FCC Adopts Privacy Rules at October Open Meeting

At the October Open Meeting, the Commission adopted rules that require Internet Service Providers (ISPs) to protect consumer privacy under Section 222 of the Communications Act.  According to a Press Release, the rules establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is consistent with the frameworks of the FTC and the Administration’s Consumer Privacy Bill of Rights. The Commission also released an updated Fact Sheet summarizing the adopted rules governing ISPs and consumer data.  The Fact Sheet explicitly states that rules “reflect careful consideration of the needs of smaller ISPs.”  For instance, “small providers” are afforded and additional 12 months to come into compliance with the Notice and “Choice” requirements.  The Order has not yet been released, but the Fact Sheet provides the following overview:

• Clear Notice: Collection, Use, and Sharing of Customer Information
  • Notifications:
    • Notify customers about what types of information the ISP collects about it’s customers;
    • Specify how and for what purposes the ISP uses and shares this information; and
    • Identify the types of entities with which the ISP shares this information.
  • Immediate and persistent notification. ISPs must provide this information upfront and with significant privacy policy changes, and it must be viewable on the ISP’s website or mobile app.
  • Multi-stakeholder approach. Directs the Consumer Advisory Committee (CAC) to develop a standardized notice format that will be voluntary and serve as a “safe- harbor” for the providers who choose to adopt it.
• Consent Requirements: Use of Personal Information Based on Sensitivity (“Consumer Choice”)
  • Opt-In: ISPs will be required to obtain “opt-in” consent to use and share sensitive information. The following information will be considered “sensitive,” including:
    • Web browsing & app usage history; Precise geo-location; Children’s information; Health information; Financial information; Social security numbers; the content of communication.
  • Opt-out: Use and sharing of non-sensitive information (all other individually identifiable customer information) would be subject to opt-out consent requirements in most cases.
  • Exceptions: Consumer consent is inferred for certain purposes, including:
    • Use and sharing of non-sensitive information to provide and market services and equipment typically marketed with the broadband service subscribed to by the customer;
    • To provide the broadband service, and bill and collect for the service;
    • To protect the broadband provider and its customers from fraudulent use of the provider’s network.
• Protection of De-Identified Information
  • The rules allow ISPs to use and share properly de-identified information outside the consent regime, if it meets the FTC’s three part test to ensure that customer information is not re-identified:
    1. Alter the customer information so it can’t be reasonably linked to a specific individual or device;
    2. Publicly commit to maintain and use information in an unidentifiable format and to not attempt to re-identify the data;
    3. Contractually prohibit the re-identification of shared information.
• Protection of Customer Information – ISPs must take reasonable measures to protect customer data. The Order provides the following guidelines, rather than requirements, on how ISPs should do this:
  • Implement updated and relevant industry best practices;
  • Provide appropriate accountability and oversight of its security practices;
  • Implement robust customer authentication tools;
  • Properly dispose of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.
• Data-Breach Notification Requirements. In the event of a breach, ISPs would be required to notify:
  • Affected customers of breaches of their data as soon as possible, but no later than 30 days after reasonable determination of a breach;
  • The Commission at the same time as customers first notified of breaches (i.e., 30 days) fewer than 5,000 customers; and
  • The Commission, FBI, and the U.S. Secret Service of breaches affecting 5,000 or more customers no later than 7 business days after reasonable determination of the breach.
• Implementation Timeline:
  • Data security requirements – 90 days after publication in the Federal Register.
  • Data breach notification requirements – effective approximately 6 months after publication in the Federal Register.
  • Notice and Choice requirements – effective approximately 12 months after publication in the Federal Register. Small providers have an additional 12 months to comply.
• Miscellaneous
  • Prohibits “Take-it-or-Leave-It” Offers – an ISP can’t refuse to serve customers who don’t consent to the use and sharing of the information for commercial purposes.
  • Heightens Consumer Protections for Financial Incentives – the rules require heightened disclosure for plans that provide discounts or other incentives in exchange for consent. The Commission will review these programs on a case-by- case basis.
  • Harmonization of Broadband and Voice Rules – the new rules also apply to voice services and treat call-detail record information as sensitive information in the context of voice services.
  • Dispute Resolution – the Commission intends to proceed with a rulemaking in February 2017 to address mandatory arbitration requirements in contracts for communications services.
• The Rules do NOT:
  • Regulate the privacy practices of websites or apps, like Twitter or Facebook.
  • Regulate other services of broadband providers, like operation of a social media website.
  • Address issues like government surveillance, encryption, or law enforcement.

Please feel free to contact us if you would like any additional information.