On March 31, 2016, a 3-2 majority of the U.S. Federal Communications Commission ("FCC") approved a Notice of Proposed Rulemaking ("NPRM") to establish a set of regulations governing the data collection, use, and sharing practices of broadband Internet service providers ("Broadband ISPs"). The proposed rules were first announced in early March by Chairman Tom Wheeler, and are currently in a period of public comment until May 27, 2016. According to the factsheet accompanying the NPRM, the proposed rules are meant to apply the existing privacy and security requirements of the Communications Act of 1934 (as amended by the Telecommunications Act of 1996) to Broadband ISPs. Upon adoption, the rules will establish a discrete set of privacy and security standards for Broadband ISPs and serve as the FCC's formal authority to guide its privacy enforcement efforts against such providers. Following the close of the current comment period and the reply comment period on June 27, 2016, the FCC will vote on a final version of the rules, which may be revised in light of comments received during the comment and reply periods.
According to the FCC, the proposed privacy regulations are intended to provide "clear guidance" as to what customer data is collected by Broadband ISPs, and how that data is used and shared with third parties. The core principles of the rules are familiar concepts in privacy and security oversight and regulation, including (a) transparency for consumers regarding the information collection and use practices of Broadband ISPs; (b) choice for consumers and meaningful control over what personal data is used by Broadband ISPs and shared with third parties; and (c) security requirements for Broadband ISPs to protect consumer data when transferred and stored.
The regulations would establish a set of relatively specific requirements for Broadband ISPs related to consumer choice and information security. Broadband ISPs would be allowed to (i) use customer data in the course of providing services to consumers; and (ii) use and share customer data with certain third parties for marketing purposes unless consumers affirmatively "opt out". Any other use of customer data by Broadband ISPs, however, would require affirmative "opt-in" consent from customers. The proposed rules would also include an overarching data security standard requiring Broadband ISPs to take reasonable steps to safeguard customer data from unauthorized use or disclosure. The foundations of this standard would consist of (i) adopting risk management practices; (ii) training personnel; (iii) requiring strong customer authentication; (iv) designating a senior manager responsible for data security; and (v) assuming responsibility for the data security of third parties with whom the Broadband ISP shares customer data. The new rules would also include strict data breach reporting obligations for Broadband ISPs, including a notification deadline of ten (10) days from the date of discovery to affected consumers and seven (7) days to the FTC.
The FCC has demonstrated its general privacy and security enforcement capabilities in several recent enforcement actions, including those related to telephone subscriber privacy, consumer data breach incidents, and the use of "supercookies" in violation of consumer privacy. In 2015, the FCC moved to reclassify Broadband ISPs as providers of "telecommunications services" rather than "information services," to bolster its authority to enforce net neutrality regulations on Broadband ISPs. Notably, because Section 5 of the Federal Trade Commission Act expressly excludes "common carriers" (which include "telecommunications service" providers) from the FTC's authority, this reclassification effectively eliminated the FTC's jurisdiction over Broadband ISPs. The FCC has since sought to distinguish itself as the primary data protection authority for Broadband ISPs in the U.S., largely through enforcement of Section 222(c)(1) of the Communications Act and the FCC's rules that implement its provisions. Shortly after the reclassification of Broadband ISPs, however, the FCC separately determined that these rules should not be applied to Broadband ISPs because they contemplate telephone services rather than Broadband Internet. The proposed rules are the FCC's first attempt to promulgate a discrete set of standards to govern the privacy and security practices of Broadband ISPs since announcing its plans to do so in April 2015.
The current public comment period has brought forth a range of criticism from major telecommunications companies, smaller service providers, and public interest groups opposing the structure and practicality of the FCC's proposed rules. Specifically, several critics have taken issue with the proposed rules' opt-in and opt-out regimes as inconsistent with existing privacy practices or with the practices required of other types of telecommunications services. Similarly, some organizations have argued that the application of this framework in the contexts of marketing to customers and internal sharing with affiliates would stifle innovation and competition in the online advertising market. Others have criticized the proposed rules' seemingly contradictory approach to that of Section 222(c) of the Communications Act, which requires the approval of the customer before a telecommunications carrier can use the customer's Customer Proprietary Network Information ("CPNI") for anything other than "(a) the telecommunications service from which such information is derived, or (b) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories." For certain telecommunications providers, such as those that operate both Broadband and traditional voice services, the proposed rules present practical compliance challenges that may bring about significant business and operational issues.
As the FCC emerges as a central regulator for Broadband ISPs in the U.S., its reach and capacity for enforcement remain to be seen. Once adopted, the FCC's proposed privacy rules will provide the Commission with a primary tool to regulate the privacy and security practices of Broadband ISPs. The regulations will also serve as informal guidance for organizations seeking to align their privacy and security practices with "reasonable" standards in regulated industries. Exactly how the new rules will be implemented, applied, and enforced, however, is one of several unanswered questions surrounding the proposed regulations. The relatively strict requirements imposed by the regulations may also be impractical or present challenges for Broadband ISPs with varied compliance capabilities. The notification timeline and reporting obligations in the proposed rules are shorter and more onerous than most existing Federal and State data breach notification laws in the U.S. The strict requirements may also generate tension between the FCC's and the U.S. Federal Trade Commission's ("FTC") methods of privacy and security enforcement, and complicate the interplay of the two agencies in the arena of consumer privacy and security.