CFPB Opens Period to Receive Public Comments Regarding Consumer Access to Digital Financial Records           
Inquiry is Designed to Help Agency Gauge the Amount of Control Consumers Have Over Their Online Banking Records and How Easily and Securely Consumers Are Able Share Digital Financial Records with Third Parties
November 17, 2016

The Consumer Financial Protection Bureau is seeking input from stakeholders on security, access, consumer choice and control in respect to screen-scraping and other tools for online sharing of consumer electronic banking records. For some background, check out an article written by Steve Boms stating the benefits flowing from freer consumer access to their financial data.

The bureau announced the commencement of the new Request for Information today. The goal of the inquiry is to assess the barriers, privacy and security risks, and other challenges that consumers face when attempting to securely access, use, and share their digital financial information with third parties (such as FinTech companies).

In a statement issued on the CFPB's webpage announcement of the comment period, CFPB Director Richard Cordray explained the purpose of the inquiry: 

“Consumers should be able to use their financial records and account information and securely share access in an electronic format. . . . Technology provides opportunities to use these records to create new consumer tools that help improve financial lives. To realize that potential, we are launching a public inquiry into how much control consumers have over their records and how easy and secure it is for them to share their records with third parties.”

Leaders in the banking industry are expected to urge the bureau not to issue any new regulations which would deter innovations such as the creation of new consumer-friendly tools for accessing online banking or other innovations, such as new means for securing banking records against cyberattack.

The comment period for public inquiry will end on February 21, 2017 (90 days after its publication in the Official Register, linked here) See also:

New FCC Privacy Rules Help Place Internet Users in the Driver’s Seat:  ISPs Are Now Required to Obtain Opt-In Consent from Broadband Customers Prior to Using and Sharing Sensitive Data Belonging to Users;
Reasonable Data Security and New Federal Breach Notification Requirements Also Will Take Effect Soon

by Mary Cain

On October 27, 2016, the Federal Communications Commission (FCC) adopted its final rules In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (WC Docket No. 16-106).  Overall, the rules have been heralded by many consumer protection groups as championing meaningful choice for ISP customers. The new rules are built on widely accepted privacy principles, including those laid out in a 2012 FTC Privacy Report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers." They also draw from the U.S. federal Administration’s draft Consumer Privacy Bill of Rights and NIST's Guide to Protecting the Confidentiality of Personally Identifiable Information.  The FCC's Order applies to telecommunications carriers—a group that now includes broadband Internet access service customers (herein identified as “ISPs” or broadband providers) and their customers (which include those of us who sign up to be connected to residential or mobile broadband Internet access services).

Here are the key highlights of the FCC's rules adopted today:


Required Privacy Disclosures

The rules require ISPs to disclose their privacy practices. Privacy notices must clearly inform customers about:

  • what types of information will be collected
  • the carrier’s data use and sharing practices—namely, how, under what circumstances, and for what purposes the ISP plans to use and share customer proprietary network information (customer information)
  • the types of entities with whom the customer information will be shared
  • the customers right to opt in or opt out (as the case may be) to sharing of the customer information
  • the fact that the customer may deny or withdraw customer’s approval to access to their information at any time
  • the fact that the customer’s decision to deny the carrier the ability to use or share customer information for purposes outside of providing the customer with telecommunications services will not affect the customer’s ability to receive telecommunications services from the carrier (i.e., no take-it-or-leave-it offerings whereby the offer of broadband Internet access service is made contingent on the customer surrendering customer’s privacy rights)

The above information must be clearly conveyed in a conspicuous and not misleading way.  Notice of privacy practices must be given to the customer at the point of sale and must remain persistently available and easily accessible to customers on the ISP provider’s websites, apps, and the functional equivalents thereof.

Requirement of Advance Notice of Material Changes to Privacy Policies

Privacy notices must be given in advance of any material changes to the carrier’s privacy policies; notices must clearly and accurately inform the customer of associated opt-in or opt-out approval rights (discussed below).

Safe Harbor Privacy Notice to be Issued No Later than June 1, 2017

In an effort at encouraging ISPs, and particularly smaller carriers, to adopt standardized privacy notices without mandating a particular form, the FCC has directed the Consumer Advisory Committee “to formulate a proposed standardized notice format, based on input from a broad range of stakeholders, within six months of the time that its new membership is reconstituted, but, in any event, no later than June 1, 2017.” (WC Docket No. 16-106, Report and Order In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, FCC 16-148 (2016), at para. 153.)

