On March 10, 2016, the Federal Communications Commission (“FCC”) proposed new privacy and data security rules for Internet service providers (“ISPs”) that, if passed, would regulate how ISPs collect, use, share, and protect customers’ data. The notice of proposed rulemaking (“NPRM”) that FCC Chairman Tom Wheeler circulated for consideration by the full Commission is previewed in a three-page fact sheet that sets forth the proposed rules, which are built on the three core principles of choice, transparency, and security.
In order to “provide the tools consumers need to make smart choices about protecting their information—and enforce the broadband provider’s responsibility to do so,” the FCC proposes that ISPs obtain affirmative opt-in consent for the use and sharing of customer data that has not been specifically collected for the purpose of providing broadband Internet related services. However, such opt-in consent would not be necessary in two circumstances. First, ISPs would be permitted to rely solely on the creation of the customer-broadband provider relationship to fulfill their obligation to obtain consent for the use and sharing of customer data to provide broadband services and for marketing the type of broadband service purchased by a customer. “For example, your data can be used to bill you for telecommunications services and [to] ensure your email arrives at its destination,” the fact sheet said. Second, unless the customer affirmatively opts out, broadband providers are permitted to use customer data for the purposes of marketing other communications-related services or to share customer data with their affiliates that provide communications-related services for the purposes of marketing such services.
The Chairman’s proposal would require ISPs to “take reasonable steps to safeguard customer information from unauthorized use or disclosure.” At a minimum, the proposal would require ISPs to “adopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; to identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties.”
The proposed rules would also establish new data breach notification requirements. If the proposal is adopted, ISPs would be required to notify the FCC of any breach of customer data no later than seven (7) days after discovery. In circumstances where the data breach affects more than 5,000 customers, ISPs would have to notify the Federal Bureau of Investigation and the U.S. Secret Service no later than seven (7) days after discovery and affected customers within ten (10) days.
The proposed rules will be considered by the full Commission during its March 31st open meeting. If the proposal is adopted, a period of public comment will follow the open meeting.
Relevant to this FCC NPRM, a team from Alston and Bird released a working paper on online privacy and ISPs on February 29, entitled “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others.” The working paper, which runs to over 120 pages, provides a detailed factual analysis of the current online advertising ecosystem. It notably concludes that, due in large measure to recent technical developments in encryption adoption, ISPs today do not have “comprehensive” access to user information. In addition, comparing ISP and non-ISP access to information about users’ Internet activity, the paper finds that the large amount of data available to non-ISPs means that ISPs do not have “unique” access to user information. The authors, Peter Swire, Justin Hemmings, and Alana Kirkland, have now presented the findings to senior FCC and FTC leadership.