have access to more information than other entities operating in the online ecosystem. With the upcoming change in administration, the new majority could consider overturning the Order and rules.
The FCC argues that the new rules will “make certain that BIAS providers are protecting their customers’ privacy while encouraging the technological and business innovation that help drive the many benefits of our increasingly Internet-based economy,” and boasts that the new rules protect the privacy of broadband customers. In reality, however, consumer privacy arguably is no more protected under the new rules than it was under the prior framework, as evidenced by Commissioner Rosenworcel’s statement, which seems to belie the assertion that ISPs are in a unique position because of the data they can access: she acknowledges that “service providers, advertising networks, and companies specializing in analytics have access to your personal information. Lots of it. For a long time.” Commissioner Pai asserted that the new and more restrictive rules do nothing to address the vast amounts of information that edge providers collect, use and share. In fact, both Commissioners Pai and O’Rielly argue that the FTC’s existing framework should have been sufficient for both ISPs and edge providers, but if the majority was correct that such rules are needed, Commissioner O’Rielly points out that “the ball is now squarely in the FTC’s court” to return consumer privacy to a level playing field.
To further complicate matters, the FCC released three separate fact sheets: one upon release of the NPRM, another with its circulation of a draft order, and lastly one upon release of the final Order. Each fact sheet paints a somewhat inaccurate picture of the impact of the new rules, making it all the more imperative to understand the details of the FCC’s new privacy requirements and obligations, which we summarize below. We will be providing additional analysis of the FCC’s new rules and the implementation challenges that may lie ahead in future posts and in a two-part webinar series that will take place on Nov. 29 and Dec. 6.
Background & Scope
The FCC set the stage for its radically expanded rules by opening the Order with a lengthy background section on the FCC’s long history of protecting consumer privacy as well as the perceived need for specific privacy rules that encompass BIAS. Specifically, pursuant to its statutory mandate under Section 222 of the Act, the FCC points to its history promulgating and enforcing rules related to customer proprietary network information (“CPNI”). Now that BIAS has been reclassified under Title II of the Act, the FCC asserts that imposition and enforcement of new and more expansive privacy protections invoking its authority under Section 222 is in the public interest and necessary for the protection of consumers because ISPs are the “on-ramp” to the Internet and thus have unfettered access to all of their customers’ Internet traffic, access that other actors in the Internet ecosystem do not enjoy. The FCC wrestles with the many industry comments challenging this assumption, but ultimately concludes that edge providers only have a “slice” of any individual consumer’s information, and therefore enhanced, sector-specific privacy rules are necessary to address the distinct characteristics of ISPs and these newly-defined telecommunications services.
Next, the FCC parses Section 222 of the Act to determine the scope of its new rules. The FCC adopts a definition of “telecommunications carrier” that encompasses all carriers providing telecommunications services subject to Title II, which under the 2015 Open Internet Order now includes BIAS. The FCC adopts a broad definition of “customer” to ensure that both current and former customers of ISPs, as well as new applicants, are covered by the new rules.
The FCC includes three types of customer proprietary information (“PI”) within the scope of the new BIAS privacy rules: CPNI, which the FCC defines in accordance with Section 222; personally identifiable information (“PII”), which the FCC defines as any information that is “linked or reasonably linkable to an individual or device;” and a new category, “content of communications,” which the FCC defines circularly as “any part of the substance, purport, or meaning of a communication or any other part of a communication that is highly suggestive of the substance, purpose, or meaning of a communication.” The FCC then devotes lengthy discussion to what qualifies as CPNI in the BIAS context and examples of how ISPs may obtain CPNI in the Internet ecosystem. Of particular note, CPNI in the broadband context includes IP addresses, general geolocation data, customer premises equipment, and information from customers’ bills, yet contains no exemption for “subscriber list information” because ISPs do not publish directories – despite the cited reference to a prior FCC decision holding that subscriber list information need not be published to enjoy the exemption.
The FCC then expounds on the importance of protecting PII and provides a number of illustrative examples of PII in the BIAS context, which also include IP addresses, device identifiers and other persistent identifiers. Lastly, the FCC discusses its amorphous standard for what it believes constitutes “content” of communications, but provides little clarity as to the boundaries of what may constitute such content.
