The Federal Communications Commission released the full text of its anticipated privacy rules for internet service providers (ISPs), telecommunications carriers, and interconnected VOIP providers.

Broadly speaking, these rules require covered providers to:

  1. notify customers of their uses of data;
  2. permit customers to opt-in to uses of sensitive data and opt-out of uses of non-sensitive data;
  3. establish an information security program to comply with data security requirements; and
  4. notify customers, the FCC, and federal law enforcement within short timelines in the event of a data breach.

Additionally, while the rules prohibit ISPs from offering customers “take it or leave it” propositions (i.e., making a customer’s access to telecommunications service contingent on giving up personal information) the rules do allow providers to offer “financial incentives” for the expanded use and disclosure of personal information.

Effective Dates

Sections of the rules will come into force at different times, in part because some rules require Paperwork Reduction Act review.

  • 30 days after publication in Federal Register
    • 64.2001 (Basis and Purpose)
    • 64.2002 (Definitions)
    • 64.2010 (Business customer exemption)
    • 64.2011(a) (BIAS Financial incentive for waiver of privacy rights)
    • 64.2012 (Effect on state law)
  • 90 Days after publication in Federal Register
    • 64.2005 (Data security requirements)
  • After notice of OMB approval and effective dates in Federal Register
    • 64.2003(Notice Requirements)
    • 64.2004 (Customer Approval)
    • 64.2006 (Data Breach Notification)
    • 64.2011(b) (BIAS Financial Incentive for Opt-In)

Please stay tuned for a fulsome summary of the item and in-depth analysis. You can view our previous entries covering the FCC’s privacy rules here, here, and here.