United States: Internet Service Providers Face New Regulatory Environment In The FCC's Privacy And Security Proposal

On March 31, 2016, the Federal Communications Commission (FCC) issued a Notice of Proposed Rulemaking (NPRM) of privacy and security regulations for Internet service providers (ISPs). The NPRM, In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, is intended to apply the privacy requirements of the federal Communications Act (Act) to broadband Internet access services (BIAS). The FCC issued the NPRM under authority stemming from the 2015 Open Internet Order, which applies Section 222 of the Act to BIAS providers. The proposal departs in some material respects from how the FCC addresses privacy and data security for more traditional telecoms, such as landline phone service providers, but applies much of the same approach. It redefines customer proprietary information for protection by BIAS providers, institutes opt-in/opt-out provisions for data use, defines and limits the use and sharing of aggregate data, suggests data security standards for BIAS providers, and sets forth a new data breach definition and new notification requirements. Throughout the NPRM, the FCC struggles with whether to require third parties of BIAS providers to follow the same regulations as BIAS providers, such as whether third parties must follow the BIAS providers' breach notification requirements and whether BIAS providers should be held vicariously liable for privacy failures of third parties. Defining the relationship between BIAS providers and affiliates proves similarly difficult when the FCC discusses data security regulations and limits on the use, sharing, or disclosure of customer proprietary information.

Although the FCC repeatedly references comments and data from the Federal Trade Commission (FTC), its approach to regulating ISPs is structured very differently and bears more resemblance to the Health Insurance Portability and Accountability Act (HIPAA) than to the FTC's approach to regulating online services. Where the FTC primarily allows online services to follow self-regulatory standards, the FCC expressly states its concern that BIAS providers handle a much greater flow of customer proprietary information (customer PI) than other online services such as websites and even edge networks (e.g., Facebook), and that this information is not necessarily provided knowingly or willingly. For these reasons, the FCC is approaching data security and privacy in a more hands-on and detailed manner.

It is worth noting that the Commission was far from unanimous, with Commissioners Pai and O'Rielly dissenting. Commissioner O'Rielly blasted the NPRM, writing in his dissent that regulating only one part of the Internet economy (i.e., ISPs but not edge networks) would "hamstring competition with the largest users of consumer data." In addition, the Commission laid out in the NPRM at least 500 questions on which it seeks input from the industry and the public during the comment period.

The following summary of the potential changes reveals how a sectoral approach to ISPs may saddle them with significantly more burdensome data protection requirements than those faced by other online service providers, including Facebook, Google, Uber, and other edge networks. Ultimately, the distinction and its advisability present a public policy question. However, the potential impact on ISPs, particularly on their ability to leverage big data for commercial advantage, is immense.

Expanding the Definitions of Customer Proprietary Network Information and Customer Proprietary Information

Customer Proprietary Network Information

The FCC proposes expanding the definition of customer proprietary network information (CPNI), excluding the telephone exchange service or telephone toll service portion of the existing definition and interpreting CPNI to include any information that the BIAS provider collects or accesses in connection with the provision of BIAS. This includes information that a BIAS provider causes to be collected and stored on customer premises equipment (CPE) or other devices, including mobile devices, in order to allow the carrier to collect or access the information. The definition will also include any information a BIAS provider attaches to a customer's Internet traffic if it falls within one of the categories in Section 222(h)(1)(A). In order to provide clarity, the FCC proposes to delineate non-exhaustive examples of types of information that would be considered CPNI in the broadband context. Examples of types of information that would constitute CPNI include (1) service plan information, including type of service (e.g., cable, fiber, or mobile); service tier (e.g., speed); pricing; and capacity (e.g., information pertaining to data caps); (2) geolocation; (3) media access control (MAC) addresses and other device identifiers; (4) source and destination Internet protocol (IP) addresses and domain name information; and (5) traffic statistics.

