Turn-of-the-century common carrier regulation is about to be imposed on providers of broadband internet services in the United States; all that remains to be determined is the details, and there are a lot of them in dispute. On February 4, 2015, Chairman Tom Wheeler of the Federal Communications Commission ("FCC") announced that the FCC would be taking the "nuclear option" of reclassifying broadband as a telecommunications service. Broadband providers familiar with their current regulatory posture may be wondering how the reclassification will affect them. For the marquee elements of the plan—the much-discussed principles of no blocking, no throttling, and no paid prioritization—little can be said with certainty at this point. The impact on providers' privacy and data security obligations, however, is much more tractable, and broadband providers should begin reorienting their company's privacy and security thinking and practices from the familiar Federal Trade Commission ("FTC") oversight to the less familiar FCC paradigm.
FTC Rules: Avoiding Unfair and Deceptive Practices
Broadband providers are no strangers to the need for robust protection of customer information. Like other businesses, broadband providers have been subject to the general authority of the FTC, most notably Section 5 of the FTC Act, which prohibits "unfair" or "deceptive" practices. Under this framework, the FTC takes enforcement action, generally, when a business fails to live up to privacy and security promises, or otherwise fails to reasonably protect the privacy and security of consumer data. Recently, the FTC has been active in pursuing companies engaging in lax security practices. In addition to the general enforcement authority of Section 5, the FTC also imposes privacy and security-related obligations on broadband providers through more specific subject-area regulations, such as the treatment of credit report information under the Fair Credit Reporting Act and the collection of personal information about children under the Children's Online Privacy Protection Act. Each of these laws provides enforcement authority of general applicability that is not based on the unique context of the carrier/customer relationship that the FCC's rules are designed to address.
FCC Rules: Familiar Principles, New Requirements
Like the existing FTC oversight, FCC regulations also have strong and demonstrable consumer privacy protections. The FTC's more reactive approach, however, contrasts with the FCC's more compliance-based rules. The centerpiece of the FCC's rules for protecting privacy is the Customer Proprietary Network Information ("CPNI") rules detailed in Section 222 of the Communications Act. CPNI is information about the customer's service and use of that service that is available to the broadband provider solely by virtue of the provider–customer relationship, including not just information on customer bills but information related to the type of services, quantity, location, destination, and amount of use of the broadband service, i.e., the websites visited. Protection of CPNI means preventing unauthorized access as well as carefully securing customer consent for the use or sharing of this information for marketing purposes. Broadly, the CPNI rules include requirements to:
- Adopt specific plans to protect customer privacy and annually certify that the plans are being followed;
- Take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI, including through "pretexting" and attacks on the company's database;
- Notify law enforcement of breaches of customer privacy;
- Provide notification and obtain customer consent via "opt-in" or "opt-out" before using customer information from an existing service relationship to market a new service;
- Maintain records of sales and marketing campaigns that use CPNI or disclose it to affiliates; and
- File annual certifications summarizing compliance with these rules.
These requirements may well be familiar to large broadband providers that also operate telecommunications businesses, such as wireless or home phone service, VoIP, or data access services.
In addition to these long-standing compliance-based rules, the FCC appears to have recently been exploring its ability to engage in broader, more FTC-style enforcement. In October 2014, the FCC released a $10 million fine against telecommunications providers TerraCom and YourTel for failing to "employ reasonable data security practices" to protect customers' proprietary information and for engaging in "deceptive and misleading practices" by misrepresenting to customers the adequacy of their data protection procedures. See our Alert, "FCC Issues Massive $10 Million Fine in its First-Ever Data Security Enforcement Action," concerning these fines. The TerraCom decision used an expansive definition of "proprietary information" that included not only the statutory term "CPNI" but also "privileged information, trade secrets, and personally identifiable information." To the extent that the Commission continues to pursue this enforcement approach, the practical differences between these two agencies' regulatory approaches may begin to diminish going forward.
Not All That Is Internet Is Telecommunications
In the regulatory sea change that is reclassification, broadband providers should be careful not to assume that all internet-related service offerings will be subject to the FCC's regulations, much less the rigid CPNI protection and reporting requirements. As the FCC is fond of repeating, "the heart of 'telecommunications' is transmission." Services other than transmission, such as content provision (i.e., websites), will continue to be unregulated "information services" that remain exempt from the FCC's common carrier jurisdiction and subject only to the general unfair and deceptive practices oversight of the FTC.
From Theory to Practice
The FCC is expected to adopt the proposed Open Internet rules, including the privacy requirements for broadband providers, at its February 26, 2015, open meeting, at which time the general authority of the Commission to regulate the privacy and data security practices of broadband providers will be established. The precise details of how these rules will actually apply to current and future business practices, however, will be shaped by an ongoing conversation between providers and the FCC. Further, some broadband service providers have already signaled that they may challenge the FCC's decision in court. Unlike prior FCC decisions on this subject, however, on this occasion the FCC may have finally crafted proposed rules that will survive judicial review.