United States: Internet Service Providers Face New Regulatory Environment In The FCC's Privacy And Security Proposal

On March 31, 2016, the Federal Communications Commission (FCC) issued a Notice of Proposed Rulemaking (NPRM) proposing privacy and security regulations for Internet service providers (ISPs). The NPRM, In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, is intended to apply the privacy requirements of the federal Communications Act (Act) to broadband Internet access services (BIAS). The FCC issued the NPRM under authority stemming from the 2015 Open Internet Order, which applies Section 222 of the Act to BIAS providers. The proposal makes some material changes to how the FCC addresses privacy and data security for more traditional telecoms, such as landline phone service providers, while retaining much of the same approach. It redefines customer proprietary information for protection by BIAS providers, institutes opt-in/opt-out provisions for data use, defines and limits the use and sharing of aggregate data, suggests data security standards for BIAS providers, and sets forth a new data breach definition and new notification requirements. Throughout the NPRM, the FCC struggles with whether to require third parties of BIAS providers to follow the same regulations as BIAS providers, such as whether third parties must follow the BIAS providers' breach notification requirements and whether BIAS providers should be held vicariously liable for the privacy failures of third parties. Defining the relationship between BIAS providers and affiliates proves similarly difficult when the FCC discusses data security regulations and limits on the use, sharing, or disclosure of customer proprietary information.

Although the FCC repeatedly references comments and data from the Federal Trade Commission (FTC), its approach to regulating ISPs is an entirely different setup and bears more similarity to the Health Insurance Portability and Accountability Act (HIPAA) than to the FTC's approach to regulating online services. Where the FTC primarily allows online services to follow self-regulatory standards, the FCC expressly states its concern that BIAS providers see a much greater flow of customer PI than other online services such as websites and even edge networks (e.g., Facebook), and that this information is not necessarily provided knowingly or willingly. For these reasons, the FCC is approaching data security and privacy in a more hands-on and detailed manner.

It is worth noting that the Commission was far from unanimous, with Commissioners Pai and O'Rielly dissenting. Commissioner O'Rielly blasted the NPRM, writing in his dissent that regulating only one part of the Internet economy (i.e., ISPs but not edge networks) would "hamstring competition with the largest users of consumer data." In addition, the Commission laid out in the NPRM at least 500 questions on which it seeks input from the industry and the public during the comment period.

The following summary of the potential changes reveals how a sectorial approach to ISPs may saddle them with significantly more burdensome data protection requirements than faced by other online service providers, including Facebook, Google, Uber, and other edge networks. Ultimately, the distinction and its advisability present a public policy question. However, the potential impact on ISPs, particularly regarding their ability to leverage big data for commercial advantage, is immense.

Expanding the Definitions of Customer Proprietary Network Information and Customer Proprietary Information

Customer Proprietary Network Information

The FCC proposes expanding the definition of customer proprietary network information (CPNI), excluding the telephone exchange service or telephone toll service portion of the existing definition and interpreting CPNI to include any information that the BIAS provider collects or accesses in connection with the provision of BIAS. This includes information that a BIAS provider causes to be collected and stored on customer premises equipment (CPE) or other devices, including mobile devices, in order to allow the carrier to collect or access the information. The definition will also include any information a BIAS provider attaches to a customer's Internet traffic if it falls within one of the categories in Section 222(h)(1)(A). In order to provide clarity, the FCC proposes to delineate non-exhaustive examples of types of information that would be considered CPNI in the broadband context. Examples of types of information that would constitute CPNI include (1) service plan information, including type of service (e.g., cable, fiber, or mobile); service tier (e.g., speed); pricing; and capacity (e.g., information pertaining to data caps); (2) geolocation; (3) media access control (MAC) addresses and other device identifiers; (4) source and destination Internet protocol (IP) addresses and domain name information; and (5) traffic statistics.