Customer Proprietary Information

The FCC also proposes to define the type of proprietary customer information that telecommunications carriers have to protect pursuant to Section 222(a). Customer proprietary information would include private information that customers have an interest in protecting from public disclosure, and such information would fall into either the CPNI category or the personally identifiable information (PII) category. Together, these categories are "customer PI" and include information the BIAS provider acquires in connection with its provision of BIAS. In defining PII, the FCC draws heavily from other federal regulations and guidance, resulting in a nonexclusive list of PII data elements that, beyond the common elements, also includes mother's maiden name; MAC address or other unique device identifiers; IP addresses; persistent online identifiers; eponymous and non-eponymous online identities; Internet browsing history; traffic statistics; application usage data; current or historical geolocation; and shopping records. PII would also include a BIAS customer's name, postal address, and telephone number, a deviation from the standard treatment of "telephone directory information," as the FCC does not view the current collection practices for that type of information as similar to the directories of customer information that telephone services maintain and publish.

What Is a Communications-Related Service?

The FCC seeks comment regarding the definition of "communications-related services" for allowing BIAS providers to use customer PI to market communications-related services to subscribers and to disclose customer PI to their communications-related affiliates for the purpose of marketing communications-related services subject to opt-out approval.

Notice of Privacy Policy

Under the proposed regulations, BIAS providers must notify customers of their privacy practices in a clear and conspicuous manner at the point of sale and on an ongoing basis through a link on the provider's home page, mobile application, and any functional equivalent. BIAS providers will be required to:

  • Provide a notice of their privacy practices that specifies and describes the types of customer PI collected by virtue of the provider's provision of broadband service; how the BIAS provider uses, and under what circumstances it discloses, each type of customer PI it collects; and the categories of entities that will receive customer PI from the BIAS provider and the purposes for which the customer PI will be used by each category of entities;
  • Advise customers of their opt-in and opt-out rights with respect to their own PI, and provide access to a simple, easy-to-access method for customers to provide or withdraw consent to use, disclose, or provide access to customer PI for purposes other than the provision of broadband services through a method that is persistently available and at no additional cost to the customer;
  • Explain that a denial of approval to use, disclose, or permit access to customer PI for purposes other than providing BIAS will not affect the provision of any services to which the customer subscribes, except for a brief description in clear and neutral language describing any consequences directly resulting from the lack of access to the customer PI; and
  • Explain that any approval, denial, or withdrawal of approval for the use of customer PI for any purposes other than providing BIAS is valid until the customer affirmatively revokes such approval or denial, and inform the customer of his or her right to deny or withdraw access to such PI at any time. The notification must also explain that the provider may be compelled to disclose a customer's PI when other laws provide for such disclosure.

The notification must be comprehensible and not misleading, clearly legible in sufficiently large type, displayed in an area so as to be readily apparent to the customer, and completely translated into another language if any portion of the notice is translated into that language. In addition to these requirements, the FCC seeks comment on whether to adopt a provision similar to California's Shine the Light law, which requires businesses, upon request, to provide to their customers, free of charge and within 30 days, (1) a list of categories of personal information disclosed by the business to third parties for the third parties' marketing purposes; (2) the names and addresses of all the third parties that received personal information from the business in the preceding calendar year; and (3) if the nature of the third parties' businesses cannot be reasonably determined from the third parties' names, examples of the products or services marketed by the third party. See Cal. Civ. Code §1798.83.

In order to ease the burden on both customers and BIAS providers, the FCC contemplates creating a standardized notice of privacy practices, which could provide a safe harbor for BIAS providers for the proposed law's notice provision, and removing the current requirement to provide customers with periodic updates. However, under the FCC's proposed rules, a BIAS provider would be required to provide notice of material changes to the privacy policies to customers prior to the material changes and also include specific terms within the material change update.

Levels of Customer Choice for Data Use and Disclosures

The FCC proposal sets forth three categories of data for use and disclosure. The first category does not require customer approval or permission. The second category requires BIAS providers to provide customers with notice and opportunity to opt out before using a customer's PI or sharing a customer's PI with an affiliate that provides communications-related services in order to market communications-related services to the customer. The third category requires BIAS providers to seek and receive opt-in approval from customers before using or sharing customer PI for all other uses.

