On Wednesday, November 2 just one week after adoption - the Federal Communications Commission (FCC or Commission) released its Consumer Broadband Privacy Report and Order (R&O). The R&O is substantial and rich in detail, clocking in at nearly 220 pages. Consistent with a previously released Fact Sheet, the R&O imposes significant restrictions on the use of sensitive customer proprietary information by retail broadband internet access service providers (ISPs). The new rules continue to garner the ire of ISPs who complain that the ruling creates a "separate-but-unequal" system of privacy governance. Under the new regime, website operators with access to much of the same sensitive information (e.g., website use) are subject to the Federal Trade Commission's ex post case-by-case regulatory review, whereas ISPs must now learn and implement an extensive set of specific stringent ex ante rules. As a result, experts believe the R&O is susceptible to challenge in the courts. Even if the R&O is not so challenged, which seems unlikely, the Presidential election results call into serious question the survivability of the framework at least in its present form.
The lengthy ruling (reflecting the vast number and varied nature of the comments filed in the proceeding) provides the rationale for and a breakdown of the rules, and the legal authority for the FCC's action. As expected, the R&O expands the scope of the privacy rules to include ISPs in the definition of "telecommunications carrier," and revises the current privacy rules for traditional voice telecommunications carriers to harmonize them with those adopted for IPS. As previously discussed, the new rules interpret Section 222 of the Communications Act (Act) as requiring protection of "customer proprietary information" (CPI), which the FCC defines to include three types of information: (1) individually identifiable Customer Proprietary Network Information (CPNI), such as broadband service plans, geo-location, IP address and domain name identifiers; (2) personally identifiable information, which includes "any information that is linked or reasonably linkable to an individual or device"; and (3) content of communications, which includes "any part of the substance, purport or meaning of a communication or any other part of a communications that is highly suggestive" of the same. The Commission also explains how that information can be properly de-identified, adopting the FTC's three-part test: (1) the information must not be linked or reasonably linkable to an individual or device; (2) carriers must publicly commit to not re-identifying the data; and (3) carriers must prohibit by contract any recipients of the information from trying to re-identify the data. In addition, the R&O uses what the FCC calls the "three foundations of privacy transparency, choice and security" to create a number of other consumer protection rules for ISPs.
Finally, the Commission weighs in on "particular practices that raise privacy concerns," including "take-it-or-leave-it" broadband service offerings which the agency prohibits and customer incentives, wherein ISPs discount service in exchange for the ability to use subscriber information upon which the FCC imposes heightened disclosure and affirmative consent requirements. The Commission also notes that it will start a rulemaking on mandatory arbitration, and exempts enterprise customers of telecommunications services (other than broadband internet access service [BIAS]) from the new privacy and data security rules.
Particular Practices That Raise Privacy Concerns
Prohibition on "Take-It-Or-Leave-It" Offers. Using the case-bycase approach espoused in the 2015 Open Internet Order, one big move the Commission made in the R&O was to prohibit ISPs from "conditioning the provision of broadband service on a customer surrendering his or her privacy rights."
Thus, ISPs may not refuse to provide, or terminate service, to consumers that fail to waive their right to keep their information private. With this decision, the FCC was clearly addressing the concern expressed in the record that "take-it-or-leave-it" offers represent an illusory option, presenting no real choice to consumers. Moreover, the Commission expressed the concern that this practice is particularly bad for low-income consumers who might feel forced, due to their financial circumstances, to accept such an offer. Finding the "take-it-or-leave-it" option contrary to telecommunications carriers' "duty to protect the confidentiality of proprietary information of, and related . . . customers," the Commission also found that the "take-it-or-leave-it" approach does not qualify as customer approval under the rules, which does not allow telecommunications carriers to use, disclose or permit access to CPNI absent customer approval. To give it teeth, the FCC went a step further, finding that requiring consumers to relinquish control of their right to their customer PI in order to receive service would be a violation of the Act's prohibition of unjust and unreasonable practices, opening the ISP up to substantial enforcement action. In making this determination, the Commission used a totality of the circumstances approach, reviewing a non-exhaustive list of factors, including "end-user control, free expression, and consumer protection."
Heightened Requirements for Consumer Incentive Deals. Citing a mixed record, the Commission took a different approach with regard to consumer incentive deals, i.e., "pay-for-privacy." In an attempt to ensure that such deals are neither "predatory nor coercive in persuading consumers to give up their rights," the FCC implemented heightened disclosure and affirmative customer consent requirements.
Many commenters in the proceeding asserted that there are certain benefits to consumers, and that it is not uncommon even in brick and mortar stores for consumers to receive benefits in exchange for the use of their personal information. Indeed, commenters in the record suggested that these programs can increase online usage and help low-income consumers. The Commission alluded, however, to the difficulty consumers have valuating their personal data. Consequently, if consumer incentive deals are presented in a coercive way, consumers may unknowingly give away the rights to their information. In light of these findings, the FCC requires that ISPs "provide a clear and conspicuous notice of the terms" both at the time of the offer and the time of the acceptance which must include information explaining the type of customer information that will be collected, how it would be used and the types of entities with whom it will be shared. The FCC also asserted it would closely monitor the development of these financial incentive plans, promising to review the practice if it results in consumers being compelled to choose between surrendering their information and paying high, inflated prices.
One aspect of the R&O that may have been hard-fought was the idea that ISPs should be prevented from requiring customers to "waive, or otherwise restrict their ability to file complaints with or otherwise contact the Commission regarding violations of their privacy rights." The FCC asserted that it "continues to have serious concerns about the impact on consumers from the inclusion of mandatory arbitration requirements as a standard part of many contracts for communications services." Ultimately, the Commission delayed action on this point, promising to begin a rulemaking in February of 2017 on the use of mandatory arbitration requirements in the context of consumer broadband contracts.
Import of Election
The life of this detailed privacy regime, at least in its present form, may be short. The rules have already been mentioned, along with the FCC's Open Internet ruling on which they are based, as a target for reversal or at least modification by a Republican-controlled FCC. In addition, rather than announcing a blanket effective date, the Commission charged its Wireline Competition Bureau with "provid[ing] advance notice to the public of the precise date after PRA approval when the Commission will begin to enforce compliance with each of the new rules." Commissioner Ajit Pai, who could serve as Acting Chair for a substantial portion of 2017, opposed the R&O, favoring more of a case-by-case FTC-type approach. Regardless of who ultimately chairs the FCC, however, the future of the detailed framework released in the R&O is uncertain.