On December 2, 2016, a notice and summary of the Federal Communications Commission’s (FCC’s) controversial Broadband Privacy Order (the Order) was published in the Federal Register. The Order imposes comprehensive privacy and data security regulations for providers of broadband Internet access service (BIAS) and replaces existing privacy and data security rules for all other telecommunications service providers.
Since “carriers will need some time to update their internal business processes as well as their customer-facing privacy policies and choice mechanisms,” the Order provides a staggered timeline for implementing the new privacy and data security rules. It also provides guidance on how carriers should treat customer approvals and share customer PI received before the new rules are effective. Finally, the Order extends the timeline for small carriers to implement the transparency and customer choice rules.
| Effective Date | Rule | Summary of Rule |
|---|---|---|
| January 2, 2017 | 47 C.F.R. § 64.2001 | Basis and purpose of the rules |
| January 2, 2017 | 47 C.F.R. § 64.2002 | |
| January 2, 2017 | 47 C.F.R. § 64.2011(a) | Prohibition on “take it or leave it” broadband service offerings. Broadband providers cannot condition the provision of service on a customer surrendering his or her privacy rights. |
| January 2, 2017 | 47 C.F.R. § 64.2010 | Exemption for enterprise voice customers from Section 222 rules, provided the service contract meets certain requirements. |
| January 2, 2017 | 47 C.F.R. § 64.2012 | Preemption of state law, only to the extent state law is inconsistent with rules adopted by the Commission. |
| March 2, 2017 | 47 C.F.R. § 64.2005 | Service providers required to employ “reasonable” data security practices. We strongly encourage you to contact your usual Kelley Drye attorney to determine if your security measures are likely to be deemed “reasonable.” |
| June 2, 2017, or upon PRA approval, whichever is later | 47 C.F.R. § 64.2006 | Data breach notification requirement. Providers may be required to notify the FCC and/or law enforcement, depending on the scale of the breach. |
| Dec. 4, 2017, or upon PRA approval, whichever is later* | 47 C.F.R. § 64.2003 | Provide notice to customers of privacy policies. Notices must be provided at the point of sale and made persistently available to consumers, and be provided in the event of material changes to privacy and data security policies. |
| Dec. 4, 2017, or upon PRA approval, whichever is later* | 47 C.F.R. § 64.2004 | Requirement to obtain customer approval to use, disclose, or permit access to customer proprietary information. Providers must obtain opt-in consent for using “sensitive” customer PI. |
| Dec. 4, 2017, or upon PRA approval, whichever is later* | 47 C.F.R. § 64.2011(b) | Notice requirement for financial incentive programs. Providers must give clear and conspicuous notice of the terms of any financial incentive program in comprehensible and clear language. |

\* The Order provides small carriers an additional 12 months to comply with the new notice and approval rules.
A few of the rules must obtain approval from the Office of Management and Budget (OMB) under the Paperwork Reduction Act (PRA) before they go into effect. After OMB approval, the FCC’s Wireline Competition Bureau (WCB) must release a public notice indicating that the rule is effective, and giving carriers a time period to come into compliance with the rule that is the later of (1) eight weeks from the date of the public notice, or (2) the effective date noted above.
Should you have any questions about the Order and its implications for your organization, feel free to contact any one of the attorneys in the Kelley Drye Communications