Category 1: Customer Approval Implied/Not Required

BIAS providers will not be required to secure customer approval for customer PI when the customer PI is required for provision of the telecommunications service from which the information is derived or for services necessary to or used in the provision of the telecommunications service. This language mirrors Section 222(c)(1) for CPNI. However, it is unclear how the "provision of" BIAS and "services necessary to or used in" BIAS are going to be defined. The regulations also expand the amount of information a BIAS provider may use in the provision of BIAS or services necessary to or used in BIAS. BIAS providers will be able to use all customer PI and can also use customer PI to market to the customer additional BIAS offerings that are in the "same category of service" when the customer already subscribes to that category of service from the provider. The FCC proposes to adopt Section 222(d) as tailored for broadband services, which contains statutory exceptions for use of CPNI without customer notice or approval. Examples of these exceptions include IP-enabled voice service in specific emergency situations and billing for the broadband services.

Category 2: Use and Disclosure of Customer PI for Marketing Communications-Related Services

Under the proposed regulations, customers would have the responsibility to opt out from use, disclosure, and permitted access to customer PI for marketing of other communications-related services after receiving a BIAS provider's notice of privacy policy. The proposed rules also:

  • Expand the definition of opt-out approval in the current CPNI rules (47 C.F.R. §64.2003(l)) to include customer PI; and
  • Eliminate the 30-day waiting period currently required to make a voice customer's opt-out approval effective so that a customer can opt out at any time and "with minimal effort."

Opt-out information must be clearly disclosed, easily used, and continuously available. Questions remain about how affiliates and BIAS providers will be treated, especially with the provision of bundled services. The FCC seeks clarification of how customers view sharing of customer PI between BIAS providers and affiliates. As proposed, communications-related services would not include edge services offered by the broadband provider.

Category 3: Use and Disclosure of Customer PI for All Other Purposes

The FCC proposes to require BIAS providers to seek and receive opt-in approval from customers before using or sharing customer PI for all uses and sharing other than those that fall within categories 1 and 2, supra. BIAS providers will have to acquire opt-in approval before:

  • Using customer PI for purposes other than marketing communications-related services,
  • Sharing customer PI with affiliates providing communications-related services for purposes other than marketing communications-related services, and
  • Sharing customer PI with all other affiliates and third parties. Third parties include joint venture partners and independent contractors.

The FCC seeks clarification of the purposes for which BIAS providers use customer PI and specifically whether the FCC should require opt-in consent for sharing geolocation data with affiliates. The primary concern in this category appears to be sharing customer PI in mobile contexts and allowing customers more control over the flow of their data to third parties.

Maintaining Customer Opt-In/Opt-Out Records

BIAS providers must:

  • maintain records on customer PI disclosure to third parties for at least one year,
  • maintain records of customer notices and approval for at least one year,
  • adequately train and supervise their personnel on customer PI access,
  • establish supervisory review processes, and
  • provide prompt notice to the Commission of unauthorized uses or disclosures.

Data Security Standards

The FCC seeks to codify BIAS providers' obligation found in Section 222(a) to "protect the security, confidentiality and integrity" of customer PI. The FCC seeks comment on defining these terms, while noting that HIPAA (healthcare sector) has defined the terms (42 C.F.R. §164.304) but the Gramm Leach Bliley Act (GLBA) (financial services sector) has not (15 U.S.C. 6801(b)). In order to protect data, every BIAS provider will be required to:

  • Establish and perform regular risk management assessments and promptly address any weaknesses in the provider's data security system identified by such assessments;
  • Train employees, contractors, and affiliates that handle customer PI about the BIAS provider's data security procedures;
  • Ensure due diligence and oversight of these security requirements by designating a senior management official with responsibility for implementing and maintaining the BIAS provider's data security procedures;
  • Establish and use robust customer authentication procedures to grant customers or their designees access to customer PI; and
  • Take responsibility for the use of customer PI by third parties with whom they share such information.

BIAS Provider Liability for Third-Party Downstream Privacy Violations

The FCC appears to be pursuing a theory of vicarious liability for BIAS providers that share customer data with third parties. However, the FCC is also exploring, and requests input on, using contractual commitments to protect shared data in lieu of vicarious liability. The FCC also asks whether mobile BIAS providers should use contractual relationships with manufacturers of mobile devices or mobile operating systems (OS) whose devices and hardware operate on a BIAS provider's network to safeguard shared data.

