The Federal Communications Commission’s (FCC) long-awaited – and much debated – privacy rules for Internet Service Providers (ISPs) have now been adopted. The agency approved the rules by a 3-2 vote along political party lines last Thursday.
Several of the FCC requirements are particularly notable for being more restrictive than the Federal Trade Commission’s (FTC) standards for consumer online privacy. In this post we provide an overview of some of the new FCC rules and highlight key areas where the FCC’s requirements diverge from the FTC’s framework.
Requirements for ISPs
Although the full text of the FCC’s decision has not yet been released, an agency fact sheet provides details on some of the key requirements:
- Transparency. The rules require ISPs, whether they offer mobile broadband or fixed broadband services, to: (1) notify customers about what types of information the ISP collects about customers; (2) specify how and for what purposes the ISP uses and shares this information; and (3) identify the types of entities with which the ISP shares this information.
- Consumer Choice. ISPs must obtain opt-in consent to use and share “sensitive information” such as precise geolocation information, web browsing history, app usage history, the content of communications, and health information. ISPs must also provide consumers an ability to opt out of the use and sharing of non-sensitive information. Certain exceptions to these consent standards are provided, including, for example, the use and sharing of certain de-identified data; non-sensitive information used to provide and market certain ISP services and equipment; the provision of service and billing; and the prevention of fraudulent use of the provider’s network.
- Take-It-or-Leave-It Offers. ISPs cannot refuse to serve customers who do not consent to the use and sharing of their information for commercial purposes.
- Pay-for-Privacy. Heightened disclosure is required for plans that offer discounts or other incentives in exchange for opt-in consent. The FCC will examine plans on a case-by-case basis.
- Data Security and Breach Notification. ISPs must take reasonable measures to protect consumer data. ISPs also must notify consumers of data breaches within 30 days unless they determine that no harm is reasonably likely to occur.
The FCC’s implementation timelines vary for these rules. The data security requirements become effective 90 days after the final rules are published in the Federal Register. The breach notification requirements become effective 6 months after publication. The notice and choice requirements become effective one year from publication (two years for smaller providers).
The FCC’s Rules Are More Restrictive than the FTC’s Standards in Some Important Respects
First, although the full details of the rules have not yet been released, we know that the FCC regulations will require opt-in consent for more categories of information than would be required under prior FTC guidance. For example, traditional “opt in” categories according to the FTC include Social Security numbers and children’s, financial, health and precise geolocation data. The FCC will also require ISPs to obtain opt-in consent before using and sharing subscribers’: 1) web browsing history; 2) app usage history; and 3) communications content.
Second, the FCC has prohibited take-it-or-leave-it offers, which are currently allowable under FTC standards.
Third, the FCC has imposed heightened transparency rules for companies that offer incentives in exchange for a customer’s express affirmative consent.
Not only do these rules go beyond FTC standards, but the FCC can impose forfeitures and other penalties for first-time rule violators, whereas the FTC cannot impose civil penalties against first-time rule violators.
We will update this post after the text of the decision is released.