“De-identified” data is not subject to the new rule regime, and – in one of the few pleasant surprises – is actually subject to the same three-part test espoused by the FTC (the provider takes reasonable measures to de-identify the data, publicly commits not to re-identify it, and contractually prohibits downstream recipients from re-identifying it). If an ISP can meet this test, it may use the data as it chooses, without obtaining customer consent. Unfortunately, for most ISPs it may be impossible to de-identify some PII and CPNI to the FCC’s satisfaction for their own internal uses, thereby limiting the effectiveness of the test in some instances.
As indicated above, the Order and the new rules do not apply to edge providers, nor do they apply to information obtained through non-telecommunications services offered by ISPs, including the ISP’s website and, presumably, data acquired from third parties.
Harmonization between Phone and Broadband Rules
The new rules entirely supersede the existing CPNI rules. While in many ways the new rules are more onerous than the current rules, as described below, they also eliminate some existing CPNI rules, including the present authentication and annual certification rules. The general rationale for doing away with the specific authentication rules is that, while such authentication measures remain "encouraged," a more flexible "reasonable measures" approach allows carriers to "adapt their practices to new threats" as conditions change.
ISPs must provide notices of their privacy policies at the point of sale prior to the purchase of service, and also make them clearly, conspicuously, and persistently available on carriers’ websites and via carriers’ apps that are used to manage service. The FCC declined to mandate a standardized form or format for privacy policies, but requires each notice to “adequately inform customers of their privacy rights . . . clearly and conspicuously provide information in language that is comprehensible and not misleading, and be provided in the language used by the carrier to transact business with its customer.” While a specific format is not specified, the rules contemplate a multi-stakeholder proceeding to develop a standardized form that, if used by an ISP, will constitute a safe harbor.
In addition, the rules require ISPs “to provide advance notice of material changes to their privacy policies to their existing customers, via email or other means of active communication agreed upon by the customer.” The FCC defines a “material change” as any change that a reasonable customer would consider important to their decisions on their privacy. This definition is quite broad, and could include almost any changes made by the ISP.
In what is sure to be one of the more controversial sections of the Order, the FCC adopts rules that require express consent (“opt-in” approval) from a customer before the use and sharing of “sensitive” customer PI. The rules specify types of information deemed to be sensitive and subject to opt-in approval, including (1) the same types of information the FTC considers sensitive: precise geo-location, health, financial, and children’s information, and Social Security numbers; (2) the additional information that the FTC recommended should be treated as sensitive in the broadband context: content of communications; and (3) additional information that is currently treated as opt-out unless the content, website or app itself relates to sensitive information: web browsing and application usage histories and their functional equivalents. It is this last and new category of “sensitive” information that was the subject of much last-minute lobbying by edge providers, who recognize that consumer advocates will now turn to the FTC to harmonize its guidance. While the FCC states that it considered an opt-out regime for the use of web-browsing and app usage history (similar to the FTC’s approach), it ultimately determined that many consumers will want to exercise affirmative choice regarding the use and sharing of this information.
In order to obtain customer consent to use sensitive PI, ISPs may solicit customer approval at the point of sale, and may engage in later solicitations of consent after the point of sale. ISPs must actively contact their customers in subsequent solicitations to ensure that customers are adequately informed. The solicitations must be clear and conspicuous, comprehensible and not misleading, and contain the information necessary for a customer to make an informed choice regarding her or his privacy.
The FCC recognizes that ISPs will also collect non-sensitive customer PI and that there are significant benefits to customers and businesses from some use and sharing of such non-sensitive customer PI. However, the FCC found that ensuring choice not only for the sharing of such non-sensitive customer information, but also for an ISP’s internal use of such information, is necessary to protect the confidentiality of customer PI under Section 222(a). Erroneously citing the FTC’s current privacy framework, which permits the internal use of such information, including first-party marketing, the FCC requires ISPs to obtain the customer’s “opt-out” approval to use, disclose, or permit access to non-sensitive customer PI.
In adopting these opt-in and opt-out requirements, the FCC stated that it understands that carriers must use and share customer PI in order to provide the underlying telecommunications service, to bill and collect payment for that service, and for certain other purposes. Therefore, the new rules provide limited exceptions to the opt-in and opt-out requirements to allow carriers to use and share information for congressionally-delineated purposes in the Communications Act, and as otherwise required or authorized by law. For example, no additional customer consent is needed in order for an ISP to use and share customer PI in order to provide the telecommunications service. Similarly, there are exemptions for the use of such information to market “communications” services typically bundled with the telecommunications service(s) to which a customer subscribes, as well as analytics and research.
