On April Fool’s Day, the Federal Communications Commission issued a notice of proposed rulemaking containing a major proposed expansion of its telecom network usage information privacy, security and breach notice rules to broadband Internet access provider data. Comments are due in this proceeding on May 27th, and reply comments on June 27th.
The NPRM quotes selectively from the 2014 FTC Privacy Staff Report, but goes much further in its requirements. In fact, the proposed rules would be unprecedentedly stringent in several respects and would be very different from the privacy and security rules that apply to Internet companies today and from the privacy laws applicable to other sectors. Unless narrowed in the final rule, the FCC’s proposed rules would create major challenges for privacy professionals with responsibilities for broadband Internet access provider customer data. They would also generate considerable consumer confusion about the use of consumer data collected online.
It is important to understand that the FCC proposal is not a fait accompli. It will be the subject of comment on hundreds of questions posed in the NPRM and may change significantly. For example, the agency has asked both about requiring opt-in consent for all sharing of customer information, as well as whether to allow data append to ISP customer data.
Why Is the FCC Weighing In Now?
Until last year, the privacy practices of ISPs, like those of the rest of the Internet ecosystem, were overseen by the FTC under the Section 5 unfairness and deception standards of the FTC Act. The FTC had launched a number of investigations of ISPs and conducted a workshop on ISP and other “large platform provider” data collection practices. However, the FCC created a federal regulatory void through its “Net Neutrality Order” by re-classifying Internet access service providers as common carriers, which in turn placed them outside the jurisdiction of the FTC.
The FCC has regulated the privacy of telecom customer data under its Customer Proprietary Network Information rules, first adopted in 1998. These rules were developed with the twin purposes of protecting privacy and encouraging competition in the local and long distance telecom markets (then a burning issue that was at the center of the 1996 Telecom Act and its CPNI section). At the time of the CPNI statute and the FCC’s original CPNI rules establishing the opt-in requirement for advertising, telecom networks were not used for advertising. Applying this advertising opt-in 20 years later to the Internet would require data management structures that are foreign to the Internet today. The NPRM acknowledges potential “ripple effects” of its proposed rules, but does not propose to harmonize them with the FTC’s privacy framework.
The security provisions of the FCC’s CPNI rules were adopted in response to a wave of public concern regarding “pretext” calling to obtain customer phone records from telecom companies. In response, the FCC revised its CPNI rules to include stringent security requirements, logging of access to CPNI, and the short-fuse breach notice requirements (discussed in the overview below). The FCC proposal assumes with little discussion that these concerns and requirements apply equally to Internet access provider customer data, even for data that is routinely transferred across the Internet ecosystem. It also extends the current requirements to garden-variety customer contact information – name, address and phone number data – which is exempt from the CPNI law because it must be disclosed to competitors and is typically publicly available as phone directory information.
Why should privacy professionals and consumers care about this proceeding?
First, it is important to understand that under Travis LeBlanc’s leadership, even before the issuance of this NPRM, the FCC Enforcement Bureau has been very aggressive in bringing enforcement actions involving privacy and data security and obtaining settlements in the tens of millions of dollars. The NPRM would significantly expand the scope of FCC enforcement authority so that it reaches a wide range of ISP customer data as well as Internet advertising involving customer data obtained directly by ISPs.
Although the FCC would likely bring enforcement actions against the ISP only, in response to this heightened risk, ISPs would likely impose strict privacy and security requirements on vendors who have access to Internet access provider customer data. The requirements would likely include indemnification obligations for violations attributable to the vendor and proof of sufficient insurance coverage from vendors to hold the ISP harmless for those violations.
Second, the proposal would place heavy importance on providing rapid notice of any form of unauthorized or excessive access to routine customer information that is not sensitive. None of these data are currently subject to breach notice obligations under state laws. This alone would increase obligations on privacy and security professionals who work for ISPs and for ISP vendors – in many cases for data that is widely available from other sources and poses no risk to the customer.
Third, use of ISP customer data would become a complex and risky activity. These data would need to be coded and treated very differently to ensure compliance, and audit logging would need to be put in place for all of these data, regardless of their sensitivity. Audit logs would need to be retained for a year, and records of any access to the data (including by employees) that is unauthorized or exceeds authorized access would need to be retained for two years.
