The New Cop on the Beat for Internet Privacy
On March 28, the Federal Communications Commission (FCC) hosted a public workshop on “Broadband Consumer Privacy,” aimed at exploring the FCC's “role in protecting the privacy of consumers that use broadband Internet access service.” It’s a topic worth exploring now more than ever because, as The Privacy Advisor reported, the commission has recently announced new rules as part of its Open Internet Order that appear to firmly establish it as the new federal cop on the beat for Internet privacy. These rules give the FCC, traditionally a telecom privacy cop, the ability to take action against broadband Internet service providers for consumer privacy infractions.
A Little Background
The FCC has had longstanding authority to police privacy infractions for the entities it has traditionally regulated—phone, cable and satellite companies. In particular, Section 222 of the Communications Act and its related rules have, for many years, provided consumers strong privacy—and, less well-known, data security—protections in their use of phones through duties it creates for carriers. These include a “duty to protect the confidentiality of proprietary information of, and relating to ... customers,” which includes things like contact information, usage and location data; specific obligations related to “individually identifiable” confidential proprietary network information (CPNI), and a duty to protect CPNI that a carrier causes to be stored on devices like mobile phones. A recent powerful example of the FCC’s use of its Section 222 authority is its $25 million settlement with AT&T over alleged failures to protect consumers’ personal information, the largest fine for data privacy violations in U.S. history.
But Section 222 is not the only provision of the act that the FCC has used to protect consumer privacy in the telecom space; Section 201(b) has become a more frequently used tool as well. Section 201(b) declares unlawful any “unjust or unreasonable” practice “in connection with” communication services by wire or radio, and last fall, the FCC made clear its view that unjust or unreasonable privacy and data security practices fall within Section 201(b)’s scope. In a proposed $10 million fine issued against TerraCom and YourTel, the FCC asserted that these two carriers violated Section 201(b) by failing to employ reasonable data security practices to protect customers’ personal information; representing in their privacy policies that they protected their customers’ personal information when in fact they did not; and failing to notify all customers whose personal information “could have been breached by (their) inadequate data security policies.”
This is a broad reading of Section 201(b)—encompassing privacy practices related to the protection and maintenance of customers’ personal data; disclosures about that protection, and notifications when customers’ personal data is put at risk—and it suggests that the FCC is ready to take more sweeping action on privacy. In the case of TerraCom and YourTel, that reading contributed to a record-setting fine—the largest privacy action in the commission’s history. And that same reading was used in the FCC’s action against AT&T, mentioned above, where the FCC—citing TerraCom—said that “Section 201(b) applies to carriers’ practices for protecting customers’ PII and CPNI.”
Open Internet Order: Opening Up ISPs to FCC’s Privacy Policing
Under the Open Internet Order, Sections 222 and 201(b) now apply—for the first time in history—to Internet service providers (ISPs) like Comcast, Time Warner, Verizon FIOS and AT&T GigaPower that provide broadband Internet access to consumers. This means these companies now must worry about how their privacy practices comply with FCC expectations, not just Federal Trade Commission and state attorneys general expectations. Certain specifics of this new privacy authority will not be settled for quite some time—the commission’s existing CPNI rules under Section 222 will not apply until they are updated, and the fate of the entire Open Internet Order is still up in the air—but what is clear is that the FCC intends to use the order to make its official foray into full-throated Internet privacy protection.
The text of the order makes plain that the commission applied Sections 222 and 201(b) to broadband Internet providers because it sees a need to extend its existing authority over consumer privacy into the Internet space. In explaining its decision not to forbear from applying Section 222, the FCC highlighted the need to safeguard the privacy of consumer information that flows via broadband Internet. “Broadband providers serve as a necessary conduit for information passing between an Internet user and Internet sites or other Internet users, and are in a position to obtain vast amounts of personal and proprietary information about their customers,” the commission wrote. “Absent appropriate privacy protections,” it continued, “use or disclosure of that information could be at odds with those customers’ interests.” In its view, applying the privacy protection of Section 222 is needed to safeguard consumers and eliminate their concerns about giving up privacy while accessing the Internet. Similarly, the FCC acknowledged the utility of Section 201(b) in protecting consumers’ personal information on the Internet, citing its action against TerraCom and YourTel and saying that “privacy needs are no less important when consumers communicate over and use broadband Internet access than when they rely on (telephone) services.”
Given the FCC’s recent active use of Sections 222 and 201(b) to police telecom companies’ protections of consumer data, it is safe to say the FCC will not be shy about using those sections to police the privacy practices of consumer-facing ISPs, especially once the new CPNI rules under Section 222 are issued. These ISPs should be on notice that the FCC will scrutinize their compliance with Sections 222 and 201(b). Indeed, FCC Enforcement Bureau Chief Travis LeBlanc has warned ISPs that “with convergence and with this new rule-making, there are a lot of companies that are crossing into the FCC space, and they just need to be careful to make sure they know our rules.”
How To Stay Off the FCC’s Privacy Beat
So how can consumer-facing ISPs make sure they know how the FCC’s privacy rules apply to them? How can they ensure that their privacy practices comply with FCC expectations and avoid missteps? The best way, for now, is to look at how its prior privacy actions against carriers might apply to ISPs.
Three key lessons can be drawn from the FCC’s recent privacy and data security actions: Know how your customer data is kept private; monitor how your employees and third-party partners can access it, and check what you disclose to consumers about both.
With TerraCom and YourTel, a major problem was the carriers’ use of third-party hosting services for online storage of customer application documents that lacked adequate cybersecurity. The FCC’s investigation revealed that the documents were stored in clear, readable text and in an electronic format accessible to anyone with an Internet connection. Consumer-facing ISPs should ensure that they store customer information in keeping with industry best practices regarding password protection and encryption for electronic storage.
With AT&T, the FCC’s main concern was with how employees of a third-party call center were able to access tens of thousands of customers’ accounts containing personal information without authorization and how this went undetected for so long. Putting in place proper procedures for accessing customers’ personal information, and technology and personnel to monitor that access, is critical.
Lastly, again with TerraCom and YourTel, the carriers got into trouble for stating in their privacy policies that they had “implemented technology and security features to safeguard the privacy of your customer-specific information from unauthorized access or improper use,” when the reality on the ground was obviously otherwise. Consumer-facing ISPs would be wise to revisit their privacy policies and other public statements about how they handle consumers’ personal information.
The FCC’s Enforcement Bureau has said it sees “privacy in the broadband space as a trend in enforcement in the near future.” Learning from privacy missteps in the telecom space will help ISPs avoid becoming part of that trend. Exactly how the commission will use its new privacy authority is uncertain, but one thing is for sure: This “new cop” is not likely to hold back.