April 8, 2016

FCC Proposes Privacy Rules for Broadband Internet Access Service Providers

Arnold & Porter Advisory

On April 1, 2016, the Federal Communications Commission (FCC) released a Notice of Proposed Rulemaking (NPRM) that proposes to establish privacy requirements for broadband Internet access service (BIAS) providers.[1] The FCC states that its proposed regulations would "ensure that consumers (i) have the information needed to understand what data the BIAS provider is collecting and what it does with that information, (ii) can decide how their information is used, and (iii) are protected against the unauthorized disclosure of their information."[2]

The NPRM comes a year after the FCC released its Open Internet Order reclassifying BIAS from an "information service" to a "telecommunications service" subject to Title II of the Communications Act.[3] As with the Open Internet Order, the FCC Commissioners voted on the NPRM along partisan lines, with Chairman Tom Wheeler and Democratic Commissioners Mignon Clyburn and Jessica Rosenworcel voting in favor and the two Republican Commissioners, Ajit Pai and Michael O'Rielly, dissenting. The NPRM is the latest indication of the FCC's heightened interest in privacy enforcement.[4]

Comments on the NPRM are due on or before May 27, 2016, with reply comments due on or before June 27, 2016.

I.   Legal Authority

Whether the FCC has the legal authority to adopt the proposed rules is likely to be a hotly contested issue in the proceeding. The FCC seeks comment on its finding that the proposed rules are authorized under Section 222 of the Communications Act (imposing a duty of privacy on telecommunications carriers). The FCC also seeks comment on its finding that the proposed rules are supported by additional sources of authority, including Sections 201, 202, 705, and Title III of the Communications Act and Section 706 of the Telecommunications Act of 1996.

II.   Providers and Customer Information Subject to the Proposed Rules

The FCC makes clear that the proposed rules would apply to BIAS included within the scope of telecommunications service but would not apply to the provision of non-telecommunications services by broadband providers or to information services by providers at the "edge of the network," such as individual streaming video providers, search engines, social media, or e-commerce websites.[5] Generally, the proposed rules would apply to both mobile and fixed BIAS, although the FCC seeks comment on whether there are mobile-specific issues it should consider in several areas, including privacy notice requirements, certain definitions, and customer opt-in approval for disclosure of certain customer information.

The proposed rules would apply to customer proprietary information (PI), which the FCC proposes to define as "private information that customers have an interest in protecting from public disclosure" and would fall into two categories: "(1) customer proprietary network information (CPNI); and (2) personally identifiable information (PII) the BIAS provider acquires in connection with its provision of BIAS."[6] The FCC proposes to adopt the statutory definition of CPNI.[7] In the broadband context, the FCC proposes that the definition of CPNI cover, at a minimum: "(1) service plan information, including type of service (e.g., cable, fiber, or mobile), service tier (e.g., speed), pricing, and capacity (e.g., information pertaining to data caps); (2) geo-location; (3) media access control (MAC) addresses and other device identifiers; (4) source and destination Internet Protocol (IP) addresses and domain name information; and (5) traffic statistics."[8] The FCC proposes that PII mean "any information that is linked or linkable to an individual," i.e., "it can be used on its own, in context, or in combination to identify an individual or to logically associate with other information about a specific individual."[9]

III.   Proposed Rules Based on Core Principles of Transparency, Choice, and Security

A.    Privacy Notice Requirements

The FCC proposes the following specific requirements for the disclosure of BIAS providers' privacy policies to customers.[10]

  • The notice would be required to specify and describe the types of customer PI collected and how they are used and disclosed, including the categories of entities that will receive the customer PI and the purposes for which the customer PI will be used by each category of entities.
  • The notice would be required to advise customers of their rights with respect to their PI, including providing customers with a simple, easy-to-access method for providing or withdrawing consent that is persistently available at no additional cost to the customer; explaining that a customer’s denial of approval to use the customer’s PI for purposes other than providing BIAS will not affect the provision of services to the customer; explaining that a customer’s approval, denial, or withdrawal of approval is valid until the customer affirmatively revokes such approval or denial; and explaining that a provider may be compelled to disclose a customer’s PI when required by law.
  • Privacy notices would be made available to prospective customers at the point of sale, prior to the purchase of BIAS, and be made persistently available through a link on the BIAS provider's homepage, the provider's mobile application, and any functional equivalent.
  • A notice of material changes in a BIAS provider’s privacy policy would have to be clearly and conspicuously provided through (1) email or another electronic means of communication; (2) customers' bills for BIAS; and (3) a link on the BIAS provider's homepage, mobile application, and any functional equivalent. The notice would be required to describe a customer's rights with respect to PI, and the steps a customer must take in order to grant or deny access to the customer's PI.
  • Privacy notices and notices of material changes would be required to be comprehensible and not misleading, clearly legible, in large type, displayed in a "readily apparent" area, and completely translated into another language if any portion of the notice is translated into that language.

