After months of public discourse and debate, the FCC Commission voted along party lines to adopt new privacy rules initially outlined in a Fact Sheet which was circulated to FCC Commissioners by FCC Chairman Wheeler. The new rules as described in an updated Fact Sheet limit the ability of broadband Internet access service providers to use and share “sensitive” information such as financial information, web browsing history, and children’s information, among other things, while allowing so-called “pay for privacy” plans. Industry participants continue to criticize the new rules as parallel or contradictory structures that place greater limitations on FCC regulated companies than FTC regulated companies which are subject to long established privacy rules that are less stringent. FTC Chairwoman Ramirez lauded the FCC’s announcement for its “robust privacy protections,” despite potential conflicts that may be driven by the differences in what is allowed or not under the FCC and FTC privacy constructs.
The practical implications of the FCC’s actions are that broadband Internet service providers will likely need to not only obtain opt-in consent before using or sharing sensitive information, but will also be required to capture and retain proof of such consent. Customer opt-out requests to prohibit the use and sharing of non-sensitive information as defined by the FCC will also need to be captured and retained. The newly adopted rules also: require providers to meet the FTC’s three-part litmus test in order to re-identify de-identified data; prohibit the refusal of service to customers who do not consent to the use and sharing of information for commercial purposes; and require heightened disclosure for plans that provide discounts or other incentives in exchange for a customer’s express affirmative consent to the use and sharing of their personal information.
The opt-in rules go into effect one year after they are published in the Federal Register, which is likely to occur before the end of the year. Requirements that companies notify users about a data breach go into effect six months earlier.
Tip: Broadband ISPs will need to carefully review these new rules and determine how they will implement the heightened consent requirements.