Last Friday, the Federal Communications Commission (“FCC”) released its much-anticipated Notice of Proposed Rulemaking (NPRM) setting forth and seeking comment on proposed rules to govern the privacy practices of broadband internet access service providers (BIAS providers). Among other things, the NPRM outlines the FCC’s proposed rules for broadband privacy policies, the level of customer approval required to use and share customer proprietary information, data security requirements, and data breach notification requirements. Comments are due May 27, 2016, and Reply Comments are due June 27, 2016.
Broadband Privacy Policies. The NPRM proposes rules requiring broadband providers to issue privacy policies that include information about what customer information the BIAS provider collects and for what purposes; what customer information the BIAS provider shares and with what types of entities; and how, and to what extent, customers can opt in or opt out of use and sharing of their personal information.
Consumer Approval for Use of Customer Proprietary Information. The NPRM proposes to refer to the category of customer data its rules cover as “Customer Proprietary Information,” or “Customer PI.” Customer PI consists of (1) Customer Proprietary Network Information (CPNI) and (2) personally identifiable information (PII). CPNI would be defined as “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship,” and PII would be defined as any information that is “linked” or “linkable” to an individual.
The NPRM proposes that the type of customer approval required to use customer proprietary information (customer PI) depend on the service at issue. Accordingly, it offers a three-tiered approach to govern the use and sharing of customer PI:
- Approval Inherent in the Customer-Broadband Provider Relationship: Under the proposed rules, BIAS providers may, without additional approval from the customer, use and share customer data in order to provide broadband services (for example, to ensure that a communication destined for a particular person reaches that destination), and for certain other purposes that make sense within the context of the broadband providers’ relationships with their customers.
- Opt-Out Approval: BIAS providers may also use customer PI to market other communications-related services, subject to opt-out approval of the customer. Opt-out must be clearly disclosed, easily used, and continuously available. The NPRM seeks comment on how to define “communications-related service,” but as proposed, communications-related services would not include edge services offered by the broadband provider.
- Opt-In Approval: The proposed rules would require that BIAS providers obtain opt-in approval before sharing customer information with non-communications-related affiliates or third parties or before using customer information themselves (or through their communications-related affiliates) for all other purposes.
Data Security. The proposed rules would require BIAS providers to protect the security and confidentiality of all customer PI from unauthorized uses or disclosures by adopting security practices calibrated to the nature and scope of the BIAS provider’s activities, the sensitivity of the underlying data, and technical feasibility. Specifically, the NPRM proposes to require BIAS providers to, at a minimum, adopt risk management practices, institute personnel training practices, adopt customer authentication requirements, identify a senior manager responsible for data security, and assume accountability for the use and protection of customer PI when shared with third parties. In addition, the NPRM seeks comment on whether the FCC should also adopt data minimization, retention, and destruction standards. It also seeks comment on whether to harmonize the data security requirements for BIAS providers with those for voice providers, and whether to adopt harmonized data security requirements for cable and satellite providers.
Data Breach Notification. In the event of a breach, the NPRM proposes that a BIAS provider must:
- notify affected customers of breaches no later than 10 days after the discovery of the breach, subject to law enforcement needs;
- notify the FCC of any breach no later than 7 days after discovery of the breach; and
- notify the Federal Bureau of Investigation and the U.S. Secret Service of breaches reasonably believed to relate to more than 5,000 customers no later than 7 days after discovery of the breach, and at least 3 days before notification to customers.
Additional Related Issues. The NPRM also seeks comment on a variety of issues related to its proposed rules, including whether there are certain BIAS provider practices implicating privacy that the FCC’s rules should prohibit, or to which the FCC should apply heightened notice and choice requirements; whether the FCC’s current informal complaint resolution process for alleged violations of the Communications Act is sufficient to address customer concerns in the broadband privacy context; whether and how the FCC should incorporate other proposed frameworks and recommendations into its rules; and whether there are specific ways the FCC should incorporate multi-stakeholder processes into its proposed approach to protecting the privacy of customer PI.