New FCC Privacy Rules Help Place Internet Users in the Driver’s Seat: ISPs Are Now Required to Obtain Opt-In Consent from Broadband Customers Prior to Using and Sharing Sensitive Data Belonging to Users;
Reasonable Data Security and New Federal Breach Notification Requirements Also Will Take Effect Soon
by Mary Cain
Here are the key highlights of the FCC's rules adopted today:
(1) INCREASED TRANSPARENCY OF ISPs’ USE AND SHARING PRACTICES:
Required Privacy Disclosures
The rules require ISPs to disclose their privacy practices. Privacy notices must clearly inform customers about:
- what types of information will be collected
- the carrier’s data use and sharing practices—namely, how, under what circumstances, and for what purposes the ISP plans to use and share customer proprietary network information (customer information)
- the types of entities with whom the customer information will be shared
- the customer’s right to opt in or opt out (as the case may be) of sharing of the customer information
- the fact that the customer may deny or withdraw approval to access their information at any time
- the fact that the customer’s decision to deny the carrier the ability to use or share customer information for purposes outside of providing the customer with telecommunications services will not affect the customer’s ability to receive telecommunications services from the carrier (i.e., no take-it-or-leave-it offerings whereby the offer of broadband Internet access service is made contingent on the customer surrendering customer’s privacy rights)
The above information must be clearly conveyed in a conspicuous and not misleading way. Notice of privacy practices must be given to the customer at the point of sale and must remain persistently available and easily accessible to customers on the ISP’s websites, apps, and the functional equivalents thereof.
Requirement of Advance Notice of Material Changes to Privacy Policies
Privacy notices must be given in advance of any material changes to the carrier’s privacy policies; notices must clearly and accurately inform the customer of associated opt-in or opt-out approval rights (discussed below).
Safe Harbor Privacy Notice to be Issued No Later than June 1, 2017
In an effort at encouraging ISPs, and particularly smaller carriers, to adopt standardized privacy notices without mandating a particular form, the FCC has directed the Consumer Advisory Committee “to formulate a proposed standardized notice format, based on input from a broad range of stakeholders, within six months of the time that its new membership is reconstituted, but, in any event, no later than June 1, 2017.” (WC Docket No. 16-106, Report and Order In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, FCC 16-148 (2016), at para. 153.)
(2) MORE MEANINGFUL CHOICE: New Requirements for Opt-In and Opt-Out Customer Consent
The new rules require that the consumer’s choice controls be calibrated to the sensitivity of the data that the ISP would be accessing, using or sharing. ISPs must provide access to a simple, easy-to-use mechanism for customers to provide or withdraw their consent to use, disclose, or permit access to such customer information. This calibration represents the FCC’s adoption of a tiered, sensitivity-based privacy framework under which customers can easily exercise choice over the use and sharing of their information.
A. OPT-IN CONSENT REQUIREMENTS
The highest user controls are reserved for sensitive customer information for which ISPs will be required to obtain express, affirmative consent (so-called opt-in consent) from their customers prior to using or sharing that data as well as for retroactive, material changes in uses of customer information.
A non-exhaustive list of categories of sensitive data subject to heightened customer controls has been provided in the FCC’s Order. It includes:
- Precise Geo-Location Information (includes, without limitation: Wi-Fi-based; cell-based; GPS-based location information)
- Information pertaining to Children
- Content of Communications
- Web-browsing History (and functional equivalents)
- App Usage History (and functional equivalents)
The rules also ban so-called take-it-or-leave-it offerings of broadband service where the Internet access offer is contingent on the customer surrendering his/her privacy rights. Because this type of practice runs contrary to the requirements of Sections 222 and 201 of the Act, the FCC has prohibited it.
B. CUSTOMER OPT-OUT RIGHTS
Use and sharing of other individually identifiable customer proprietary information that is “non-sensitive” (for example, service tier information) will be subject to opt-out consent by the customer. The FCC found that in cases of ISP use and sharing of non-sensitive personal data, default allowance and a customer opt-out regime will be consistent with the consumer’s expectations.
