FCC Proposed Rules That Impact Everyone’s Online Privacy

“Broadband Internet access service” (BIAS) is the essential conduit for the conduct of our daily personal and private lives, without which all Internet activity comes to a stop. Indeed, the Federal Communications Commission recently referred to BIAS as “the most significant communications technology of today.”¹ Nevertheless, because BIAS is the road on which Internet traffic travels, and not the destination, it is largely invisible. Rarely do we consider that Internet service providers (ISPs) that provide BIAS to consumers have extraordinarily broad access “to very sensitive and very personal information that could threaten a person’s financial security, reveal embarrassing or even harmful details of medical history or disclose to prying eyes the intimate details of interest, physical presence and fears.”² As ISPs follow their customer’s Internet voyages, they can (and often do) develop highly individualized profiles of where each user travels and what services are acquired upon arrival at their Internet destinations. Indeed, the ability of ISPs to capture individualized data is far greater than the access enjoyed by “edge providers” such as Internet search engines, e-commerce sites, and streaming video services, but with far less regulation or disclosure of their monitoring activities.

Until now.

The FCC has adopted, by a 3-to-2 vote, a Notice of Proposed Rulemaking (NPRM) (133 pages long, plus more than a dozen pages of commissioners’ statements) that proposes to establish privacy guidelines applicable to ISPs.³ This column explores the FCC’s proposal and some of the most important issues it raises.

General Outline

The NPRM proposes rules implementing the privacy requirements of §222 of the Communications Act for broadband ISPs. The FCC said in a statement that the NPRM proposes rules that would give broadband customers “the tools they need to make informed decisions about how their information is used by their ISPs” and whether and for what purposes their ISPs may share their customers’ information with third parties.⁴ The term “customer” is defined in the NPRM to mean a current or former, paying or non-paying subscriber to broadband Internet access service—as well as an applicant for broadband Internet access service. In other words, it is a definition so broad as to effectively include every individual or business that accesses the Internet.

The NPRM is drafted to enact what it considers the “three core privacy principles” or “three foundations of privacy” that traditionally have driven privacy considerations across a range of industries—that is, transparency, choice, and data security and breach notification. To do so, the NPRM proposes to provide consumers with (1) the information needed to understand what data their ISP is collecting and what it does with that information, (2) the ability to decide how their information is used, and (3) protections against the unauthorized disclosure of their information.

The FCC’s proposal starts with the proposition that a customer’s decision to purchase an ISP’s services manifests “inherent” consent to certain data collection. Thus, customer data necessary to provide broadband services and for marketing the type of broadband service purchased by a customer—and for certain other purposes consistent with customer expectations, such as contacting public safety—would require no additional customer consent beyond the creation of the customer-ISP relationship.

The proposal next provides that ISPs would be allowed to use customer data for the purposes of marketing other communications-related services and to share customer data with their affiliates that provide communications-related services for the purposes of marketing such services unless the customer affirmatively opts out.

Then, the NPRM provides that all other uses and sharing of consumer data would require “express, affirmative ‘opt-in’ consent from customers.”

The Specifics

The NPRM first proposes to define the information that would be protected as customer proprietary information, which would include both “customer proprietary network information” (CPNI) and personally identifiable information (PII) collected by broadband providers through their provision of services.

Under the NPRM, CPNI means “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship” and “information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer or a carrier,” but not “subscriber list information.”

The NPRM proposes that, at a minimum, the following types of information would constitute CPNI in the broadband context:

• service plan information, including type of service (e.g., cable, fiber, or mobile), service tier (e.g., speed), pricing, and capacity (e.g., information pertaining to data caps);
• geo-location (that is, the physical or geographical location of a customer or the customer’s devices or devices);
• media access control (MAC) addresses and other device identifiers;
• source and destination Internet protocol (IP) addresses and domain name information; and
• traffic statistics.

PII would be defined as “any information that is linked or linkable to an individual.” It would include, but not be limited to, the customer’s name, Social Security number, unique government identification numbers (e.g., driver’s license, passport, taxpayer identification), date and place of birth, mother’s maiden name, physical address, email address or other online contact information, phone numbers, MAC addresses or other unique device identifiers, IP addresses, persistent online identifiers (e.g., unique cookies), eponymous and non-eponymous online identities, account numbers and other account information (including account login information), Internet browsing history, traffic statistics, application usage data, current or historical geo-location, financial information (e.g., account numbers, credit or debit card numbers, credit history), shopping records, medical and health information, the fact of a disability and any additional information about a customer’s disability, biometric information, education information, employment information, information relating to family members, race, religion, sexual identity or orientation, other demographic information, and information identifying personally owned property (e.g., license plates, device serial numbers). As should be recognized, the proposed definition of PII is appropriately comprehensive given the value of PII and the harm that could result if PII were accessed for nefarious purposes.

Having defined the private consumer data at issue, the NPRM next applies the “three foundations of privacy”—transparency, choice, and security—to broadband providers’ use of that data.

First, transparency would be achieved by ISPs disclosing:

• what customer information they collect and for what purposes;
• what customer information they share and with what types of entities; and
• how, and to what extent, customers can opt in or opt out of use and sharing of their personal information.