B.    Consumer Consent

The FCC proposes three categories of consent governing when and how BIAS providers can use or share customer PI.

1. Approval Inherent in Creation of Customer-BIAS Provider Relationship

Customer approval would be implied and BIAS providers would not need consent to use customer PI for the purpose of providing BIAS or services necessary to, or used in the provision of, BIAS, or for marketing additional BIAS offerings to a customer when the customer already subscribes to that category of service from the same BIAS provider.

2. Customer Opt-Out Approval Required for Use of Customer PI for Marketing Other Communications-Related Services

BIAS providers, or their affiliates[11] that provide communications-related services, would be able to use customer PI to market other communications-related services subject to clearly disclosed, easily used, and continuously available customer opt-out approval.[12]

3. Customer Opt-In Approval Required for All Other Purposes

All other uses of customer PI, including sharing customer PI with third parties or non-communications-related affiliates or using customer PI for purposes other than marketing communications-related service, would require a customer's opt-in approval.[13]

For the categories that would require a customer's opt-out or opt-in approval, the FCC proposes rules requiring BIAS providers to, among other things: (1) solicit approval prior to when a BIAS provider first intends to use or disclose a customer’s PI, (2) maintain records documenting the status of customer approval and disclosures to third parties for at least one year, and (3) implement processes to train and supervise personnel on customer PI access.

C.    Security

The FCC proposes a general standard requiring BIAS providers to "protect the security, confidentiality, and integrity of customer PI that such BIAS provider receives, maintains, uses, discloses, or permits access to from any unauthorized uses or disclosures, by adopting security practices appropriately calibrated to the nature and scope of the BIAS provider's activities, the sensitivity of the underlying data, and technical feasibility."[14]

To supplement the general standard, the FCC proposes specific types of practices that BIAS providers would be required to follow to protect against unauthorized use or disclosure of customer PI, including (1) establishing and performing regular risk management assessments and promptly addressing any identified weaknesses; (2) training employees, contractors and affiliates who handle customer PI about the BIAS provider's data security procedures; (3) ensuring due diligence and oversight by designating a senior management official with responsibility for implementing and maintaining the BIAS provider's data security procedures; (4) establishing and using robust customer authentication procedures to grant customers access to their PI; and (5) taking responsibility for the use of customer PI by third parties with whom they share information. The FCC proposes that any security measures employed by a BIAS provider should take into account the nature and scope of the BIAS provider's activities, and the sensitivity of the underlying customer PI.

The FCC also seeks comment on whether it should require mobile BIAS providers to use their contractual relationship with device or OS manufacturers to obtain contractual commitments to safeguard customer data.

The FCC also proposes breach[15] notification requirements under which a BIAS provider would be required to:

1.  notify affected customers within 10 days after the discovery of a breach;
2.  notify the FCC of any breach no later than 7 days after discovery; and
3.  notify the FBI and US Secret Service of breaches impacting more than 5,000 customers no later than 7 days after discovery and at least 3 days before customer notification.

Finally, the FCC proposes to extend its record retention requirements for voice providers to BIAS providers. Currently, voice providers are required to maintain a record of breaches and notifications for a period of at least two years.

IV.   Use and Disclosure of Aggregate Customer Proprietary Information

The FCC proposes to allow BIAS providers to use, disclose, and permit access to aggregate customer PI[16] if the BIAS provider (1) determines that the information is not "reasonably linkable" to a specific person or device; (2) publicly commits to maintain and use the data in a non-individually identifiable manner and to not attempt to re-identify the data; (3) contractually prohibits any entity to which it discloses or permits access to the data from attempting to re-identify the data; and (4) exercises reasonable monitoring to ensure that those contracts are not violated.

V.   Specific Practices That Would Be Prohibited

The FCC seeks comment on whether to restrict certain BIAS provider practices. Specifically, the FCC proposes to prohibit BIAS providers from making service offerings contingent on a customer's waiving privacy rights, and seeks comment on whether other practices, such as offering higher-priced services for heightened privacy protections, using deep packet inspection for purposes other than network management, or using certain technology that tracks consumer Internet activities, should be prohibited or subject to heightened privacy requirements.

