On April 1, 2016, the FCC officially proposed new rules that would significantly expand broadband ISPs’ data privacy and security obligations. These new rules would largely supplant the FTC’s long-standing practice of encouraging ISPs to conform their privacy and security practices to accepted industry norms, and of engaging in enforcement action against ISPs only to pursue claims of unfair or deceptive practices or data breaches. Following the FCC’s 2015 Open Internet Order, this is the FCC’s first major marker of how it intends to regulate ISPs’ privacy and security practices. Far from a deregulatory approach, these proposed rules track closely with Europe’s regulation of consumer data.
For its proposed data privacy rules, the FCC expands on its existing Customer Proprietary Network Information (CPNI) rules that have long applied to carriers’ voice services by applying and tailoring them to the broadband context, such that service plan information, geo-location, and MAC and IP addresses would be added to the traditional categories of voice-related CPNI. It then recognizes a new category of data – personally identifiable information (PII) – that will be added to the CPNI data to create an aggregate class of protected data known as “customer proprietary information” or “customer PI.” The FCC defines PII to include anything that is “linked or linkable to an individual,” which covers a wide array of customer data, such as the customer’s biographical data, browsing history, biometric information, and app usage, to name but a few examples.
The FCC then establishes privacy and security rules driven by its three core guideposts: promoting transparency to consumers, establishing consumer choice over the use and disclosure of customer PI, and promoting data security through various data security requirements and reporting obligations. The FCC seeks to achieve transparency by dictating various requirements on the form and substance of ISPs’ privacy policies, including clear and comprehensible disclosure of what PI is collected, how it is used, and what rights the customer has to grant or revoke consent to use their PI in various ways.
To create a framework for consumer choice over how their PI is collected and used, the FCC creates a three-tiered approach:
- Inherent Consent: customer consent is not required to convey data that the customer inherently consented to be used as part of subscribing to the service, such as sending the customer their bill for the services subscribed to;
- Opt-out model: in these scenarios, ISPs would be allowed to use certain limited data on an opt-out basis, such as using or sharing with its affiliates the customer’s PI to market other communications-related services;
- Opt-in model: for all other contexts, such as displaying ads tied to the customer’s browsing history, any other use or sharing of customer data requires express, affirmative opt-in consent from the customer.
With respect to data security, the FCC proposes various new rules, including required regular risk-management assessments, employee training programs, adoption of specific customer-authentication requirements, and the designation of one member of senior management responsible for data security issues. The breach-disclosure requirements are far more exacting than existing CPNI-breach disclosure requirements, and include required notices to affected consumers, the FCC, FBI and Secret Service.
While these new rules are directed at ISPs, the FCC has also sought comment on whether, and how, it could require ISPs to contractually impose these obligations on the various third parties involved in ISP/customer interactions, including equipment manufacturers, website providers, advertisers, and so on. Opening comments on the proposed rules are due on May 27, 2016, and reply comments are due on June 27, 2016.