On the heels of the Open Internet Order adopted by the Federal Communications Commission (FCC) last year, FCC Chairman Tom Wheeler has circulated a Notice of Proposed Rulemaking (NPRM) to fellow Commissioners that would apply the privacy protections of the Communications Act to broadband Internet access services. Wheeler’s proposal will be voted on at the FCC’s March 31, 2016 Open Meeting and, if adopted, will be released for public comment. According to the Fact Sheet released by the FCC that summarizes the NPRM, the proposal is limited in scope in that it does not address the privacy practices of websites over which the Federal Trade Commission (FTC) has jurisdiction, other types of services offered by broadband Internet Service Providers (ISPs), or government surveillance, encryption, and law enforcement issues. The proposal nevertheless has major implications for ISPs and the rapidly evolving U.S. privacy and data security landscape.
The proposal would separate the use of customer data by ISPs into three categories, with the aim of ensuring that customers have a choice in how their data is used, a clear understanding of what data is being collected about them, and assurances that their data is secure. The three categories are organized around customer consent:
- Consent Inherent in Decision to Purchase Broadband Services. ISPs would be able to use customer data as necessary to provide broadband services and direct service-related marketing to customers without obtaining additional consent, based on a customer’s decision to purchase broadband service.
- Opt-Out Required. ISPs would be able to use customer data to market communications-related services unrelated to the service purchased by a customer and to share data with affiliates for such purposes, but customers must be given an opt-out option with respect to such data usage.
- Opt-In Required. All other uses of customer data would require express, affirmative opt-in consent from customers.
Thus, under the proposal, ISPs would not be prohibited from using and sharing customer data, but customers would have choices about how their data is used and shared.
The proposal would also establish data security requirements for ISPs to protect customer data against data breaches and other vulnerabilities; these reportedly include (among other things) requirements for internal risk management, employee training, strong customer authentication, and protection of information shared with third parties. In the event of a breach of customer data, ISPs would be required to notify (1) affected customers within 10 days of discovery, (2) the FCC within 7 days of discovery, and (3) the Federal Bureau of Investigation and the U.S. Secret Service (for breaches affecting more than 5,000 customers) within 7 days of discovery of the breach. These proposed notification timeframes are shorter than those in most state data breach notification laws currently in effect.
This NPRM is just one of several instances of the FCC taking an active interest in consumer privacy and data security issues over the last few years. Earlier this week, the FCC settled with Verizon Wireless over its use of “supercookies” and alleged failure to adequately protect customers’ information (see our post here). Last year, AT&T settled with the FCC for $25 million over allegations that employees at the company’s call centers had inappropriately shared customers’ information with cellphone traffickers (see our post here). That settlement remains the FCC’s largest relating to data security. With these recent actions, the FCC has become a major player in the privacy and data security arena, along with the FTC, state attorneys general, plaintiffs’ lawyers, and foreign regulators.