On October 27, 2016, the U.S. Federal Communications Commission (the "FCC") adopted the Open Internet Order (the "Order"). The Order reclassified broadband Internet access service as a telecommunications service, thereby applying Section 222 of Title II of the Communications Act to Internet service providers ("ISPs"). Section 222 aims to protect consumers' personal information collected by carriers. Under this section, carriers must "protect the confidentiality of [consumers'] proprietary information" from unauthorized use and unlawful disclosure.[1] The FCC, as mandated by Congress, has successfully overseen consumer privacy with regard to the telephone network for decades. Under the Order, the FCC will also enforce the consumer privacy provisions of Section 222 against ISPs.

The new rules apply both to home Internet service providers and to mobile data carriers. The rules do not regulate (i) the privacy practices of websites or apps, (ii) other services of broadband providers (e.g., operation of a social media website), or (iii) government surveillance, encryption, or law enforcement. The Order does, however, set out data security, data breach notification, and notice and choice requirements, summarized as follows:

Data Security

Data security requirements will take effect 90 days after publication of the summary of the Order in the Federal Register ("Publication"). The Order provides guidelines for developing reasonable data security practices. Such practices must be proportional to the nature and scope of the ISP's activities, the sensitivity of the underlying data, the size of the provider, and technical feasibility.

Data Breach Notification

Data breach notification requirements will take effect six months after Publication. The notification requirement is triggered by an unauthorized disclosure of a customer's personal information, unless the ISP determines that no harm is reasonably likely to occur. In the event of a reportable breach, providers must notify affected customers as soon as possible and no later than 30 days after the breach event. If the breach affects fewer than 5,000 customers, the ISP must notify the FCC at the same time it notifies customers. If the breach affects 5,000 or more customers, the ISP must notify the FCC, the Federal Bureau of Investigation, and the U.S. Secret Service within seven business days.

Notice and Choice

Notice and choice requirements will take effect 12 months after Publication. Small providers will have an additional 12 months to comply.

  1. Notice. ISPs must (i) tell customers about the collection, use, and sharing of their information during the service signup process and (ii) update customers when the ISP's privacy policy changes in significant ways. The FCC has directed the Consumer Advisory Committee to develop a standardized privacy notice format that can serve as a "safe harbor" for providers. ISPs must keep this information available on their website or mobile app.
  2. Choice. ISPs must obtain "opt-in" consent to use and share sensitive information such as precise geolocation, web browsing history, and app usage. With a few exceptions, customers must "opt out" of the use and sharing of non-sensitive information such as service-tier information. The Order prohibits an ISP from refusing to serve customers who do not consent to the use and sharing of their information for commercial purposes. Similarly, the rules require heightened disclosure for plans that offer incentives in exchange for a customer's consent to the use and sharing of their personal information.

Overall, the Commission said, the rules are intended to secure data and give customers meaningful choice while still giving ISPs the flexibility to innovate. Commissioner Mignon Clyburn noted that in issuing the rules, the FCC "substantially adopt[s] the FTC's framework on privacy, with some tweaks to account for the current era, and unique position broadband providers occupy in our everyday lives."[2]