The Federal Communications Commission ("FCC"), the nation's regulator of all things telecommunications, has turned its attention to privacy practices at the on-ramp to the internet. In a November 2, 2016, Report and Order, the FCC adopted rules applying the privacy requirements of the Communications Act of 1934 to "the most significant communications technology of today—broadband Internet access service." FCC Chairman Tom Wheeler issued a statement highlighting the increasingly central role that broadband providers have as a threshold to every aspect of life, noting that "the more our economy and our lives move online, the more information about us goes over our Internet Service Provider (ISP)—and the more consumers want to know how to protect their personal information in the digital age."
These rules can be seen as the Commission's next big move to stay on top of the ever-changing meaning of "communications" in the age where smartphones are ubiquitous, everything can be done online, and big data monitors it all. After the D.C. Circuit's June 2016 decision upheld the FCC's December 2015 decision to reclassify broadband internet providers as regulated telecommunications providers, the Commission saw its next logical step as ensuring that its newest common carriers were subject to effective privacy rules that ordinarily would be overseen by the Federal Trade Commission ("FTC"), as the regulator for general consumer protection affairs.
Three Categories of Private Information, Three Levels of Protection
The FCC summarizes the rules as creating three categories of information and clear guidance for both ISPs and customers about the transparency, choice, and security requirements for customers' personal information:
Sensitive Information: "Opt-In": Data such as precise geo-location, financial information, health information, children's information, Social Security numbers, web browsing history, app usage history, and contents of communications are among the most sensitive information that crosses a customer's internet connection. ISPs will be required to obtain affirmative "opt-in" consent from consumers to use and share sensitive information.
Non-Sensitive Information: "Opt-Out": The Commission identifies all other individually identifiable customer information such as email address or service tier information as "non-sensitive" and will permit the use and sharing of that information unless the consumer opts out. The Commission notes that this practice is "consistent with consumer expectations."
Service Provision Information: Inferred Consent: For information that is used in the provision of the broadband service or billing and collection, customer consent is inferred by the creation of the customer–ISP relationship.
Transparency and Fairness
The rules will also add transparency requirements that will mandate "clear, conspicuous and persistent notice about the information ISPs collect" as well as how it is used and shared and how customers can change their privacy preferences.
The rules also require "reasonable" data security practices and will provide "guidelines" on implementing industry best practices for security, customer authentication, and data disposal, as well as "common-sense" data breach notification requirements.
The rules explicitly prohibit "Take-It-or-Leave-It" offers that make use and sharing a condition of service. Chairman Wheeler's statement also called out the "harmful impacts" of mandatory arbitration requirements, pledging to produce proposed rules on these requirements early next year.
Too Much of a Good Thing, and Still Not Enough
As with much of the complicated internet ecosystem, well-meaning regulations do not necessarily translate into useful results. Consumers are already deluged with "click to accept" messages and privacy disclosures, and it is not clear that they will have the bandwidth to meaningfully interact with one more. Nor will these rules offer protection from "edge providers" or "Over-the-Top" services such as Google, Yahoo, Twitter, and Skype, as Commissioner Pai argues in a statement, potentially placing entities with similar access to customers' digital lives under very different privacy regimes.
A Nod to the FTC
In a nod to the occasionally conspicuous tension between the jurisdiction of the FCC over telecommunications privacy and the FTC over privacy almost everywhere else, the FCC press release includes a note that the rules are "limited to broadband service providers and other telecommunications carriers" and "do not apply to the privacy practices of web sites and other 'edge services' over which the Federal Trade Commission has authority." The FCC also clarifies that this order does not address the thorny issues of "government surveillance, encryption, or law enforcement."