What Can ISPs Do With YOUR Personal Information? The FCC Has Some Ideas …
Massive proposal would impose new limits, obligations on ISP use of private/proprietary customer data.
Continuing its advance into the realm of privacy regulation, the FCC has proposed extensive rules that, if adopted, would impose a wide range of new regulations on Internet service providers (ISPs) in their provision of broadband Internet access service (BIAS). According to the Commission, its goal is to provide broadband consumers with "meaningful choice, greater transparency and strong security protections" with respect to personal information their ISPs collect from them. Notwithstanding those laudable aspirations, though, the proposals will almost certainly stoke considerable controversy - as will the basis asserted by the FCC for its authority to adopt the rules in the first place.
Anyone interested in the rights of broadband consumers (or the obligations of ISPs) should pay close attention to this proceeding, starting with the recently-released Notice of Proposed Rulemaking (NPRM). But be forewarned: The NPRM is more than 100 dense pages long, posing more than 500 questions up for comment. It's not for the faint of heart. We will summarize the high points here, to get you oriented.
As indicated above, the FCC's proposals focus on three aspects of BIAS-related privacy: (1) consumer choice in how their private/proprietary information ("PI") is used by the ISP; (2) transparency by the ISPs with respect to how they use, or may use, that information; and (3) secure protection, by ISPs, of that information. And just what does PI consist of? For now, the FCC proposes to define customer PI to include "private information that customers have an interest in protecting from public disclosure". Under this proposal, such information would fall into two categories: (1) customer proprietary network information (CPNI); and (2) personally identifiable information that the BIAS provider acquires in connection with its provision of BIAS.
Choice/Consent.
Obviously, in connection with the consumer/ISP relationship, the ISP obtains from its customers various types of private information that could be useful to the ISP in various ways. In the Commission's view, three categories of possible ISP uses of such information warrant three distinct levels of customer consent.
- Customer PI Necessary to Provide the ISP's Services: With respect to customer PI that is necessary for the provision of broadband services in the first place, the Commission proposes to deem customer consent to be implied. That is, no additional consent need be obtained with respect to such use of such customer information, nor would the ISP be required to give the customer the opportunity to opt out of such use. That, of course, makes perfect sense: having contracted for the provision of BIAS, the customer can reasonably be assumed to have understood that at least some personal information would be required for the ISP to provide that service.
Additionally, Section 222(d) of the Communications Act specifically authorizes providers to use or disclose customer information in certain limited circumstances, including, for example, certain emergency situations. The customer would be presumed to have consented to such uses under the proposal, with no opt-in or opt-out opportunity; the FCC proposes to adopt these exceptions, tailored to the broadband context.
The same would be true of ISP use of the customer's PI for the purpose of marketing additional BIAS offerings in the same category of service (i.e., mobile or fixed BIAS) that the ISP is already providing to the customer. This would be consistent with similar obligations already imposed on other carriers.
- Customer PI Used to Market Other Communications Services: ISPs would be allowed to use customer PI to market other communications-related services to the customer as long as, before doing so, the ISP advises the customer of that possible use and provides the customer an opportunity to opt out. Also subject to this advance-notice-and-opt-out-opportunity requirement would be any sharing of customer PI by the ISP with any affiliates that provide communications-related services.
- All Other Uses of Customer PI: All other uses and sharing of customer PI would require the ISP to seek, and obtain, express, affirmative "opt-in" consent from the customer before the uses or sharing could occur.
Transparency/Notice of ISP Privacy Policies
Nearly everyone agrees that ISPs should inform consumers about their privacy practices. As a practical matter, most ISPs do so by posting their policies on their websites. Nevertheless, the NPRM proposes rules to enhance effective disclosure of broadband providers' privacy policies that would include notice to consumers regarding:
- What customer information the ISP collects and for what purposes;
- What customer information the ISP shares and with whom; and
- How, and to what extent, customers can opt in or opt out of use and sharing of their personal information.
In order to ensure that customers receive timely and "persistent" notice of privacy policies, the Commission proposes that, rather than allowing ISPs to rely on website posting alone, the rules would require that an ISP's privacy notice must be:
- made available to prospective customers at the point of sale and prior to the purchase of BIAS, whether such purchase is being made in person, online, over the telephone, or by some other means; and
- made persistently available through: (a) a link on the ISP's homepage; (b) the ISP's mobile application; and (c) any functional equivalent to the provider's homepage or mobile application.
The NPRM also seeks comments on a wide variety of practical questions that arise with respect to such notice. For example: Should the language and format of ISP privacy notices be standardized? Should the content of such notices be "harmonized" with notices regarding the same ISP's use of customer information for voice and video services? Should an ISP be required to give customers notice of any material change in its privacy policies - and, when such changes are made, to what extent should customers have the right to deny access to their private information for the revised ISP uses?
Protection of Customer PI - Data Security and Breach Notification.
In the last year or two the Commission has imposed severe penalties on several carriers for breaches in the security of their customer data. In the same vein, the NPRM proposes robust data security rules that would expressly require ISPs to:
- take "reasonable steps" to safeguard customer information;
- adopt risk management practices;
- institute personnel training practices;
- implement strong customer authentication requirements;
- identify a senior manager responsible for data security; and
- take responsibility for use and protection of customer information when shared with third parties.
The Commission also asks whether ISPs should be required to use the traditional principles of limiting the collection and retention of sensitive customer information - and disposing of the data safely when no longer needed for the purpose for which it was collected.
Data breaches are, of course, occurring with increasing frequency, and the impact on consumers of a breach of their data can be significant and costly. With that in mind, the Commission asks commenters to address data breach notification requirements designed to give consumers and law enforcement notice of failures to protect such information. One notable proposal in this regard: specific data breach notification requirements harmonized for providers of all telecommunications services. Such notifications would have to be made to affected customers and the FCC and, in some circumstances, the FBI and U.S. Secret Service. For these purposes, a carrier would be required, in the event of a data breach, to notify:
- affected customers no later than ten days after the discovery of the breach, subject to law enforcement needs;
- the Commission no later than seven days after discovery of the breach; and
- the FBI and the U.S. Secret Service no later than seven days after discovery of the breach, and at least three days before notification to the customers, in the case of breaches of customer PI reasonably believed to relate to more than 5,000 customers.
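The three deadlines above interact: for a breach affecting more than 5,000 customers, the law-enforcement notice must go out both within seven days of discovery and at least three days before customers are told, so choosing an early customer-notification date pulls the FBI/Secret Service deadline earlier as well (and a customer notice earlier than day three cannot be made compliant at all). The following Python is an added illustration of that arithmetic, not code from the NPRM or from the original post. It assumes that "days" means calendar days counted from the date of discovery; the function names, thresholds-as-constants and the sample dates are mine, and the "subject to law enforcement needs" qualifier, which could delay customer notice, is not modelled.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

# Proposed timelines as summarized above (assumed to be calendar days from discovery).
CUSTOMER_DEADLINE_DAYS = 10         # affected customers: within 10 days of discovery
FCC_DEADLINE_DAYS = 7               # the Commission: within 7 days of discovery
LAW_ENFORCEMENT_DEADLINE_DAYS = 7   # FBI / U.S. Secret Service: within 7 days ...
LAW_ENFORCEMENT_LEAD_DAYS = 3       # ... and at least 3 days before customers are told ...
LAW_ENFORCEMENT_THRESHOLD = 5000    # ... when more than 5,000 customers are affected


def notification_deadlines(discovered: date, affected_customers: int,
                           planned_customer_notice: Optional[date] = None) -> Dict[str, date]:
    """Return the latest permissible notice date per recipient (hypothetical helper).

    If the carrier plans to notify customers earlier than the 10-day outer limit,
    the law-enforcement deadline moves earlier too because of the 3-day lead.
    """
    customer_limit = discovered + timedelta(days=CUSTOMER_DEADLINE_DAYS)
    if planned_customer_notice is None:
        planned_customer_notice = customer_limit
    if planned_customer_notice > customer_limit:
        raise ValueError("planned customer notice is later than the 10-day limit")
    if planned_customer_notice < discovered:
        raise ValueError("planned customer notice precedes discovery")

    deadlines = {
        "customers": planned_customer_notice,
        "fcc": discovered + timedelta(days=FCC_DEADLINE_DAYS),
    }
    if affected_customers > LAW_ENFORCEMENT_THRESHOLD:
        le_deadline = min(
            discovered + timedelta(days=LAW_ENFORCEMENT_DEADLINE_DAYS),
            planned_customer_notice - timedelta(days=LAW_ENFORCEMENT_LEAD_DAYS),
        )
        if le_deadline < discovered:
            # Customers cannot be told before day 3 when law enforcement needs a 3-day lead.
            raise ValueError("customer notice too early to give law enforcement a 3-day lead")
        deadlines["fbi_usss"] = le_deadline
    return deadlines


def check_notifications(discovered: date, affected_customers: int,
                        sent: Dict[str, date]) -> List[str]:
    """Audit notices actually sent ({recipient: date}); an empty list means compliant."""
    problems = []
    limits = {
        "customers": discovered + timedelta(days=CUSTOMER_DEADLINE_DAYS),
        "fcc": discovered + timedelta(days=FCC_DEADLINE_DAYS),
    }
    if affected_customers > LAW_ENFORCEMENT_THRESHOLD:
        limits["fbi_usss"] = discovered + timedelta(days=LAW_ENFORCEMENT_DEADLINE_DAYS)
    for recipient, limit in limits.items():
        when = sent.get(recipient)
        if when is None:
            problems.append(f"{recipient}: no notice sent")
        elif when > limit:
            problems.append(f"{recipient}: notified {when}, limit was {limit}")
    if "fbi_usss" in limits and "fbi_usss" in sent and "customers" in sent:
        latest_le = sent["customers"] - timedelta(days=LAW_ENFORCEMENT_LEAD_DAYS)
        if sent["fbi_usss"] > latest_le:
            problems.append(
                f"fbi_usss: notified {sent['fbi_usss']} but customers were told "
                f"{sent['customers']}; law enforcement needs {LAW_ENFORCEMENT_LEAD_DAYS} days' lead")
    return problems


if __name__ == "__main__":
    # Constructed sample: breach of 12,000 customer records discovered on 1 April 2016.
    found = date(2016, 4, 1)
    print(notification_deadlines(found, 12_000))
    print(notification_deadlines(found, 12_000, planned_customer_notice=date(2016, 4, 5)))
    print(check_notifications(found, 12_000, {
        "customers": date(2016, 4, 6), "fcc": date(2016, 4, 5), "fbi_usss": date(2016, 4, 5),
    }))
```

The audit function is the part worth keeping in an incident-response playbook: it flags a missing notice, a late notice, and the subtler case where every notice was individually on time but customers were told less than three days after law enforcement.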
The Commission's proposals, if adopted, would constitute a substantial expansion of FCC regulatory authority into an area already crowded with state requirements and a history of FTC enforcement. Where the Commission's proposed rules would be inconsistent with any state laws, the FCC's rules would trump, or "preempt", those laws. Nevertheless, the addition of yet another layer of privacy-related regulation will likely make ISP compliance more challenging.
Other Prohibited Practices
In addition to the wide-ranging proposals on the foregoing, the Commission also wants to know whether certain other ISP practices implicating privacy concerns should be prohibited or, at least, subject to increased notice and choice limitations. In particular, in the NPRM the FCC would prohibit ISP offerings of: (1) BIAS contingent on "the waiver of privacy rights by consumers"; and (2) lower-priced services in return for broader ISP rights to use or share sensitive consumer data. Additionally, the Commission asks whether the use of either deep packet inspection (for purposes other than network management) or persistent tracking technologies should be barred or subject to heightened protections. Again, adoption of FCC rules along these lines would constitute a significant expansion of its current regulatory agenda.
******************
As we consider the many details of the Commission's proposals, it's useful, and important, to bear in mind how we got here and why these proposals are controversial.
The proposals are based on the FCC's interpretation of Section 222 of the Communications Act (formal title: "Privacy of Customer Information"). Subsection (a) of Section 222 imposes a general duty on telecommunications carriers to protect the confidentiality of "proprietary information" of their customers and other carriers. Subsection (b) specifically requires carriers to protect proprietary information received from other carriers, and also not to use it for their own marketing purposes.
Beyond those general provisions, though, Subsection (c) has been seen as the core of Section 222. It addresses the obligations of carriers to protect "customer proprietary network information" (CPNI). CPNI has a long technical definition, but for our purposes here we can think of it as the quantity, type and amount of telecommunications service a customer uses.
Section 222(c) requires that carriers use or disclose "individually identifiable" CPNI only in connection with the provision of telecommunications services, though "aggregate customer information" may be disclosed for other purposes. The FCC has applied CPNI rules to voice-based telecommunications services for many years, but this sole and narrow step into FCC regulation of privacy was generally considered a sleepy regulatory backwater subject to very limited FCC enforcement activity - until 2014.
Then things changed in a big way.
In October, 2014, the Commission imposed a $10 million fine on two companies that stored proprietary customer information (e.g., customer names, addresses, social security numbers, driver's license numbers, etc.) in two publicly accessible folders on the Internet without password protection or encryption. Six months later, the FCC entered into a $25 million consent decree with AT&T arising from data breaches by employees at a couple of its call centers. As a result of those breaches, proprietary information (including names and social security numbers) of more than a quarter of a million customers had been improperly accessed. These cases reflected a dramatic expansion of the Commission's regulation on the privacy front to cover protection of information beyond purely CPNI; they were, however, limited to traditional telecommunications services.
Nevertheless, they paved the way for a further expansion when, in March, 2015, the Commission (in its Open Internet Order) declared the provision of BIAS to be a Title II telecommunications service, with broadband providers suddenly subject to Section 222's privacy requirements. The most recent NPRM is one further logical step in that process. By a sort of regulatory accretion, the Commission has moved from a privacy regime regulating a relatively limited set of consumer information held by a relatively limited set of service providers to a regime regulating far broader types of information held by a far broader universe of providers.
But even if we put aside questions regarding the wisdom or efficacy of the particular proposals advanced by the FCC, the NPRM presents a much bigger question: should the FCC be significantly expanding its privacy regulatory regime? And it's that bigger question that has generated a lot of controversy.
Some public interest groups believe that FCC action will bring long-needed regulation to an area where consumers are particularly vulnerable and unable to understand or protect their privacy interests. Others believe that the FCC lacks both the experience to intrude with proper sensitivity into such a core part of the U.S. economy and, even more importantly, the statutory authority to do so even if it had the experience. Many in this camp assert that the task should be left to the Federal Trade Commission, which has experience and technical capabilities built up over years of protecting consumers' on-line privacy rights.
As attractive as that proposition may seem, however, there's a major problem with it. Recall that the FCC has ruled that BIAS is a Title II telecommunications service. As a result, Section 5(a)(2) of the Federal Trade Commission Act expressly prohibits the FTC from regulating BIAS (under the common carrier exemption there). The FCC and FTC recently signed a memorandum regarding how they will work cooperatively together, as they have done in the past in matters such as telemarketing and "cramming" of telecommunications services. But at least for the foreseeable future, we can expect the FCC to take the lead on enforcing consumer privacy rights against ISPs based on the proposed rules (or rules very close to those proposed).
Comments on the NPRM are due by May 27, 2016, and reply comments are due by June 27. Comments and replies can be filed electronically through the FCC's ECFS webpage: refer to Proceeding Number 16-106.
This is an important proceeding that will attract a lot of attention. Call us if you have questions or would like our assistance in participating.