On October 27, 2016, the Federal Communications Commission (FCC or Commission) approved, by a 3-2 decision split along party lines, a controversial regulatory framework with new, more stringent privacy obligations governing the way in which broadband internet access service providers (ISPs) handle consumer information. As previously explained, the DC Circuit's decision to uphold the FCC's net neutrality order reclassifying broadband as a "telecommunications service" laid the groundwork for the agency's action. The text of the Order is not yet available, but certain details have been made public.
The hallmark of the new rules is informed consumer consent. As explained in the FCC's news release, the new framework will "ensure broadband consumers have meaningful choice, greater transparency and strong security protections for their personal information collected by internet service providers." Of course, not everyone is happy with the majority's decision. The vote on the yet-to-be-released Report and Order reflects a partisan divide about whether and how the FCC should play a role in setting and enforcing consumer privacy standards.
In a blog post on October 6, FCC Chairman Tom Wheeler characterized the new rules as flexible, noting that "[t]he proposed rules are designed to evolve with changing technologies, and [will] provide consumers with ways to easily adjust their privacy preferences over time." The determination of whether customer consent is required under the new framework will be "calibrated to the sensitivity of the information," an approach the FCC claims is consistent with the Federal Trade Commission's (FTC) and the Administration's Consumer Privacy Bill of Rights. Chairman Wheeler also noted that "[c]alibrating consent requirements to the sensitivity of the information aligns with consumer expectations."
As laid out in a Fact Sheet released after the meeting, the adopted rules create three categories of consumer consent:
Opt-In: ISPs will have to obtain affirmative permission from consumers (opt-in consent) to use and share sensitive information. The Order specifies categories of information that will be considered "sensitive," including:
- Precise geo-location (typically the real world location of a mobile phone or other device)
- Children's information
- Health information
- Financial information
- Social Security numbers
- Web browsing history
- App usage history
- The content of communication
Opt-Out: Use and sharing of non-sensitive information would be subject to opt-out consent requirements in most cases. All other individually identifiable customer information (for example, service tier information) is considered non-sensitive, and the use and sharing of that information will be subject to opt-out consent, consistent with customer expectations.
Exceptions to the Consent Requirements: Customer consent is inferred for certain purposes, including:
- Use and sharing of non-sensitive information to provide and market services and equipment typically marketed with the broadband service subscribed to by the customer.
- To provide the broadband service, and bill and collect for the service.
- To protect the broadband provider and its customers from fraudulent use of the provider's network.
The rules will also: (1) require greater transparency regarding how information collected about consumers will be used and shared with others; (2) ensure broadband providers use reasonable data security practices and industry best practices; and (3) adopt a commonsense approach to data breach notifications. In addition, companies will be prohibited from making "take it or leave it offers" denying service to "customers who don't consent to the use and sharing of their information for commercial purposes." The new rules will also require additional disclosure for discount plans "or other incentives in exchange for a customer's express affirmative consent." Finally, the decision will "harmonize" privacy rules currently applicable to traditional telecommunications carriers with those adopted for ISPs (i.e., more than just ISPs will be affected).
Consumer advocates applaud the new regime as giving consumers greater control over how ISPs in particular use their information; the ISPs themselves feel otherwise. They continue to express dissatisfaction with the double standard whereby ISPs will be governed by the FCC's ex ante privacy regime, while edge providers like Google, Facebook and Amazon are governed by the more flexible ex post "case-by-case" approach used by the FTC. In light of the controversy and discord, a court challenge seems likely.
To complicate matters, an August 2016 decision from the Ninth Circuit, finding that the FTC Act's common carrier exemption is status-based and that, as a result, the FTC has no jurisdiction over common carrier entities like AT&T, has concerned many proponents of the FTC's privacy approach.
Of further interest, the decision spawned a potential further FCC privacy proceeding to review the use of mandatory arbitration clauses in contracts for telecommunications services. Championed by Commissioner Mignon Clyburn as a follow-on to an opinion piece she co-wrote with Senator Al Franken (D-MN), this issue has been left for a separate rulemaking, ostensibly to commence early next year. But that may depend on who sits on the FCC at that time.
The FCC's Wireline Competition Bureau Chief indicated that it would take less than a month for the text of the Order and the new Rules to be released. We await the details, particularly as to how the promised "harmonization" will affect entities other than just ISPs.