On May 20, 2015, the Federal Communications Commission (“FCC”) released an Enforcement Advisory[1] notifying providers that the agency’s recent Open Internet Order “applies the core customer privacy protections of Section 222 of the Communications Act” – which requires that providers “shall only use, disclose, or permit access to individually identifiable customer proprietary network information” in the provision of services[2] – to broadband Internet access providers. Accordingly, as of June 12, 2015, and absent a judicial stay order, broadband providers will be subject to expanded requirements aimed at protecting consumer privacy and restricting the use of customer data.
While the announcement of new and expanded privacy and data protection requirements comes as no surprise in light of the Order, the FCC’s “guidance” as to how it intends to enforce Section 222 in the broadband context indicates that providers should ready their privacy and data protection programs for increased scrutiny from the agency. Between the effective date of the Order and more formal agency action to enforce Section 222 against broadband providers, “the Enforcement Bureau intends to focus on whether broadband providers are taking reasonable, good-faith steps to comply with Section 222, rather than focusing on technical details.” Enforcement Advisory at 2. The Commission further noted that “broadband providers should employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections.” Id. In other words, the Advisory warns broadband providers that they must take appropriate steps to protect consumer privacy in accordance with the dictates of Section 222.
The Advisory concludes with an invitation for broadband providers to request further advisory opinions from the Enforcement Bureau “as to whether their anticipated future course of conduct comports with the Open Internet Order.” Id. Such a request for guidance will “tend to show,” presumably in the event of a subsequent enforcement proceeding, the provider is “acting in good faith.” Id. While the Advisory provides that the “decision of a broadband provider not to seek the Enforcement Bureau’s views will not be relevant to a consideration of reasonableness or good faith,” that may be of cold comfort for providers attempting to navigate the FCC’s newly expanded privacy requirements. Id. at n. 4. When in doubt, or in the absence of a comprehensive consumer privacy and data protection program, providers may be well advised to ask for permission in the form of an advisory opinion from the FCC rather than beg for forgiveness later in an agency enforcement action. The Advisory is a clear indication of the FCC’s commitment to expanded regulation of broadband providers’ privacy and data protection efforts under Title II of the Communications Act and signals a need for providers to brace for additional scrutiny of their privacy policies – even in the absence of additional “technical details” from the agency.
[1] “Enforcement Bureau Guidance: Broadband Providers Should Take Reasonable, Good Faith Steps to Protect Consumer Privacy,” FCC Enforcement Advisory, DA 15-603 (May 20, 2015).
[2] 47 U.S.C. § 222(c)(1).