FCC Enacts Rigorous New Internet and Telecommunications Privacy Rules
A Hotly Contested Proceeding Expands the Commission's Regulatory Authority, But Will Likely End Up in Court
After a massive Notice of Proposed Rulemaking, extensive and contentious advocacy from all sides, and public revision of its own proposals, the FCC has just approved an Order enacting rules that impose a wide range of new regulations on Internet service providers ("ISPs") in their provision of broadband Internet access service ("BIAS"). These new rules may significantly impact both the operations and the business models of ISPs, and shift the business dynamics of the Internet ecosystem. The new rules will also apply to provision of voice services, and will impact carriers' use of call-detail record information. However, a court challenge to the new rules seems likely given their potential impact on the business of the Internet and ISP operations, under the theory that the FCC has exceeded its regulatory authority.
The FCC's new rules focus on three aspects of BIAS-related privacy: (1) ISP provision of notice to consumers with respect to how they seek to use and share their customers' private/proprietary information ("PI"); (2) customer choice and consent to those uses of their PI; and (3) secure data protection by ISPs of that information.
The new rules require that mobile and fixed ISPs:
- Notify customers about the types of information the ISP collects about them: specifying how and for what purposes the ISP uses and shares this information; identifying the types of entities with which the ISP shares this information; and obtaining different levels of consentfrom customers before using certain types of PI.
- May not make "take it or leave it offers" whereby customers must consent to the ISP's use and sharing of certain information with other parties as a condition of service; and ISPs must use "enhanced disclosure" to consumers for plans that provide discounts or other incentives in exchange for a consumer's opt-in consent to expanded use and sharing of their PI ("Pay for Privacy"). The Commission will determine on a case-by-case basis the "legitimacy" of programs that relate service price to privacy protections.
- Must strengthen their data security to enhance protection of customer information and must notify customers (within 30 days), the FCC and, in some cases, the FBI/Secret Service (within 7 business days) after reasonable determination of the breach.
Notice of ISP PI Collection, Sharing and Other Privacy Policies
In order to ensure that customers receive timely and "persistent" notice of privacy policies, the new rules require that an ISP's PI collection, sharing and other privacy policies must be made available to prospective customers at the point of sale and prior to the purchase of BIAS, whether such purchase is being made in person, online, over the telephone. ISPs cannot rely solely on website posting of privacy policies. In addition, ISPs must update customers when privacy policies are changed, and the policies must be made persistently available through: (a) a link on the ISP's homepage and (b) the ISP's mobile application. The FCC's Order also directs the Commission's Consumer Advisory Committee to develop a proposed standardized privacy notice format that is voluntary and would serve as a "safe-harbor" for those providers who choose to adopt it.
Consumer Choice/Consent Based on the Sensitivity of the Information
The FCC determined the type of customer consent required for ISPs and voice service providers to use and share their customers' PI by looking to the approaches taken in other privacy frameworks, including those of the Federal Trade Commission ("FTC") and the Obama Administration's Consumer Privacy Bill of Rights. These new rules thus focus on the sensitivity of the information - rather than how it is used - in order to meet customer expectations. Customers are presumed to generally want more controls in place before their sensitive information is used or shared. Based on the sensitivity of the PI, ISPs will now have to obtain either opt-in or opt-out consent from their customers:
- Opt-In: ISPs are required to obtain "opt-in" consent to use "sensitive" information
ISPs would have to obtain affirmative permission from consumers - opt-in consent - to use and share information that would be considered "sensitive," including:
Geo-location
Children's information
Health information
Financial information
Social Security numbers
Web browsing history
App usage history
The content of communications
- Opt-out: Use and sharing of non-sensitive information
All other individually identifiable customer information - for example, service tier information - would be considered non-sensitive and the use or sharing of that information would be subject to opt-out
- Exceptions to the Consent Requirements
Customer consent for their ISP's use of data is permitted for certain purposes, including:
Use and sharing of non-sensitive information to provide and market services and equipment typically marketed with the broadband service subscribed to by the customer;
Providing the broadband service, and bill and collect for the service; and
Protecting the broadband provider and its customers from fraudulent use of the provider's network.