Fourth, the proposal would likely create consumer confusion and significantly lengthen and complicate privacy notices. Consumers are unlikely to understand if asked to consent to ISP uses of information that the consumer choices apply only to the ISP and would have no bearing on use of consumer data elsewhere in the Internet ecosystem. Moreover, ISP privacy notices would become longer and likely more confusing to consumers. The privacy notices would need to address at a granular level the specific uses and disclosures of each type of customer data, lengthening privacy notices significantly and making the task of keeping them current both important to avoid fines and more difficult to do. For similar reasons, ISPs would need to be kept strictly informed of all vendor uses of information in order to update ISP privacy notices accordingly.
Fifth, the proposal would further complicate the stove-piped landscape of U.S. privacy regulation and add a fourth, highly specific layer of regulation to ISP customer data, over and above the FTC privacy framework, ECPA, COPPA, state ISP and online privacy laws, and the privacy provisions of the cable and satellite portions of the Communications Act that already apply.
Sixth, by significantly expanding privacy, breach notice and security regulation in this area, the proposal would set a precedent that would likely be invoked at the state and federal level to call for more extensive breach notice, information security and privacy requirements, creating further uncertainty and potential regulatory complexity.
Lastly, there is some risk that complex privacy and security requirements, coupled with significant potential enforcement risk, may discourage broadband investment in less profitable areas.
Overview of the FCC Proposal
The principal features of the proposal that depart from typical privacy and security requirements include:
- Heavy regulation of any ISP customer information that is linked or linkable to a customer. Information regulated by the proposal would include not only content, but also ordinary contact information (mailing addresses, email addresses, phone numbers), information about customers’ service plans or broadband usage, IP addresses, MAC addresses, and any other information that is “linked or linkable to an individual”. Any of this information would be subject to the requirement regardless of whether it was publicly available or routinely disclosed on ad network exchanges. While many recent privacy best practices and some privacy laws cover this broad range of data, they almost always scale requirements to the sensitivity of particular data elements. The FCC’s current CPNI rule for telecom data (discussed in the next section) is an outlier in this regard. And the new proposal would apply the CPNI rule’s “categorical” approach to a much wider range of data without regard to the data’s sensitivity.
- Broad and short-fuse breach notice requirements. This requirement would apply to any access or use of data without authorization or exceeding authorization, not just to actual data breaches. There would be no harm trigger and notification would be required not only for access to sensitive information (such as customer financial information), but also to access “any information that is linked or linkable to an individual” customer. Unlike under state breach notice laws, there would be no exception to notice if an employee or contractor accidentally accessed customer information for legitimate business purposes. Notification would be required within seven days to the FCC (and in breaches involving more than 5,000 people also the Secret Service) for any data breach of ISP customer information, with a 10-day deadline to notify customers.
- Opt-in consent requirements for most disclosures of information and for most first-party advertising. Customer opt-in would be required both for disclosures of ISP customer information to third parties for most purposes, including for marketing or advertising, and for internal ISP and ISP affiliates’ uses of the information to market or advertise non-“communications-related services.” This would include uses of customer data for most first-party advertising by ISPs to their own customers (except as described in the next bullet), as well as for other types of online advertising that are offered on an opt-out basis today. For example, an ISP would need opt-in consent to advertise alarm monitoring or content offerings to customers. The NPRM also indicates that affiliates of ISPs would be directly subject to the requirements of the final rule.
- Opt-out requirement for marketing and advertising. Customer opt-out would be required to use customer information, or to share that information with affiliates, to market or advertise communications-related products or services (other than upgrades of existing services).[1]
- Notice requirements. ISPs would be required to provide very specific notice to customers of how the ISP “uses and under what circumstances it discloses each type of customer information the ISP collects.”
- Information security requirements. ISPs would be required to keep logs for a year of all access to or disclosure of any covered information (including by contractors); adopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; identify a senior manager responsible for data security; and take responsibility for the use and protection of customer information when shared with third parties.
- Presumption of non-preemption of state laws. State laws would be preempted only if the FCC determined that they were inconsistent with the final CPNI rule.
[1] Neither opt-in nor opt-out consent would be required for an ISP to use a customer’s data to provide the broadband service to which the customer subscribes or to market upgrades to that service.