While the FCC prohibits ISPs from engaging in “take it or leave it” offerings that condition – or effectively condition – the provision of broadband on the customer consenting to the use or sharing of the customer’s PI, the FCC did recognize that there are benefits to consumers in allowing BIAS providers the flexibility to offer innovative financial incentives. Therefore, the FCC imposes heightened disclosure and affirmative customer consent requirements to help ensure that a customer’s decision to allow sharing of proprietary information in exchange for financial incentives is based on his or her informed consent. The disclosure must include information about what customer PI the provider will collect, how it will be used, with what types of entities it will be shared, and for what purposes. Additionally, the disclosure must be provided both at the time the program is offered and at the time a customer elects to participate in the program. In adopting these requirements, the FCC states that it will closely monitor financial incentive regimes, particularly if allegations arise that service prices are inflated such that customers are essentially compelled to choose between protecting their personal information and paying higher prices.
Stating that the duty to protect the confidentiality of customer PI is one of the most important requirements entrusted to ISPs, the FCC adopts a systematic approach that it claims will protect consumers’ confidential information by requiring ISPs to take reasonable measures to secure customer PI. To comply with the FCC’s requirement, a provider must adopt security practices appropriately calibrated to the nature and scope of its activities, the sensitivity of the underlying data, the size of the provider, and technical feasibility. Through this approach, providers have some flexibility and control over their data security practices but must adhere to the FCC’s standard of reasonableness that stresses context and adaptability to evolve over time. Therefore, depending on the nature of its operations, an ISP may comply with the FCC’s requirements by utilizing its own tailored mechanism to protect customer PI. However, the FCC does provide a number of “best practices” that it deems to be “exemplary” in nature to serve as a guidepost for ISPs, including smaller ISPs, in developing their own security regimes.
In order to ensure that affected customers and the appropriate federal agencies receive notice of data breaches that could result in consumer harm, the FCC adopts rules requiring ISPs to notify affected customers, the FCC, and the FBI and Secret Service unless the carrier is able to reasonably determine that a data breach poses no reasonable risk of harm to the affected customers. The FCC defines a breach as any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed customer PI. In adopting breach notification requirements, the FCC recognizes that over-notification to customers can itself result in harm, and therefore states that it adopts a harm-based notification process. It concludes that such notification will empower customers to protect themselves against further harm, help the FCC identify and confront systemic network vulnerabilities, and assist law enforcement agencies with criminal investigations.
Unfortunately, this is another area where what the Commission says does not actually reflect the reality of the result. In defining “harm” the Order includes not only financial or economic harm and identity theft – as most state breach notification statutes do – but also “physical and emotional harm,” “reputational damage, personal embarrassment, or loss of control over the exposure of intimate personal details.” It also creates a rebuttable presumption that a breach of sensitive customer PI poses a reasonable likelihood of customer harm requiring notification. As a result, the very harm that the FCC states it was avoiding – over-notification – is likely.
Specifically, unless the ISP reasonably determines that there is no reasonable risk of harm to the affected consumers, the new rules require notification of a breach to the FCC, the FBI and the Secret Service within seven (7) business days, and at least three (3) business days before notifying customers, if the breach affects 5,000 or more customers. For breaches affecting fewer than 5,000 customers, ISPs must notify the FCC without unreasonable delay and no later than thirty (30) calendar days following the carrier’s reasonable determination that a breach has occurred. ISPs must notify affected customers without unreasonable delay and in any case within 30 calendar days of that determination. Because a carrier may not fully understand the circumstances and impact of a breach initially, the FCC expects carriers to supplement their initial breach notifications to the Commission, FBI, and Secret Service, as appropriate.
As part of the breach notification to customers, carriers must include information that helps the customer understand the scope of the breach, the harm that might result, and whether the customer should take any action in response. While the FCC does not spell out the requirements of the customer breach notification, it does provide a number of examples of what it expects would be included. Additionally, the rules require customer notification by means of written notification to the customer’s address of record or email address, or by contacting the customer by other electronic means agreed to by the customer for data breach notification purposes.
The FCC concludes that its current informal complaint resolution process is sufficient to address customer concerns or complaints with respect to the privacy and data security rules. However, the FCC stated that it has serious concerns about the impact on consumers of mandatory arbitration requirements as a standard part of many contracts for communications services. The FCC plans to initiate a rulemaking in February 2017 on the use of mandatory arbitration requirements in consumer contracts for broadband and other communications services. That plan may also change with the new administration.
