On Thursday, Federal Communications Commission (“FCC”) Chairman Tom Wheeler circulated a highly anticipated broadband data privacy and security Notice of Proposed Rulemaking (“NPRM”) to the other Commissioners, slating the proposals for a full Commission vote at the agency’s March 31 Open Meeting. The rules would apply to internet service providers (“ISPs”), but organizations throughout the online data ecosystem will want to pay close attention to this rulemaking and be prepared to comment on the FCC’s proposals.
Although the full details of the NPRM are still unknown, the FCC released a fact sheet providing a high-level overview of what we can expect to see in the document. In the fact sheet, the FCC highlights the unique relationship consumers have with their ISPs, stating that “[a]n ISP handles all of its customers’ network traffic, which means it has an unobstructed view of all of their unencrypted online activity—the websites they visit, the applications they use. If customers have a mobile device, their provider can track their physical and online activities throughout the day in real time.”
The fact sheet goes on to state that “even when data is encrypted, broadband providers can still see the websites that a customer visits, how often they visit them, and the amount of time they spend on each website,” warning that with this information, “ISPs can piece together enormous amounts of information about their customers—including private information such as a chronic medical condition or financial problems.”
According to the fact sheet, the NPRM:
- Sets out to give consumers control over how their personal information is used and shared by their broadband service providers.
- Separates the use and sharing of information into three categories:
- Inherent Consent: customer data necessary to provide broadband services and for marketing the type of broadband service purchased by the customer will require no additional customer consent beyond the creation of the customer-broadband provider relationship.
- Opt-Out Consent: unless the customer opts-out, broadband providers will be allowed to use customer data for the purposes of marketing other communications-related services and to share customer data with their affiliates that provide communications-related services for the purposes of marketing such services.
- Opt-In Consent: Will require express, affirmative “opt-in” consent from customers for all other uses and sharing of consumer data
- Requires broadband providers to take “reasonable steps” to safeguard customer information from unauthorized use or disclosure, including, at a “minimum”: 1) adopting risk management practices; 2) instituting personnel training practices; 3) adopting strong customer authentication requirements; 4) identifying a senior manager responsible for data security; and 5) taking responsibility for the use and protection of customer information when shared with third parties.
- Sets out specific data breach notification requirements, including notifying affected customers of breaches of their data within 10 days of discovery, and notifying the FCC of a breach no later than 7 days after discovery.
The NPRM will be voted on by the full Commission at the March 31 Open Commission Meeting and, if adopted, will be followed by a period of public comment.