Today, the Federal Communications Commission (FCC) issued a fact sheet summarizing rules Chairman Tom Wheeler is proposing to regulate the privacy practices of broadband Internet Service Providers (ISPs). Chairman Wheeler also will be circulating today to other FCC commissioners a draft Notice of Proposed Rulemaking (NPRM), which fully sets forth the proposed rules. That NPRM will not be available to the public until the FCC votes to adopt it at the FCC’s next open meeting on March 31st. In the meantime, the fact sheet provides a high-level overview of the NPRM’s proposed approach.
The Rules Will Be Based on Familiar Privacy Principles and Apply To Only ISPs. The fact sheet notes that Chairman Wheeler’s proposal is built on three familiar core principles of privacy: choice, transparency, and security. The fact sheet also clarifies that the proposed rules will apply only to ISPs and not to websites or applications, over which the Federal Trade Commission has authority.
The Level of Required Consent Will Depend on the Service at Issue. To enable consumers to make choices about how to protect their information, the proposed rules will separate the use and sharing of information into three categories:
- Consent inherent in the customer’s decision to purchase ISP services: Under the proposed rules, ISPs will not need consent to use a customer’s data in ways necessary to deliver broadband service (for example, for billing, collection, and usage alerts purposes) because consent to such use is presumed in the customer’s decision to purchase broadband service.
- Opt-Out Consent: ISPs also will be able to use a customer’s data to market “other communications-related services” to that customer, subject to an opt-out requirement. What constitutes an “other communications-related service” is not yet clear.
- Opt-In Consent: All other uses of customer data by ISPs, however, would require an affirmative opt-in from customers.
ISPs Will Be Subject to Data Security Requirements That Track Existing FTC Best Practices. The proposed rules will require ISPs to “take reasonable steps” to safeguard subscriber data from unauthorized use or disclosure. This will require, at a minimum, for ISPs to “adopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties.”
ISPs Will Be Subject to Data Breach Reporting Requirements. The proposed rules will require ISPs to report data breaches to the FCC and to law enforcement within seven days, and to affected customers within 10 days. The reporting obligation to law enforcement will apply only for breaches affecting more than 5000 subscribers. These requirements are similar to the breach reporting requirements in place today for voice service.
The fact sheet stressed that the approach to regulating privacy set out in the NPRM “isn’t about prohibition; it’s about permission.” The fact sheet notes that although the NPRM will offer a well-formed proposal for final rules, it also will seek comment on additional or alternative paths for achieving pro-consumer, pro-privacy goals. The comment cycle will begin after the NPRM is adopted on March 31 and then published in the Federal Register.