As we have previously advised, the FCC’s proposed rulemaking to “protect the privacy of customers of broadband and other telecommunications services” (the “NPRM”) proposes sweeping changes to the ways that Internet Service Providers currently collect, use, secure, and disclose consumer data. The NPRM goes far beyond simply proposing to apply the privacy provisions of Section 222(c) of the Communications Act to broadband providers, and instead proposes sweeping new rules governing notice, choice and data security that will (if adopted) place ISPs under a significantly more burdensome regulatory framework than that which applies to edge providers.
Section 222(c) of the Act historically required carriers to protect the privacy of customer proprietary network information (“CPNI”), which is statutorily defined to cover only information that relates to the “quantity, technical configuration, type, destination, location, and amount of use of any telecommunications service.” Ignoring that definition, the NPRM proposes to re-interpret Section 222(a) as empowering the FCC to require ISPs to protect what is now called “customer proprietary information” or “CPI,” and then goes even farther to assert that Sections 201(b), 202(a) and 706 of the Communications Act give it authority to both limit ISPs’ use of CPI, and also require expansive notice provisions and increased security for a broad array of consumer data. The premised “need” for both the new limits on ISPs and requirements for notice and security stems from the supposition that “ISPs are the most important and extensive conduits of consumer information and thus have access to very sensitive and very personal information,” as well as the gap in protection that was created when the FCC reclassified broadband Internet access service as a Title II service, thus making ISPs “carriers” and removing them from the Federal Trade Commission’s jurisdiction.
Throughout the NPRM, the FCC goes to great lengths to compare its proposed framework to other existing privacy regimes. The NPRM states that it “focuses on transparency, choice, and data security in a manner that is consistent with … the FTC’s leadership, and the various sector-specific statutory approaches,” referring to the HIPAA Privacy Rule, the California Online Privacy Protection Act, state laws pertaining to customer choice, and data security under the Satellite and Cable Privacy Acts, and the Gramm-Leach-Bliley Act. In truth, however, the Commission adopts selected parts or principles of each of those regimes to support its own proposals, while omitting other parts of those laws that would undercut the Commission’s proposed rules and give ISPs more flexibility in data collection, use and protection by balancing the benefits of such use with consumer expectations and potential harm.
Here we take an in-depth look at whether the Commission has the legal authority to propose these rules. We also consider the potential impact of the Commission’s proposals for definitions, notice, choice, data security and breach notification, and certain impermissible practices.
The NPRM asserts that the FCC’s legal authority to adopt its proposed new rules is grounded primarily in section 222 of the Communications Act. For nearly twenty years, however-- until barely 18 months ago-- the FCC viewed that authority to be co-extensive with and limited to the specific provisions relating to CPNI and carrier-proprietary information contained in subsections (c) and (b) of that section, respectively. Only in late 2014, in a Notice of Apparent Liability charging a wireless Lifeline service provider with liability for a data breach involving information that was not CPNI—and which never became a final FCC order because the case was settled—did the FCC for the first time proclaim that it has independent authority to police a vast spectrum of telecommunications privacy matters that do not involve CPNI or carrier-proprietary information. The FCC found such authority in the introductory (“In General”) subsection 222(a), which simply states without elaboration that “every telecommunications carrier has a duty to protect the confidentiality of proprietary information of . . . other telecommunications carriers, equipment manufacturers, and customers…”. The FCC has asserted this newly discovered broader privacy jurisdiction twice more in the past year, in its Open Internet Order (on which this new NPRM is based) and in a brief reference in a June 2015 Lifeline order.
The FCC acknowledges its newfound discovery of overarching authority over telecom privacy matters, in conceding that “earlier Commission decisions focused primarily on Section 222(c)’s protection of CPNI, and could be read to imply that CPNI is the only type of customer information protected.” Indeed, a review of the FCC’s decisions from 1997 until scarcely a year ago reveal that it never recognized and even actively disclaimed any independent statutory authority under the “general” provision in subsection 222(a). That previous, narrower FCC interpretation seems to be borne out by the legislative history of section 222, which speaks only of CPNI and carrier-proprietary information and does not even mention subsection 222(a) or a broader jurisdiction to protect general information a carrier may have that pertains to a subscriber. The new NPRM, however, rationalizes that “those decisions simply did not need to address the broader protections offered by Section 222(a), and we do not so limit ourselves here.” (Of this assertion, Commissioner O’Rielly’s stinging dissent to the NPRM states: “My only consolation is that this Notice concedes that prior section 222 rulemakings had been confined to CPNI. Thus, parties had no notice that the Commission would find independent authority in section 222(a), and the TerraCom NAL was unlawful.”)
