FCC Issues NPRM on Protecting the Privacy of Customers of Broadband and Other Telecommunications Services
On April 1, the Federal Communications Commission (FCC) released a Notice of Proposed Rulemaking (NPRM) proposing to establish a new consumer privacy framework for broadband Internet access service providers (ISPs). The proposed rules would not apply to the privacy practices of web sites, apps, and other “edge services.”
Importantly, the NPRM proposes protections for types of information beyond that traditionally considered “Customer Proprietary Network Information” (CPNI). In addition to providing guidance on the information that should be considered CPNI in the broadband context (e.g., service plan and traffic information), the FCC proposes a new category of protected information, Customer Proprietary Information (CPI), including both CPNI and other personally identifiable information (PII) acquired by ISPs about their customers. The new transparency, control, and security rules proposed in the NPRM would apply to this broader category of information.
The NPRM proposes a three-tiered consent framework for ISP use and sharing of customer proprietary information.
- Consent Implied: No additional customer consent beyond creation of a customer-ISP relationship is needed for use of customer data necessary to provide broadband services, for marketing the type of broadband service purchased by a customer, and for certain other purposes consistent with customer expectations (e.g., contacting public safety).
- Opt-out: ISPs would be allowed to use (and share with affiliates) customer data to market other communications-related services unless the customer affirmatively opts out.
- Opt-in: All other uses and sharing of CPI would require express, affirmative “opt-in” consent from customers.
Among other matters, the NPRM also seeks comment on:
- Transparency requirements for ISPs, mandating notice to customers about how data is used and collected, and how privacy preferences can be changed;
- New data security mandates for ISPs, including requirements to adopt specified risk management practices, training, customer authentication, and corporate governance;
- A federal data breach notification obligation for all telecommunications carriers;
- Specific business practices, such as whether deep packet inspection, persistent tracking, and financial inducement should be prohibited or have heightened notice obligations;
- Dispute resolution mechanisms, including whether ISPs should be prohibited from compelling arbitration in customer agreements;
- Alternative proposals for broadband Internet access service (BIAS) privacy frameworks, which the FCC has received from industry associations and other organizations; and
- The legal authority upon which the proposed rules would be based, which is primarily Section 222 of the Communications Act, but also includes Sections 201, 202, 303(b), 303(r), 316, 705, and 706 of the Act.
Comments and Reply Comments on the NPRM will be due May 27 and June 27, 2016, respectively. (WC Docket No. 16-106; FCC 16-39).