On September 20, 2016, the Internet Commerce Coalition (ICC), whose members include internet service providers, technology companies, and technology trade associations, filed an Ex Parte letter to the Federal Communications Commission (FCC), urging the agency to distinguish between sensitive and non-sensitive customer information in establishing privacy rules that would apply to broadband internet access service providers. The letter was written in response to several filings by privacy groups and advocates made in In re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Notice of Proposed Rulemaking, FCC 16-39, WC Docket No. 16-106 (2016) (NPRM), which proposed a uniform standard for the treatment of sensitive data and "data that does not pose a risk to customers".
In the NPRM adopted on March 31, 2016, the FCC proposed applying the privacy requirements of Section 222 of the Communications Act, which apply to telecommunications carriers, to broadband internet access service providers. According to FCC Chairman Tom Wheeler, the proposed privacy guidelines set forth in the NPRM are designed to provide consumers with increased choice, transparency and security when sharing their data with broadband internet service providers. Under the proposed privacy rules, broadband internet service providers would be required to obtain opt-in consent for the use or sharing of customer data with third parties for any purpose other than providing the services to its customers or for marketing purposes (which would be subject to opt-out consent). Privacy groups have supported this strict approach to opt-in consent, and encourage the FCC to require opt-in consent for the collection and use of information in all forms, including de-identified, aggregate information. The ICC, however, argues that such a mandate runs afoul of well-established U.S. privacy laws and guidelines.
In its letter, the ICC rejects the argument raised by the privacy groups that Section 222 of the Communications Act expresses Congress's intent that all information collected by telecommunications carriers is sensitive and therefore should be treated using the same standards. Referring to the plain language of the statute, the ICC argues that the definition of consumer proprietary network information (CPNI) in fact only covers certain data, not all data, that telecommunications carriers collect, excluding, for example, billing address and "subscriber list information." Moreover, while CPNI includes aggregate data, Section 222 applies less stringent requirements to such data. The ICC finds further support for its position from other well-established privacy frameworks, such as the Electronic Communications Privacy Act, which applies different standards for subscriber information and contents of electronic communications; the Family Educational Rights and Privacy Acts, which distinguishes between "directory information" subject to opt-out requirements and "education records" subject to opt-in requirements; the Health Information Portability and Protection Act, which regulates different types of patient data in different ways; and the Gramm-Leach-Bliley Act, which prohibits the disclosure of personally identifying account numbers to third parties, but allows the disclosure of other types of personal and financial data.
The ICC encourages the FCC to adopt an approach that is consistent with federal privacy statutes and with that taken by the Federal Trade Commission (FTC), which makes distinctions between sensitive and non-sensitive data. While privacy groups argue that a sensitivity-based approach to data would be difficult to enforce, the ICC points to ISPs' overwhelming participation in self-regulatory frameworks and the success in enforcing the FTC regulations, industry codes and best practices, and privacy laws. Finally, the ICC rejects a uniform opt-in obligation for broadband internet access service providers collecting information from consumers, from a practical standpoint, as it would be difficult to obtain and would impose onerous tracking requirements. According to the ICC, obtaining opt-in consent is not easy, as many consumers elect not to opt-in only because they lack the motivation to make a choice and fail to fully understand the consequences of not opting in.
If the FCC adopts the privacy rules as proposed in the NPRM or by many of the privacy groups, broadband internet access service providers would be subject to complicated and rigid obligations in the collection and use of customer data, that would be among the most stringent of the current privacy frameworks in the United States. Such requirements may pose compliance challenges to broadband internet access service providers and because of the inconsistencies with the FTC framework and other privacy principles, may create confusion over the applicability of the different standards. Although broadband internet access service providers may be most directly affected by adoption of the proposed rules, other internet company may be indirectly affected if they share information with broadband providers, or other agencies follow the FCC's lead. The FCC is expected to adopt some form of new privacy rules by the end of the year. Cooley has recently reported on the FCC proposal and its potential implications for online advertising, and will continue to monitor the proposal and provide updates.