By: Ernesto Mendieta
The FCC announced that it has adopted new privacy rules that significantly increase broadband ISP’s data privacy and security obligations. These rules are the result of the NPRM proposed by the FCC on April 1, 2016, and the comments received during the past few months.
Following the FCC's Open Internet Order that reclassified broadband Internet service as a telecommunications service, these rules expand the existing Customer Proprietary Network Information (CPNI) provisions of the Communications Act that have long applied to carriers’ voice services by tailoring them to the broadband context. These rules implement the new approach the FCC is taking for regulating ISPs’ privacy and security practices, similar to Europe’s highly regulated consumer data practices. The rules will largely supplant the FTC’s long-standing practice of encouraging ISPs to conform their practices to accepted industry norms, and only engaging in enforcement action against ISPs to pursue claims of unfair or deceptive practices or data breaches.
The FCC’s three main objectives of the newly adopted rules are (i) to establish consumer choice over the use and sharing of their personal information (PI) by broadband providers, (ii) to promote transparency to consumers regarding their PI and (iii) to promote data security practices by ISPs.
First, the rules establish a framework of costumer consent required for ISPs to use and share their customers’ PI depending on the sensitivity of the information:
- Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information, which includes precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.
- Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” Non-sensitive information includes all other individually identifiable customer information such as email address or service tier information.
- Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional consent is required beyond the creation of the customer-ISP relationship.
The rules prohibit “take-it-or-leave-it” offers, meaning that an ISP cannot refuse to serve customers who do not consent to the use and sharing of their information for commercial purposes.
Additionally, the rules include transparency requirements on the form and substance of ISPs' privacy policies, to provide customers with clear, conspicuous and persistent notice about the PI they collect, how it may be used and with whom it may be shared, as well as what rights the customer has to grant or revoke consent to use their PI in various ways.
Finally, the rules require ISPs to engage in specific data security practices and guidelines, such as implementing relevant industry best practices, providing oversight of security practices, implementing robust customer authentication tools, proper disposal of data and breach disclosure requirements to consumers and law enforcement.
The scope of the rules is limited to broadband service providers and other telecommunications carriers, and do not apply to the privacy practices of websites and other “edge services.”
The rules will become effective on different moments depending on the specific requirements: (i) Notice and choice requirements will become effective approximately 12 months after publication of the summary of the Order in the Federal Register, and small providers will have an additional 12 months to come into compliance; (ii) Data security requirements will go into effect 90 days after publication; and (iii) Data breach notification requirements will become effective approximately 6 months after publication.
It is likely that the rules will face legal challenges that may delay or prevent them from becoming effective. We will continue to monitor the publication of the final Order as well as any related issues.