As expected, the Federal Communications Commission (FCC) has handed down sweeping new privacy and security rules for Internet service providers (ISPs). On Thursday, October 27, 2016, a sharply divided commission voted to enact these new rules, which impose strict new requirements for ISPs’ collection, use, sharing, and protection of their customers’ information, including information ISPs receive about their customers’ geolocation and online activities.
Consequently, ISPs will soon be subject to heightened notice and consent requirements for activities such as behavioral advertising and other online tracking, as well as more robust security and data breach notification obligations. Up until now, there have not been specific FCC privacy rules that govern ISPs’ handling of such data. ISPs and members of the online advertising industry objected strenuously to numerous aspects of the FCC’s proposed rules, including the FCC’s classification of web browsing behavior as sensitive information subject to opt-in consent, an approach at odds with that of the Federal Trade Commission (FTC), the nation’s primary regulator of commercial privacy and security interests. Ultimately, the FCC waved off those objections in adopting its final rules.
The FCC’s action today represents the culmination of a rulemaking process that the FCC initiated in 2015. At that time, as part of the Open Internet Order, the FCC made the decision to apply the privacy requirements of Section 222 of the Communications Act—which had previously only governed telephone services—to the world of broadband. The FCC adopted a Notice of Proposed Rulemaking (NPRM) in March 2016 to address a host of questions regarding how Section 222 applies to broadband providers. On October 6, 2016, FCC Chairman Tom Wheeler circulated to his fellow commissioners a proposed Order, which was approved earlier today by a 3-2 vote. The final Order has not yet been released.
This WSGR Alert briefly summarizes the aspects of the FCC’s decision that we believe will be of the greatest significance to our clients.
Notice and Choice
The core privacy requirement of the new rules is that ISPs must provide notice and obtain consent from their customers, including current or former subscribers and applicants, in order to use and share certain information. When a customer signs up for a service, ISPs must:
- notify customers about what types of information the ISP collects about its customers;
- specify how and for what purposes the ISP uses and shares this information; and
- identify the types of entities with which the ISP shares this information.
The new rules direct the FCC’s Consumer Advisory Committee (CAC) to develop a standardized privacy notice format that is voluntary and would serve as a “safe harbor” for those providers who choose to adopt it.
As noted above, one of the most notable aspects of the FCC’s decision, and the one that attracted perhaps the most criticism from ISPs and the advertising industry, is the requirement that ISPs must obtain customers’ opt-in consent for the use and sharing of a broad swath of information that the FCC has labeled as “sensitive.” Such information includes the following:
- Precise geo-location (typically the real-world location of a mobile phone or device)
- Children’s information
- Health information
- Financial information
- Social Security numbers
- Web browsing history
- App usage history
- The content of communications
This broad definition represents an expansion of the concept of “sensitive data,” as some of the elements—most notably web browsing history and app usage history—have not been commonly viewed as sensitive by regulators. Although the FCC’s fact sheet states that the FCC’s treatment of sensitive information is in line with the approach taken by FTC, critics have pointed out that the FTC has never viewed web browsing behavior as categorically sensitive.
The new rules call for opt-out consent for the use and sharing of all other individually identifying customer information, which is considered non-sensitive. In addition, ISPs may infer customer consent for certain uses, such as providing and marketing broadband services, billing and collection, and preventing fraud on the provider’s network.
Recognizing that de-identified data poses fewer privacy concerns than identifiable customer data, the FCC carved out an exception to the opt-in and opt-out requirements for such data. ISPs may thus use and share de-identified data without customer consent. The FCC describes de-identified data as “data that have been altered so they are no longer associated with individual consumers or devices.”
“Take It or Leave It” Offers Prohibited
“Pay for Privacy” Permitted
The new rules allow for “pay for privacy” offerings; that is, ISPs can offer discounts or other incentives in exchange for a consumer’s express affirmative consent to the use and sharing of information. However, the FCC explained that because it views such offers as raising unique considerations, the rules require heightened disclosure for such plans, and it will determine on a case-by-case basis the legitimacy of each such plan. The FCC emphasized that consumers should not be “forced to choose between paying inflated prices and maintaining their privacy.” How the FCC will evaluate such proposals on a case-by-case basis to ensure competitive fairness and ample choices for consumers remains to be seen.
Consistent with FTC data security requirements and the NIST cybersecurity framework, the new rules require ISPs to take “reasonable measures” to protect customer data. The rules require that an ISP’s security practices be appropriately calibrated to the nature and scope of its activities, the sensitivity of the underlying data, the size of the ISP, and technical feasibility. Consistent with other security regulations, the FCC does not provide a prescriptive checklist of required data security requirements or activities. Rather, it provides guidelines about steps ISPs should consider taking to implement reasonable security practices, such as:
- implementing up-to-date and relevant industry best practices, including available guidance on how to responsibly manage security risks;
- providing appropriate accountability and oversight of its security practices;
- implementing robust customer authentication tools; and
- properly disposing of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.
Data Breach Notification
The new rules set forth data beach notification requirements for ISPs handling customer data. An ISP must provide notice if it determines that an unauthorized disclosure of customer personal information has occurred, unless the ISP establishes that no harm is reasonably likely to occur.
Specifically, in the event of a reportable breach, ISPs would be required to notify:
- affected customers of breaches of their data as soon as possible, but no later than 30 days after reasonable determination of a breach;
- the FCC, the Federal Bureau of Investigation, and the U.S. Secret Service of breaches affecting 5,000 or more customers no later than seven business days after reasonable determination of a breach; and
- the FCC at the same time as customers are first notified of breaches affecting fewer than 5,000 customers.
It remains to be seen what types of personal information will trigger the notification requirements. If the final Order adopts a broad definition of personal information that encompasses data such as geolocation data and web browsing activities associated with device identifiers, this provision would represent a substantial broadening of data breach notification requirements.
Harmonization of Broadband and Voice Rules
The new rules also apply to an ISP’s voice services and treat call-detail record information as sensitive information in the context of voice services. The FCC explained that it chose to harmonize the privacy and security rules that apply to broadband and voice services in order to provide consistent privacy and security protection for all telecommunications services.
In addition to reaffirming the right of broadband and voice customers to use the FCC’s informal dispute resolution process, the commission raised a significant new issue by expressing concern about the impact on consumers of the use of mandatory arbitration agreements, which have become an increasingly common way for companies to reduce litigation risk. The FCC announced that it intends to proceed with a rulemaking in February 2017 to address mandatory arbitration requirements in contracts for communications services.
The new data security requirements will go into effect 90 days after publication of the summary of the Order in the Federal Register. The data breach notification requirements will become effective approximately six months after publication of the summary of the Order in the Federal Register. The Notice and Choice requirements will become effective approximately 12 months after publication of the summary of the Order in the Federal Register. Small providers will have an additional 12 months to comply.
Wilson Sonsini Goodrich & Rosati – a member of the EACCNY