As described in our May 8 client alert, most of the discussion regarding the new “network neutrality” order from the Federal Communications Commission (FCC) has focused on the FCC’s decision to reinstate rules the agency adopted in 2015 and then overturned in 2017. Equally important, though, are the significant implications the order will have for customer privacy. The FCC’s conclusion that broadband internet access service (BIAS) should be treated as a telecommunications service will subject broadband providers to different requirements than those that have governed them since 2017, will create uncertainty about how to comply with those requirements and likely will lead to additional rulemaking activity at the FCC – further increasing uncertainty in the medium term.

FCC now in charge of BIAS privacy

Telecommunications carriers are exempt from Federal Trade Commission (FTC) privacy rules and instead are regulated at the federal level entirely by the FCC. Accordingly, the FCC’s determination that BIAS is a telecommunications service shifts the regulation of BIAS privacy from the FTC to the FCC. In recognition of this shift, the FCC and the FTC have entered into a new memorandum of understanding addressing how they will divide their jurisdiction and cooperate in regulating internet access services.

The decision to reclassify BIAS – mass-market consumer internet access service – as a telecommunications service does not affect the FTC’s authority over non-BIAS offerings. Thus, privacy for internet access services provided to enterprise customers or as specialized offerings customized for particular customers or uses will continue to be regulated by the FTC. In other words, different types of internet access service will be subject to different privacy requirements, depending on what customers are being served and how the service is provided. 

FCC privacy requirements for BIAS providers

The basic privacy requirements for telecommunications carriers are contained in Section 222 of the federal Communications Act, which limits the ways in which customer information can be used by telecommunications carriers. Section 222 applies to information about the quantity, technical configuration, type, destination, location and amount of use of a service by telecommunications customers. (This information is known as customer proprietary network information, or CPNI.) As it did when it adopted the last round of network neutrality rules in 2015, the FCC decided it would not forbear from applying Section 222 to BIAS. Under Section 222, BIAS providers will be required to obtain permission to use CPNI to market their services and will not be allowed to use CPNI they obtain from other carriers for marketing. 

The FCC did not, however, apply its own privacy rules for telecommunications carriers to BIAS, concluding that those rules were not well adapted to internet access services. This means BIAS providers will have relatively little guidance from the FCC concerning what information qualifies as customer information when the customer is purchasing BIAS, what kind of notices have to be provided to customers, and how to obtain and maintain consent to use customer data. BIAS providers also will not be subject to the FCC’s data breach notification requirements, which are part of the FCC’s broader privacy rules. While the FCC could provide BIAS providers with guidance on how to comply with Section 222, it is not likely that any guidance will be made available in the near future.

Proposed BIAS privacy rules could come soon

Following the 2015 order, the FCC adopted broad reforms of its privacy rules, but those rules were overturned by Congress through the Congressional Review Act (CRA), and the FCC is prohibited from readopting those or substantially similar rules. However, the FCC likely will try to adopt new rules to cover BIAS, and particularly, to fill in the gaps concerning customer notice and consent. The FCC has not signaled what it will do, but one possibility is that it will propose rules closely resembling the existing telecommunications carrier rules, with changes necessary to reflect the differences between BIAS and other telecommunications services.

Any FCC action to adopt new, BIAS-specific privacy rules likely will not occur until at least 2025, and it is likely that the privacy rules for BIAS would be subject to appeals, possibly including an argument that they are prohibited as a result of Congress overturning the 2016 rules under the CRA. Until new rules go into effect, BIAS providers will have to rely on interpretations of Section 222 and any guidance the FCC issues.