By Amanda Potter and Alex Stout

As we highlighted in a post last month, the FCC has proposed sweeping new privacy rules on broadband providers. Since our last post, the FCC has released its proposal in the form of a Notice of Proposed Rulemaking. This proposal would institute new customer privacy and data breach rules on broadband providers and follows the Commission’s landmark Open Internet proceeding, in which the Commission imposed common-carrier telecommunications rules on broadband. The public has until May 27 to submit initial comments and June 27 to submit reply comments.

While the proposal includes updates to existing FCC rules, the focus is on broadband providers. The proposed rules would expressly exclude providers of “edge services” (like search engines, video streaming, and mobile applications), reasoning that consumers can readily avoid edge services and that broadband providers act as “gateways” that could potentially track consumers across the Internet.

The proposed rules would cover two categories of information. First, the rules would apply to “customer proprietary network information” (CPNI), a type of data defined by Section 222 of the Communications Act to include a customer’s technical usage or billing data. For broadband, the FCC proposes to include, at minimum, Internet service plan and pricing, geo-location data, MAC address, Device ID, IP address, and traffic statistics. Second, the rules would protect personally identifiable information (PII). The FCC only recently began to use the term PII, which it defines here to include all “linked and linkable” information about an individual, such as name, date of birth, identification numbers, Internet browsing history, and data about online transactions. These two types of data are part of a larger category of data, “customer proprietary information” (customer PI), that would include all “private information that customers have an interest in protecting from public exposure.” All customer PI would be protected by the FCC’s new rules, for current, former, and potential customers alike.

The FCC’s proposed rules would require broadband providers to give “clear and conspicuous notice” of the providers’ privacy practices, both at the point of sale and through a persistent link on the providers’ homepage and/or mobile application. The rules would also provide specific requirements for the content and format of those privacy policies.

The proposed rules would require broadband providers to allow customers to opt out of all secondary uses of their protected information, such as marketing for other related services offered by the broadband provider or its affiliates, and would require customer opt in before any protected information could be shared with third parties. When, how, and for how long customers may make decisions to opt in or opt out will all be subject to FCC regulation. There would be three exceptions where customer choice would not be required: (1) where a customer’s consent is implied by using the service (because information sharing is required to provide the service, to bill for the service, to facilitate emergency response, or to protect property rights); (2) where the broadband provider is delivering a service that benefits customers (such as blocking cyberattacks or robocalls); and (3) where the broadband provider is sharing aggregated, de-identified information and agrees to be liable for any re-identification that occurs. The FCC is also considering other rules that may impact how broadband providers can use and share protected information.

The proposed rules would require broadband providers to secure the protected information they collect, instituting a broad obligation to “protect the security, confidentiality, and integrity of customer PI” from all unauthorized use or disclosure by “adopting security practices appropriately calibrated to the nature and scope of [its] activities.” The rules also would require specific conduct, such as regular risk management assessments, data security training, and the designation of a member of senior management as the data security coordinator.

When security fails and a breach occurs, the new rules would require broadband providers to notify the FCC within seven days of discovery, followed by a notice to customers within 10 days of discovery. When more than 5,000 individuals are impacted, the provider must also notify the Federal Bureau of Investigation and the US Secret Service. The rules would define a breach as when a person “without authorization or exceeding authorization, has gained access to, used, or disclosed customer PI.” There is no explicit safe harbor for encrypted data.

For a more detailed look at the FCC’s proposed rules, please see our Client Alert.