In 2015, the Federal Communications Commission (FCC or Commission) issued its Open Internet Order, applying Section 222 of the federal Communications Act to broadband Internet access services (BIAS), and in doing so took jurisdiction over privacy and data security matters for Internet Service Providers (ISPs). At the same time, it declined requests by some advocacy groups to take jurisdiction over online service providers that do not offer broadband access, even if they offer services that in some ways arguably look like those of a communications provider – so-called “edge networks” like Facebook, Google, and Yahoo!. Indeed, doing so would have stretched the Commission’s jurisdiction even beyond the significant expansion required to regulate BIAS. Having taken on BIAS, the Commission needed to address the fact that the FCC’s privacy and data protection regulatory scheme was designed for traditional telephone carriers; the expanded jurisdiction necessitated refinement of that approach to address BIAS and the different kinds of data involved in data services as opposed to telephonic services. On March 31, 2015, the FCC issued a Notice of Proposed Rulemaking (NPRM) in proceeding 16-39 (In the Matter of Protecting the Privacy of Customers of Broadband and other Telephonic Services) for the privacy and data security regulatory scheme for ISPs, a copy of which is available here. In short, the proposal would create a very burdensome privacy protection scheme that applies to BIAS but to no other type of online service. As a result, BIAS providers will have a much more difficult time providing interest-based advertising and other services that take advantage of big data, even where doing so would let them offer consumers lower-cost broadband. Much of the proposal calls for express opt-in consent to ancillary use and sharing of consumer data, but the Commission questions whether some practices, like exchanging discounts for consent, should be banned outright.
Key aspects of the NPRM are:
- The NPRM would regulate customer proprietary information (customer PI), defined as both (a) customer proprietary network information, which the NPRM proposes to expand beyond the telephone services definition to include any information the provider collects or accesses in connection with provision of BIAS, including service and traffic data, IP addresses, device IDs, and other unique identifiers, and (b) personally identifiable information (PII) collected by the BIAS provider, which also includes unique identifiers. Unlike for telephone services, directory data and phone numbers are not exempt from the restrictions.
- BIAS providers must provide transparency through privacy policies that explain data collection, use and sharing, and the consumer’s choices. Great detail is given about how and when this must be done.
- Choice is the most controversial aspect of the scheme. The NPRM would require explicit opt-in consent for all but the most narrow use and sharing:
  - Consent is implied for use and sharing that is necessary to provide broadband (but not ancillary) services – “for example, to ensure that a communication destined for a certain person reaches that destination.”
  - Providers and their affiliates that provide communications services may use customer PI to market (but not to provide) communications-related services (but not ancillary services like edge network services), subject to the customer’s ability to opt out of such use and sharing.
  - All other use and sharing requires explicit opt-in consent, obtained subsequent to the sale (i.e., subscription to BIAS services) and prior to the first use or disclosure requiring opt-in consent. Although the FCC invites comment on the details of how opt-in consent should work, the NPRM proposes that providers notify consumers at the time consent is sought “of the types of customer PI for which the provider is seeking customer approval to use, disclose or permit access to; the purposes for which such customer PI will be used; and the entity or types of entities with which such customer PI will be shared.”
- The NPRM proposes specific data security practices based on the HIPAA Security Rule (including assessments) and breach notification obligations for BIAS providers.
Rather than taking a flexible approach based on key data privacy and security principles and concepts of reasonableness and consumer expectations, the FCC’s proposed regulatory approach is very specific, limits data usage and sharing absent consent, and requires very detailed data security and breach notification practices. It proposes to mandate express opt-in consent for types of data usage, such as interest-based advertising, that edge networks and other online services that do not offer broadband will not have to follow. The FCC’s approach differs significantly from the technology-neutral approach to privacy and data protection of the Federal Trade Commission (FTC), which had historically been the sole privacy and data protection regulator for BIAS. The FTC’s authority to regulate privacy and data protection under Section 5 of the FTC Act is limited to prohibiting deception and unfairness, with unfairness requiring a consumer injury not outweighed by benefit to consumers or competition. As a result, the FTC’s approach is to prohibit express misrepresentations concerning data practices and to look at reasonable consumer expectations under the particular circumstances to determine whether a practice is implicitly deceptive absent notice and/or consent. Consent, even when necessary, may typically take the form of opting out, except for highly sensitive information. The FCC, however, arguably has much broader authority, and the proposed rules exercise that putative authority in creating a new sectoral privacy and data protection scheme for ISPs where the default is a limitation on data usage and sharing absent consent, which is proposed to be opt-in consent for all but the most limited circumstances. Further, the FCC proposes that such consent must be separate from the consumer’s subscription agreement and potentially may not be bargained for by offering discounts.
As noted in dissents by Commissioners Pai and O’Rielly, the result will be vastly different rules for different types of online services, with consumers subject to different privacy principles and data protection schemes depending on the type of platform and service they are using online. The practical impact will be to put BIAS providers at a competitive disadvantage relative to non-BIAS providers in digital advertising, which relies on targeted consumer data, and in other emerging commercialization of big data. As Commissioner O’Rielly concludes, “applying heightened standards to one segment of the Internet economy will hamstring competition with the largest users of consumer data.”
In conclusion, the FCC’s proposals would impose constraints on the data practices of BIAS providers, such as those related to interest-based advertising, that do not apply to other digital service providers like Google and Facebook, at least to the extent they remain edge networks. Should the rulemaking take effect as proposed, BIAS providers that want to compete on an equal footing with edge networks would need to segregate their BIAS and non-BIAS service offerings and the related data. Further, the FCC’s approach to privacy reflects a California-style or European-style approach to what is treated as protected data and the level of consent required to collect, use, and share such data. Industry and the public may file comments until May 27, 2016, and reply comments thereafter are due by June 27, 2016.
For a more detailed analysis, see Internet Service Providers Face New Regulatory Environment in the FCC’s Privacy and Security Proposal by the same authors. The conclusions and insights expressed in this post and the corresponding analysis are those of the authors and do not necessarily reflect the opinions or positions of BakerHostetler or any of its clients.