VI.   Other Issues

The FCC seeks comment on whether its current informal complaint resolution process would be sufficient to address complaints under the proposed rules; whether BIAS providers should be prohibited from compelling arbitration in contracts with customers; and the FCC's proposal to preempt state laws only to the extent they are inconsistent with the rules adopted by the FCC, without the presumption that more restrictive state requirements are inconsistent with FCC rules.

The FCC also seeks comment on the possible use of other privacy frameworks proposed by various stakeholders, and on whether or how it should incorporate multi-stakeholder processes, such as those utilized by the Department of Commerce, into its proposed approach to broadband privacy.

  1. Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Dkt No. 16-106, Notice of Proposed Rulemaking, FCC 16-39 (rel. Apr. 1, 2016) (NPRM).

  2. Id. ¶ 14.

  3. See Protecting and Promoting the Open Internet, Report and Order on Remand, Declaratory Ruling, and Order, 30 FCC Rcd 5601, 5618 ¶ 59 (2015).

  4. See Arnold & Porter Advisory, FCC Fines Verizon Wireless US$1.35 Million for Use of Tracking Cookies Without Consent (March 2016); Arnold & Porter Advisory, Cox Communications To Pay $595,000 To Settle FCC's First Privacy and Data Security Enforcement Action Against a Cable Operator (November 2015).

  5. The 2015 Open Internet Order defined an edge provider as "[a]ny individual or entity that provides any content, application, or service over the Internet, and any individual or entity that provides a device used for accessing any content, application, or service over the Internet." Open Internet Order at Appendix A, 47 C.F.R. § 8.2(b).

  6. NPRM ¶ 57.

  7. 47 U.S.C. § 222(h)(1) (CPNI means "'information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship' and 'information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer or a carrier,' except that CPNI 'does not include subscriber list information.'").

  8. NPRM ¶ 41.

  9. Id. ¶¶ 60-61. The FCC provided the following “illustrative, non-exhaustive” examples of PII: “name; Social Security number; date and place of birth; mother’s maiden name; unique government identification numbers (e.g., driver’s license, passport, taxpayer identification); physical address; email address or other online contact information; phone numbers; MAC address or other unique device identifiers; IP addresses; persistent online identifiers (e.g., unique cookies); eponymous and non-eponymous online identities; account numbers and other account information, including account login information; Internet browsing history; traffic statistics; application usage data; current or historical geo-location; financial information (e.g., account numbers, credit or debit card numbers, credit history); shopping records; medical and health information; the fact of a disability and any additional information about a customer's disability; biometric information; education information; employment information; information relating to family members; race; religion; sexual identity or orientation; other demographic information; and information identifying personally owned property (e.g., license plates, device serial numbers).” Id. ¶ 62.

  10. The FCC proposes to define “customer” to mean “1) a current or former, paying or non-paying subscriber to broadband Internet access service; and 2) an applicant for broadband Internet access service.” Id. ¶ 31.

  11. The FCC seeks comment on whether to define "affiliate" as it is defined in the Communications Act of 1934, as amended, and the FCC’s current rules, i.e., “‘a person that (directly or indirectly) owns or controls, is owned or controlled by, or is under common ownership or control with, another person,’ where the term "own" is defined to mean ‘to own an equity interest (or the equivalent thereof) of more than 10 percent.’” Id. ¶ 30 (quoting 47 U.S.C. § 153(2)).

  12. The FCC proposes to define "opt-out approval" as "a method for obtaining customer consent to use, disclose, or permit access to the customer's proprietary information in which a customer is deemed to have consented to the use, disclosure, or access to the customer's covered information if the customer has failed to object thereto after the customer is provided appropriate notification of the BIAS provider's request for consent consistent with" the proposed rules. Id. ¶ 68.

  13. The FCC proposes to define "opt-in approval" as "a method for obtaining customer consent to use, disclose, or permit access to the customer's proprietary information that requires that the BIAS provider obtain from the customer affirmative, express consent allowing the requested usage, disclosure, or access to the covered information after the customer is provided appropriate notification of the provider's request consistent with the requirements set forth [in the proposed rules] and before any use of, disclosure of, or access to such information." Id. ¶ 69.

  14. Id. ¶ 170.

  15. The FCC proposes to define "breach" to mean any instance in which a "'person without authorization or exceeding authorization, has gained access to, used, or disclosed customer proprietary information.'" Id. ¶ 75.

  16. The FCC proposes to define "aggregate customer proprietary information" as "collective data that relates to a group or category of services or customers, from which individual customer identities and characteristics have been removed." Id. ¶ 74.
