Recently, Federal Communications Commission (FCC or Commission) Chairman Tom Wheeler circulated to the Commission a revised proposed order to regulate the data privacy and security practices of internet service providers (ISPs) (also known by the Commission as broadband internet access service (BIAS) providers). We previously wrote about the Commission’s initial proposal in this regard (available here), which was criticized by the industry and even the Federal Trade Commission (FTC) as inconsistent with data privacy standards applicable to the rest of the internet (e.g., social media platforms, search engines, etc.). Based on a fact sheet issued by Chairman Wheeler’s office (available here), the revised proposal, which is set to be voted on by the full Commission on Oct. 27, 2016, strives to be more consistent with the FTC approach to privacy and data security, but with special considerations for the telecom industry. The fact sheet previews the revised approach, including requirements for:
- Opt-in consent for any use or sharing of sensitive information, which the proposal defines as including geo-location, children’s information, health information, financial information, Social Security numbers, Web browsing history, app usage history and content of communications – a more expansive definition of sensitive data than under the historical FTC approach, at least so far as usage data is concerned (which will affect the ability to engage in interest-based advertising).
- An opt out for use and sharing of nonsensitive information.
- Strong protections for use and sharing of de-identified information.
- Prohibition of “take-it-or-leave-it” offers requiring consent to data sharing and use that are not necessary to provide the service, as a condition of obtaining the service.
- Heightened notice requirements for discounts and other incentives in exchange for consumers’ express affirmative consent to the use and sharing of their personal information to the extent not necessary to operate the service, and restrictions on pricing services for those who do not consent, because “[c]onsumers should not be forced to choose between inflated prices and maintaining their privacy.”
The proposed rule is also said to include data security requirements based on FTC and NIST cybersecurity frameworks and a harm-based data breach notification rule. The data breach rule purportedly will require providers to notify affected customers within 30 days of discovering an incident, the Commission of an incident within seven business days of discovering the incident, and the Federal Bureau of Investigation and U.S. Secret Service of incidents affecting more than 5,000 customers within seven business days of discovering the incident.
The proposed rules specifically exclude privacy practices of websites and apps over which the FCC lacks jurisdiction. While the revised proposed rulemaking promises to result in less differential treatment of BIAS providers and other online services providers (e.g., Facebook and Google), it appears that the chairman remains intent on applying stricter rules to service providers under the FCC’s limited jurisdiction than to edge networks and other non-BIAS providers.