One of the little noted aspects of Federal Communications Commission (“FCC”) Chairman Wheeler’s Open Internet proposal is to extend to customers of broadband Internet access services the privacy protections currently afforded customers of telephone services. The protections, which govern data known as Customer Proprietary Network Information or CPNI, will be among the Title II provisions of the Communications Act that the Chairman intends to apply to broadband providers once broadband is reclassified as a telecommunications service. These privacy rules likely supplant the privacy protections currently enforced by the Federal Trade Commission (“FTC”). The FTC does not have jurisdiction over providers of telecommunications services (also known as common carriers).
What this means for the broadband providers, so-called edge providers that deliver content over the Internet, and broadband consumers is hard to predict at this point. The public information provided thus far does not specify whether the CPNI rules would be extended to broadband services in their entirety, or whether the FCC would seek to tailor those rules in some way. The full CPNI rules, however, would impose a host of new obligations on broadband providers, including:
- Adopting specific plans to protect customer privacy and certifying to the FCC that those plans are being followed;
- Notifying law enforcement of breaches of customer privacy;
- Obtaining customer consent before using customer information obtained from providing one service, say Internet access, to market another service, say video or mobile voice service, that the customer does not currently purchase; and
- Enabling consumers to bring complaints to the FCC, or potentially the courts if there are damages, for failing to comply with the rules.
The extension of CPNI rules to broadband providers also would have consequences for data protection. The FCC recently imposed substantial fines on two telecommunications service providers for failing to secure sensitive customer information stored on third-party servers. The FCC not only found that the failure to provide adequate protection of personal information violated the CPNI rules, but also concluded it was an unjust and unreasonable act under section 201 of the Communications Act – another Title II provision that Chairman Wheeler proposes to apply to wireline and wireless broadband Internet access providers. Furthermore, in an action more reminiscent of FTC actions, the FCC found that the companies’ failure to comply with their written policies and representations regarding safeguarding data, and failing to notify all affected customers of the breach, also constituted unjust and reasonable practices. The FCC determined that each customer that had its information breached constituted a separate violation, resulting in a potential fine of $9 BILLION, which was reduced to $10 million, in part because the FCC had not previously found that such actions violated the Communications Act.
Applying CPNI rules to broadband Internet service likely will enhance consumer protections but may impose significant regulatory burdens on broadband providers, particularly smaller companies like wireless Internet service providers. For broadband Internet access providers, after-the-fact enforcement by the FTC will be replaced by prescribed rules coupled with potentially steep financial penalties.