On March 10, 2016, the Chairman of the Federal Communications Commission (“FCC”), Tom Wheeler, announced his proposal to empower consumers’ control over how their information is used by Internet Service Providers (“ISPs”).  The Chairman made the announcement in a Huffington Post blog with a corresponding fact sheet of the proposal terms posted to the FCC’s website.  The FCC regulates communications by radio, television, wire, satellite, and cable.  It has newly increased regulatory and enforcement power over ISPs under Title II of the Telecommunications Act of 1996 due to the FCC’s reclassification of ISPs as public utilities last year as reported by King & Spalding in the Data Privacy and Security Practice Report. 

The Chairman’s announcement focused on addressing the issue that consumers regularly hand over personal information simply by using residential or mobile broadband services.  Because an ISP handles all of its customer’s network traffic, it has an unobstructed view of all of a customer’s unencrypted online activity – websites visited and applications used.  Even when data are encrypted, ISPs still can see the websites that a customer visits, how often it visits them, and the amount of time it spends on each website.  Moreover, a consumer’s relationship is very different with an ISP than it is with an application; a consumer can move freely from one internet browser or online application to another, but it is much more cumbersome to avoid the network through which a consumer receives its internet access. 

The Chairman’s announcement sets out the following tenets.  ISPs should continue to have access to consumer information in order to provide broadband services and to market broadband-related services, such as higher connection speeds, as aligned with consumers’ expectations.  Nevertheless,  the Chairman proposed that consumers should be able to opt-out of ISPs’ use of their information to market other communications-related services by the ISPs or their affiliates.  He further proposed that all other uses and sharing of consumers’ personal data should require affirmative opt-in consent. 

In addition, the FCC’s fact sheet proposes that ISPs will have a duty to keep consumers’ data secure from breaches and other vulnerabilities, which would require ISPs to take reasonable steps to safeguard customer information and, at a minimum, adopt a series of data security practices.  In addition, in the event of a data breach of the ISP, the proposal would require ISPs to provide notification to consumers within 10 days after the breach and notice to the FCC within 7 days (as well as notice to the Federal Bureau of Investigation and the Secret Service if the breach affected more than 5,000 customers).  The Chairman emphasized that the proposed regulations would only apply to ISPs, not to the websites that consumers visit while using the broadband services of ISPs.  In making this distinction, he noted that the Federal Trade Commission (“FTC”) does a “great job” of dealing with the privacy policies of online services, which now clearly fall under the FTC’s purview. 

The proposal will be voted on by the FCC Commissioners on March 31, 2016, which will be followed by a period of public comment.  To read the Chairman’s full announcement on Huffington Post, visit: http://www.huffingtonpost.com/tom-wheeler/its-your-data-protect-online-privacy_b_9428484.html.  To read the fact sheet for the Chairman’s proposal visit: https://www.fcc.gov/document/broadband-consumer-privacy-proposal-fact-sheet.

The Chairman’s proposal has already garnered considerable opposition, including statements by FCC Commissioner Michael O’Rielly, who argued that the proposed rules are not necessary and go too far.  Other opponents have noted that ISPs have been collecting less data as more websites become encrypted and more consumers are choosing virtual private networks and that the FTC already has in place a regulatory approach that has proved workable and offers flexibility in implementation.  In contrast, others argue that the proposal does not go far enough, arguing, for instance, that websites like Google are leading behavioral advertising companies that should be held to the same standard as ISPs.  After the FCC’s decision last year to reclassify ISPs as a public utility in what has been dubbed the “net neutrality” regulations, this proposal suggests that the FCC is going to exercise its authority over ISPs to introduce new and more stringent privacy protections.

Reporters, Julie A. Stockton, Palo Alto, CA, +1 650 422 6818, jstockton@kslaw.com and Drew Crawford, Washington, DC, +1 202 626 5512, dcrawford@kslaw.com.