FCC Proposes a Wide-Ranging Privacy Framework for Broadband ISP Customer Data

In a highly anticipated action, the Federal Communications Commission voted along party lines on March 31 to adopt a Notice of Proposed Rulemaking (Notice) seeking comment on a range of privacy guidelines for broadband Internet Service Providers (ISPs). FCC Chairman Wheeler and Commissioners Clyburn and Rosenworcel each voted to adopt the Notice, while Commissioners Pai and O’Rielly dissented.

The text of the Notice has not yet been released. According to the News Release, the proposals presented in the Notice are meant to ensure that broadband customers have meaningful choice, greater transparency and security protections for the personal information that is collected by their ISPs. The legal basis cited as authority for establishing broadband ISP-only rules is the privacy requirements of Section 222 of the Communications Act. The Notice’s analytical framework reportedly separates the use and sharing of customer information into three categories, each of which, if adopted, would contain different and specific guidance about managing choice and security requirements for customers’ personal information. According to the News Release, the three categories are:

  1. Consent Inherent in Customer Decision to Purchase ISP’s Services: This is customer data necessary to provide broadband services and for marketing the type of broadband service purchased by a customer.  It would also include data used for other purposes consistent with customer expectations, such as contacting public safety.  According to the News Release, the Notice proposes that data in this category would require no additional customer consent beyond the creation of the customer-ISP relationship.
  2. Opt-out: Broadband providers collect a range of customer data in the course of a provider-customer relationship. The News Release indicates that the Notice will propose that, for the purposes of marketing “other communications-related services” and of sharing customer data with affiliates that provide communications-related services so that they can market such services, that data can be used and shared internal to the provider’s organization unless the customer affirmatively opts out of allowing this sharing.
  3. Opt-in: The News Release explains that the Notice will propose that any and all other potential marketing, advertising or use or sharing of consumer data would require that the broadband ISP customer provide affirmative, express “opt-in” consent to third-party uses and data sharing.

Beyond creating categories and baseline requirements for customer data, the Notice apparently asks over 500 wide-ranging questions about how broadband ISPs are to go about implementing customer preferences, including framing questions about the scope of transparency requirements, about “persistent” notice of what information is being collected, used and shared with third parties, and about how customers can readily change their privacy preferences. According to the News Release, the Notice also delves into a wide range of inquiries about network data security requirements, appropriate risk management practices, personnel training practices, implementation of robust customer authentication requirements, and, among other things, rules of the road for use and protection of customer information when a broadband ISP chooses to share customer data with third parties, presumably after the customer has given consent. Recognizing that data breaches are nearly impossible to prevent, the Notice reportedly seeks comment on baseline notification requirements that would be designed to encourage ISPs to do the best possible job of protecting the confidentiality of customer data. This would include a sector-specific set of requirements on how broadband ISPs are to give consumers and law enforcement notice of breaches.

The News Release concludes by indicating that the Notice is tailored to apply only to broadband service providers and not to the privacy practices of web sites and other “edge services” over which the Federal Trade Commission (FTC) has authority. While the Notice will apparently not include the other services a broadband provider may offer customers, such as the operation of a social media website, given the sheer number of questions posed and the structure of the framework for data privacy already outlined, there is little question that nearly every practice or operation of a broadband ISP will uniquely have to be examined from top to bottom if the framework is ultimately adopted by the FCC as proposed.

Each of the Democratic Commissioners stressed the “limited scope” of the proceeding while acknowledging the complexity of the issues teed up for comment. Commissioner Rosenworcel, for example, expressed the hope that, as the process progresses, “we think about how consumers can better understand the way their data is collected, what rules apply, and how they can protect themselves. I believe doing this well requires harmonization—within the Communications Act—and with other federal partners with privacy interests. Because in the broadband age, consumers should not have to be network engineers to understand who is collecting their data and they should not have to be lawyers to determine if their information is protected.”

As noted, the text of the Notice has not yet been released, nor have the Republican Commissioners’ dissenting statements. However, it is plain from the views they expressed while the Notice draft was on circulation that they do not believe it to be prudent for the FCC to attempt to fashion rules just for broadband ISP customer data, preferring instead that the FTC maintain its data privacy role in this sphere as in others.