The FCC, in its regularly scheduled monthly meeting at the end of October, approved new privacy rules for providers of broadband Internet access service. The new rules are, in part, a result of the classification of broadband services as "common carrier" services in the 2015 Open Internet Order, thus moving consumer issues from the regulatory realm of the Federal Trade Commission to that of the Federal Communications Commission.
Specifically, under Section 222 of Title II of the Communications Act, common carriers, and by extension broadband internet service providers, are required to protect the privacy of their customers' information. That's a very broad, sweeping statement, but the new rules, of which the final version has not yet been released, represent a major step towards aligning the FCC's rules with both those of the FTC and some of the states. Will the new rules be perfectly in sync? No, but at least there will be some common patterns and themes on which both providers and consumers can rely.
The complete final rules will not become effective for providers until six months after they are printed in the Federal Register, which has yet to happen. However, both providers and consumers should be more than aware that some important changes are coming. There are a number of areas of interest; each is important in its own right, and while space limits the depth in which these issues can be presented, I'll briefly discuss these areas.
The first is that both fixed and mobile broadband providers must disclose, in clear and obvious terms, the nature of the information being collected, how and for what purpose the information will be used and shared by the ISP, as well as general information about the types of entities with whom the information will be shared. Names of specific entities with whom the information is shared may not be available, but the types of entities will. Notifications by providers to consumers on changes in terms must be provided immediately (either at the time a person subscribes to a service or when the provider changes its policy). Such terms must also be available on the provider's website at all times.
Secondly, there must be formal and clearly defined "opt-in" and "opt-out" provisions to not only notify consumers of what information is being collected, but to identify the types of data for which permission is implied and explicit permission is not required. Special information, which will require the explicit "opt-in," includes geo-location, children's information, health information, certain financial information, Social Security numbers, Web browsing, app usage history, and most importantly message content. One other new twist is that the broadband rules will apply to voice services (read: call detail) as well, with call detail records included in the special information category. The sharing of any of this information clearly, and unequivocally, requires the customer's consent. The flip side of this is that there is a small amount of information that the consumer cannot opt out of providing. Most of this relates to information necessary to generate bills, although aggregated information, where personal identifiers have been removed for the purpose of general trending information, may also be shared without consumer-provided consent.
Broadband providers are explicitly prohibited from offering "take it or leave it" service packages. That is, while they retain the right to charge additional fees to consumers who choose not to share information, they are clearly forbidden from forcing consumers to share all available information or simply not purchase the offered service. Back in the day, many people paid for the privilege of having their residential phone numbers not printed in the phone book. This is the broadband version of the same concept. If you want your information to remain private, it will cost you.
In addition, broadband providers will be required to take "reasonable measures" to protect consumer data from either disclosure or unauthorized use. What's "reasonable" is for a court to decide, but the FCC will be monitoring provider practices, and it's likely that there will be some additional clarification provided in the next Notice of Proposed Rulemaking that the FCC makes on these issues in early 2017.
Notice to consumers when data breaches occur will also take a more consistent form (if not completely standardized) that more closely aligns with current standards used by the FTC along with the states. To begin with, consumers who are affected by a breach will be notified as soon as possible, but no later than 30 days after the provider becomes aware of the breach. Further, broadband providers are obligated to notify federal law enforcement (FBI, Secret Service) in the event of a breach affecting more than 5,000 customers no more than 7 days after the entity becomes aware of the breach. Finally, the FCC must be notified at the same time that consumers are notified when the breach affects fewer than 5,000 customers.
One final important point: The new rules regulate only privacy operations of broadband service providers, NOT websites or apps. Consumer issues related to either of these categories remain under the purview of the Federal Trade Commission. The new rules also do not affect (read: regulate) other services offered by broadband providers, nor do they address other areas of privacy including government surveillance, encryption, or law enforcement activities.
You can view the FCC's current fact sheet online. More clarification on the finer points of the FCC's action will be available once the complete rules are published in the Federal Register. For the time being, however, consumers and providers should be satisfied that they know, at a minimum, the direction in which the rules are evolving.