The Federal Communications Commission (FCC) adopted an order (the Privacy Rule) on Oct. 27, 2016, which began to take effect this month, regarding privacy and data security obligations for broadband internet access service (BIAS) providers and other telecommunications carriers under its jurisdiction, a jurisdiction expanded in 2015 by the Open Internet rules. The buzz around the FCC is that the presumably different regulatory goals of the new Trump administration, together with expected changes in the composition of the FCC’s commissioners, may put the future of both the Open Internet rules and the Privacy Rule in question. Unless and until that happens, the Privacy Rule will result in a number of important changes for carriers, including:
- Applicability: The Privacy Rule applies to telecommunications carriers, which now include providers of broadband access, excepting dial-up providers and premises operators that subscribe for the purpose of giving access to their own customers. Customers of enterprise subscribers who use the enterprise account are still treated as customers, but the enterprise subscriber may exercise choices on behalf of those it permits to use the subscription. The rule does not cover websites, mobile apps, social media platforms or other “edge networks.” Also, the rule applies to BIAS providers in their capacity as such, and not to the edge services a BIAS provider may also offer, such as email, websites, cloud storage solutions, social media sites, music streaming services and video streaming services.
- Data Categories: The Privacy Rule governs so-called customer proprietary information (customer PI), which includes the previously defined and regulated individually identifiable customer proprietary network information (CPNI), personally identifiable information (PII) and communications content. PII is defined to include information that can identify an individual or an individual device. In many instances PII and CPNI overlap (e.g., geo-location, IP address). In a departure from its initial proposed rule, the FCC adopts a sensitivity framework for determining what level of customer consent is required, rather than a use-based paradigm. However, the FCC takes a European-style approach to sensitivity, including treating network browsing and usage activities as sensitive.
- Notice: While the FCC is flexible as to the format of the notice of privacy practices, BIAS providers are required to reasonably, clearly, conspicuously and meaningfully inform customers about what customer PI the providers collect, how they use it, under what circumstances they share it, and the customer’s choices as to use and sharing. Although the FCC rejected periodic notice requirements (e.g., sending annual or biannual notices), providers must make the privacy notice consistently available. If there are material changes to the privacy notice, customers must be given advance notice via email or other means agreed upon by the customer. To ease the burden of designing notice and choice formats, the FCC has charged the Consumer Advisory Committee with formulating a standardized notice format by June 1, 2017, that can serve as a safe harbor. There are enhanced notice requirements for programs that provide financial incentives in exchange for consent.
- Choice: BIAS providers must have express, informed, opt-in consent for use and sharing of sensitive customer PI. Sensitive customer PI includes precise geo-location, health, financial and children’s information; Social Security numbers; communications content; and web browsing and application usage history and their functional equivalents. For nonsensitive customer PI, BIAS providers may rely on either opt-out or opt-in consent for use and sharing. Furthermore, the options (opt-out and opt-in) must be persistent and adjustable over time at the customer’s election. Any material retroactive change to the handling of customer PI, regardless of sensitivity, requires opt-in consent. Exempted from the customer choice requirements are use and sharing of customer PI to the extent necessary to provide the underlying telecommunications service, for billing and collection, and where permitted or required by applicable law.
- Security: The FCC requires that reasonable data security measures be employed to protect customer PI, appropriate to the entity’s size, the nature and scope of its activities, the sensitivity of the data, and technical feasibility. The FCC discusses recommended standards and best practices and echoes the FTC’s recommendation that entities develop and maintain a written information security program against which their security can be measured.
- Breach Notification: The BIAS provider data breach notification rule includes a risk-of-harm analysis. If no harm to customers is reasonably likely to occur as a result of the breach, notification to regulatory bodies is not required. However, the FCC’s definition of harm includes emotional and physical harm and is not restricted to financial injury or identity theft, and the rule adopts a rebuttable presumption of harm for sensitive customer PI. There is no safe harbor for encrypted data; instead, the analysis of the risk of harm from acquisition, use or disclosure of encrypted information turns on an assessment of the reasonable likelihood that the information can be decrypted.
For breaches affecting fewer than 5,000 customers, carriers must notify the FCC without unreasonable delay and within 30 days of the carrier’s reasonable determination that a breach has occurred. For breaches affecting 5,000 customers or more, carriers must notify the FCC, U.S. Secret Service and Federal Bureau of Investigation within seven days of reasonably determining that a breach has occurred and at least three days before notifying customers. A reasonable determination is made when the carrier finds that a breach has more likely than not occurred. Customers must be notified within 30 days of a reasonable determination that a breach has occurred.
The data breach notification rule specifies both the content of the notice and the method of notice. BIAS providers must keep copies of the customer notifications, the date of the incident and the date of notification for two years after the reasonable determination of the breach.
- Discounts and Incentives: The FCC adopted heightened notice requirements for discounts and other incentives offered in exchange for customers’ express affirmative consent to the use and sharing of their customer PI to the extent such use and sharing is not necessary to operate the service.
- Take It or Leave It: The FCC fully adopts the prohibition from its Notice of Proposed Rule-Making on take-it-or-leave-it offers that require consent to data sharing and use not necessary to provide the services as a condition of obtaining the services.
- Mandatory Arbitration/Dispute Resolution: The FCC noted that the record to date gives it “serious concerns about the impact on consumers from mandatory arbitration provisions …” and gave notice of an intended rule-making on the subject due February 2017.