The Federal Communications Commission has released its highly anticipated proposed privacy rules for broadband providers. The rules come in the wake of the Commission’s decision to reclassify broadband internet as a telecommunications service, which displaced the Federal Trade Commission as the main regulator of broadband providers’ privacy practices.

The proposal would adopt stringent and comprehensive privacy regulations for providers of broadband internet access service. The proposal also considers updating the privacy rules that apply to voice providers—and some of the privacy rules that apply to cable and satellite television providers—so that they are “harmonized” with the new broadband rules. The initial comment deadline is May 27, 2016. The reply comment deadline is June 27, 2016.

The Commission’s proposal is complex, but here is a brief overview of its main provisions:

Types of information covered. The proposal would impose limits on broadband providers’ collection and use of both customer proprietary network information (“CPNI”) and personally identifiable information that they acquire from their customers as a result of their provision of broadband service.

CPNI is a relatively narrow category of information about a customer’s use of and subscription to telecommunications services. The FCC cites the following as examples of what would be considered CPNI in the broadband context:

  • service plan information, including type of service (e.g., cable, fiber, or mobile), service tier (e.g., speed), pricing, and capacity (e.g., information pertaining to data caps)
  • geo-location information
  • device identifiers, such as MAC address
  • source and destination IP addresses and domain name information
  • traffic statistics, including packet sizes and spacing, monthly data consumption, average speed, and frequency of contact with particular domains and IP addresses.

Personally identifiable information, on the other hand, is an expansive category of information that has not historically been the subject of FCC rulemakings. The FCC proposes to define the term as “any information that is linked or linkable to an individual.” This covers even purportedly anonymous information if it “can be used on its own, in context, or in combination to identify an individual or to logically associate with other information about a specific individual.” Information commonly thought of as personally identifiable information, such as name, social security number, and IP address, would be covered. But so would other information, such as financial information, shopping records, information about disability, and sexual orientation.

The Commission asks for comment on whether it should promulgate similar regulations that would cover personally identifiable information gathered by telephone and interconnected VoIP service providers.

Additionally, the proposal would define “customer” so that information related to current broadband subscribers, former broadband subscribers, and applicants for broadband service would be covered. The proposal does not appear to contemplate changing the meaning of “customer” for the purposes of the voice, cable, or satellite privacy rules, but commenters may raise the issue.

Privacy policies. The proposal would require broadband providers to give customers a privacy policy at the point of sale, and make the policy persistently available on the providers’ website and mobile app. The policy would have to adequately inform customers about what covered information broadband providers collect, what providers do with that information, and when (and at a broad level of generality, to whom) they disclose that information. It would also need to inform customers of their right to prevent certain uses of their covered information, and inform customers about a simple way that they can exercise that right.

Broadband providers would also have to give customers advance notice before implementing material changes to their privacy practices.

The FCC is investigating whether to require voice, cable television, and satellite providers to provide similar privacy policies and notices.

Types of consent required for use and disclosure of information.

No consent. The proposal would allow broadband providers to use covered information without consent for the purposes of providing broadband service; billing and collections; responding to certain emergency circumstances; providing customer support when the customer contacts the broadband provider; protecting from fraud or abuse; installing, repairing, and maintaining wiring; and marketing other broadband services (such as broadband with increased speed) to their customers.

Opt-Out Consent. The proposal would allow broadband providers to market other communications-related services to their customers, unless the customers opt out of receiving such communications. The proposal would also allow broadband providers to share covered information with the providers’ affiliates for marketing purposes, when the affiliate provides communications-related services. Note, however, that the FCC is considering a carve-out, where providers would need to obtain opt-in consent before using particularly sensitive categories of information, such as geo-location information and children’s information, even when the data is being used to market communications-related services.

Opt-In Consent. The proposal would require providers to obtain opt-in consent to use covered information for any other purpose, including sharing information with third parties and affiliates that do not provide communications-related services. As mentioned above, the FCC is also considering requiring opt-in consent for any use of information that it deems particularly sensitive.

Note that, under the proposal, including information in the providers’ privacy policy would not suffice to obtain consent. Instead, the provider would have to give its customers a notice and the chance to opt in or out at the moment the provider first intends to use or disclose the customer’s information in a way that requires consent. The proposal seeks comment on whether providers could give a single notice that covers multiple different uses of multiple different types of data, or whether providers would have to give a new notice each time they seek to use a new category of data or to use data in a new way that requires consent.

Although these consent proposals are similar to current voice provider requirements, they are different in a few key ways, such as how often and when consent needs to be obtained. The FCC asks for comment on whether the voice rules on consent should be harmonized with the broadband rules.

The FCC also asks for comment on changing the notice and consent requirements for cable and satellite video providers so that they align more closely to the proposed broadband rules, although cable and satellite video providers are subject to more stringent statutory obligations with respect to data collection and consent.

Prohibited data practices. The proposal would ban broadband providers from making all customers waive their privacy rights in order to receive service. It also asks for comment on prohibiting:

  • offering discounted broadband service in exchange for waiving privacy rights
  • the use of deep-packet inspection for purposes other than network management
  • the use of persistent identifiers to track customers on an ongoing basis
  • requiring customers to submit to arbitration of privacy disputes.

Data security. The proposal would require broadband providers to adopt reasonable data security practices that are “calibrated to the nature and scope of the broadband provider’s activities, the sensitivity of the underlying data, and technical feasibility.” Adopting risk management practices, instituting personnel training practices, adopting customer authentication requirements, having senior-level oversight of data security, and notifying consumers of changes to their accounts would be necessary, but not sufficient, to meet the data security requirement. The FCC also asks for comment on whether data security considerations require banning broadband providers from collecting certain types of particularly sensitive information, limiting how long covered information can be retained, and adopting technical safeguards on how data should be destroyed.

The FCC suggests making broadband providers vicariously liable for the data security practices of other companies with whom they share covered information.

The rulemaking will also investigate whether similar data security requirements should be imposed on voice, cable, and satellite providers.

Data breach notification. The Commission proposes to require both broadband and voice providers to notify customers, law enforcement, and the FCC when the provider experiences a data breach involving covered information. Although the Commission notes that there should be some threshold for when a notification is required—such as a likelihood of harm to consumers or a certain number of affected consumers—the proposal does not say what the specific “trigger” for notification should be. In most cases, providers would have seven days from discovering the breach to notify the authorities and ten days to notify customers.

The rulemaking will also investigate whether similar data security requirements should be imposed on cable and satellite television providers.