In an order issued November 2, 2016, the Federal Communications Commission for the first time imposed privacy requirements on providers of broadband internet access services (“BIAS”). The much-anticipated order was an outgrowth of the FCC’s 2015 decision to reclassify BIAS as a telecommunications service, a decision that wrested jurisdiction over broadband privacy from the Federal Trade Commission. The rules will also apply to voice service providers (including VoIP, wireless and wireline), replacing longstanding rules.
The decision was based on the FCC’s conclusion that BIAS providers have access to vast amounts of information about their customers including when they are online, where they are physically located when they are online, how long they stay online, what devices they use to access the internet, what websites they visit and what applications they use. According to the FCC, the rules will give broadband customers the tools they need to make informed choices about the use and sharing of their confidential information by their broadband providers, and provide clear, flexible, and enforceable data security and data breach notification requirements. The FCC has previously defined BIAS as a mass-market retail service (by wire or wireless) that provides the capability to transmit data to and receive data from all or substantially all internet endpoints.
The FCC rules are modeled in part on the privacy and data security work done by the FTC. The framework focuses on transparency, choice and data security, and provides heightened protection for sensitive customer information. The rules are designed to protect consumer choice while giving broadband providers the flexibility they need to continue to innovate. The order was approved along party lines, with the three Democrats voting in support and the two Republicans opposing.
In particular, the rules define the information protected under Section 222 of the Communications Act as customer proprietary information (“PI”), which includes three types of information collected by telecommunications carriers: (i) individually identifiable Customer Proprietary Network Information (CPNI) as defined in Section 222(h); (ii) personally identifiable information (PII); and (iii) content of communications.
The FCC also adopted a multi-part approach to determining whether data has been properly de-identified and is therefore not subject to the customer choice regime adopted for customer PI. Specifically, the FCC found that customer proprietary information is de-identified if the carrier (1) determines that the information is not reasonably linkable to an individual or device; (2) publicly commits to maintain and use the data in a non-individually identifiable fashion and to not attempt to re-identify the data; and (3) contractually prohibits any entity to which it discloses or permits access to the de-identified data from attempting to re-identify the data.
Transparency. The rules require carriers to provide privacy notices that clearly and accurately inform customers about what confidential information the carriers collect, how they use it, under what circumstances they share it and the categories of entities with which they will share it. Carriers must also inform their customers about the right to opt in to or opt out of the use or sharing of their confidential information. Carriers must present their privacy notice to customers at the point of sale, and make their privacy policies available and easily accessible on their websites and applications. Carriers must also give their customers advance notice of material changes to their privacy policies.
Choice. The new rules provide customers with the ability to choose how their service providers may use and share their data, providing heightened protection for sensitive information, including financial information, health information, Social Security numbers, precise geo-location information, information pertaining to children, content of communications, web browsing history, application usage history and the functional equivalents of web browsing history or application usage history. For voice services, call detail information is also considered sensitive information. The FCC adopted three categories of approval for the use of customer PI obtained by providing the telecommunications service:
- Opt-in Approval. Carriers must obtain customers’ opt-in approval for use and sharing of sensitive customer PI (and for material retroactive changes to carriers’ privacy policies). Opt-in approval requires that the carrier obtain affirmative, express consent allowing the requested usage, disclosure, or access to the customer proprietary information after the customer is provided appropriate notification of the carrier’s request.
- Opt-out Approval. Carriers must obtain customers’ opt-out approval for the use and sharing of non-sensitive customer PI. Under opt-out approval, a customer is deemed to have consented to the use, disclosure, or access to the customer’s proprietary information if the customer has failed to object after the customer is provided appropriate notification of the carrier’s request for consent.
- Exceptions to Customer Approval Requirements. The rules allow telecommunications carriers to use and share customer data in order to provide the customer’s chosen services. These uses would include billing for the services; protecting the carrier and its other customers from unlawful use of the services (including unlawful robocalls); research to improve and protect networks and services; and providing customer location and non-sensitive PI in certain emergency situations (such as 911 calls).
To the extent carriers collect and maintain customer PI, the FCC requires that they take reasonable measures to secure it, including the adoption of security practices appropriate to the nature and scope of their activities, the sensitivity of the underlying data, the size of the provider and technical feasibility. The FCC declined to mandate specific activities that carriers must undertake in order to meet the reasonable data security requirement.