Late last week, Federal Communications Commission chairman Tom Wheeler proposed sweeping new data privacy and security rules for broadband internet service providers. The proposal represents the FCC's first major regulatory act involving internet service providers (ISPs) since the February 2015 decision to treat ISPs as utilities under Title II of the Communications Act. Under the long-anticipated proposal, ISPs' ability to use customer information, including customer browsing habits to narrowly target advertising, will be significantly curtailed.
The rules address three areas:
Data Privacy: While an ISP will still have the authority to use its customers' data for billing and for marketing its own broadband services, the proposed rules mandate that customers be given a choice as to whether an ISP can use customer data for other purposes. Specifically, customers will have the right to opt out of allowing ISPs to use their data for marketing services other than broadband, or sharing data for marketing purposes with affiliates that provide communications services. Further, ISPs will be prohibited from sharing customer data for any other purpose – such as targeted advertising – unless the customer specifically opts in.
Data Security: The proposed rules purport to impose robust and flexible data security requirements on broadband providers, including an overarching data security standard. Under the new framework, ISPs must take reasonable steps to safeguard customer information from unauthorized use or disclosure. Such reasonable steps include, at a minimum, the adoption of risk management practices, the implementation of personnel training practices, adoption of strong customer authentication requirements, identification of a senior manager for data security, and the taking of responsibility for use and protection of customer information when shared with third parties.
Breach Notification Period: Finally, the proposed rules impose specific notice requirements in the event of a data breach – 10 days after discovery of a breach for the ISP to notify the customer, 7 days to notify the FCC, and 7 days to notify the FBI/Secret Service in the event of a breach affecting more than 5,000 customers.
These new rules, if passed into law, will represent the first time that the FCC has imposed data privacy rules on ISPs, and would constitute some of the strongest privacy regulations of any segment of the technology and telecommunications industry – even more stringent than privacy oversight of web sites such as Twitter and Facebook (which are specifically excluded from the scope of the FCC's proposed rules), over which the Federal Trade Commission has authority. However, the FTC is an enforcement agency that lacks the rulemaking authority of the FCC.
The FCC's proposed rules announcement came just three days after news broke that Verizon had been hit with a $1.35 million fine in conjunction with the FCC's investigation of its use of "supercookies" – files that could not be deleted or blocked – to track cell phone customers' browsing on the internet without their permission, and use that information for targeted advertising. The settlement required Verizon to adhere to certain data security and privacy requirements strikingly similar to those in the FCC's proposal – namely, the requirement that customers must "opt in" prior to Verizon's sharing customer data with third parties for purposes such as targeted advertising, and the requirement of either customer opt-in or opt-out prior to Verizon's sharing of customer data with Verizon affiliates.
The FCC will vote on the proposed rules on March 31, 2016, and if approved, such rules will be subject to public comment before being finalized.