The Federal Communications Commission adopted, by a 3-2 vote, new privacy and data security rules for broadband Internet service providers. Although the official Order is not yet available, the new privacy rules are summarized in an FCC press release and fact sheet.
In general, the privacy rules will establish a framework of customer consent that ISPs must obtain before using and sharing their customers' personal information, with the level of consent calibrated to the sensitivity of the information. Controversially, the new rules will classify browsing history and app usage as sensitive information, which requires opt-in consent. The Federal Trade Commission, which oversees privacy compliance for companies that do not provide telecommunications services (including other kinds of Internet companies), does not currently treat browsing history or app usage as sensitive. The rules also include data security and breach notification requirements.
The data security requirements will go into effect ninety days after publication of the summary of the Order in the Federal Register, which will probably occur within the next ten days.
The data breach notification requirements will become effective approximately six months after publication of the summary of the Order in the Federal Register.
The Notice and Choice requirements will become effective approximately twelve months after publication of the summary of the Order in the Federal Register. Small providers will have an additional twelve months to comply.
The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency (i.e., notice), choice and security requirements for customers' personal information:
- Opt-in: ISPs will be required to obtain affirmative "opt-in" consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geolocation, financial information, health information, children's information, Social Security numbers, web browsing history, app usage history and the content of communications.
- Opt-out: ISPs will be allowed to use and share non-sensitive information unless a customer "opts out." All other individually identifiable customer information that is not in one of the sensitive categories listed above (for example, email address or service tier information) will be considered non-sensitive, and the use and sharing of that information will be subject to opt-out consent.
- The rules will prohibit "take-it-or-leave-it" offers, meaning that an ISP cannot refuse to serve customers who do not consent to the use and sharing of their information for commercial purposes.
- Exceptions to consent requirements: Customer consent is inferred for the use of customer information for certain purposes specified in Section 222 of the Communications Act, including the provision of broadband service and billing or collection. For these uses, and for marketing telecommunications services, no additional customer consent is required beyond the creation of the customer-ISP relationship.
ISPs will be required to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences.
ISPs, whether they offer mobile broadband or fixed broadband to people's homes, must:
- Notify customers about what types of information the ISP collects about its customers.
- Specify how and for what purposes the ISP uses and shares this information.
- Identify the types of entities with which the ISP shares this information.
- Provide this notice immediately and keep it persistently available.
The FCC's Consumer Advisory Committee has been directed to develop a standardized privacy notice format for ISPs that will be voluntary, but may provide a safe harbor if adopted.
Security and Breach Notification
The rules will require that ISPs engage in "reasonable" data security practices. The rules will provide guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and properly disposing of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.
The rules will also contain data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.
The scope of the rules is limited to broadband service providers and other telecommunications carriers in their provision of those services. The rules do not apply to the privacy practices of web sites and other "edge services," over which the Federal Trade Commission has authority. The scope of the rules does not include other services of a broadband provider, such as the operation of a social media network or a website, and the rules do not address issues such as government surveillance, encryption or law enforcement.