By Matt Murchison and Alex Stout

Last week, the FCC announced that Chairman Tom Wheeler had circulated a Notice of Proposed Rulemaking (NPRM) on implementing Section 222’s privacy obligations for broadband providers. Section 222’s requirements were originally crafted for telephone companies, and were first applied to broadband providers as part of the 2015 Open Internet Order, which reclassified broadband providers as telecommunications carriers. However, the FCC expressly forbore from applying to broadband providers the rules it had adopted over the years implementing Section 222 in the telephone context. The upcoming NPRM, which the full Commission will vote on at its March 31 Open Meeting, will, for the first time, propose specific requirements implementing Section 222’s privacy obligations in the broadband context.

The FCC’s fact sheet about the NPRM reiterates the three guiding principles that the Chairman has identified in recent weeks—choice, transparency, and security—and provides some new details on the specific proposals under consideration.

First, the approach laid out in the NPRM would require different levels of consent for different uses of customer data. No consent would be needed for the use of “customer data necessary to provide broadband services and for marketing the type of broadband service purchased by a customer.” Opt-out consent would be required for the use of customer data for “marketing other communications-related services” (or for sharing data with affiliates for that purpose). Opt-in consent would be required for all other uses.

Second, the NPRM proposes requiring ISPs to take “reasonable steps” to keep customer data secure, including “adopt[ing] risk management practices,” “institut[ing] personnel training practices,” and “adopt[ing] strong customer authentication requirements.” These requirements could potentially resemble those of the Federal Trade Commission, which similarly mandate “reasonable” approaches to data security in lieu of more specific requirements.

And finally, the NPRM proposes imposing “data breach notification requirements” on ISPs, including a 7-day window for notifying the FCC of any breach and a 10-day window for notifying affected customers.

Anyone who has responded to a data breach knows that this is an exceedingly tight timeline, far more stringent than any state data breach law (even more stringent than Puerto Rico’s notoriously short 10-day window for notifying the Department of Consumer Affairs and California’s recommended timeline of 10 business days for notifying consumers).

While the NPRM is likely to be approved on March 31, the Commission’s Republican members, Ajit Pai and Mike O’Rielly, are known to have doubts about the Commission’s role in privacy enforcement (see our coverage of the FCC’s TerraCom and YourTel enforcement actions) and are expected to dissent.