FCC Enforcement Advisory: Broadband Providers Must Take Reasonable, Good Faith Steps to Protect Consumer Privacy

grid2On Wednesday, May 20, 2015, the FCC’s Enforcement Bureau issued its first enforcement advisory in the post-Open Internet Order era. Not surprisingly, the Bureau’s first advisory addressed the consumer privacy obligations of broadband providers. In the Advisory, the Bureau reminded broadband Internet access service (“BIAS”) providers that they will need to take “reasonable, good faith steps to protect consumers’ privacy” pursuant to Section 222 of the Communications Act when the 2015 Open Internet Order goes into effect on June 12, 2015. The Advisory also advises broadband providers to seek informal FCC guidance regarding particular practices during the initial implementation of the order.

In the 2015 Open Internet Order, the Commission applied the consumer privacy protections of Section 222 of the Communications Act to BIAS providers. Section 222 regulates:

  • Proprietary Information. Section 222(a) establishes a duty of telecommunications carriers to protect the confidentiality of proprietary information of and relating to carriers, equipment manufacturers, and customers.
  • Carrier Proprietary Information. Section 222(b) prohibits carriers who receive proprietary information from other carriers for the purpose of providing telecommunications from using that proprietary information for other purposes, including marketing.
  • Customer Proprietary Network Information. Section 222(c) defines CPNI and establishes situations where carriers may use CPNI without obtaining additional consent.
As the Bureau noted in its Advisory, although the 2015 Open Internet Order applied Section 222’s substantive obligations to BIAS providers, it forbore from applying Section 222’s “telephone-centric” implementing rules. In the coming months, the Commission will conduct a separate rulemaking to adopt CPNI rules for BIAS providers. Until then, BIAS providers are subject to the obligations of Section 222, without any specific implementing rules.

In the Advisory, the Bureau warned that, during this gap period, BIAS providers should “employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections.” Rather than focusing on what the Bureau referred to as the “technical details” of the provider’s practices, the Bureau announced that its focus will be on whether providers are taking “reasonable, good-faith steps” to comply with Section 222. In other words, it seems, for now, the Bureau will be looking more at efforts and less at outcomes in its enforcement.

The Advisory also encourages BIAS providers to seek informal guidance from the Enforcement Bureau. It stated that both informal guidance, and advisory opinions as provided in the Open Internet Order are available. The Bureau cautioned that no provider “is in any way required to consult with the Enforcement Bureau,” but such consultations would, in and of themselves, “tend to show that the broadband provider is acting in good faith.” This may prove to be a significant stance, particularly if the provider is operating or using customer information in ways that later prove to be controversial. BIAS providers should carefully consider their options to obtain guidance in connection with a particular use of customer information once the rules take effect.

In light of this Enforcement Advisory and the 2015 Open Internet Order, all BIAS providers should conduct a review of their customer privacy practices and public-facing policies. Such a review would be an important starting point in demonstrating “reasonable, good-faith steps” to comply with Section 222.