(2)MORE MEANINGFUL CHOICE:  New Requirements for Opt-In and Opt-Out Customer Consent

The new rules require that the consumer’s choice controls be calibrated to the sensitivity of the data that the ISP would be accessing, using or sharing. ISPs must provide access to a simple, easy-to-use mechanism for customers to provide or withdraw their consent to use, disclose, or permit access to such customer information. This calibration represents the FCC’s adoption of a tired, sensitivity-based privacy framework for customers to be able to easily exercise their choice over the use and sharing of their information. 

The highest user controls are reserved for sensitive customer information for which ISPs will be required to obtain express, affirmative consent (so-called opt-in consent) from their customers prior to using or sharing that data as well as for retroactive, material changes in uses of customer information.

A non-exhaustive list of categories of sensitive data subject to heightened customer controls has been provided in the FCC’s Order. It includes:

  • Financial Information
  • Health Information
  • Social Security Numbers
  • Precise Geo-Location Information (includes, without limitation: Wi-Fi-based; cell-based; GPS-based location information)
  • Information pertaining to Children
  • Content of Communications
  • Web-browsing History (and functional equivalents)
  • App Usage History (and functional equivalents)

The rules also ban so-called take-it-or-leave-it offerings of broadband service where the Internet access offer is contingent on the customer surrendering his/her privacy rights. Considering this type of action runs contrary to the requirements of Sections 222 and 201 of the Act, the FCC has prohibited the practice.


Use and sharing of other individually identifiable customer proprietary information that is “non-sensitive” (for example, service tier information) will be subject to opt-out consent by the customer. The FCC found that in cases of ISP use and sharing of non-sensitive personal data, default allowance and a customer opt-out regime will be consistent with the consumer’s expectations.


Customer consent will be inferred in certain cases, such as when the use and sharing of customer information is pursuant to statute or for the following reasons:

  • to provide the broadband service, and bill and collect for the service
  • to provide and market services and equipment typically marketed with the broadband service currently subscribed to by the customer (non-sensitive data only)
  • to protect the broadband provider and its customers from fraudulent use of the provider’s network

For these uses of customer information, no additional customer consent is required beyond the creation of the customer-ISP relationship.


ISPs and other telecommunications carriers must adopt reasonable data security practices appropriately calibrated to the following:

  • the nature and scope of its activities
  • the sensitivity of the underlying data
  • the size of the provider
  • technical feasibility

Carriers must take into account the CIA triad of data security principles--Confidentiality, Integrity and Availability--when developing, implementing and monitoring their selected data security practices.

While the FCC declines to require any specific activities that a carrier must undertake in order to meet the reasonable data security requirement (given that what satisfies as “reasonable” data security must, by necessity, evolve with the times), the FCC does provide the an evolving set of non-exclusive practices as guidance for ISPs to consider when developing reasonable data security practices, including that ISPs should

  • Engage with Industry Best Practices and Risk Management Tools
  • Have Strong Accountability and Oversight of Data Security Practices (develop a written comprehensive data security program; designate senior official(s) with personal accountability and responsibility for data security and privacy practices; have employee/contractor training programs on the appropriate handling of PI; exercise appropriate data security practices when sharing with third parties)
  • Have Robust Customer Authentication
  • Use Data Minimization Strategies
  • Lawfully Cooperate with Other Industry Members to Exchange Information regarding Cyber Incidents and Other Data Security Threats

Overall, the Order is consistent with NIST Cyber Security Framework; see The Order also encourages (again, without requiring) all carriers to embrace the principle of Privacy By Design (first championed by former Ontario Information & Privacy Commissioner Dr. Ann Cavoukian).


In the event of breach, the new rules require notification of specific law enforcement bodies and affected customers unless the ISP determines that no harm is reasonably likely to result. For the finer points of the new breach notification requirements and other aspects of the Order, please see the FCC’s publication of its final Report and Order In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, available here.


The Order addresses other issues, including the implementation timeline, federal preemption, rules respecting deidentification of data, the FCC prohibition on take-it-or-leave-it offers, heightened consumer protections in the context of financial incentive offers in exchange for personal information, harmonization of broadband and voice rules, and the upcoming rulemaking on dispute resolution.

What the rules do not address:

Outside of the scope of these new rules are the privacy practices of edge providers, websites and apps, such as Facebook and Twitter. The Federal Trade Commission (FTC) continues to have authority over those entities pursuant to Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce.

Why Were These New Privacy Protections Needed?

