Yesterday the Federal Communications Commission (FCC) revealed its revamped broadband privacy regulations. In March, the FCC initially proposed privacy rules which were highly criticized by everyone from the Federal Trade Commission (FTC) to small business owners. The new rules contain less regulation and they more closely resemble the FTC approach to privacy. In fact FTC Chairwoman Edith Ramirez already issued a statement regarding the FCC privacy proposal in which she applauds the FCC for listening to the FTC’s input and reiterates that the FTC has “decades” of experience in regulating privacy.
The rules would require internet service providers (ISPs) to explain the following to a customer when the customer signs up for service:
- what information is collected;
- how and for what purpose the ISP uses and/or shares the information; and
- who the ISP shares the information with.
The FTC’s influence is most evident in the guidelines for protecting customer information. The regulations, which are meant to be flexible and allow for changes in technology, require the ISP to engage in “appropriately calibrated” and “reasonable” practices to protect consumer data.
Examples of appropriately calibrated practices include:
- up-to-date and relevant industry best practices;
- appropriate accountability and oversight of its security practices;
- implementation of robust customer authentication tools; and
- proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights
Under the rules, ISPs would be required to obtain “opt-in” consent to use sensitive customer information including:
- children’s information
- health information
- financial information
- Social Security numbers
- web browsing history
- app usage history
- the content of communications
Data Breach Requirements
The FCC regulations also seek to protect consumers during a data breach by requiring ISPs to engage in “common-sense” breach practices. This breach requirement would be “triggered by the ISP’s determination that an unauthorized disclosure of a customer’s personal information has occurred, unless the ISP establishes that no harm is reasonably likely to occur.” While there is little explanation of how the ISP should make the breach determination, or what “harm” means, the FCC does provide a breach timeline for the ISP to follow.
Specifically, the FCC says that if the ISP determines there has been a breach, a provider is required to notify:
- customers no later than 30 days after discovery;
- the FCC no later than 7 business days after discovery; and
- the FBI and the U.S. Secret Service no later than 7 business days after discovery of the breach if the breach affects more than 5,000 customers.
The proposed regulations make a point of noting they do not regulate the privacy practices of websites or apps (where the FTC is currently regulating) and they do not address government surveillance or encryption.
The FCC is scheduled to vote on the proposed regulations on October 27th.