On March 31, 2016, the FCC voted along party lines (3-2) to issue a notice of proposed rulemaking (NPRM) to establish privacy rules for Broadband Internet Access Service (BIAS) providers. These proposals, if adopted, could impose prescriptive and complex privacy obligations that would be among the most extensive in the country.
As our Communications group’s client advisory explains, if adopted, the NPRM would:
- Broadly define key terms. For example, the NPRM would define customer Proprietary Information as an umbrella term that includes both customer proprietary network information (CPNI) and personally identifiable information.
- Impose detailed content, form, timing, and placement requirements for privacy policies, with separate notice requirements for material changes.
- Adopt the legacy three-tiered consent framework from the voice-centric CPNI rules, with a few notable changes.
- Impose prescriptive data security rules, which would address specific data security practices require that providers generally “protect the security, confidentiality and integrity of customer PI . . . by adopting security practices appropriately calibrated to the nature and scope of the BIAS provider’s activities, the sensitivity of the underlying data, and technical feasibility.”
- Broaden the definition of breach to include inadvertent breaches and cover all customer personal information (not just CPNI), and expand breach notification obligations for both BIAS and voice providers.
- Require that BIAS providers be accountable for third party misuse of customer personal information.
- Prohibit BIAS providers from offering BIAS contingent on the waiver of privacy rights by consumers.
While the proposals are generally focused on broadband privacy, as the advisory explains, some of the issues on which the FCC seeks comment could have a far wider impact. Comments are due May 27, 2016, and reply comments are due June 27, 2016.