FCC Votes 3-2 to Initiate Sweeping Broadband Privacy Rulemaking Proceeding
On March 31, 2016 at its Open Meeting, the Federal Communications Commission (FCC or Commission) voted along party lines (3-2) to launch a notice of proposed rulemaking (NPRM) to establish privacy rules for broadband Internet Service Providers (ISPs). As we explained in our blog post in anticipation of this vote, this rulemaking stems from the 2015 Open Internet Order and is intended to seek comment on how the Commission should apply Section 222 of the Communications Act of 1934, as amended, to broadband Internet access service (BIAS).
While the text of the NPRM—and the approximately 500 questions contained within it—has not yet been released, a Commission press release, fact sheet, and prior statements outline the NPRM in broad strokes. (We will follow up with more information once we have the item in hand.)
As a threshold issue, in the NPRM, the FCC seeks comment on definitions for both broadband customer proprietary network information (CPNI) and the broader category of “proprietary information” contained in Section 222(a).
In addition, the NPRM seeks comment on proposed rules reflecting three “core principles”: choice, transparency, and security. With respect to choice, the NPRM creates three categories of data use and sharing policies, similar to the existing framework:
- Implied Consent. The Commission recognizes that there is consent “inherent” in a customer’s decision to purchase an ISP’s service. This data is necessary to provide the broadband service and requires no additional consent beyond the creation of the relationship.
- Opt-out. Broadband providers would be allowed to use customer data for marketing other communications-related services and to share information with their affiliates, unless the consumer affirmatively opts out.
- Opt-in. All other uses and sharing of consumer data would require express, affirmative consent from consumers.
- Data security requirements. The NPRM will propose both a general standard for data security and specific practices to “reasonably secure” customer data.
- Data breach notification. All telecommunications providers—including traditional carriers and broadband providers—will be required to notify law enforcement and consumers when CPNI or proprietary information is accessed without authorization. This provision appears to significantly expand the breach notification procedures applicable to traditional telecommunications carriers today.