Customer Proprietary Information

The FCC also proposes to define the type of proprietary customer information that telecommunications carriers have to protect pursuant to Section 222(a). Customer proprietary information would include private information that customers have an interest in protecting from public disclosure, and such information would fall into either the CPNI category or the personally identifiable information (PII) category. Together, these categories are "customer PI" and include information the BIAS provider acquires in connection with its provision of BIAS. In defining PII, the FCC draws heavily from other federal regulations and guidance, resulting in a nonexclusive list of PII data elements which, among common elements, also includes mother's maiden name; MAC address or other unique device identifiers; IP addresses; persistent online identifiers; eponymous and non-eponymous online identities; Internet browsing history; traffic statistics; application usage data; current or historical geolocation; and shopping records. PII would also include a BIAS customer's name, postal address, and telephone number, a deviation from the standard treatment of "telephone directory information," as the FCC does not view the current collection standards for that type of information to be similar to the directories of customer information that telephone services maintain and publish.

What Is a Communications-Related Service?

The FCC seeks comment regarding the definition of "communications-related services" for allowing BIAS providers to use customer PI to market communications-related services to subscribers and to disclose customer PI to their communications-related affiliates for the purpose of marketing communications-related services subject to opt-out approval.

Notice of Privacy Policy

Under the proposed regulations, BIAS providers must notify customers of their privacy practices in a clear and conspicuous manner at the point of sale and on an ongoing basis through a link on the provider's home page, mobile application, and any functional equivalent. BIAS providers will be required to:

  • Provide a notice of their privacy practices that will specify and describe types of customer PI collected by virtue of its provision of broadband service; of how the BIAS provider uses, and under what circumstances it discloses, each type of customer PI it collects; and the categories of entities that will receive customer PI from the BIAS provider and the purposes for which the customer PI will be used by each category of entities;
  • Advise customers of their opt-in and opt-out rights with respect to their own PI, and provide access to a simple, easy-to-access method for customers to provide or withdraw consent to use, disclose, or provide access to customer PI for purposes other than the provision of broadband services through a method that is persistently available and at no additional cost to the customer;
  • Explain that a denial of approval to use, disclose, or permit access to customer PI for purposes other than providing BIAS will not affect the provision of any services to which the customer subscribes, except for a brief description in clear and neutral language describing any consequences directly resulting from the lack of access to the customer PI; and
  • Explain that any approval, denial, or withdrawal of approval for the use of customer PI for any purposes other than providing BIAS is valid until the customer affirmatively revokes such approval or denial, and inform the customer of his or her right to deny or withdraw access to such PI at any time. The notification must also explain that the provider may be compelled to disclose a customer's PI when other laws provide for such disclosure.

The notification must be comprehensible and not misleading, clearly legible in sufficiently large type, displayed in an area so as to be readily apparent to the customer, and completely translated into another language if any portion of the notice is translated into that language. In addition to these requirements, the FCC seeks comment on whether to adopt a provision similar to California's Shine the Light law, which requires businesses, upon request, to provide to their customers, free of charge and within 30 days, (1) a list of categories of personal information disclosed by the business to third parties for the third parties' marketing purposes; (2) the names and addresses of all the third parties that received personal information from the business in the preceding calendar year; and (3) if the nature of the third parties' businesses cannot be reasonably determined from the third parties' names, examples of the products or services marketed by the third party. See Cal. Civ. Code §1798.83.

In order to ease the burden on both customers and BIAS providers, the FCC contemplates creating a standardized notice of privacy practices, which could provide a safe harbor for BIAS providers for the proposed law's notice provision, and removing the current requirement to provide customers with periodic updates. However, under the FCC's proposed rules, a BIAS provider would be required to provide notice of material changes to the privacy policies to customers prior to the material changes and also include specific terms within the material change update.

Levels of Customer Choice for Data Use and Disclosures

The FCC proposal sets forth three categories of data for use and disclosure. The first category does not require customer approval or permission. The second category requires BIAS providers to provide customers with notice and opportunity to opt out before using a customer's PI or sharing a customer's PI with an affiliate that provides communications-related services in order to market communications-related services to the customer. The third category requires BIAS providers to seek and receive opt-in approval from customers before using or sharing customer PI for all other uses.

