On November 2, 2016, the Federal Communications Commission (“FCC”) published a Report and Order entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (“Order”) as a final rule in the Federal Register. The Order applies the privacy requirements of the Communications Act of 1934 as amended (“Act”) to broadband Internet access service (BIAS) and other telecommunications carriers.
on January 3, 2017, several ISPs and cable associations including The Internet and Television Association (NCTA) and the US Telecom Association (USTA) filed Petitions for Reconsideration requesting the Commission to significantly modify the Order.
What is the Order about?
Scope. The Order provides guidance for both broadband Internet Service Providers (ISPs) and their customers about the transparency, choice and security requirements for customers’ proprietary information (“Customer PI”).
The Order includes under Customer PI three types of information: (1) individually identifiable Customer Proprietary Network Information (CPNI), such as broadband service plans, geo-location, IP address and domain name identifiers; (2) personally identifiable information (PII), including “any information that is linked or reasonably linkable to an individual or device”, such as web browsing history, app usage history, and (3) content of communications, including “any part of the substance, purport or meaning of a communication or any other part of a communications that is highly suggestive” of the same.
The Order does not regulate (i) the privacy practices of websites or apps, like Twitter or Facebook, over which the Federal Trade Commission (FTC) has authority; (ii) other services of broadband providers, such as operation of a social media website; (iii) issues such as government surveillance, encryption, or law enforcement.
Requirements. The Order provides for:
- opt-in. ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, children’s information, social security numbers, web browsing history, app usage history and the content of communications.
- opt-out. ISPs are allowed to use and share non-sensitive information (e.g., email address or service tier information) unless a customer “opts-out;”
- exceptions to consent requirements. Customer consent is inferred for certain purposes specified in the statute, such as broadband service or billing and collection.
In addition, the Order includes:
- transparency requirements that require ISPs to “provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences”;
- a requirement to engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights;
- common-sense data breach notification requirements, data minimization strategies and recommendation to embrace the principle of privacy by design.
Implementation. The data security requirements went into effect on January 3, 2017. See here. Section 64.2005, which addresses data security and requires carriers to take “reasonable measures to protect customer proprietary information from unauthorized use, disclosure or access,” will be effective March 2, 2017.
More on November 2, 2016 Rules Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Docket 16-106 is available at https://www.fcc.gov…
For more information, Francesca Giannoni-Crystal and Federica Romanelli