On October 27, 2016 the FCC announced its adoption of an Order establishing a set of privacy regulations ("Broadband Privacy Rules") governing the use of consumer personal information by Broadband Internet Service Providers ("Broadband ISPs"). The newly adopted Broadband Privacy Rules follow the draft regulations initially proposed by the FCC in a March 2016 Notice of Proposed Rulemaking ("NPRM"), which were met with mixed reviews during the public comment period. A modified version of the rules was announced by FCC Chairman Tom Wheeler in early October 2016. The Broadband Privacy Rules, adopted by the FCC in a 3-2 party line vote, are a less stringent version of the NPRM and establish specific requirements for how Broadband ISPs may use and share their customers' personal information.
The Broadband Privacy Rules serve to apply Section 222 of Title II of the Communications Act to Broadband ISPs, which requires telecommunications carriers to protect the privacy of their customers' information. The FCC previously reclassified Broadband ISPs as providers of "telecommunications services" rather than "information services" in its 2015 Open Internet Order. The FCC has since sought to assert itself as a primary regulator of Broadband ISPs in the U.S., and the Broadband Privacy Rules will support this effort in the context of consumer privacy and data protection.
According to the FCC, the Broadband Privacy Rules are meant to provide consumers with "meaningful choice" and increased control over the use of their personal information provided to Broadband ISPs or generated through use of a Broadband Internet service. Importantly, the new rules apply to companies providing either fixed or mobile Broadband Internet services to consumers, but do not extend to other online services such as social media or online marketers, which remain subject to FTC regulation. Companies such as cable networks or mobile companies that offer both Broadband Internet service and other online or digital services will be subject to the regulations, but the rules will only extend to the Broadband services provided by those companies. The FCC has expressly excluded the privacy practices of websites or applications from the Broadband Privacy Rules, where the FTC has regulatory authority. In statements accompanying the rules, several FCC Commissioners emphasized the parallels between the new privacy regulations for Broadband ISPs and the approach and objectives of the FTC's privacy framework, aiming to protect and strengthen consumer privacy while facilitating digital commerce and the online advertising market.
The following is a summary of the key features of the Broadband Privacy Rules.
- Consumer Notice
At the heart of the Broadband Privacy Rules is a heightened consumer notice requirement for Broadband ISPs. Broadband ISPs are required to provide consumers with clear, immediate, and persistent notice as to what types of information the ISP collects about its customers, and how that information is collected. Broadband ISPs must also specify to consumers how and for what purposes the Broadband ISP uses and shares customer information, and identify the types of entities with which customer information is shared. Broadband ISPs are to provide this information when a customer signs up for service, notify customers of significant changes to their existing practices, and display their policies persistently on the Broadband ISP's website or mobile application.
- Consumer Choice
Furthermore, the Broadband Privacy Rules equally emphasize the nature and sensitivity of customer information, and feature different consent requirements depending on the type of consumer information at issue. To use and share "sensitive" customer information, Broadband ISPs are required to obtain affirmative permission from customers, commonly known as "opt-in" consent. The regulations outline several categories of "sensitive" customer information, including (i) precise geo-location data, (ii) children's information, (iii) health data, (iv) financial information, (v) social security numbers, (vi) web browsing history, (vii) application usage history, and (viii) the contents of communications. All other types of information provided by the customer or collected by the Broadband ISP (described as "service-tier information") are considered non-sensitive. The regulations generally permit use or sharing of such non-sensitive customer information, but consumers must be given the means to "opt out" of the use or sharing of their non-sensitive information.
The Broadband Privacy Rules also provide for limited exceptions to the notice and consent regime, including (i) use and sharing of non-sensitive information incidental to the services provided and marketed with the customer's service subscription, (ii) provision of Broadband services and billing and collection for such services, and (iii) to prevent fraudulent use of the Broadband ISP's network. In addition, the regulations prohibit Broadband ISPs from refusing to serve consumers who do not consent to the use and sharing of their information for commercial purposes.
- Information Security Requirements and Breach Reporting Requirements
The Broadband Privacy Rules also require Broadband ISPs to take "reasonable measures" to protect customer data from breaches and other vulnerabilities. Broadband ISPs must have data security practices and procedures that are "appropriately calibrated to the nature and scope of its activities, the sensitivity of the underlying data, the size of the provider, and technical feasibility." The regulations provide broad data security practice guidelines, including implementing "best practices" to manage security risk, "accountability and oversight of security practices", establishing "robust customer authentication tools", and proper destruction of customer personal data. Although the rules do not include a checklist of specific security requirements, the FCC emphasized that the security obligations are consistent with FTC data security requirements and the NIST Cybersecurity Framework. Additionally, the Broadband Privacy Rules require Broadband ISPs to report incidents of unauthorized disclosure of customer data if the Broadband ISP determines that harm is reasonably likely to occur. Under this standard, in the event of a reportable breach affecting fewer than 5,000 customers, the Broadband ISP must notify the affected consumer(s) within 30 days of determining that consumer harm is reasonably likely to occur, and simultaneously report the breach to the FCC. For breaches affecting 5,000 or more customers, the Broadband ISP must notify the FCC, the Federal Bureau of Investigation, and the U.S. Secret Service within 7 days of the company's determination that consumer harm is reasonably likely to occur.
- Additional Consumer Protections
Furthermore, the Broadband Privacy Rules feature protections for "de-identified" customer information, which has been altered so that it is no longer associated with individual consumers or devices. The regulations permit use of de-identified information by Broadband ISPs so long as they meet the FTC's three-prong de-identification standard, which includes (i) altering the customer information so that it cannot reasonably be linked to a specific individual or device, (ii) publicly committing to maintain and use the information in an unidentifiable format and not to attempt to re-identify the data, and (iii) contractually prohibiting the re-identification of shared information. Broadband ISPs are also required to provide heightened disclosure of service plans that provide discounts or incentives in exchange for a customer's consent to use or share their personal data, which the FCC will evaluate on a case-by-case basis.
The revised Broadband Privacy Rules reflect a range of comments provided by telecommunications companies and online service providers, privacy and public interest groups, as well as the Bureau of Consumer Protection of the U.S. Federal Trade Commission ("FTC"). Prior comments from various telecommunications providers sought to harmonize the FCC's regulations with the FTC's privacy framework, including adopting a "sensitivity-based" approach to customer notice and consent requirements as well as the FTC's standard for use of "de-identified" customer information. The FTC similarly sought to align the FCC's rules with its own approach to information privacy and consumer protection in May 2016 comments to the FCC's NPRM. While these and other suggestions consistent with the FTC's privacy framework have been incorporated into the adopted version of the Broadband Privacy Rules, the new rules do not reflect other concerns voiced by some companies and trade associations, such as certain restrictions on affiliate data sharing and marketing practices, or the data breach notification and reporting requirements. In contrast, consumer advocacy groups have applauded the new rules as an important step for transparency and accountability in the use of consumer data by telecommunications companies providing Broadband services.
Major Broadband ISPs will have twelve (12) months to implement the requirements of the Broadband Privacy Rules, while smaller providers will be given an additional twelve (12) months to achieve compliance. The security requirements of the Broadband Privacy Rules will go into effect ninety (90) days after the publication of the Order summary in the Federal Register, and data breach notification obligations take effect six (6) months from publication.