At its Open Meeting yesterday, the Federal Communications Commission (FCC) adopted a Notice of Proposed Rulemaking (NPRM) that would apply the privacy protections in Section 222 of the Communications Act to broadband Internet Service Providers (ISPs). The text of the NPRM, which reportedly seeks public comment on more than 500 questions relating to privacy and security obligations for ISPs when handling customer data that they obtain in the provision of Internet access services, has not yet been released.

As we previously reported, the proposal focuses on ensuring that customers have choice as to how their data is used, a clear understanding of what data is being collected about them, and assurances that their data is secure. Of particular significance, the FCC has proposed that ISPs provide customers the ability to opt-out of the use of their data to market communications-related services that are unrelated to services they have purchased, and that customers be required to provide opt-in consent before their data can be used for other purposes. In addition, the NPRM proposes data security requirements to protect customer data against breaches and other vulnerabilities and data breach notification requirements.

The NPRM does not apply to web sites and other “edge services” over which the Federal Trade Commission (FTC) has jurisdiction.  Commission votes on the NPRM were split along party lines, with the three Democratic Commissioners approving and the two Republican Commissioners dissenting. In their separate statements, Republican Commissioners O’Rielly and Pai questioned the FCC’s authority and expertise to regulate privacy and data security, and opined that these matters would be better addressed by the FTC, which has more experience enforcing privacy and data security laws in a technology-neutral manner. While this debate will continue, there is no question that the NPRM proposes a host of new requirements that add more complexity to the evolving U.S. privacy and data security landscape.