Cinnamon Mueller Client Updates

 

FCC Adopts NPRM Proposing Broadband Privacy Rules

On April 1, 2016, the FCC released a Notice of Proposed Rulemaking (“NPRM”) proposing new privacy rules for broadband Internet service providers (“ISPs”).  These proposed rules spring from the reclassification of broadband Internet access service as a Title II telecommunications service in the 2015 Open Internet Order and would govern how ISPs collect, use and protect their subscribers’ personal information as well as how they communicate with subscribers about their personal information.  

The NPRM is lengthy and seeks comment on some 500 discrete questions.  This update is intended as a preliminary view into the range of issues covered and potential obligations the FCC is considering imposing at the conclusion of its examination of the record in response to the NPRM. 

Comments are due May 27, 2016.   Reply Comments are due June 27, 2016.

Background

In its 2015 Open Internet Order, the FCC reclassified broadband Internet access service as a Title II telecommunications service, exposing broadband Internet access service to a variety of common carrier obligations under the Communications Act.  This includes Section 222, which imposes a duty on telecommunications carriers to protect their customers’ proprietary information and to use such information only for authorized purposes.  At the same time, the FCC exercised its forbearance authority with respect to broadband privacy requirements to the limited extent of refraining from applying its voice CPNI rules to broadband.  Nonetheless, the FCC noted that the statutory terms of Section 222 would apply.  Accordingly, with this NPRM, the FCC proposes rules that would apply Section 222’s requirements to broadband ISPs.

Summary

The NPRM focuses on three core privacy principles – transparency, choice and security – that the FCC believes underlie the critical steps that the federal government has taken to protect the privacy of many specific forms of data, as well as looking to existing private sector practices.  The proposed regulations will, according to the NPRM, ensure that consumers (i) have the information needed to understand what data the ISP is collecting and what it does with that information, (ii) can decide how their information is used, and (iii) are protected against the unauthorized disclosure of their information.

Customer Proprietary Information.  The NPRM proposes to define the information that would be protected under Section 222 as “customer proprietary information” to include both customer proprietary network information (known as “CPNI”) as established by Section 222(h) and a broader category of personally identifiable information (“PII”) collected by broadband providers through their provision of broadband Internet access service.

At a minimum, the NPRM proposes considering five types of information to constitute CPNI in the broadband context:

  • Service plan information, including type of service (ex: cable), service tier (ex: speed), pricing and capacity (ex: information pertaining to data caps);
  • Geo-location (information related to the physical or geographical location of a customer or the customer’s device(s));
  • MAC addresses and other device identifiers;
  • IP addresses (both source and destination) and domain name information; and
  • Traffic statistics (ex: monthly data consumption, average speeds, or frequency of contact with particular domains and IP addresses).

  

When it comes to PII, the NPRM proposes a broad definition – “any information that is linked or linkable to an individual.”  Some examples of data that would be considered PII: customer names, addresses, birth dates, Social Security Numbers, email addresses, phone numbers, IP and MAC addresses, and financial and employment information.

Transparency.  In recognition of the widespread agreement that companies should inform consumers about their privacy practices, the NPRM proposes rules to enhance the ability of consumers to make informed choices through effective disclosure of broadband providers’ privacy policies.  This would include the obligation to inform consumers about:

  • What customer information they collect and for what purposes;
  • What customer information they share and with what types of entities; and
  • How, and to what extent, customers can opt in or opt out of use and sharing of their personal information.

Choice.  The NPRM focuses on consumer choice because broadband providers, in the FCC’s view, are able to view vast swathes of customer data, including highly sensitive healthcare and financial information.  Thus the NPRM proposes rules aimed at empowering customers to decide the extent to which broadband providers can use and share their proprietary information, while providing guidance to broadband providers about the nature of their privacy obligations.  To this end, the NPRM looks to the framework of best practices for providing consumers with privacy choices that was recommended by the Federal Trade Commission (“FTC”) in its 2012 Privacy Report and proposes to recognize three types of customer approval with respect to use of customer proprietary information, which, as proposed, includes both CPNI and PII.

Approval inherent in the creation of the customer-broadband provider relationship.  Consistent with the Communications Act, the NPRM proposes rules that would allow broadband providers to use and share customer data in order to provide broadband services, and for certain other purposes that make sense within the context of the ISPs’ relationships with their customers, without additional approval from the customer.

