On March 31, the Federal Communications Commission (FCC), voting 3-2 along party lines, adopted a Notice of Proposed Rulemaking (NPRM) to establish a set of regulatory data security and privacy rules for broadband Internet access service providers (ISPs). If approved, these proposed rules would regulate how ISPs use and share consumer data. The FCC has commenced a comment period—comments are due May 27, 2016, and reply comments are due June 27, 2016.
In its 2015 Open Internet Order (Order), the FCC reclassified ISPs as “common carriers,” which are subject to certain privacy protections of Title II of the Communications Act of 1934 (Act). Although section 222 of the Act (Section 222) was included, the FCC conceded that its existing Consumer Proprietary Network Information (CPNI) rules were specific to voice services and would not apply to ISPs. The FCC noted then that this NPRM would be forthcoming. (See our LawFlash discussing the Order: FCC Adopts Open Internet (Net Neutrality Rules).)
Beyond imposing new rules on ISPs, the FCC’s reclassification may have ultimately dispossessed the Federal Trade Commission (FTC), over the FTC’s objection, of its jurisdiction over ISP privacy violations, because common carriers are an exception to the FTC’s consumer marketplace enforcement authority. In the NPRM, the FCC reasons that “the current federal privacy regime, including the important leadership of the [FTC] . . . does not now comprehensively apply the principles of privacy protection to these 21st century telecommunications services provided by broadband networks. That is a gap that must be closed...”
The rules set forth in the NPRM are based on three core principles: (i) transparency on data collection, (ii) consumer choice with respect to use of data, and (iii) data security and breach notifications. The following are highlights of some of the FCC’s proposals.
The NPRM proposes rules to enhance customers’ ability to make informed choices through effective disclosures of ISPs’ privacy policies. It also proposes that an ISP must clearly and conspicuously notify its customers of its privacy policies and must specify and describe (i) the types of proprietary information collected, (ii) how the ISP will use and disclose the information, and (iii) the categories of entities that will receive the information and the purposes for which it will be used. ISPs must also advise customers of their opt-in and opt-out rights and provide easy-to-access methods for customers to grant or withdraw consent to use, disclose, or provide access to proprietary information. The NPRM proposes specific terms with respect to the content, form, timing, and placement of these notices, as well as rules for notice of material changes to an ISP’s privacy policies.
The NPRM proposes rules to empower consumers to decide the extent to which ISPs can use and share proprietary information while also providing ISPs with guidance on the nature of their obligations. The NPRM incorporates the three-tiered framework approach to choice from existing Section 222 regulations, with certain changes. Under this framework, some uses of proprietary information require explicit opting out or opting in, while for other uses, consent is implied with certain exceptions.
Data Security and Breach Notifications
The NPRM proposes data security rules, which would address specific ISP data security practices. These rules would require that providers generally protect the security, confidentiality, and integrity of customer data and permit consumers to rely on their ISP to take reasonable steps to safeguard customer information from unauthorized use. The proposal would also include specific data security practices, including (i) establishing regular risk-management assessments, (ii) requiring appropriate employee training, (iii) appointing a senior management official to oversee data security measures, (iv) creating robust customer authentication procedures, and (v) notifying customers of account changes.
The NPRM also proposes rules for notifying consumers of data breaches. It proposes that ISPs must notify (i) affected customers within 10 days of discovery of a breach, (ii) the FCC no later than seven days after discovery of a breach, and (iii) the Federal Bureau of Investigation and the US Secret Service no later than seven days after discovery of a breach affecting more than 5,000 customers (and at least three days before notifying customers). The proposals include regulating the content and timing of breach notices. Furthermore, the proposed definition of “breach” is broader than the current Section 222 definition: the proposed definition would cover all customer proprietary information, not just CPNI, would not include an intent element, and would therefore include inadvertent breaches.