Protection of Customer PI - Data Security and Breach Notification
The Commission has imposed severe penalties on several carriers for breaches in the security of their customer data over the past year or two. In taking a more proactive approach, the FCC's Order enacts robust data security rules that expressly require ISPs to adopt "reasonable" data security practices, such as:
Implementing up-to-date and relevant industry best practices, including making available guidance on how to manage security risks responsibly;
Providing appropriate accountability and oversight of its security practices;
Implementing robust customer authentication tools; and
Properly disposing of data consistent with FTC best practices.
Data breaches are, of course, occurring with increasing frequency. The impact on consumers of a breach of their data can be significant and costly. With that in mind, the Order implements new data breach notification requirements designed to give consumers and law enforcement notice of failures to protect such information. Such notifications would have to be made to affected customers, the FCC, and in some cases the FBI and U.S. Secret Service. For these purposes, an ISP will be required, in the event of a data breach, to notify:
Affected customers of breaches of their data as soon as possible, but no later than 30 days after "reasonable determination" of a breach;
The Commission, the Federal Bureau of Investigation, and the U.S. Secret Service of breaches affecting 5,000 or more customers no later than 7 business days after "reasonable determination" of the breach; and
The Commission at the same time as customers are first notified of breaches affecting fewer than 5,000 customers.
An ISP would not need to provide data breach notices where the ISP reasonably determines that the breach will not cause a risk of harm to consumers. Still, the Commission's data breach notification requirements constitute a substantial expansion of FCC regulatory authority into an area already crowded with state requirements and a history of FTC enforcement. Where the Commission's rules are inconsistent with any state laws, those rules would preempt those laws. Nevertheless, the addition of yet another layer of privacy-related regulation will likely make ISP compliance even more challenging.
Implementation Timeline
The FCC states that its new Order gives providers sufficient time to implement the changes required by the rules, while adopting an implementation timeline calibrated to ensure that consumers receive the benefit of the new rules as quickly as possible. According to the FCC's concurrently-published Fact Sheet:
The data security requirements will go into effect 90 days after publication of the summary of the Order in the Federal Register;
The data breach notification requirements will become effective approximately 6 months after publication of the summary of the Order in the Federal Register; and
The Notice and Choice requirements will become effective approximately 12 months after publication of the summary of the Order in the Federal Register. Small providers will have an additional 12 months to come into compliance with this requirement
Maintaining Mandatory Arbitration
One action that the Commission considered but did not take in this Order relates to mandatory arbitration clauses. The Commission chose not to enact a prohibition on mandatory arbitration clauses in BIAS consumer contracts. Eliminating such clauses would give consumers access to litigation, and perhaps class action law suits, as a means for remedying harms they believe that they have suffered. Commissioner Clyburn pushed hard for this, and expressed disappointment when her proposal was not adopted. Nevertheless, the Chairman has committed to opening a separate and more comprehensive proceeding on mandatory arbitration clauses, and the breadth of that new proceeding may include voice telecommunications services. The Chairman stated that the Commission targets producing a new NPRM on mandatory arbitration clauses by February of 2017. It remains to be seen how this proceeding will progress if the Chairman steps down at the end of President Obama's term and Commissioner Clyburn is not named as the new Chair.
What's Next?
It comes as no surprise, of course, that many of the new regulatory requirements enacted in the FCC's Order were opposed by several ISPs and others. Many ISPs have argued that the FCC's rules unwisely and unnecessarily exceed or contradict the requirements enforced by the FTC, resulting in regulatory headaches for ISPs and confusion for consumers, especially when Internet edge providers (e.g., Amazon, Facebook) are not subject to the same requirements to protect PI. For example, ISPs have argued that the FTC does not classify customer web browsing history and application use as sensitive. They have also argued that, in making this classification and thus requiring customer opt-in before ISP use of that data to market its own products to its own customers, customer expectations are contradicted and unnecessary burdens are created on all parties. Combined with a number of other objections to specific requirements, as well as to the underlying expansion of FCC regulatory authority here, it seems very likely that the FCC's Order will be challenged in court. And while sweeping the provision of voice services into the same new privacy regulatory regime may have some beneficial effects, doing so may raise additional legal issues and create an additional set of opponents to the rules. Of course, unless the challengers get a stay from a court, the new rules will go into effect during the pendency of any court challenge.
In the meantime, there are a lot of important details in the Order and rules for ISPs to review as they begin the process of compliance. We urge you to read the Order carefully when it is released, and to contact us if we can be of assistance.