In an apparent effort to bolster its legal authority to forge the broad privacy rules now proposed, the NPRM adds that the FCC “believe[s] that we can also find support in other sections of the Communications Act, including Sections 201 and 202 of the Communications Act, which prohibit telecommunications carriers from engaging in unjust, unreasonable, or unreasonably discriminatory practices.” The FCC has often equated section 201(b)’s prohibition of “unjust or unreasonable” practices to the FTC’s enforcement against “unfair and deceptive” acts and practices under Section 5 of the FTC Act. However, when the FTC brings an enforcement action against companies for “unfair” practices, it is limited to acts or practices (1) that cause or are likely to cause substantial injury to consumers, (2) which are not reasonably avoidable by consumers themselves, (3) which are not outweighed by countervailing benefits to consumers or to competition, and (4) which may be determined based on public policy considerations. Here, the FCC has given itself no such limitations and the proposed rules limiting an ISP’s use of consumer data could not meet such a test.
The Commission also claims to draw authority from Section 706 of the Telecommunications Act of 1996, which “requires the Commission to use regulating methods that remove barriers to infrastructure investment; and Section 705 of the Communications Act, which restricts the unauthorized publication or use of communications.” In his dissenting statement, Commissioner O’Rielly dismisses these claims of additional legal authority as “the familiar shotgun approach.”
Definitions: CPNI and PII
The Commission has, for the first time, proposed both an interpretation of “CPNI” and a definition for “personally identifiable information” or “PII.” CPNI is statutorily limited to “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship” (emphasis added). The FCC proposes to interpret that definition more broadly to include any information falling within a CPNI category "that the BIAS provider collects or accesses in connection with the provision of BIAS." The CPNI categories of information are also defined broadly to include (1) service plan information, including type of service, service tier, pricing, and capacity; (2) geo-location; (3) MAC addresses and other device identifiers; (4) source and destination IP addresses and domain name information; and (5) traffic statistics, while the proposal eliminates the exemption for "subscriber list information" contained in the statute.
In defining PII, the proposal encompasses information historically considered to be PII because it identified a specific individual – name, address, telephone number – but also information that is linked or linkable to a specific individual or device, such as an IP address or MAC address. In broadening the definition, the Commission states that its proposal “incorporates this modern understanding of data privacy, which is reflected in our recent enforcement actions, and tracks the FTC and National Institute of Standards and Technology (NIST) guidelines on PII.” However, the FTC does not define “PII” in such a broad way.
The FTC staff’s 2009 report on online behavioral advertising confirms that “[t]raditionally, PII has been defined as information that can be linked to a specific individual including, but not limited to, name, postal address, email address, Social Security number, or driver’s license number. Non-PII includes anonymous data that, without more, cannot identify a specific person.” While the report acknowledges that this distinction is becoming “less meaningful and should not, by itself, determine the protections provided for consumer data,” it does not attempt to re-define PII, but instead to apply additional protections to non-PII – in the case of online behavioral advertising, that means giving consumers choices about how non-PII is collected, tracked and shared. Similarly, the FTC’s 2012 Privacy Report does not redefine PII, but states that its privacy framework should apply to data that, “while not yet linked to a particular consumer, computer, or device, may reasonably become so.”
While it is true that the cited NIST report defines PII in a similarly broad fashion, it must be noted that NIST issues its guidance to all the federal agencies, and as a result, its advice must be broad enough to encompass health, finance, energy, communications, education and all other sectors. The NIST report itself states that the recommendations in the report “are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies, but other organizations may find portions of the publication useful.” Especially telling is the fact that NIST recognizes this definition is broad and therefore advises the agencies to take a risk-based approach to protecting PII, which is the subject of the report.
