FCC Issues Proposed Privacy Rules Applicable to Broadband Internet Service Providers
We continue to witness tension between businesses and consumers as the latter battle to keep their personal information from being used without permission. The government stands in the middle of these two interests, pressured by both to take a position. On March 7, 2016, the Federal Communications Commission (FCC) reached an agreement with Verizon Communications, Inc., to pay a $1.35 million fine and enter a three-year consent decree that will restrict how it sends data about “supercookies” from more than 100 million users.
Following that action, the FCC announced that it has issued proposed privacy rules which, if adopted, would apply to broadband Internet Service Providers. The rules generally would require broadband providers to disclose how customer data is used, take steps to protect customer information, and to disclose a data breach to customers within ten days of its discovery. The proposed rules are designed to level the playing field between broadband providers and telephone networks, which have been forced to comply with similar rules for decades.
According to the FCC, the privacy rules are based on the three principles of “choice, transparency, and security” and are designed to give consumers better control over the use of their personal information by broadband providers. To that end, the rules would require affirmative opt-in consent from a consumer for use or sharing of any data that is not collected specifically for the purposes of providing the broadband service.
With respect to taking “reasonable steps” to protect customer data, broadband providers will be required to adopt risk management practices and strong authentication requirements. In addition to notifying customers within ten days of the discovery of a data breach, an affected broadband provider would also have to inform the FCC within seven days of the discovery. The proposal will be voted on by the full FCC at its March 31 meeting.
As noted, these are only proposed rules and regulations, which have yet to be adopted by the FCC. They also, as the FCC stressed, will not apply to websites, over which the Federal Trade Commission has regulatory authority, but only to Internet Service Providers. However, any company which provides broadband service should start preparing to comply with enhanced privacy rules, as the FCC will likely adopt some version of these regulations. In particular, affected entities should begin evaluating the ways in which customer data is used, and specifically separating those uses that are integral parts of providing the service from those which are not. Uses falling into the latter category will need to be evaluated and, if they are to continue, a procedure for obtaining opt-in consent from customers should be developed.
In light of the recent efforts by the European Union to influence United States businesses in how they protect consumer data (see European Commission Announces Forthcoming EU-US Privacy Shield Agreement; The Judicial Redress Act - A Step Closer Toward the Privacy Shield?), it will be interesting to watch if the FCC actions reflect an aggressive stance on the part of the US government to protect consumer data.
For questions or additional information on this matter, please contact Jay Shapiro (shapiroj@whiteandwilliams.com; 212.714.3063), Joshua Mooney (mooneyj@whiteandwilliams.com; 215.864.6345), Michael Jervis (jervism@whiteandwilliams.com; 215.864.7042) or another member of our Cyber Law and Data Protection Group.