On April Fool’s Day, the Federal Communications Commission issued a notice of proposed rulemaking containing a major proposed expansion of its telecom network usage information privacy, security and breach notice rules to broadband Internet access provider data. Comments are due in this proceeding on May 27th, and reply comments on June 27th.
The NPRM quotes selectively from the 2014 FTC Privacy Staff Report, but goes much further in its requirements. In fact, the proposed rules would be unprecedentedly stringent in several respects and would be very different from the privacy and security rules that apply to Internet companies today and from the privacy laws applicable to other sectors. Unless narrowed in the final rule, the FCC’s proposed rules would create major challenges for privacy professionals with responsibilities for broadband Internet access provider customer data. They would also generate considerable consumer confusion about the use of consumer data collected online.
It is important to understand that the FCC proposal is not a fait accompli. It will be the subject of comment on hundreds of questions posed in the NPRM and may change significantly. For example, the agency has asked both about requiring opt-in consent for all sharing of customer information, as well as whether to allow data append to ISP customer data.
Why Is the FCC Weighing In Now?
Until last year, the privacy practices of ISPs, like those of the rest of the Internet ecosystem, were overseen by the FTC under Section 5 unfairness and deception standards of the FTC Act. The FTC had launched a number of investigations of ISPs and conducted a workshop on ISP and other “large platform provider” data collection practices. However, the FCC created a federal regulatory void through its “Net Neutrality Order” by re-classifying Internet access service providers as common carriers, which in turn placed them outside the jurisdiction of the FTC.
The FCC has regulated the privacy of telecom customer data under its 1998 Customer Proprietary Network Information rules. These rules were first developed in 1998 with the twin purposes of protecting privacy and encouraging competition in the local and long distance telecom markets (then a burning issue which was at the center of the 1996 Telecom Act and its CPNI section). At the time of the CPNI statute and the FCC’s original CPNI rules establishing the opt-in requirement for advertising, telecom networks were not used for advertising. Applying this advertising opt-in 20 years later to the Internet would require data management structures that are foreign to the Internet today. The NPRM acknowledges potential “ripple effects” of its proposed rules, but does not propose to harmonize them with the FTC’s privacy framework.
The security provisions of the FCC’s CPNI rules were adopted in response to a wave of public concern regarding “pretext” calling to obtain customer phone records from telecom companies. In response, the FCC revised its CPNI rules to include stringent security requirements, logging of access to CPNI, and the short breach notice requirements discussed above. The FCC proposal assumes with little discussion that these concerns and requirements apply equally to Internet access provider customer data, even for data that is routinely transferred across the Internet ecosystem. It also extends the current requirements to garden-variety customer contact information – name, address and phone number data – which is exempt from the CPNI law because it must be disclosed to competitors and is typically publicly available as phone directory information.
Why should privacy professionals and consumers care about this proceeding?
First, it is important to understand that under Travis LeBlanc’s leadership, even before the issuance of this NPRM, the FCC Enforcement Bureau has been very aggressive in bringing enforcement actions involving privacy and data security and obtaining settlements in the tens of millions of dollars. The NPRM would significantly expand the scope of FCC enforcement authority so that it reaches a wide range of ISP customer data as well as Internet advertising involving customer data obtained directly by ISPs.
Although the FCC would likely bring enforcement actions against the ISP only, in response to this heightened risk, ISPs would likely impose strict privacy and security requirements on vendors who have access to Internet access provider customer data. The requirements would likely include indemnification obligations for violations attributable to the vendor and proof of sufficient insurance coverage from vendors to hold the ISP harmless for those violations.
Second, the proposal would place heavy importance on providing rapid notice of any form of unauthorized or excessive access to routine customer information that is not sensitive. None of these data are currently subject to breach notice obligations under state laws. This alone would increase obligations on privacy and security professionals who work for ISPs and for ISP vendors – in many cases for data that is widely available from other sources and poses no risk to the customer.
Third, use of ISP customer data would become a complex and risky activity. These data would need to be coded and treated very differently to ensure compliance, and audit logging would need to be put in place for all of these data, regardless of their sensitivity. Audit logs would need to be retained for a year, and records of any access to the data (including by employees) that is unauthorized or exceeds authorized access would need to be retained for two years.
Fourth, the proposal would likely create consumer confusion and significantly lengthen and complicate privacy notices. Consumers are unlikely to understand if asked to consent to ISP uses of information that the consumer choices apply only to the ISP and would have no bearing on use of consumer data elsewhere in the Internet ecosystem. Moreover, ISP privacy notices would become longer and likely more confusing to consumers. The privacy notices would need to address at a granular level the specific uses and disclosures of each type of customer data, lengthening privacy notices significantly and making the task of keeping them current both important to avoid fines and more difficult to do. For similar reasons, ISPs would need to be kept strictly informed of all vendor uses of information in order to update ISP privacy notices accordingly.
Fifth, the proposal would further complicate the stove-piped landscape of U.S. privacy regulation and add a fourth, highly specific layer of regulation to ISP customer data, over and above the FTC privacy framework, ECPA, COPPA, state ISP and online privacy laws, and the privacy provisions of the cable and satellite portions of the Communications Act that already regulate such data.
Sixth, by significantly expanding privacy, breach notice and security regulation in this area, the proposal would set a precedent that would likely be invoked at the state and federal level to call for more extensive breach notice, information security and privacy requirements, creating further uncertainty and potential regulatory complexity.
Lastly, there is some risk that complex privacy and security requirements, coupled with significant potential enforcement risk, may discourage broadband investment in less profitable areas.
Top image from federal government site, fair use