As we have previously advised, the FCC’s proposed rulemaking to “protect the privacy of customers of broadband and other telecommunications services” (the “NPRM”) proposes sweeping changes to the ways that Internet Service Providers currently collect, use, secure, and disclose consumer data.
The NPRM goes far beyond simply proposing to apply the privacy provisions of Section 222(c) of the Communications Act to broadband providers, and instead proposes sweeping new rules governing notice, choice and data security that will (if adopted) place ISPs under a significantly more burdensome regulatory framework than that which applies to edge providers.
Section 222(c) of the Act historically required carriers to protect the privacy of customer proprietary network information (“CPNI”), which is statutorily defined to cover only information that relates to the “quantity, technical configuration, type, destination, location, and amount of use of any telecommunications service.” Ignoring that definition, the NPRM proposes to re-interpret Section 222(a) as empowering the FCC to require ISPs to protect what is now called “customer proprietary information” or “CPI,” and then goes even further, asserting that Sections 201(b), 202(a) and 706 of the Communications Act give the FCC authority both to limit ISPs’ use of CPI and to require expansive notice provisions and increased security for a broad array of consumer data.
The premised “need” for both the new limits on ISPs and requirements for notice and security stems from the supposition that “ISPs are the most important and extensive conduits of consumer information and thus have access to very sensitive and very personal information,” as well as the gap in protection that was created when the FCC reclassified broadband Internet access service as a Title II service, thus making ISPs “carriers” and removing them from the Federal Trade Commission’s jurisdiction.
Throughout the NPRM, the FCC goes to great lengths to compare its proposed framework to other existing privacy regimes. The NPRM states that it
"focuses on transparency, choice, and data security in a manner that is consistent with … the FTC’s leadership, and the various sector-specific statutory approaches,"
referring to the HIPAA Privacy Rule, the California Online Privacy Protection Act, state laws pertaining to customer choice, and data security under the Satellite and Cable Privacy Acts, and the Gramm-Leach-Bliley Act.
In truth, however, the Commission adopts selected parts or principles of each of those regimes to support its own proposals, while omitting other parts of those laws that would undercut the Commission’s proposed rules and give ISPs more flexibility in data collection, use and protection by balancing the benefits of such use with consumer expectations and potential harm.
In our advisory, we take an in-depth look at whether the Commission has the legal authority to propose these rules. We also consider the potential impact of the Commission’s proposals for new definitions, notice, choice, data security and breach notification, and certain impermissible practices.