On March 10th, 2016, Federal Communications Commission (“FCC”) Chairman Tom Wheeler released a Fact Sheet[i] summarizing key elements of a widely anticipated Notice of Proposed Rulemaking (“NPRM”), soliciting public comment on new rules to regulate how broadband Internet service providers (“ISPs”) collect, use, and protect personal information about their customers.
The NPRM stems from last year’s Open Internet Order, in which the FCC reclassified broadband Internet access service as a “telecommunications service” under the Communications Act of 1934 (the “Communications Act”). In addition to supporting the FCC’s justification for its network neutrality rules, this regulatory reclassification has subjected ISPs to a variety of common carrier obligations under the Communications Act, including Section 222, which requires telecommunications service providers to protect customer personal information. The purpose of the draft NPRM is to propose rules to implement Section 222 in the context of broadband Internet access service.
Scope of Proposed Rules
As described in the Fact Sheet, the rules that Chairman Wheeler has proposed would not prohibit ISPs from using or sharing customer information; rather, the proposed rules would govern how ISPs collect, store, use, and disclose certain types of customer information. And, while it offers few hints as to what types of customer information would be protected under the Chairman’s proposed rules, the Fact Sheet explicitly notes the limitations on the proposed rules’ reach.
According to the Fact Sheet, the NPRM does not propose rules that would apply to other services offered by ISPs (such as social media websites). Similarly, the Chairman has not proposed to exert the FCC’s authority over the privacy practices of third-party websites that are already subject to the jurisdiction of the Federal Trade Commission.
The FCC’s Proposed Framework
As detailed in the Fact Sheet, the rules proposed in the draft NPRM are framed around three core principles: customer choice, transparency, and security.
- Customer Choice. In describing the need for consumers to choose how their personal information is used, the Fact Sheet appears to draw from existing Section 222 regulations. Specifically, under the Chairman’s proposal, ISPs would provide customers with varying degrees of choice (i.e., no consent required, opt-out or opt-in), depending on how the customer’s personal information is used. For example, as described in the Fact Sheet, ISPs would not need to obtain a customer’s approval to use personal information to provide broadband service to the customer, but ISPs would need to provide customers with an opt-out mechanism to block the ISP from using personal information to market “communications-related services.” The proposed rules would require ISPs to obtain a customer’s express, affirmative opt-in consent for most other uses or disclosures of personal information.
- Transparency. Although specific details are sparse, the Fact Sheet indicates that the draft NPRM proposes transparency rules that would require ISPs to disclose in “an easily understandable and accessible manner” the types of information they collect, how they use that information, and the circumstances in which they will share customer information with third parties.
- Data Security. The Chairman has also proposed to require ISPs to take “reasonable steps” to safeguard customer information from unauthorized use or disclosure. According to the Fact Sheet, “reasonable steps” would include, at a minimum, adopting risk management practices, implementing appropriate personnel training, employing strong customer authentication procedures, identifying senior management responsible for data security, and “tak[ing] responsibility” for customer information shared with third parties. The Fact Sheet also indicates that the draft NPRM contains requirements for ISPs to notify customers, the FCC, and law enforcement following discovery of a security breach involving customer information protected under the proposed rules.
Although the Fact Sheet provides a glimpse into the Chairman’s proposed approach for regulating ISP privacy and data security practices, the details of the proposed rules are subject to review and modification by the other Commissioners (some of whom have already expressed concern over Chairman Wheeler’s approach) prior to the vote on the item that is currently scheduled for March 31, 2016.