Enterprise Voice Customer Exemption
The existing voice CPNI rules include customer authentication obligations as a required data security practice, but allow business customers to bind themselves to authentication schemes that differ from those otherwise provided for by the rules. Recognizing this, the revised rules continue an exemption from the new privacy and data security rules for carrier contracts with enterprise customers for telecommunications services other than BIAS, provided that the carrier’s contract with the customer specifically addresses the issues of transparency, choice, data security, and data breach, and provides a mechanism for the customer to communicate with the carrier about privacy and data security concerns. However, even if the exemption applies, the carrier will still be subject to the statutory requirements of Section 222.
In an effort to provide certainty to carriers and customers, the FCC addresses a timeline in which carriers must implement the privacy rules adopted in the Order. The FCC reiterates that until the rules become effective, Section 222 applies to all telecommunications services, including BIAS, and the existing rules continue to apply to telecommunications services other than BIAS and to interconnected VoIP. Based on the ordering clauses in the Order, the following is a timeline of the effective dates of the rules:
- After notice of OMB approval and effective dates in Federal Register:
- 64.2003 (Notice Requirements)
- 64.2004 (Customer Approval)
In an apparent attempt to minimize disruption to ISPs’ business practices, the FCC will not require ISPs to obtain new consent from all customers upon the implementation of the new rules. Rather, for BIAS, the FCC will treat as valid, or “grandfathered,” any consumer consent that was obtained prior to the effective date of the rules and that is consistent with the new requirements. For example, if a BIAS provider obtained a customer’s opt-in consent to use that individual’s location data to provide coupons for nearby restaurants and provided adequate notice regarding his or her privacy rights, then the customer’s consent would be treated as valid. However, if the customer’s consent was not obtained in the manner contemplated by the new rules, a new opportunity for choice is required.
Recognizing that small carriers may face increased difficulties in implementing the new rules, the rules allow small carriers an additional twelve months to implement the notice and customer approval rules. For purposes of the extension, the FCC defines small BIAS providers as providers with 100,000 or fewer broadband connections and small voice providers as those with 100,000 or fewer subscriber lines as reported on their most recent Form 477, aggregated over all the providers’ affiliates.
In implementing these new broadband privacy and data security rules, the FCC recognizes that they may be at odds with state law. Therefore, the FCC states that its intent is to only preempt state privacy laws, including data security and data breach laws, to the extent that they are inconsistent with any rules adopted by the FCC. The FCC attempts to ground its authority to preempt state law in a variety of ways. However, its preemptive authority is likely to be challenged in court, as ambiguity remains as to exactly how preemption would effectively occur.
The FCC’s defense of its legal authority to adopt and implement the broadband privacy rules is sure to be one of the most scrutinized aspects of the Order and will undoubtedly be challenged in court if the rules survive in the new administration. This summary will not attempt to give a full picture of how the FCC seeks to justify its actions. That said, the FCC asserts that its actions are well-grounded in its statutory authority, including but not limited to Section 222 of the Act. Essentially, the FCC repeats its conclusions from the Open Internet Order that Section 222 applies to BIAS providers. In particular, the FCC concludes that Section 222(a) imposes on ISPs an enforceable duty to protect the confidentiality of customer PI as it now defines that term, and that the new rules faithfully implement that mandate. The FCC points to the CPNI provisions of Section 222(c) for its authority to adopt revised, expanded rules applying those provisions to ISPs and traditional voice carriers alike, and relies on Section 222(a) for its additional rules covering newly-defined customer PI that does not fall within the statutory definition of CPNI.
To bolster its claims of legal authority, the FCC relies on a variety of other sections of the Communications Act. In addition to citing Section 222, it argues that Sections 201(b) and 202(a) of the Act provide additional authority to protect against privacy-related practices that are unjust or unreasonable, or unjustly or unreasonably discriminatory. It also claims that, with respect to mobile BIAS and other mobile telecommunications services, the new rules are independently supported by its authority under Title III of the Act to protect the public interest through spectrum licensing. Lastly, the FCC states that the rules are consistent with the purposes of Section 706 of the 1996 Act.
The FCC’s new broadband privacy and data security rules represent a significant departure from the status quo for ISPs. While this summary provides a high-level overview of the contents of the Order, DWT will provide further guidance, with specific analysis, of the provisions on an ongoing basis through a series of future posts, including any available information on changes that may be brought about by a new administration. Stay tuned for further announcements.