Opt-out approval. The NPRM proposes to allow broadband providers (or their affiliates that provide communications-related services) to use customer proprietary information to market other communications-related services subject to opt-out approval of the customer, which must be clearly disclosed, easily used, and continuously available.  As proposed, communications-related services would not include edge services offered by the broadband provider.

Opt-in approval.  The NPRM proposes to require broadband providers to receive opt-in approval from their customers before sharing customer proprietary information with non-communications-related affiliates or third parties or before using customer proprietary information for any other purpose.

Content.  The NPRM recognizes that other federal laws, including Section 705 of the Communications Act, which restricts the unauthorized publication or use of communications, and the Electronic Communications Privacy Act, which specifies standards for law enforcement access to electronic communications and related data, already protect content carried over broadband networks.  Comment is sought regarding whether more protection is needed.

Heightened Protection for Certain Types of Information.  The NPRM also seeks comment on whether there are particular types of information (for example, Social Security numbers) that deserve special treatment.

Data Security and Breach Notification. The NPRM outlines the FCC’s belief that privacy and data security are inexorably linked and proposes that consumers should be able to rely on their broadband ISP to take reasonable steps to safeguard customer information from unauthorized use, disclosure, or access.  Moreover, the NPRM proposes a number of notification requirements on broadband providers in the event of a data breach, including notice to affected customers, the FCC and federal law enforcement.

Notice Requirements.  The NPRM proposes disclosure requirements for ISPs’ privacy and security policies.  The FCC based these proposed notice obligations on its existing CPNI rules, the Section 631 (cable privacy) requirements, the California Online Privacy Protection Act and numerous proposed best practices regimes, including those proposed by the FTC and NTIA.

The proposed disclosure requirements are extensive and contemplate adoption of a highly prescriptive regime for communicating with customers about the broadband ISP’s collection and use of customer proprietary information and providing them a means of opting-in or opting-out of certain uses.  This includes: 

  • Describing the types of customer proprietary information collected, how the ISP uses (and under what circumstances it discloses) each type of PI that it collects, and the categories of entities that will receive the customer proprietary information along with the purposes for which it is used.
  • Advising customers of their opt-in and opt-out rights with respect to their own proprietary information, along with access to a simple, easy-to-access method to provide or withdraw consent.  Such method would need to be persistently available and at no additional cost to the customer.
  • Explaining that a denial of approval to use, disclose, or permit access to customer proprietary information for purposes other than providing broadband Internet access service will not affect the provision of any services to which the customer subscribes.
  • Explaining that any approval, denial, or withdrawal of approval for the use of the customer proprietary information for any purposes other than providing broadband Internet access service is valid until the customer affirmatively revokes such approval or denial.
  • Providing a notice that is comprehensible and not misleading, clearly legible, and displayed in an area so as to be readily apparent to the customer.
  • Making the notice available to prospective customers at the point of sale (prior to purchase), and persistently available via a link on the ISP’s homepage, through the ISP’s mobile application and through a functional equivalent to the ISP’s homepage or mobile application.

Harmonization of Privacy Policies.  Although the NPRM does not propose rules that would harmonize a communication company’s voice, video and broadband privacy notices, it does seek comment on whether the FCC should take this step.  In doing so, the FCC appears to recognize that having different rules governing notice requirements for voice, video and broadband services, when most companies offer bundled services, is not ideal and could be more burdensome than necessary.

 

Potential Small ISP Exceptions.  The NPRM seeks comment on a number of ways to minimize the burden of the proposed privacy rules on small broadband ISPs.  In particular, the NPRM seeks comment on whether there are any small provider-specific exemptions that could be built into the FCC’s proposed approval framework, and whether to exempt providers that collect data from fewer than 5,000 customers a year, provided that they do not share customer data with third parties.

Next Steps 

The categories and proposed rules covered above represent only a small portion of the approximately 500 questions contained in the NPRM.  All broadband ISPs should closely monitor this proceeding and review their privacy policies to ensure compliance with the statutory requirements.

If you have questions about CPNI, cable privacy rules, or your obligations to protect subscriber privacy as a broadband ISP, please contact Barbara Esbin at besbin@cinnamonmueller.com or (202) 872-6811, Bruce Beard at (314) 394-1535 or bbeard@cinnamonmueller.com or Scott Friedman at (312) 372-3930 or sfriedman@cinnamonmueller.com.