Flexible Data Security Considerations

Although the FCC is considering very specific requirements for protecting data security, it would allow BIAS providers to scale their implementation of those requirements according to a few factors, such as the nature and scope of the BIAS provider's activities and the sensitivity of the customer PI involved. For example, reasonable safeguards for small BIAS providers will differ significantly from those for large-scale BIAS providers, and BIAS providers regularly handling Social Security numbers and medical information will need to institute stronger protections than BIAS providers handling only names and email addresses.

Limiting Data Collection, Retention, and Required Disposal

The FCC further seeks to institute data minimization procedures for customer PI, differentiating between sensitive customer PI and other customer PI. In addition to requesting information on whether certain data should be exempt from any collection and storage, the FCC is also contemplating harmonizing data retention requirements for BIAS providers with those of cable and satellite providers. For example, cable and satellite providers are required to destroy personal data if the information is no longer necessary for the purpose for which it was collected. 47 U.S.C. §§551(e); 338(i)(6).

Data Breach Notification Requirements

The FCC's proposal removes the "intent" requirement of the Section 222 breach definition and instead defines a breach as any instance in which "a person, without authorization or exceeding authorization, has gained access to, used or disclosed customer proprietary information." The proposed notification requirements are stringent. BIAS providers must:

  • Notify affected customers of breaches of customer PI no later than 10 days after the discovery of the breach, subject to law enforcement needs, under circumstances enumerated by the Commission;
  • Notify the Commission of any breach of customer PI no later than seven days after discovery of the breach; and
  • Notify the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USS) of breaches of customer PI reasonably believed to relate to more than 5,000 customers no later than seven days after discovery of the breach and at least three days before notification to the customers.

The FCC seeks to limit notification fatigue for customers and is considering both limitations based on risk of harm analyses, similar to those currently existing in some state breach notification laws, and a time limit that is more expansive, such as "without undue delay" instead of the currently proposed 10-day limit to notify customers. As indicated in BakerHostetler's Data Security Incident Response Report, for the majority of breaches in 2015, it was approximately 40 days from the date of discovery to the date of notification.

Data Breach Notification Content Requirements

In a change from the less-specific existing breach notification rules in Section 222, the FCC provides that particular content must be included in breach notifications to customers:

  • The date, estimated date, or estimated date range of the breach.
  • A description of the customer PI that was used, disclosed, or accessed or was reasonably believed to have been used, disclosed, or accessed by a person without authorization or exceeding authorization as a part of the breach of security.
  • Information the customer can use to contact the telecommunications provider to inquire about the breach of security and the customer PI that the carrier maintains about the customer.
  • Information about how to contact the FCC and any state regulatory agencies relevant to the customer and the service.
  • Information about national credit-reporting agencies and the steps customers can take to guard against identity theft, including any credit monitoring or reporting the telecommunications provider is offering customers affected by the breach of security.

Prohibited Practices

Last, the FCC sets forth practices with privacy implications that "may be prohibited" by the final rule. These practices include offering higher-priced broadband services in exchange for heightened privacy protections and the use of deep packet inspection for purposes other than network management. In other words, the FCC may be poised to outright prohibit offering consumers less-expensive broadband if they consent to have their usage data used to tailor interest-based ads for them. Commissioner O'Rielly points out that this "is a popular program offered by a major provider" and challenges the Commission's concern that consumers "may not understand what they are trading." In addition, the FCC seeks comment on whether persistent identifiers should be subject to heightened privacy protections beyond even the opt-in usage proposals already made. Finally, the FCC asks whether it should prohibit mandatory arbitration of consumer disputes, which enables companies to avoid class action litigation.

In Conclusion

The FCC's proposals would place constraints on BIAS providers' data practices, such as those related to interest-based advertising, that do not apply to other digital service providers like Google and Facebook, at least to the extent they remain edge networks and not providers of BIAS. Should the rulemaking take effect as proposed, BIAS providers wanting to compete on an equal footing with edge networks would need to segregate their BIAS and non-BIAS service offerings and the related data. Further, the FCC's approach to privacy reflects a California-style or European-style approach to what is treated as protected data and the level of consent required to collect, use, and share such data. The FCC is seeking public comment on this NPRM through May 27, 2016, and reply comments thereafter are due by June 27, 2016.
