On October 6, Federal Communications Commission Chairman Tom Wheeler published a fact sheet and blog post outlining his proposal to create privacy rules for internet service providers (ISPs), setting the final rules up for a vote at the FCC’s October 27 open meeting. The fact sheet demonstrates that the Federal Trade Commission and other government privacy experts have influenced Chairman Wheeler’s thinking on certain issues, although key elements of the Chairman’s proposal remain unchanged. For analysis of salient aspects of the FCC’s proposed consumer privacy rules, please see Fact-Checking the FCC’s Fact Sheet on Broadband Consumer Privacy by Christin McMeley, Chair of DWT’s Privacy & Security Practice.
As in the original notice of proposed rulemaking (NPRM), Chairman Wheeler proposes to require that ISPs notify customers about what types of information they collect, how and for what purposes such information is used, and the types of entities with which ISPs share such information. Additionally, the Chairman’s revised proposal now directs the Commission’s Consumer Advisory Committee to develop a standardized privacy notice format as a safe-harbor.
Updated Consent Regime
According to the fact sheet, the proposed rules are designed to adapt to changing technology and encourage innovation. In a departure from its initial position, the FCC states that its rules are “in harmony with other key privacy frameworks,” including the Federal Trade Commission’s statements and the Administration’s Consumer Privacy Bill of Rights. Specifically, the proposed rules claim to calibrate customer consent with the sensitivity of data:
- Opt-in consent is required for “sensitive” information, which the fact sheet defines to include geolocation, children’s information, health information, financial information, SSNs, web browsing history, app usage history, and “the content of communications.” (Note: web browsing history and app usage history remain controversial additions to the “sensitive information” category.)
- Opt-out consent would be required for “all other individually identifiable customer information,” including service tier information. (Note: it is unclear whether this category is limited to CPNI, to which Section 222(d) confines its marketing and use restrictions, or whether the FCC intends to apply these restrictions to all “customer proprietary information.”)
- Consent is inferred for “certain purposes spelled out in the statute”, such as the provision of broadband service, billing and collection. (Note: the statutory exceptions could be narrowly construed and even restrict voluntary sharing of cybersecurity information, as otherwise permitted by law.)
Revised De-Identification Test
As in the NPRM, the Chairman proposes to carve out de-identified information, which the fact sheet describes as “data that have been altered so they are no longer associated with individual consumers or devices.” ISPs are free to share such data, but to do so they must meet the FTC’s three-part test for de-identification: 1) the information cannot be reasonably linkable to a specific individual or device; 2) the ISP must publicly commit to maintain and use the information in an unidentifiable format and to not attempt to re-identify it; and 3) the ISP must contractually prohibit re-identification of the information by any party with which it shares the data. (Note: under the revised proposal, de-identified information does not need to be aggregated.)
Disclosures Required for Financial Incentives
The Chairman’s proposed rules would also prohibit take-it-or-leave-it offers; that is, ISPs could not condition service on a consumer’s consent to the use of his or her information. The proposal separately addresses the exchange of information for financial incentives, requiring “heightened disclosure” for plans that provide a discount in exchange for consumer data. Additionally, ISPs would need to obtain express affirmative consent before making the discount available. Even if these conditions are met, however, the fact sheet warns that the agency will evaluate the “legitimacy” of discount programs on a case-by-case basis.
Data Security and Breach Notification
Chairman Wheeler now proposes to harmonize the Commission’s data security and breach rules with the frameworks of the FTC and the National Institute of Standards and Technology. An ISP’s data security practices must “be appropriately calibrated to the nature and scope of its activities, the sensitivity of the underlying data, and the size of the provider and technical feasibility.” While the fact sheet offers some examples of reasonable practices, such as properly disposing of data, the agency purposefully does not provide a comprehensive checklist of security requirements.
The Chairman’s proposal also lengthens the deadlines for reporting and providing notice of data breaches: 30 days (up from 10 days) for notifying consumers after the ISP determines that an unauthorized disclosure of a customer’s personal information has occurred, unless the ISP establishes that no harm is reasonably likely to occur; and 7 business days for reporting the breach to the Commission and law enforcement agencies. (Note: it is unclear whether the notification requirement to the FCC is likewise conditioned on the ISP’s determination that consumer harm is reasonably likely.) Even with these lengthened deadlines, the timelines in Chairman Wheeler’s proposal remain shorter than those of the vast majority of other data breach regimes.