Details of the proposal have not yet been released – only news release so far – text of broadband privacy rules to come soon
Late this afternoon the FCC adopted a Notice of Proposed Rulemaking (NPRM) proposing new rules governing the privacy practices of Internet Service Providers (ISPs) at its monthly open meeting, which was delayed several times while FCC commissioners negotiated over an unrelated issue. These new rules would not apply to “edge” providers (such as Netflix, Twitter, Facebook, Apple and Google) who provide their content over the ISPs’ broadband networks and whose practices continue to be subject to the jurisdiction of the Federal Trade Commission; but they would apply to all providers of broadband Internet access service, including telecommunications carriers and cable operators.
This rulemaking is another outgrowth of last year’s FCC “Open Internet Order,” in which the FCC re-classified ISPs as common carriers subject to Title II of the Communications Act. That decision was appealed to the D.C. Circuit, was briefed and argued at the end of last year, and is now awaiting the court’s decision. While the FCC in its reclassification Order “forbore” from applying many traditional common carrier rules to ISPs, it explicitly declared that they would be subjected to the privacy-related provisions of section 222 of the Act.
Chairman Wheeler framed the proposed new rules as being “built on three core principles: choice, transparency and security” and his statements at the meeting tracked his earlier released proposal:
- Choice and Transparency. The FCC is proposing a regime that will require ISPs to disclose what information is being collected about customers, how it is used or shared with affiliates or third parties, and the circumstances of such sharing. The rules would then limit how ISPs use broadband customers’ data as follows:
- No consent needed: ISPs could use customer data to provide and market the types of services already purchased by the consumer.
- Opt-Out: ISPs could use customer data to market other communications-related services, and also share customer data with affiliates that will market or provide such services, unless the customer affirmatively opts out of such usage.
- Opt-In: ISPs cannot use or share consumer data for marketing any other service unless the customer affirmatively allows such additional usage.
- Data Security. The FCC is proposing “robust and flexible” data security requirements and an “overarching data security standard” applicable to ISPs. These requirements or standards would require providers to:
- Safeguard against unauthorized use or disclosure of customer information,
- Adopt risk management practices,
- Adopt customer authentication requirements for access,
- Appoint a senior manager for data security,
- Assume responsibility for protection of data that is shared with third parties, and
- Notify customers and the FCC of any data breach, and include the FBI and Secret Service if more than 5,000 customers are affected.
Chairman Wheeler’s proposals already have come under harsh criticism from industry and many other parties on a variety of grounds, including that such “sector-specific” rules would apply to ISPs but not edge providers, who would have a free hand in using the same and many other types of customer proprietary information. Critics have also noted that such massive “regulatory asymmetry” vis-à-vis edge providers would harm ISPs’ debt ratings and have other negative effects on the information ecosystem; and that such broad regulation—and likely FCC enforcement actions involving penalties in the hundreds of millions of dollars-- betrays the FCC’s assurances last year that its Open Internet Order constituted only “light touch” regulation narrowly focused on the overarching public interest in an open Internet.
As has become customary of late, today’s NPRM was adopted on a party-line 3-2 vote over the stinging dissents of Commissioners Pai and O’Rielly. Commissioner Pai said the Commission dug a “hole” when it reclassified Internet access service as telecommunications, but in response created a disparate regime proposing new rules that selectively burden ISPs while creating a windfall for edge providers who profit from using customer information, which will be able to continue without abatement. Commissioner O’Rielly focused on Section 222 and the associated CPNI rules developed for telephone service as being the “square peg being pushed into the round hole” of broadband access service, and argued that the new proposals would make burdensome “opt-in” consent the “default” mechanism for obtaining customer permission.
Although formally approved by the Commission during the open meeting, the NPRM has not yet been released to the public. Interestingly, Commissioner Rosenworcel said by her count there will be more than 500 questions for consideration. Among the issues we expect to analyze are:
- Do the new rules place broadband Internet access providers under a more burdensome regime than other providers in the Internet ecosystem?
- How will the Commission define protected “customer proprietary information?”
- Will the Commission attempt to “harmonize” the definition of “customer proprietary information” with existing CPNI rules for voice services?
- Whether the Commission will expand its rules to cover information beyond what is traditionally considered “CPNI.”
- How will the Commission define the concept of “communications-related services” under the anticipated opt-out consent regime?
- Whether the Commission will address network management practices, including tools such as packet inspection, in its apparent desire to construct prescriptive rules.
- Whether the Commission will distinguish between mobile and fixed broadband providers in the application of any new rules.
- Whether there will be any consideration of the absence of parity in exempting edge providers from the new rules, and the effect such absence of parity will have on ISPs.
- Whether the Commission’s proposed rules will implicate any First Amendment commercial speech issues.
- Will the FCC expressly prohibit the practice of discounting service in exchange for certain forms of consent?
Once it is released and comment dates are announced, we will distribute another advisory analyzing the proposal in detail.