In providing access to the Internet, ISPs “collect extensive information about all of their customers, including location, web browsing and app use history, when and with whom they communicate, and even the content of those communications,” as explained by retired FCC Commissioner Michael Copps.  As Copps continues: “In short, nearly everything a consumer does online is visible to his or her ISP. ISPs need some of that information to provide service, but they also can exploit private details for profit, primarily through marketing.”

Partly in recognition of the ISPs’ capability and willingness to monitor, collect, share and monetize vast swathes of users’ personal information—including highly sensitive information belonging to the individual users—for unconsented to purposes extraneous to providing users with an Internet connection, elected officials and consumer protection advocates have been urging the FCC to finalize strong privacy rules applicable in the ISP setting.

This past July, a group of seven Democratic Senators1 led by Senator Ed Markey (D-Mass.) wrote a letter to the FCC urging it to finalize broadband privacy rules after the D.C. Circuit Court upheld the FCC’s 2015 Open Internet Order in United States Telecom Ass’n v. FCC.  The 2015 Open Internet Order, among other things, reclassified broadband Internet access service as a telecommunications service subject to Title II of the Communications Act, including the application and enforcement of Section 222’s privacy protections.

The rules adopted at the FCC’s October Meeting represent the culmination of a rulemaking process following the D.C. Circuit Court’s ruling on the reclassification of broadband as a telecommunications service. This process has involved feedback from multiple stakeholders. 

1The Senators signing the FCC letter urging finalization of the rules included Sens. Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.)—both members of the Commerce, Science and Transportation Committee—and Sens. Al Franken (D-Minn.), Elizabeth Warren (D-Mass.), Patrick Leahy (D-Vt.), Bernie Sanders (I-Vt.) and Tammy Baldwin (D-Wisc.).


Latest News in Privacy & Cybersecurity
Important Disclaimer: The information in this blog post (“post”) is provided to members of the public for general informational purposes only, and contains opinions on general topics. Nothing in this post should be taken as legal counsel, and no attorney-client relationship is created by virtue of reading this webpage or you receiving this post in any form. No information in this post should be construed as legal advice, nor is it intended to be a substitute for legal counsel on any subject matter. The information in this post may or may not reflect the current law in your jurisdiction. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the information recipient’s state, country or other appropriate law licensing jurisdiction. This website contains Attorney Advertising.
Privacy Policy  &   Additional Legal Notices
The opinions and information expressed in this blog are presented as general information only and should not be taken as specific legal advice. This website does not contain any guarantee or warranty regarding the outcome of any legal matter. Scroll down to the bottom of this web page for additional notice and links containing more information.  
December 22, 2016 —Office of U.S. Trade Representative Publishes Proposed Rule Addressing Privacy Rights:  Proposed Rule, issued pursuant to the Privacy Act of 1974, addresses how an individual can find out if a USTR system of records contains information about them and, if so, how the individual can request to access, and correct or amend, a record in the system 

The Privacy Act of 1974 (the “Privacy Act”) requires federal agencies to abide by a code of fair information practices and procedures and mandates safeguards to protect against the unwarranted disclosure of the personally identifiable information contained in systems of records held by federal agencies. The Privacy Act also grants to the individual a degree of access and amendment rights concerning the individual's personally identifiable information held in a federal agency's system of records. In accordance with the Privacy Act, each agency of the Federal government must publish a set of regulations describing its Privacy Act procedures and any systems of records that are exempted

Attorney Advertising

from provisions of the Privacy Act, including the reasons for any such exemptions. 

On December 22, 2016, the Office of the United States Trade Representative (USTR) formally announced a proposed rule that would revise its Privacy Act policies and procedures. The proposed rule describes how individuals can discover whether a USTR system of records contains information about them and, if so, how to access or amend a record. The proposed rule would revise current Privacy Act rule 15 C.F.R. Part 2005 by moving regulations and creating a new subpart C within part 2004. Part 2005 is being reserved, and Part 2004 now contains all of the rules governing the disclosure of USTR records and information.

Comments on the proposed rule [Docket Number USTR-2016-0027] must be received by January 23, 2017. Comments can be submitted through the Federal eRulemaking Portal located at, citing Docket Number USTR-2016-0027.

Background on USTR's Proposed Rule and Updates of its SORNs:

USTR announced that it has undertaken a comprehensive review of its practices related to the collection, use, protection and disclosure of its systems of records and information. As a result of such review, the agency has updated both its implementing rule under the Privacy Act and its system of records. A notice regarding USTR’s updates to its Privacy Act system of records notices (SORNs) can be found at Docket No. USTR-2016-0028, published in the Federal Register.