Category 1: Customer Approval Implied/Not Required

BIAS providers will not be required to secure customer approval for customer PI when the customer PI is required for provision of the telecommunications service from which the information is derived or for services necessary to or used in the provision of the telecommunications service. This language mirrors Section 222(c)(1) for CPNI. However, it is unclear how the "provision of" BIAS and "services necessary to or used in" BIAS are going to be defined. The regulations also expand the amount of information a BIAS provider may use in the provision of BIAS or services necessary to or used in BIAS. BIAS providers will be able to use all customer PI and can also use customer PI to market to the customer additional BIAS offerings that are in the "same category of service" when the customer already subscribes to that category of service from the provider. The FCC proposes to adopt Section 222(d) as tailored for broadband services, which contains statutory exceptions for use of CPNI without customer notice or approval. Examples of these exceptions include IP-enabled voice service in specific emergency situations and billing for the broadband services.

Category 2: Use and Disclosure of Customer PI for Marketing Communications-Related Services

Under the proposed regulations, customers would have the responsibility to opt out from use, disclosure, and permitted access to customer PI for marketing of other communications-related services after receiving a BIAS provider's notice of privacy policy. The proposed rules also:

  • Expand the definition of opt-out approval in the current CPNI rules (47 C.F.R. §64.2003(l)) to include customer PI; and
  • Eliminate the 30-day waiting period currently required to make a voice customer's opt-out approval effective so that a customer can opt out at any time and "with minimal effort."

Opt-out information must be clearly disclosed, easily used, and continuously available. Questions remain about how affiliates and BIAS providers will be treated, especially with the provision of bundled services. The FCC seeks clarification of how customers view sharing of customer PI between BIAS providers and affiliates. As proposed, communications-related services would not include edge services offered by the broadband provider.

Category 3: Use and Disclosure of Customer PI for All Other Purposes

The FCC proposes to require BIAS providers to seek and receive opt-in approval from customers before using or sharing customer PI for all uses and sharing other than those that fall within categories 1 and 2, supra. BIAS providers will have to acquire opt-in approval before:

  • Using customer PI for purposes other than marketing communications-related services,
  • Sharing customer PI with affiliates providing communications-related services for purposes other than marketing communications-related services, and
  • Sharing customer PI with all other affiliates and third parties. Third parties include joint venture partners and independent contractors.

The FCC seeks clarification of the purposes for which BIAS providers use customer PI and specifically whether the FCC should require opt-in consent for sharing geolocation data with affiliates. The primary concern in this category appears to be sharing customer PI in mobile contexts and allowing customers more control over the flow of their data to third parties.

Maintaining Customer Opt-In/Opt-Out Records

BIAS providers must:

  • maintain records on customer PI disclosure to third parties for at least one year,
  • maintain records of customer notices and approval for at least one year,
  • adequately train and supervise their personnel on customer PI access,
  • establish supervisory review processes, and
  • provide prompt notice to the Commission of unauthorized uses or disclosures.

Data Security Standards

The FCC seeks to codify BIAS providers' obligation found in Section 222(a) to "protect the security, confidentiality and integrity" of customer PI. The FCC seeks comment on defining these terms, while noting that HIPAA (healthcare sector) has defined the terms (42 C.F.R. §164.304) but the Gramm Leach Bliley Act (GLBA) (financial services sector) has not (15 U.S.C. 6801(b)). In order to protect data, every BIAS provider will be required to:

  • Establish and perform regular risk management assessments and promptly address any weaknesses in the provider's data security system identified by such assessments;
  • Train employees, contractors, and affiliates that handle customer PI about the BIAS provider's data security procedures;
  • Ensure due diligence and oversight of these security requirements by designating a senior management official with responsibility for implementing and maintaining the BIAS provider's data security procedures;
  • Establish and use robust customer authentication procedures to grant customers or their designees access to customer PI; and
  • Take responsibility for the use of customer PI by third parties with whom they share such information.

BIAS Provider Liability for Third-Party Downstream Privacy Violations

The FCC appears to be pursuing a theory of vicarious liability for BIAS providers that share customer data with third parties. However, the FCC is also exploring, and requests input on, using contractual commitments to protect shared data in lieu of vicarious liability. The FCC is additionally concerned with whether mobile BIAS providers should use contractual relationships with manufacturers of mobile devices and mobile operating systems (OS) that operate on a BIAS provider's network to safeguard shared data.

