FCC Releases Enforcement Advisory – Tells Broadband Providers to Take “Reasonable, Good Faith” Steps to Protect Consumer Privacy in Absence of Rules
Come June 12, unless stayed by a federal court, broadband Internet service providers will be subject to expanded requirements to protect consumer privacy and new limitations on the use of customer data under the FCC’s recent Open Internet Order. The problem: no one is exactly sure what those additional requirements and limitations are, and new “guidance” from the Commission’s Enforcement Bureau simply advises broadband providers to take “reasonable, good-faith steps to comply with Section 222, rather than focusing on technical details,” and to “employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections.”
As a reminder, as part of its Open Internet Order, the Commission applied the statutory obligations of Section 222 of the Communications Act that relate to the use and disclosure of customer proprietary network information or “CPNI” (more generally and traditionally thought of as information about a telephone customer’s use of their service – not personally identifiable information, such as Social Security numbers or payment card information). However, the Commission declined to apply its own rules implementing Section 222, finding that they were “not well suited” for broadband service. This outcome leaves broadband service providers in the precarious position of interpreting a statute without any official guidance or rules from the agency of jurisdiction, even where the agency itself is unable to explain how Section 222 applies to broadband but says only that Section 222 will apply.
The first complicating factor for providers in applying the FCC’s recent advice is that it is not clear what “CPNI” even means in the broadband context. The statute defines CPNI as “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” In the phone context, that includes call-detail information, information about the customer’s calling plan, information found on customers’ bills, and the like. CPNI does not, however, include aggregate information or published directory information. In the broadband context, it is unclear exactly how that will translate. While ISPs assign IP addresses, that information is public, so arguably more akin to a published telephone number and therefore not CPNI. A customer’s web browsing habits and logs of sites visited or applications used, however, would clearly be considered CPNI by the Commission, but few if any ISPs maintain such logs and any such data should be limited to information that was obtained “solely by virtue of the carrier-customer relationship.” For example, interest-based advertising through browser cookies as part of ad networks should not be affected by the application of Section 222, although such practices may be subject to other requirements.
Adding to the complexity of applying the statute without rules is the fact that we can no longer rely on Congress’ intent when enacting the statute, as evidenced by recent FCC enforcement actions and public statements. Section 222 was designed to promote competition among telephone providers in 1996 by restricting a carrier’s ability to use certain proprietary information to its own competitive advantage and requiring the disclosure of other customer information to competitors, such as phone directory listing information. According to the Conference Report, “section 222 strives to balance both competitive and consumer privacy interests with respect to CPNI” (emphasis added). However, in recent months the Commission has taken a more expansive reading of Section 222, finding that it imparts a duty upon telecommunications carriers – and now broadband service providers – to protect the personal information of their customers, whether or not it is CPNI. This broad application of Section 222 was first seen in October 2014, when the FCC initiated an enforcement action against two telecommunications carriers based on a claimed data breach, alleging that such breaches violated the carriers’ duties under both Section 222 and Section 201(b) of the Act (requiring “just and reasonable” practices by carriers). It was reinforced less than six months later by a $25 million settlement with another carrier. Although the carriers in the first action vigorously dispute liability, it is clear that the Commission plans to broadly construe the scope and reach of providers’ extensive (and presently undefined) privacy duties under those provisions.
Leaving aside the debate about whether Section 222 actually addresses the protection of consumer data beyond CPNI, the statute clearly places limits on the use of CPNI. While the FCC’s data protection enforcement activities have received a lot of press of late, Chairman Wheeler’s letter to Congress confirms that the Commission is still very interested in how providers are using customer information. Indeed, both the Open Internet Order and the new enforcement advisory state that broadband providers “are in a position to obtain vast amounts of personal and proprietary information about their customers” and “absent privacy protections” a broadband provider’s “use of personal information could be at odds with its customers’ interests.” This idea was also reinforced by consumer advocates at a recent FCC workshop on consumer privacy. Despite the fact that broadband service providers are not the gatekeepers of consumer Internet activity that the Commission and consumer advocates believe them to be, it is clear that the FCC will be focused on broadband providers’ use of consumer data for marketing and other competitive purposes in its upcoming rulemaking on this issue.
In the meantime, what are “reasonable, good-faith steps” that broadband providers can take to comply with Section 222 and avoid enforcement actions while rules are being developed? While not exactly clear, the FCC advises providers that the Enforcement Bureau will furnish informal and formal advice to providers through additional enforcement advisories, and upon request, and that asking for guidance could be an indication of a provider’s “good-faith” should an enforcement action ensue. In the absence of baring your soul to the FCC, there are some practical approaches to compliance, including:
- Review your data security program. Ensure that customer data (e.g., Social Security numbers, drivers’ license numbers, financial and payment information, etc.) is protected on your systems, as well as by your third party service providers. Recent FTC and FCC enforcement actions can provide some guidance on agency expectations.
- Assess your current marketing activities. Are you utilizing broadband usage information to inform marketing or advertising campaigns? If so, do you have the appropriate customer “consent” for such activities, as required by the Section 222? The FCC’s current CPNI rules regarding opt-in and opt-out requirements for marketing to voice service customers may provide some guidance for broadband marketing activities.
- Revise your privacy and CPNI policies. If your privacy policies define CPNI narrowly and only apply protections and use restrictions to CPNI for telephone service, it’s time to update your policy to conform with Section 222’s application to broadband Internet service. Although the CPNI notice requirements are found in the FCC rules, not the statute, your published privacy and CPNI policies must be accurate with respect to your practices and your application of the new requirements.
- Update employee training. However you ultimately apply Section 222 to your broadband service, your employees need to understand your new policies and procedures.
The Commission’s view of privacy and information security, as well as its role in protecting it, is continuously expanding. And although the Commission states in the Order that it “cannot impose a penalty in the absence of ‘fair notice of what is prohibited,’” that hasn’t necessarily been their practice in this area…