On November 2, 2016, the Federal Communications Commission (FCC) released its long-awaited – and much debated – Report and Order adopting privacy rules for Internet Service Providers (ISPs). In the Order, the FCC applied the Communications Act’s privacy requirements to broadband Internet access service (BIAS), which it called “the most significant communications technology of today.”
Several of the FCC’s requirements are notable for being more restrictive than the Federal Trade Commission’s (FTC) standards for consumer online privacy. In this post we provide an overview of the new FCC rules and highlight the key areas where the FCC’s requirements diverge from the FTC’s framework.
Requirements for ISPs
- Privacy Notices: The rules require that privacy notices: (1) tell customers what types of customer proprietary information (customer PI) the ISP collects; (2) specify the circumstances under which the ISP discloses or permits access to customer PI, including the categories of entities that receive such disclosure or access and the purposes for which those entities will use the customer PI; and (3) inform customers how to exercise their privacy choices, in particular what their opt-in and opt-out rights are with respect to their own PI and how they can provide or withdraw consent.
Privacy notices must be made available: (1) at the point of sale; and (2) on the ISP’s website and, if applicable, in its account management app. The FCC declined to require periodic notices.
ISPs must also give advance notice of “material changes” to their privacy notices, listing the changes being made and customers’ rights with respect to those changes. The FCC did not specify what constitutes “advance notice.”
- Consumer Choice: ISPs must obtain opt-in consent to use and share “sensitive information,” such as precise geolocation information, web browsing history, app usage history, the content of communications, and health information. For non-sensitive information, ISPs must give customers the opportunity to opt out of its use and sharing. The rules carve out certain exceptions to these consent standards, including: the use and sharing of certain de-identified data; the use of non-sensitive information to provide and market certain ISP services and equipment; the provision of service and billing; and the prevention of fraudulent use of the provider’s network.
- Take-It-or-Leave-It Offers: ISPs cannot refuse to serve customers who decline to consent to the use and sharing of their information for commercial purposes.
- Pay-for-Privacy: ISPs that offer financial incentives in exchange for consent to use, disclose, or permit access to customer PI must give clear and conspicuous notice of the terms of the incentive program, explained in a way that is comprehensible and not misleading.
- Data Security and Breach Notification: ISPs must take reasonable measures to protect customer data. ISPs must notify the FCC of any breach that is reasonably likely to cause customer harm, and must also notify the FBI and the Secret Service when a breach affects 5,000 or more customers. ISPs must notify affected customers of a breach within 30 days unless they determine that no harm is reasonably likely to occur.
The implementation timelines for these rules vary, in part because some of the rules require Paperwork Reduction Act review. The data security requirements take effect 90 days after the final rules are published in the Federal Register. The breach notification requirements take effect six months after publication. The notice and choice requirements take effect one year after publication (two years for smaller providers).
The FCC’s Rules Are More Restrictive than the FTC’s Standards in Some Important Respects
First, the FCC’s rules require opt-in consent for more categories of information than prior FTC guidance does. The FTC’s traditional “opt-in” categories include Social Security numbers and children’s, financial, health, and precise geolocation data. The FCC will additionally require ISPs to obtain opt-in consent before using and sharing subscribers’: 1) web browsing history; 2) app usage history; and 3) communications content.
Second, the FCC has prohibited take-it-or-leave-it offers, which are currently allowable under FTC standards.
Third, the FCC has imposed heightened transparency rules for companies that offer incentives in exchange for a customer’s express affirmative consent.
Not only do these rules go beyond FTC standards, but the FCC can impose forfeitures and other penalties on first-time rule violators, whereas the FTC cannot impose civil penalties for a first-time violation.