FCC’s Broadband Privacy Order: Dead on Arrival?

Perkins Coie

The Federal Communications Commission recently released an order containing new privacy protections for customers of broadband internet access service (BIAS) providers, which was adopted by a 3-2 vote along partisan lines. In the week following the November 2, 2016 release, the presidential election dramatically changed the federal government’s anticipated political and legal direction in ways that could render the Broadband Privacy Order effectively dead on arrival. 

As a result, the major components of the new Broadband Privacy Order, summarized below, must be considered against the backdrop of the new political and legal reality that both the Broadband Privacy Order and the FCC itself now face. At the same time, organizations subject to the Broadband Privacy Order would be wise to treat its rules and policies as legally effective unless affirmatively stated otherwise by the new Trump administration, which means existing privacy policies and security practices will likely need to be updated and revised in compliance with the timeframe contemplated by the Broadband Privacy Order’s staggered effective date schedule, as discussed further below. 

Effect of the 2016 Election

The FCC’s two Republican commissioners, Ajit Pai and Michael O’Rielly, strongly dissented by claiming that the Broadband Privacy Order would create a different set of privacy rules and obligations for different participants in the online ecosystem: FCC-regulated BIAS providers and Federal Trade Commission-regulated online edge providers.[1] Both had also previously dissented in the 2015 Open Internet Order (known as “net neutrality”), when the FCC reclassified BIAS services as regulated telecommunications services under Title II of the Communications Act in a break from more than a decade of treating such services as unregulated information services.[2] In so doing, the Open Internet Order also established the legal authority for the FCC’s extension of its privacy rules to BIAS providers because, under Section 222 of the Communications Act of 1934, as amended, 47 U.S.C. § 222, telecommunications service providers must comply with the FCC’s privacy rules.

Yet upon the inauguration of President-elect Donald Trump, the FCC will be under the control of the Republicans, likely with FCC Commissioner Ajit Pai serving as the Acting Chair until the nominee for FCC chairman (who could also be Commissioner Pai) is confirmed by the U.S. Senate.[3] As a result, the new Republican-controlled FCC and Congress may seek to materially alter, undo or overturn the Broadband Privacy Order directly or via more indirect methods by trying to undo the Open Internet Order’s reclassification of BIAS as a Title II telecommunications service, as detailed below. 

Methods to Alter or Undo the Broadband Privacy Order. As a first step, the new Trump FCC could simply exercise its discretion to not aggressively enforce the Broadband Privacy Order. The agency could maintain such a laissez-faire approach while also undertaking the lengthier notice and comment procedures of the Administrative Procedure Act to alter or undo the Broadband Privacy Order or to reclassify BIAS again to its former status as an unregulated information service. In addition, depending on when the rules are published in the Federal Register, the new Trump administration could freeze the regulations before they become fully effective (particularly due to the Broadband Privacy Order’s staggered effective dates). The new Congress could also legislatively overturn the regulations pursuant to the Congressional Review Act. Representative Greg Walden, Chairman of the House Subcommittee on Communications and Technology, recently indicated that the new Congress plans to rely on the Congressional Review Act to review recent FCC orders.

Summary of Broadband Privacy Order

If they do survive in their present form, the FCC’s new Broadband Privacy Order rules require BIAS providers to obtain explicit customer consent for the use and sharing of customer proprietary network information (CPNI) and other sensitive customer data, including a customer’s internet browsing history. The rules also specify notice, data security and data breach notification requirements for all telecommunications carriers and harmonize the rules for BIAS providers with the FCC’s longstanding privacy rules for traditional voice telecommunications services.

Applicability of the New Rules. The FCC’s new rules apply to mass retail, consumer internet access services, including mobile, satellite and landline cable and fiber services. The rules exempt, among other things, operators of premises such as college campuses, business offices, hotels, book stores, restaurants and coffee shops, provided that services are limited to guests, employees, enrolled students or other authorized users of such premises. The rules also apply to providers of interconnected voice-over-IP (VOIP) services. However, the FCC adopted a limited exemption for enterprise telecommunications service providers (i.e., business-to-business) by which the parties are free to devise their own manner of handling issues of transparency, choice, data security and data breaches in their contract, provided that the contract expressly acknowledges that the parties have so agreed.

Use and Sharing Requirements Differ Depending on Customer Data. The FCC’s new rules protect customers’ confidential and private information by classifying data into several different types: customer network information, sensitive customer information and de-identified data.

  • Opt-in Consent for Use of Customer Network Information

A BIAS provider must obtain explicit customer approval (also known as “opt-in approval”) to use or share customer network information (customer proprietary network information or CPNI) for purposes other than providing the telecommunications service.  Under the new rules, this network information includes broadband service plans, geo-location information, MAC addresses and other device identifiers, IP addresses and domain name information, traffic statistics, port information, application header, application usage, application payload, customer premises equipment and device information.

  • Opt-in Consent for Use of Sensitive Customer Information (Customer PI)

The FCC’s new rules require explicit customer approval to use or share sensitive customer information. Sensitive customer information includes, but is not limited to, financial information, health information, information pertaining to children, Social Security numbers, precise geo-location information, content of communications, call detail information, web browsing history and application usage history. The FCC warned that carriers should use good judgment when using or sharing other sensitive customer information.     

