Tech & Sourcing @ Morgan Lewis


On October 6, Federal Communications Commission (FCC) Chairman Tom Wheeler released a factsheet outlining proposed rules aimed at protecting broadband consumers’ privacy. The proposed rules would apply to internet service providers (ISPs) and cover data collection, usage, security, and breach notification.

If adopted, ISPs would need to notify their consumers about the types of data being collected, when and how collected consumer data can be shared, and the types of entities with which ISPs can share the information. ISPs would also be required to adopt reasonable measures to protect consumer data from data breaches and other vulnerabilities.

For sensitive information—e.g., information related to geo-location, children, money, health and app usage, social security numbers, browsing history, and communications content—ISPs would have to obtain affirmative “opt-in” consent from consumers before using or sharing such information. In contrast, for non-sensitive information, ISPs would only have to offer consumers the ability to “opt out” of the ISP's use or sharing of that information.

These proposed rules are in line with the previous coordination of privacy and data security oversight between the FCC and the Federal Trade Commission (FTC). While the FTC aims to protect the privacy of consumers related to internet companies and websites, the FCC’s rules only apply to ISPs in their provision of broadband services. In other words, the proposed rules would not apply to privacy policies of websites or apps owned by an ISP. In his factsheet, Chairman Wheeler asserts that the proposed rules and oversight of ISPs are in line with the FCC’s regulation of other telecommunication carriers, and points to the FCC’s regulation of telephone companies’ usage of consumer call information as precedent (read our prior post about the FCC’s attempts to adopt data privacy and security rules for ISPs).

The FCC will consider the proposed rules on October 27, 2016.