C. EXCEPTIONS TO CUSTOMER CONSENT REQUIREMENTS
Customer consent will be inferred in certain cases, such as when the use and sharing of customer information is pursuant to statute or for the following reasons:
- to provide the broadband service, and bill and collect for the service
- to provide and market services and equipment typically marketed with the broadband service currently subscribed to by the customer (non-sensitive data only)
- to protect the broadband provider and its customers from fraudulent use of the provider’s network
For these uses of customer information, no additional customer consent is required beyond the creation of the customer-ISP relationship.
(3) “REASONABLE,” ROBUST AND FLEXIBLE DATA SECURITY PRACTICES:
ISPs and other telecommunications carriers must adopt reasonable data security practices appropriately calibrated to the following:
- the nature and scope of the carrier’s activities
- the sensitivity of the underlying data
Carriers must take into account the CIA triad of data security principles--Confidentiality, Integrity and Availability--when developing, implementing and monitoring their selected data security practices.
While the FCC declines to require any specific activities that a carrier must undertake in order to meet the reasonable data security requirement (given that what qualifies as “reasonable” data security must, by necessity, evolve with the times), the FCC does provide an evolving set of non-exclusive practices as guidance for ISPs to consider when developing reasonable data security practices, including that ISPs should:
- Engage with Industry Best Practices and Risk Management Tools
- Have Strong Accountability and Oversight of Data Security Practices (develop a written comprehensive data security program; designate senior official(s) with personal accountability and responsibility for data security and privacy practices; have employee/contractor training programs on the appropriate handling of PI; exercise appropriate data security practices when sharing with third parties)
- Have Robust Customer Authentication
- Use Data Minimization Strategies
- Lawfully Cooperate with Other Industry Members to Exchange Information regarding Cyber Incidents and Other Data Security Threats
(4) DATA BREACH NOTIFICATION RULES:
(5) OTHER ISSUES ADDRESSED:
The Order addresses other issues, including the implementation timeline, federal preemption, rules respecting deidentification of data, the FCC prohibition on take-it-or-leave-it offers, heightened consumer protections in the context of financial incentive offers in exchange for personal information, harmonization of broadband and voice rules, and the upcoming rulemaking on dispute resolution.
What the rules do not address:
Outside of the scope of these new rules are the privacy practices of edge providers, websites and apps, such as Facebook and Twitter. The Federal Trade Commission (FTC) continues to have authority over those entities pursuant to Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce.
Why Were These New Privacy Protections Needed?
In providing access to the Internet, ISPs “collect extensive information about all of their customers, including location, web browsing and app use history, when and with whom they communicate, and even the content of those communications,” as explained by retired FCC Commissioner Michael Copps. As Copps continues: “In short, nearly everything a consumer does online is visible to his or her ISP. ISPs need some of that information to provide service, but they also can exploit private details for profit, primarily through marketing.”
Partly in recognition of the ISPs’ capability and willingness to monitor, collect, share and monetize vast swathes of users’ personal information—including highly sensitive information belonging to individual users—for purposes to which users have not consented and that are extraneous to providing them with an Internet connection, elected officials and consumer protection advocates have been urging the FCC to finalize strong privacy rules applicable in the ISP setting.
This past July, a group of seven Democratic Senators[1] led by Senator Ed Markey (D-Mass.) wrote a letter to the FCC urging it to finalize broadband privacy rules after the D.C. Circuit Court upheld the FCC’s 2015 Open Internet Order in United States Telecom Ass’n v. FCC. The 2015 Open Internet Order, among other things, reclassified broadband Internet access service as a telecommunications service subject to Title II of the Communications Act, including the application and enforcement of Section 222’s privacy protections.
The rules adopted at the FCC’s October Meeting represent the culmination of a rulemaking process following the D.C. Circuit Court’s ruling on the reclassification of broadband as a telecommunications service. This process has involved feedback from multiple stakeholders.
[1] The Senators signing the FCC letter urging finalization of the rules included Sens. Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.)—both members of the Commerce, Science and Transportation Committee—and Sens. Al Franken (D-Minn.), Elizabeth Warren (D-Mass.), Patrick Leahy (D-Vt.), Bernie Sanders (I-Vt.) and Tammy Baldwin (D-Wisc.).