Flexible Data Security Considerations

Although the FCC is considering very specific requirements for protecting data security, there are a few factors that BIAS providers may work with while implementing the data security requirements, such as the nature and scope of the BIAS provider activities and the sensitivity of the customer PI that is involved. For example, reasonable safeguards for small BIAS providers will differ significantly from those for large-scale BIAS providers, and BIAS providers regularly handling Social Security numbers and medical information will need to institute stronger protections than BIAS providers handling names and email addresses.

Limiting Data Collection, Retention, and Required Disposal

The FCC further seeks to institute data minimization procedures for customer PI, differentiating between sensitive customer PI and other customer PI. In addition to requesting information on whether certain data should be exempt from any collection and storage, the FCC is also contemplating harmonizing data retention requirements for BIAS providers with those of cable and satellite providers. For example, cable and satellite providers are required to destroy personal data if the information is no longer necessary for the purpose for which it was collected. 47 U.S.C. §§551(e); 338(i)(6).

Data Breach Notification Requirements

The FCC removed the "intent" requirement of the Section 222 breach definition and instead defines a breach as any instance in which "a person, without authorization or exceeding authorization, has gained access to, used or disclosed customer proprietary information." The proposed notification requirements are stringent. BIAS providers must:

  • Notify affected customers of breaches of customer PI no later than 10 days after the discovery of the breach, subject to law enforcement needs, under circumstances enumerated by the Commission;
  • Notify the Commission of any breach of customer PI no later than seven days after discovery of the breach; and
  • Notify the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USS) of breaches of customer PI reasonably believed to relate to more than 5,000 customers no later than seven days after discovery of the breach and at least three days before notification to the customers.

The FCC seeks to limit notification fatigue for customers and is considering both limitations based on risk of harm analyses, similar to those currently existing in some state breach notification laws, and a time limit that is more expansive, such as "without undue delay" instead of the currently proposed 10-day limit to notify customers. As indicated in BakerHostetler's Data Security Incident Response Report, for the majority of breaches in 2015, it was approximately 40 days from the date of discovery to the date of notification.

Data Breach Notification Content Requirements

In a change from the less-specific existing breach notification rules in Section 222, the FCC provides that particular content must be included in breach notifications to customers:

  • The date, estimated date, or estimated date range of the breach.
  • A description of the customer PI that was used, disclosed, or accessed or was reasonably believed to have been used, disclosed, or accessed by a person without authorization or exceeding authorization as a part of the breach of security.
  • Information the customer can use to contact the telecommunications provider to inquire about the breach of security and the customer PI that the carrier maintains about the customer.
  • Information about how to contact the FCC and any state regulatory agencies relevant to the customer and the service.
  • Information about national credit-reporting agencies and the steps customers can take to guard against identity theft, including any credit monitoring or reporting the telecommunications provider is offering customers affected by the breach of security.

Prohibited Practices

Last, the FCC sets forth practices with privacy implications that "may be prohibited" by the final rule. These practices include offering higher-priced broadband services for heightened privacy protections and the use of deep packet inspection for purposes other than network management. In other words, the FCC may be poised to outright prohibit offering consumers less-expensive broadband if they consent to have their usage data used to tailor interest-based ads for them. Commissioner O'Rielly points out that this "is a popular program offered by a major provider" and challenges the Commission's concern that consumers "may not understand what they are trading." In addition, the FCC seeks comment on whether persistent identifiers should be subject to heightened privacy protections beyond even the opt-in proposals already made. Finally, the FCC asks whether it should prohibit mandatory arbitration of consumer disputes, which enables companies to avoid class action litigation.

In Conclusion

The FCC's proposals would place constraints on BIAS providers' data practices, such as those related to interest-based advertising, that do not apply to other digital service providers like Google and Facebook, at least to the extent they remain edge networks and not providers of BIAS. To the extent BIAS providers want to compete on an equal footing with edge networks, should the rulemaking take effect as proposed, they would need to segregate their BIAS and non-BIAS service offerings and related data. Further, the FCC's approach to privacy reflects a California-style or European-style approach to what is treated as protected data and the level of consent required to collect, use, and share such data. The FCC is seeking public comment on this NPRM through May 27, 2016, and reply comments thereafter are due by June 27, 2016.