Then, the NPRM explains that consumers “must be empowered to decide how broadband providers may use and share their data.” It proposes a tiered approach to choice:

• Approval that is inherent in the creation of the customer-broadband provider relationship. The NPRM proposes rules that always allow ISPs to use and share customer data to provide broadband services (for example to ensure that a communication destined for a particular person reaches that destination), and for certain other purposes within the context of the ISPs’ relationships with their customers without additional approval from the customer.
• Opt-out approval. The NPRM proposes to allow ISPs or affiliates that provide communications-related services to use customer PI to market other communications-related services subject to opt-out approval of the customer. Under the NPRM, opt-out must be “clearly disclosed, easily used, and continuously available.”
• Opt-in approval. The NPRM also proposes to require ISPs to receive opt-in approval from their customers before sharing customer information with non-communications-related affiliates or third parties or before using customer information themselves (or through their communications-related affiliates) for any purpose outside of those described above. As an example, opt-in approval would be required when a mobile application asks for permission to use geo-location information, contact lists, or photographs on a consumer’s smartphone.

In discussing the final prong, security, the NPRM defines “breach” as any instance in which “a person, without authorization or exceeding authorization, has gained access to, used, or disclosed customer proprietary information.” It proposes that consumers should be able to rely on their broadband provider to take “reasonable steps” to safeguard customer information from unauthorized use, disclosure, or access, a standard whose definition may be elusive for broadband providers and consumers alike. Nevertheless, the NPRM proposes certain definite breach notification terms that may provide predictability that heretofore has been lacking due to the absence of a uniform federal breach notification statute.⁵ For example, the NPRM proposes adoption of a specific trigger as to when notice is needed and the requirement that broadband providers notify affected customers within 10 days of the discovery of a breach that triggers customer notification requirements. The NPRM proposes that the FCC be notified of all data breaches, and that other federal law enforcement be notified of breaches that impact more than 5,000 customers within seven days of discovery of such a breach, and three days before notification to the customer. It allows law enforcement to seek delay of customer notification.

Other Matters

As might be expected in such a lengthy, comprehensive document, the NPRM contains a number of other proposals. For instance, it would require that broadband providers adopt risk management practices, institute personnel training practices, implement strong customer authentication requirements, identify a senior manager responsible for data security, and take responsibility for use and protection of customer information when shared with third parties.

Next Steps

Attorneys and clients are able to comment on the NPRM until May 27, 2016, with reply comments open until June 27, 2016. The FCC is actively seeking comments on dozens and dozens of topics, ranging from whether there are particular types of information (such as Social Security numbers, financial account information, or geo-location information) that deserve special treatment, to whether there are additional or alternative paths “to achieve pro-consumer, pro-privacy goals.” Parties who believe that their interests are affected in one way or another may want to consider commenting before the deadline.

It is important to recognize that the scope of the NPRM is limited to broadband service providers and that it does not apply to the privacy practices of websites and other “edge services” over which the Federal Trade Commission has authority.⁶ Moreover, the NPRM’s scope does not include other services of a broadband provider, such as the operation of a social media website, or issues such as government surveillance, encryption, or law enforcement.

The struggle between the overwhelming usefulness and importance of the Internet for businesses and individuals, on the one hand, and privacy concerns, on the other, continues unabated, as this column frequently has observed in a variety of contexts.⁷ The NPRM draws stark attention to the fact that privacy concerns abound each time we access any technology that is connected to the Internet. The NPRM, if adopted, will address consumers’ rights to have notice, choice, and security when it comes to the use of private information by broadband providers.

Endnotes:

1. See Federal Communications Commission, Notice of Proposed Rulemaking, Released April 1, 2016, at 2, available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0401/FCC-16-39A1.pdf.

2. Id. at 3.

3. Id.

4. See Press Release, “FCC Proposes to Give Broadband Consumers Increased Choice, Transparency and Security for Their Personal Data,” March 31, 2016, available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0404/DOC-338679A1.pdf.

5. At the present time, data breach notification and response is governed by a patchwork of industry-specific federal regulations, such as under the Health Insurance Portability and Accountability Act (HIPPA) and the Gramm-Leach-Bliley Act, and the varying breach statutes enacted by 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. See http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.

6. The FTC continues to be active in the privacy realm. See e.g., FTC Memorandum of Understanding with Canadian Agency to Strengthen Cooperation on Do Not Call, Spam Enforcement, available at https://www.ftc.gov/system/files/documents/cooperation_agreements/032416crtcmou2.pdf. It also recently announced a second “PrivacyCon” event to be held on Jan. 12, 2017.

7. See, e.g., Shari Claire Lewis, “The EU-U.S. Data Protection Dispute and Possible Resolution,” NYLJ, Feb. 18, 2016; “Standing to Assert Claims for Online Privacy Breaches,” NYLJ, Dec. 15, 2015; “Fifth Amendment Does Not Extend to ‘Digital Person,'” NYLJ, Oct. 20, 2015; “Circuit Clarifies Time Limit for Computer Hacking Suits,” NYLJ, Aug. 18, 2015.

Reprinted with permission from the April 19, 2016 issue of the New York Law Journal.  All rights reserved.