By Matt Murchison and Alex Stout

Today, the US Federal Communications Commission (FCC) approved far-reaching new information privacy rules that will govern how providers of broadband Internet access service collect, use, protect, and share data from their subscribers. These new rules, which were adopted by a 3 to 2 vote, are intended to fill a consumer protection gap that was created by the FCC’s reclassification of broadband Internet access service (or BIAS) as a Title II common carrier service as part of the 2015 Open Internet Order (the Federal Trade Commission (FTC) does not have jurisdiction over common carriers acting as common carriers). Although the full text of the today’s privacy order (the Order) has not yet been released, the agency provided a general outline of its new rules.

Today’s privacy rules are the result of a process that began in March, when the FCC circulated a Notice of Proposed Rulemaking (NPRM) on implementing Section 222’s privacy obligations for broadband providers. Section 222 was applied to broadband providers as part of the 2015 Open Internet Order, but until today’s Order the precise privacy obligations of broadband providers was not clear. The FCC’s NPRM had initially proposed sweeping new rules that in many ways went beyond the existing privacy framework of the FTC. For example, while the FTC has long embraced a unified, “technology neutral” approach applied equally to ISPs, websites, and all other participants in the Internet ecosystem, the FCC’s proposals focused solely on regulating ISPs. Moreover, whereas the FTC’s approach historically has turned on the sensitivity of the information being collected, used, or shared, the FCC’s initial proposal would have treated all forms of customer information equally, whether the information was a Social Security number or merely the customer’s first and last name. And while the FTC imposes a reasonableness standard for data security practices, the FCC proposed that broadband providers be required to “appropriately calibrate[]” their security practices to the data being collected, without an apparent reasonableness standard.  The FTC, in its comments to the FCC in this proceeding, suggested changes to the FCC’s proposal that would bring the two privacy regimes into greater harmony. Although the FCC did not accept all of these changes—and never wavered from its focus on regulating only ISPs—the final product is significantly changed from what we first saw in the NPRM.

First, the Order requires that broadband providers clearly and accurately disclose to consumers what information is being collected, how and for what purposes that information is used and shared, and the types of entities with which the information is shared. These notifications must be immediate (at the time the customer subscribes to the service or when the provider’s policy changes) and persistently available on the provider’s website.

Second, the Order establishes a new hierarchy of opt-in and opt-out privacy practices for ISPs, and identifies a limited set of uses for which consent is implied. The most sensitive information—such as geo-location, children’s information, health information, web browsing and app usage history, and the content of messages—cannot be used or shared without the subscriber’s express prior consent. Less sensitive data that is still individually identifiable can be used or shared unless the customer opts out of that use. The full text of the Order will, we presume, include specifics outlining when and how providers must make an opt-out mechanism available to subscribers. Additionally, a very limited set of data can be used without any ability for the subscriber to opt out. This limited exception, in effect, presumes the subscriber’s consent and authorizes the provider to use the data for purposes of providing the service and issuing bills. A final category of data—that which has been “de-identified” (that is, where the data is no longer associated with the individual to whom the information pertains)—can also be shared outside of the opt-in/opt-out requirements, so long as the de-identification comports with existing FTC standards (which require taking reasonable steps to ensure thorough de-identification, commitments not to re-identify the information, and contractual prohibitions on re-identification by parties with whom the information is shared). Industry, FTC staff, and other stakeholders continue to debate what precisely constitutes de-identified data, so it will be important to see whether the text of the Order provides any further guidance on how to distinguish between personal data and anonymous or aggregate data sets. These subscriber choice requirements, as well as the notice obligations discussed above, will go into effect 12 months (or 24 months for small providers) after the Order is published in the Federal Register.

Third, the Order prohibits broadband providers from selling services on a “take-it-or-leave-it” basis, such that customers who refused to agree to less restrictive data privacy protections would be denied service. The Order also requires “heightened disclosures” where a provider offers a service with fewer privacy protections in exchange for a lower cost of service. This heightened disclosure regime, along with a case-by-case review of provider practices, is a nod toward FTC practice, which has come to accept that consumers may make reasonable decisions to trade certain privacy rights for improved or lower-cost services. It is also a move away from the FCC’s initial proposal to prohibit these trade-offs altogether.

Fourth, the Order includes a requirement that broadband providers take “reasonable measures” to safeguard subscriber data from unauthorized use and disclosure. While the Order still includes the concept from the NPRM that these measures be “appropriately calibrated,” the addition of a reasonableness standard brings the FCC’s rules into closer alignment with the FTC and NIST frameworks. Unlike the NPRM, the Order does not include specific data security requirements such as annual data security training for employees, regular risk management assessments, or formalized incident response procedures. Nevertheless, the FCC will be judging the reasonableness of providers’ data security practices, and the NPRM’s proposals likely are a good indication of the sorts of practices that would likely be included as part of a reasonable data security regime. These requirements go into effect 90 days after the Order is published in the Federal Register.

Fifth, the Order includes data breach rules that are more closely aligned with other state and federal notification requirements. For example, whereas the NPRM would have required subscriber notice within 10 days, the Order extends that timeline to 30 days (a timeline that is much more likely to be achievable). The Order also requires providers to notify the FCC and, in some instances, the FBI and Secret Service in the event of a data breach. Details about what triggers the notification requirement will be important, including to harmonize with other disclosure regimes and expectations. These requirements go into effect 6 months after the Order is published in the Federal Register.

Sixth, in an effort to harmonize the privacy rules across services, the Order applies the new broadband rules to voice services as well. Call-detail records will be classified as sensitive information that will require opt-in consent from subscribers.

Finally, while there were reports that the FCC would ban the use of mandatory arbitration agreements in the broadband privacy context, the Order stops short of adopting such a prohibition. Instead, the Order expresses “concern” about such arrangements and contemplates a rulemaking in February 2017 to address them.

While there is still much to be learned once the full text of the Order is released, today’s vote to approve the Order demonstrates how far the FCC’s approach to broadband privacy has come over the past seven months. FTC Chairwoman Edith Ramirez expressed her support, saying: ““I am pleased that the Federal Communications Commission has adopted rules that will protect the privacy of millions of broadband users. The rules will provide robust privacy protections, including protecting sensitive information such as consumers’ social security numbers, precise geo-location data, and content of communications, and requiring reasonable data security practices. We look forward to continuing to work with the FCC to protect the privacy of American consumers.”  We will be diving deeper into the new requirements and their effects on broadband providers as soon as the Order is released, including on industry reaction to the new standards, and how they may be harmonized with other regulatory schemes and expectations.