On March 31, 2016, at its Open Meeting, the Federal Communications Commission (FCC or Commission) voted along party lines (3-2) to launch a notice of proposed rulemaking (NPRM) to establish privacy rules for broadband Internet Service Providers (ISPs). As we explained in our blog post in anticipation of this vote, this rulemaking stems from the 2015 Open Internet Order and is intended to seek comment on how the Commission should apply Section 222 of the Communications Act of 1934, as amended, to broadband Internet access service (BIAS).

While the text of the NPRM—and the approximately 500 questions contained within it—has not yet been released, a Commission press release, fact sheet, and prior statements outline the NPRM in broad strokes. (We will follow up with more information once we have the item in hand.)

As a threshold issue, in the NPRM, the FCC seeks comment on definitions for both broadband customer proprietary network information (CPNI) and the broader category of “proprietary information” contained in Section 222(a).

In addition, the NPRM seeks comment on proposed rules reflecting three “core principles”: choice, transparency, and security. With respect to choice, the NPRM creates three categories of data use and sharing policies, similar to the existing framework:

  • Implied Consent. Consent “inherent” in a customer’s decision to purchase an ISP’s service. This data is necessary to provide the broadband service and requires no additional consent beyond the creation of the relationship.
  • Opt-out. Broadband providers would be allowed to use customer data for marketing other communications-related services and to share information with their affiliates, unless the consumer affirmatively opts out.
  • Opt-in. All other uses and sharing of consumer data would require express, affirmative consent from consumers.

As for transparency, the NPRM proposes to require ISPs to provide clear, conspicuous and persistent notice about what information they collect, use, and share with third parties.

The NPRM also proposes the following data security requirements:

  • Data security requirements. The NPRM will propose both a general standard for data security as well as specific practices to “reasonably secure” customer data.
  • Data breach notification. All telecommunications providers—including traditional carriers and broadband providers—will be required to notify law enforcement and consumers when CPNI or proprietary information is accessed without authorization.  This provision appears to significantly expand the breach notification procedures applicable to traditional telecommunications carriers today.

Finally, while the Commission’s earlier Fact Sheet stressed that the Commission’s proposal would not bar any specific practices, comments from Commission staffers suggest that the NPRM may in fact seek comment on whether certain privacy-related ISP practices should be prohibited, such as deep packet inspection, financial inducements, and persistent tracking.

The two Republican commissioners sharply criticized these proposals as anti-consumer choice, overly regulatory and costly to businesses.  They also criticized the proposals for going beyond the approach used by the FTC, and, as a result, creating differing obligations depending upon the entity’s regulatory status.

Importantly, the NPRM only covers proposed requirements for broadband providers, and does not address or apply to the privacy practices of edge services (e.g., websites), which fall within the jurisdiction of the Federal Trade Commission, or other services that an ISP offers (e.g., a social media website).  Further, the press release states that the NPRM does not address government surveillance, encryption, or law enforcement issues.

The text of the NPRM likely will be released in the coming days, and the FCC will begin accepting comments following the NPRM’s publication in the Federal Register. We’re tracking and will follow up when we learn more.