As we discussed in our earlier blog post, on March 31, 2016, the Federal Communications Commission (FCC or Commission) voted along party lines (3-2) to launch a notice of proposed rulemaking (NPRM) to establish privacy rules for Broadband Internet Access Service (BIAS) providers.  These proposals, if adopted, could impose prescriptive and complex privacy obligations that would be among the most extensive in the country.

Today we release a client advisory that provides a deep dive into the item and its key proposals and questions.  Comments on the NPRM are due on May 27, 2016, and reply comments are due on June 27, 2016.

The NPRM, if adopted, would:

  • Broadly Define Key Terms.  The Commission proposes to codify its definitional framework from the TerraCom/YourTel Notice of Apparent Liability, which defines customer proprietary information (customer PI) as an umbrella term that includes both customer proprietary network information (CPNI) and personally identifiable information (PII).  Under the proposed framework, a “customer” would include current and former, non-paying and paying customers, as well as “applicants” for service.  Broadband CPNI would include, for example, service plan information, geo-location information, media access control (MAC) addresses, source and destination Internet Protocol (IP) addresses and domain names, and traffic statistics.  PII would include “any information that is linked or linkable to an individual.”  The Commission has identified 30 data elements that would constitute PII.
  • Require Privacy Notices.  The Commission proposes that BIAS providers post privacy notices at the point of sale and on an ongoing basis on the provider’s homepage, mobile app, and any functional equivalent.  In addition, it proposes detailed content, form, timing, and placement requirements for those notices, with separate notice requirements for any material changes to privacy policies.
  • Adopt the Legacy Consent Framework, with Changes.  The Commission largely adopts its three-tiered consent framework from its voice-centric CPNI rules.  Under this framework, some uses of CPNI require no additional customer approval, while others require opt-in or opt-out approval.  However, there are a few notable changes.  First, the Commission proposes to limit the circumstances in which opt-out approval is sufficient by redefining “communications-related services.”  Second, the proposal would revise the methods for obtaining approval, requiring BIAS providers to obtain approval subsequent to the point of sale when the provider actually intends to first use or disclose customer PI in a manner that would require approval.  Third, BIAS providers would be required to make available to customers a “persistently available” means of denying or granting approval, “such as through a dashboard or other interface.”  As with its previous rules, the broadband-centric rules would require providers to document their compliance, although the Commission does not propose to require annual certification.
  • Impose Prescriptive Data Security Rules.  The proposed rules would impose a general data security standard by requiring providers to “protect the security, confidentiality and integrity of customer PI . . . by adopting security practices appropriately calibrated to the nature and scope of the BIAS provider’s activities, the sensitivity of the underlying data, and technical feasibility.”  The proposal would also include specific data security practices, drawing heavily from the Commission’s recent data security consent decrees.  These practices include conducting regular risk management assessments; requiring training for employees that interface with customer PI; appointing a senior official with responsibility for implementing and overseeing data security procedures; developing robust customer authentication and notification processes; and taking responsibility for the use of customer PI by third parties that handle the provider’s customer PI.
  • Broaden the Definition of Breach and Expand Breach Notification Obligations for Both BIAS and Voice Providers.  The proposed rules would also broaden the definition of “breach” to include inadvertent breaches and to cover all customer PI (not just CPNI).  In addition, the rules would expand breach notification to apply both to voice providers and to BIAS providers, and to require notification to the Commission as well as to consumers and law enforcement (for breaches affecting 5,000 or more consumers).  Customer breach notifications would be required to meet detailed requirements with respect to their content and method of delivery.
  • Require BIAS Providers to Be Accountable for Third Party Misuse of Customer PI.  The Commission proposes to require BIAS providers to take responsibility for the use of customer PI by third parties with whom they share information, and seeks comment on whether to hold providers vicariously liable for misuse or whether to require BIAS providers to pass through the obligations to those third parties.
  • Prohibit Certain Contractual Arrangements.  The proposal would prohibit BIAS providers from offering BIAS contingent on the waiver of privacy rights by consumers.  The Commission also seeks comment on whether to prohibit other arrangements, such as offering higher-priced BIAS in exchange for heightened privacy protections or including mandatory arbitration clauses in customer contracts.

While the proposals in the NPRM generally are focused on broadband privacy, some of the issues on which the FCC seeks comment could have a far wider impact.  For example, the Commission seeks comment on whether to “harmonize” its BIAS proposals with the existing voice-centric CPNI rules, as well as with the Commission’s other privacy regimes, including privacy rules for cable and satellite providers.  In addition, the Commission seeks comment on whether to require providers to pass through its proposed privacy and security obligations by contract to third parties that obtain customer PI, such as joint venture partners, independent contractors, mobile device manufacturers, and operating system developers.  Thus, while the thrust of the NPRM is to develop privacy rules for BIAS, this proceeding could have wide-ranging impact on the entire communications ecosystem, including legacy voice, voice-over-Internet Protocol (VoIP), cable, satellite, equipment manufacturers, operating system developers, application developers, and those providers’ vendors and independent contractors.