“When consumers sign up for Internet service, they shouldn’t have to sign away their right to privacy,” was the clear pronouncement from the Federal Communications Commission (“FCC”) in its fact sheet describing proposed privacy rules directed at Internet Service Providers (“ISPs”).
On March 10, 2016, Chairman Wheeler circulated his proposal among the other four FCC commissioners. The goal of the proposed rules is to give broadband consumers increased choice, transparency, and security with respect to their data.
If approved, these rules would be the first explicit privacy regulations placed on ISPs like Comcast, Verizon, and Time Warner Cable, and would significantly curb the ability of those companies to share consumer data with advertisers without permission.
As detailed in the fact sheet, ISPs collect personal and private information to create detailed profiles about their customers. ISPs track every website that a customer visits, which grants them access to a host of information about their customers, including private information like a chronic medical condition or financial problems.
The proposed rules would put ISPs under greater privacy oversight than web platforms like Twitter and Facebook, which are regulated by the Federal Trade Commission, not the FCC.
Under the proposed FCC rules, customer consent would be considered inherent in the customer/ISP relationship for the use of data necessary to provide broadband services and to market the type of service that the customer purchased. However, customers would be able to “opt-out” of having their data used to market other communications-related services or shared with affiliates. All other uses and sharing of customer data would require express, “opt-in” consent from customers.
If the rules are implemented, ISPs would be subject to strict data breach notification requirements. If a breach occurs, the ISP would be required to notify affected customers within 10 days after it discovers the breach and the Commission within 7 days after it discovers the breach. If a breach affects over 5,000 customers, the ISP must notify the FBI and the U.S. Secret Service within 7 days after it discovers the breach. These deadlines would be far shorter than, for example, the notification deadlines under many state laws, which can be as long as 90 days. In addition, it is unclear to what extent the proposed FCC rules will preempt state breach notification laws in regard to ISP customers.
Under the proposal, ISPs would also be required to take specific enumerated steps toward protecting customer data, including: adopting risk management practices; instituting personnel training practices; adopting strong customer authentication requirements; identifying a senior manager responsible for data security (such as a CISO); and taking responsibility for use and protection of customer information when shared with third parties.
The Commission will vote on the proposal at the March 31 Open Meeting; if adopted, the proposal will be followed by a period of public comment.