In truth, the FCC has not really adopted the modern definition of PII, but has instead adopted a definition that is similar to the European concept of “personal data.” While there is some merit to including personal data within a risk-based framework of protection, it is not only incorrect, but irresponsible to attempt to define PII so broadly within the United States, given the various statutes that contain private rights of action and statutory damages for impermissible uses or disclosures of “PII.”
Transparency and Choice
ISPs have long been subject to various privacy regimes governing the privacy notices they provide to consumers, as well as the choices they must provide their customers with respect to the use and disclosure of such information, whether as a result of other federal and state statutory obligations or through participation in self-regulatory programs. Compliance with these privacy regimes, along with the incentive to engender customer trust in a more competitive environment, has resulted in better privacy practices and far fewer privacy complaints and enforcement actions than we have seen with some of the larger edge providers. Notwithstanding these facts, the NPRM proposes to place significantly more data use restrictions on ISPs, including:
- Use of CPI without additional consent would be allowed for only very narrow and proscriptive categories of CPI, including the provision of service; to initiate, render, bill and collect for service; to protect the rights or property of the provider or other users; for inbound marketing referral and administration services initiated by the customer (e.g., to respond to a customer’s inquiry when the customer calls the ISP); to support PSAP and emergency personnel queries; as otherwise required by law; and the ISP’s marketing of additional broadband internet service offerings in the same category of service that the customer already subscribes.
- Notice to the customer with the choice to opt-out of the marketing of other communications-related services and the sharing of customer data with affiliates that provide communications-related services for the purposes of marketing such services.
- All other uses of data would require the opt-in consent of the customer.
These limitations are in stark contrast to existing guidance from the FTC, state law requirements, self-regulatory programs, as well as proposals advanced in the administration’s consumer privacy bill of rights. For example, the 2012 FTC Privacy Report, cited throughout the FCC’s NPRM, would permit use of the data with no additional customer notice not only for the business purposes enumerated above, but also for the ISP’s marketing of its own good and services, so long as such activities do not involve the tracking of the customer’s online activities. Any marketing that involves tracking of customer data would generally require notice to the customer with the choice to opt-out of such tracking, unless “sensitive” data (e.g., health/medical information, financial information, etc.) was involved, in which case opt-in consent would be required.
The FCC, citing the 2012 FTC Privacy Report, states that ISPs are in a unique position to collect customer data and therefore should be subject to heightened privacy requirements vis-à-vis edge providers. However, the FTC Privacy Report did not call for any such heightened provisions, but stated that, to the extent ISPs were to comprehensively track consumers’ online activities, it would raise heightened privacy “concerns.” Additionally, the FTC Privacy Report found that “[t]hese are complex and rapidly evolving areas, and more work should be done to learn about the practices of all large platform providers, their technical capabilities with respect to consumer data, and their current and expected uses of such data.” To address these concerns, the FTC held a workshop in 2012 where various representatives from industry and consumer advocacy groups provided their perspective thru comments and presentations. Notably, in the end, no staff report was issued and no recommendations were made to more broadly limit ISPs’ or other large platform providers’ collection, use or protection of consumer data. Today, increased use of technologies such as encryption and VPNs mean ISPs have access to less data than they did in 2012, while the use of mobile apps has increased, giving edge providers access to more data. This change in the marketplace further supports the argument that the FCC’s proposed limitations are not only unnecessary but arbitrary, in part because burdening ISPs with the proposed new rules is unlikely to provide any added protection for consumers who will still be sharing personal information with edge providers who are not subject to the same rules.
The Commission’s proposal to adopt a rigorous data security and breach notification regime also raises numerous questions and concerns. An overarching concern with this proposal is the imposition of another data breach notice regime on top of the nearly fifty different state notice regimes that exist today. The FCC fails to justify the need for more regulations in an area already thoroughly regulated by state law. Further, a more fundamental question is whether source and destination IP addresses and domain names (which are necessary for routing Internet traffic) are CPI, the disclosure of which alone would constitute a breach under the proposed rules.
The agency concludes that Section 222(a) requires ISPs to protect the security, confidentiality, and integrity of CPI that ISPs receive, maintain, permit access to, or disclose. Further, upon discovery of a “breach” of CPI, ISPs would be required to: (1) notify affected customers no later than 10 days after the discovery of the breach, unless superseded by law enforcement; (2) notify the FCC of any breach of CPI no later than 7 days after discovery, and (3) (for breaches of breaches of CPI “reasonably believed” to affect more than 5,000 customers) notify the FBI and U.S. Secret Service no later than 7 days after discovery of the breach, and at least 3 days before notification to the customers.
Under the proposed rules a “breach” is defined more broadly than existing rules applicable to voice service. Specifically, the new rules eliminate any element of intent, and define a breach as “any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed customer proprietary information.” Although the Commission seeks comment on whether a harm-based approach is warranted in determining whether consumer notice is required (as discussed below), the proposed rules do not contain any such language. As such, ISPs should ask what current uses and disclosures of the broad swath of data falling within the definition of “customer proprietary information” could trigger such notifications if there is a data “breach.” More significantly, the FCC’s proposed reporting timeframe would force providers to potentially rush to provide notices without sufficient opportunity to analyze, assess and quantify the impact of any breach that may occur.
Further, while acknowledging that forty-seven states already have data breach notifications on the books, and that the FTC has already called for legislation to establish a national breach notice law, the FCC proposes to impose upon ISPs a new national reporting regime that would operate alongside of (and sometimes in conflict with) those state regimes. If adopted, this proposal would burden ISPs with operations in multiple states with duplicative, and potentially conflicting, data breach notice obligations for regulators and consumers. Moreover, consumers receiving multiple notices, at different times, with sometimes differing information may be confused or overwhelmed with such information. Thus, the FCC’s proposal, while framed as an attempt to enhance transparency to consumers, may instead lead to customer confusion and questions.
Apparently recognizing the potential for its own regulatory overreach, the agency seeks comment on whether breach reporting should employ a harm-based standard. Under such an approach (which several states do employ) disclosure is not required if, after an appropriate investigation, the covered entity determines that there is not a reasonable likelihood that harm to the consumers will result from the breach. The FCC also asks whether such a standard could be calibrated to the sensitivity of the information, or whether the likelihood of harm should trigger accelerated notice to consumers. We believe that the use of a harm-based standard is certainly a reasonable means of mitigating the impact of this proposal, and should be adopted in some form by the FCC. If adopted, the agency should also adopt a calibrated enforcement and compliance regime to reflect the potential for disclosures that present no actual harm to consumers and thus require no notice.
Impermissible Practices: Arbitration
In its earlier Order reclassifying Internet service as telecommunications, and again in this NPRM, the Commission registered its disapproval of clauses requiring consumers to arbitrate all disputes with ISPs. In the NPRM the Commission took it a step further by seeking comment on “whether to prohibit [ISPs] from compelling arbitration in their contracts with customers.” Not only would such a proposal run counter to the trend of using arbitration clauses in consumer contracts for dispute resolution, federal law would likely preempt any FCC rule disfavoring or prohibiting arbitration. The Supreme Court has held that Federal Arbitration Act preempts laws and rules that disfavor arbitration, disproportionately affect arbitration agreements, or interfere with fundamental attributes of arbitration. Moreover, any FCC prohibition on arbitration would further discriminate in favor of edge providers such as Netflix which has a mandatory arbitration clause and class action waiver in its consumer contracts, but would not be subject to any FCC rule prohibiting such clauses.
The NPRM, if adopted as proposed, would impose onerous and costly regulatory burdens on ISPs, while leaving much of the remaining online world free to operate under a significantly less restrictive regime. Further, the FCC’s proposal reflects a fundamental shift in established consent regimes that have been employed successfully by many companies operating in this space. This proposed new regime, if left unchanged, will dramatically shift the competitive environment and increase ISPs’ operational and compliance costs.
All ISPs large and small, including cable operators and telecom carriers, should engage the FCC through comments and other advocacy to urge the Commission to walk back from this proposal. DWT stands ready to assist you. Initial comments on the NPRM are due May 27, 2016; reply comments are due June 27, 2016. Several parties have sought an extension of these filing periods.