  • Opt-out Consent for Use of Non-Sensitive Customer Information

BIAS providers may use or share non-sensitive customer PI, so long as they provide an “opt-out” mechanism to enable customers to revoke their consent for use and sharing of their data.  

  • Unrestricted Use of De-identified Data

The FCC also addressed what it termed “de-identified data,” i.e., data altered so that it is not linked to or reasonably associated with individual customers or their devices. Carriers may use and share such information without obtaining customer approval.

Notice and Customer Consent. The FCC’s rules require carriers to make clear disclosures about their privacy practices, as well as customer privacy options, at the point of sale, on their websites and apps, and again through email after any material change. FCC’s action in this proceeding is largely consistent with the FTC’s notice and choice model outlined in the FTC’s privacy framework.

Extra Scrutiny for Particular Data-Use Practices. Under the rules, a broadband ISP can offer financial incentives in exchange for a customer’s approval to use or disclose the customer’s proprietary information. If it offers these financial incentives, it must provide consumers with separate and heightened privacy policy notice and opt-in methods. However, a provider cannot condition service on a customer’s agreement to waive his or her privacy rights. The FCC does not want to limit providers’ ability to design innovative new offerings, but at the same time, it stated that it “will closely monitor the development of financial incentive practices” to ensure that customers do not have to choose between privacy protection and high prices. If the rules withstand court challenges and the change in administration, then it is unclear whether a Republican FCC will look unfavorably on these practices.

Data Security and Breach Notification. The rules require telecommunications providers to take reasonable measures to protect personal information from unauthorized use or disclosure. While the FCC did not specify minimum security practices, it referred providers to other federal data security models, such as NIST’s Cybersecurity Framework, and required providers to account for the following factors in their plans: (1) the nature and scope of the telecommunications carrier’s activities; (2) the sensitivity of the data it collects; (3) the size of the telecommunications carrier; and (4) the technical feasibility of certain security measures. The FCC also set forth aggressive deadlines by which BIAS providers must notify customers, the FCC, the FBI and the Secret Service if a data breach occurs. 

Staggered Effective Date Schedule. According to the FCC’s current implementation schedule, the Broadband Privacy Order’s regulations will become effective in phases over a one-year period. The data use and sharing notice and choice requirements are scheduled to become effective approximately 12 months after publication in the Federal Register (which will likely happen by mid to late November), although small providers would have an additional 12 months to come into compliance. Providers would have 90 days to implement the data security requirements and six months to implement the data breach notification procedures after the publication of the rules. Note that this staggered effective date schedule likely means that the latter phases of this schedule are even more vulnerable to never becoming effective because of the additional time provided to opponents of the rules.

Privacy Complaints and Mandatory Arbitration. The FCC affirmed that its current complaint procedures apply to the new privacy rules. Customers who experience violations of any of the rules may file informal complaints with the FCC, and carriers cannot require customers to waive their ability to file complaints regarding violations of their privacy rights.

The Broadband Privacy Notice of Proposed Rulemaking requested comment on the use of mandatory arbitration in consumer contracts for broadband and other communications services. Instead of addressing the issue in this proceeding, the FCC indicated that it will initiate a new rulemaking proceeding in February 2017. Again, however, in light of the election results, the new Trump FCC is under no obligation to honor this non-binding statement of intent from the current FCC.

Practical Compliance Steps

To reiterate, BIAS providers and other stakeholders would be wise to treat the Broadband Privacy Order as permanent and lasting unless the Trump administration affirmatively states otherwise. In the meantime, a provider should prepare to: (1) perform a comprehensive review of what it is currently doing with customer data; (2) ensure that its existing privacy policy is written in plain English (and in any other foreign language in which the provider conducts business), and explains how customer data is used or shared and how customers can opt in or opt out of contemplated uses, as applicable; and (3) display a link to the privacy policy prominently in all customer-facing materials.


ENDNOTES

[1] Various cable and wireless trade associations and other industry stakeholders also supported this view and joined in opposition to the Broadband Privacy Order.

[2] The Trump campaign also expressed its strong opposition to the Open Internet Order.

[3] The term of FCC Commissioner Jessica Rosenworcel, a Democratic member, has expired and she must step down by the end of the current Congress in late December 2016 unless she is reconfirmed for a new term. If the current Congress does not reconfirm her in its final weeks, the FCC would have two Republicans and two Democrats (including current Chairman Tom Wheeler). There had been some acrimony earlier in the year between the Senate Republican leadership and Chairman Wheeler regarding whether he would commit to stepping down immediately upon the Republicans winning the White House rather than serve until the end of his term in 2018. Regardless, the Trump administration will have authority to name its own chairman as of inauguration, whether or not Wheeler serves out his term. The chairman controls the FCC agenda and leadership appointments. Therefore, Wheeler is likely to follow tradition and step down before inauguration rather than remain in a reduced role under a Republican chairman. Assuming Wheeler steps down and Rosenworcel is not reconfirmed, the Republicans would control the resulting three-member FCC (composed of Commissioners Pai, O’Rielly and Clyburn) by a 2-1 majority on the day the new administration begins.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising
