As we reported last month, the FCC was preparing a notice of proposed rulemaking (NPRM) to establish privacy and data security requirements for broadband internet access service (BIAS) providers. The FCC has now released that proposal, with comments and reply comments due May 27th and June 27th, respectively.
The brief background to this proposal is that in 2015, the FCC adopted net neutrality rules in its Open Internet Order, which reclassified BIAS as a common carrier telecommunications service subject to regulation under Title II of the Communications Act. The Commission determined that, as a consequence of reclassification, Section 222 of the Communications Act, which is part of Title II, would now apply to BIAS providers. Section 222 regulates a telecommunications carrier’s use and disclosure of Customer Proprietary Network Information (“CPNI”), which includes information related to the quantity, location, and amount of use of a telecommunications service. The FCC concluded in the Open Internet Order that its existing rules implementing Section 222 were telephone-centric and ill-suited to BIAS, and so chose to forbear from applying those rules to ISPs. With this latest release, the FCC is proposing a new set of rules implementing Section 222 that would apply to BIAS providers.
Our prior post gave a broad overview of the FCC’s proposal. In light of the proposal’s release, we can now flesh that out with some additional details:
Scope of Data Covered. The NPRM proposes to expand the types of data that are subject to FCC oversight and regulation. The NPRM builds off the 2014 TerraCom/YourTel Order, in which the FCC ruled that Section 222(a) of the Communications Act serves as an independent grant of authority to the Commission to police data privacy and security, separate from the CPNI protections addressed throughout the rest of Section 222. Here, the FCC uses Section 222(a) to create a new category of data called “Customer Proprietary Information” (Customer PI), of which (1) CPNI and (2) Personally Identifiable Information (PII) are subsets, both of which would be subject to FCC rules restricting their use and disclosure.
The FCC proposes to redefine CPNI from its telephone-centric origins “to include any information falling within [certain categories] that the BIAS provider collects or accesses in connection with the provision of BIAS.” Those categories include, for example, service plan information, device identifiers, IP addresses, and domain names.
PII would be regulated along with CPNI pursuant to Section 222(a). PII would be defined as “any information that is linked or linkable to an individual” and would include at least 30 different types of data, including name, address, Social Security number, browsing history, religion, and race.
Customer Notice and Approvals for Use and Disclosure. The NPRM proposes requiring BIAS providers to provide customers with clear and conspicuous notice of their privacy practices at the point of sale and prior to their purchase of BIAS. The FCC proposes specific content that must be contained within this notice. Customers must also be given advance notice of material changes to BIAS providers’ privacy policies.
Use of Customer PI (whether CPNI or PII) as necessary to provide broadband services (such as billing) and to market the same types of broadband services the customer already purchases (such as a larger data plan) would not require additional customer consent. Customer data could be used by broadband providers to market other “communications-related services,” and could be shared with their affiliates that provide other communications-related services for marketing such services, so long as the provider offers the customer an opportunity to opt out. Any other use or sharing of customer data would require “express, affirmative opt-in consent.”
The proposed rules include provisions detailing how providers should solicit opt-ins or opt-outs, mandating that customer choices be implemented promptly, and requiring that records of compliance with these rules be kept for one year.
Aggregate Data. The NPRM proposes to allow BIAS providers to use, disclose, and permit access to aggregate Customer PI (collective CPNI and PII that have been de-identified) subject to certain conditions. Those conditions include, among other things, that the BIAS provider not attempt to re-identify the data and that it contractually prohibit any entity to which it discloses aggregate data from attempting to re-identify the data.
Data Security and Breach Notification. Broadband providers would be required to safeguard Customer PI from unauthorized use or disclosure. Specific safeguards that the FCC proposes to enshrine in its rules include adoption of risk management practices, employee training, customer authentication requirements, the appointment of a senior manager to oversee privacy, and assuming responsibility for the data practices of third parties with which a provider shares Customer PI. Broadband providers would also be required to notify customers, the FCC, and potentially the FBI and Secret Service of breaches involving Customer PI within 7 to 10 days of discovery.