On April 1, 2016, the Federal Communications Commission (FCC) released a Notice of Proposed Rulemaking (NPRM) that proposes to establish privacy requirements for broadband Internet access service (BIAS) providers. The FCC states that its proposed regulations would "ensure that consumers (i) have the information needed to understand what data the BIAS provider is collecting and what it does with that information, (ii) can decide how their information is used, and (iii) are protected against the unauthorized disclosure of their information."
The NPRM comes a year after the FCC released its Open Internet Order reclassifying BIAS from an "information service" to a "telecommunications service" subject to Title II of the Communications Act. As with the Open Internet Order, the FCC Commissioners voted on the NPRM along partisan lines, with Chairman Tom Wheeler and Democratic Commissioners Mignon Clyburn and Jessica Rosenworcel voting in favor and the two Republican Commissioners, Ajit Pai and Michael O’Rielly, dissenting. The NPRM is the latest indication of the FCC's heightened interest in privacy enforcement.
Comments on the NPRM are due on or before May 27, 2016, with reply comments due on or before June 27, 2016.
I. Legal Authority
Whether the FCC has the legal authority to adopt the proposed rules is likely to be a hotly contested issue in the proceeding. The FCC seeks comment on its finding that the proposed rules are authorized under Section 222 of the Communications Act (imposing a duty of privacy on telecommunications carriers). The FCC also seeks comment on its finding that the proposed rules are supported by additional sources of authority, including Sections 201, 202, 705, and Title III of the Communications Act and Section 706 of the Telecommunications Act of 1996.
II. Providers and Customer Information Subject to the Proposed Rules
The FCC makes clear that the proposed rules would apply to BIAS included within the scope of telecommunications service but would not apply to the provision of non-telecommunications services by broadband providers or to information services by providers at the "edge of the network," such as individual streaming video providers, search engines, social media, or e-commerce websites. Generally, the proposed rules would apply to both mobile and fixed BIAS, although the FCC seeks comment on whether there are mobile-specific issues it should consider in several areas, including privacy notice requirements, certain definitions, and customer opt-in approval for disclosure of certain customer information.
The proposed rules would apply to customer proprietary information (PI), which the FCC proposes to define as “private information that customers have an interest in protecting from public disclosure” and which would fall into two categories: “(1) customer proprietary network information (CPNI); and (2) personally identifiable information (PII) the BIAS provider acquires in connection with its provision of BIAS.” The FCC proposes to adopt the statutory definition of CPNI. In the broadband context, the FCC proposes that the definition of CPNI cover, at a minimum: “(1) service plan information, including type of service (e.g., cable, fiber, or mobile), service tier (e.g., speed), pricing, and capacity (e.g., information pertaining to data caps); (2) geo-location; (3) media access control (MAC) addresses and other device identifiers; (4) source and destination Internet Protocol (IP) addresses and domain name information; and (5) traffic statistics.” The FCC proposes that PII mean “any information that is linked or linkable to an individual,” i.e., “it can be used on its own, in context, or in combination to identify an individual or to logically associate with other information about a specific individual.”
III. Proposed Rules Based on Core Principles of Transparency, Choice, and Security
A. Privacy Notice Requirements
The FCC proposes the following specific requirements for the disclosure of BIAS providers’ privacy policies to customers.
- The notice would be required to specify and describe the types of customer PI collected and how they are used and disclosed, including the categories of entities that will receive the customer PI and the purposes for which the customer PI will be used by each category of entities.
- The notice would be required to advise customers of their rights with respect to their PI, including providing customers with a simple, easy-to-access method for providing or withdrawing consent that is persistently available at no additional cost to the customer; explaining that a customer’s denial of approval to use the customer’s PI for purposes other than providing BIAS will not affect the provision of services to the customer; explaining that a customer’s approval, denial, or withdrawal of approval is valid until the customer affirmatively revokes such approval or denial; and explaining that a provider may be compelled to disclose a customer’s PI when required by law.
- Privacy notices would be made available to prospective customers at the point of sale, prior to the purchase of BIAS, and be made persistently available through a link on the BIAS provider's homepage, the provider's mobile application, and any functional equivalent.
- Privacy notices and notices of material changes would be required to be comprehensible and not misleading, clearly legible, in large type, displayed in a "readily apparent" area, and completely translated into another language if any portion of the notice is translated into that language.
B. Consumer Consent
The FCC proposes three categories of consent governing when and how BIAS providers can use or share customer PI.
- Approval Inherent in Creation of Customer-BIAS Provider Relationship
Customer approval would be implied and BIAS providers would not need consent to use customer PI for the purpose of providing BIAS or services necessary to, or used in the provision of, BIAS, or for marketing additional BIAS offerings to a customer when the customer already subscribes to that category of service from the same BIAS provider.
- Customer Opt-Out Approval Required for Use of Customer PI for Marketing Other Communications-Related Services
BIAS providers, or their affiliates that provide communications-related services, would be able to use customer PI to market other communications-related services subject to clearly disclosed, easily used, and continuously available customer opt-out approval.
- Customer Opt-In Approval Required for All Other Purposes
All other uses of customer PI, including sharing customer PI with third parties or non-communications-related affiliates or using customer PI for purposes other than marketing communications-related service, would require a customer's opt-in approval.
For the categories that would require a customer's opt-out or opt-in approval, the FCC proposes rules requiring BIAS providers to, among other things: (1) solicit approval prior to when a BIAS provider first intends to use or disclose a customer’s PI, (2) maintain records documenting the status of customer approval and disclosures to third parties for at least one year, and (3) implement processes to train and supervise personnel on customer PI access.
C. Data Security and Breach Notification
The FCC proposes a general standard requiring BIAS providers to "protect the security, confidentiality, and integrity of customer PI that such BIAS provider receives, maintains, uses, discloses, or permits access to from any unauthorized uses or disclosures, by adopting security practices appropriately calibrated to the nature and scope of the BIAS provider's activities, the sensitivity of the underlying data, and technical feasibility."
To supplement the general standard, the FCC proposes specific types of practices that BIAS providers would be required to follow to protect against unauthorized use or disclosure of customer PI, including (1) establishing and performing regular risk management assessments and promptly addressing any identified weaknesses; (2) training employees, contractors and affiliates who handle customer PI about the BIAS provider's data security procedures; (3) ensuring due diligence and oversight by designating a senior management official with responsibility for implementing and maintaining the BIAS provider's data security procedures; (4) establishing and using robust customer authentication procedures to grant customers access to their PI; and (5) taking responsibility for the use of customer PI by third parties with whom they share information. The FCC proposes that any security measures employed by a BIAS provider should take into account the nature and scope of the BIAS provider's activities, and the sensitivity of the underlying customer PI.
The FCC also seeks comment on whether it should require mobile BIAS providers to use their contractual relationship with device or OS manufacturers to obtain contractual commitments to safeguard customer data.
The FCC also proposes breach notification requirements under which a BIAS provider would be required to:
- notify affected customers within 10 days after the discovery of a breach;
- notify the FCC of any breach no later than 7 days after discovery; and
- notify the FBI and US Secret Service of breaches impacting more than 5,000 customers no later than 7 days after discovery and at least 3 days before customer notification.
Finally, the FCC proposes to extend its record retention requirements for voice providers to BIAS providers. Currently, voice providers are required to maintain a record of breaches and notifications for a period of at least two years.
IV. Use and Disclosure of Aggregate Customer Proprietary Information
The FCC proposes to allow BIAS providers to use, disclose, and permit access to aggregate customer PI if the BIAS provider (1) determines that the information is not "reasonably linkable" to a specific person or device; (2) publicly commits to maintain and use the data in a non-individually identifiable manner and to not attempt to re-identify the data; (3) contractually prohibits any entity to which it discloses or permits access to the data from attempting to re-identify the data; and (4) exercises reasonable monitoring to ensure that those contracts are not violated.
V. Specific Practices That Would Be Prohibited
The FCC seeks comment on whether to restrict certain BIAS provider practices. Specifically, the FCC proposes to prohibit BIAS providers from making service offerings contingent on a customer's waiving privacy rights, and seeks comment on whether other practices, such as offering higher-priced services for heightened privacy protections, using deep packet inspection for purposes other than network management, or using certain technology that tracks consumer Internet activities, should be prohibited or subject to heightened privacy requirements.
VI. Other Issues
The FCC seeks comment on whether its current informal complaint resolution process would be sufficient to address complaints under the proposed rules; whether BIAS providers should be prohibited from compelling arbitration in contracts with customers; and the FCC's proposal to preempt state laws only to the extent they are inconsistent with the rules adopted by the FCC, without the presumption that more restrictive state requirements are inconsistent with FCC rules.
The FCC also seeks comment on the possible use of other privacy frameworks proposed by various stakeholders, and on whether or how it should incorporate multi-stakeholder processes, such as those utilized by the Department of Commerce, into its proposed approach to broadband privacy.