FCC Adopts Privacy Rules for Internet Service Providers | Practical Law


The Federal Communications Commission (FCC) has adopted a set of broad privacy rules that require internet service providers (ISPs) to protect the privacy of their customers' information. The new rules include specific requirements for customer notice, choice, and consent and require ISPs to take reasonable data security measures and provide data breach notification.


Practical Law Legal Update w-004-1815 (Approx. 5 pages)


by Practical Law Intellectual Property & Technology
Published on 28 Oct 2016, USA (National/Federal)
On October 27, 2016, the Federal Communications Commission (FCC) announced its adoption of new rules that require internet service providers (ISPs) to protect the privacy of their customers' personal information. As described in the FCC's fact sheet, the rules implement the privacy requirements of Section 222 of the Communications Act as applied to ISPs (47 U.S.C. § 222).
The FCC explained that it developed the new rules:
  • To ensure consumers have increased choice, transparency, and online security over their personal information.
  • To be consistent with other privacy frameworks, including the FTC's current approach and the Administration's Consumer Privacy Bill of Rights, despite the new rules' broad definition of sensitive information and detailed consent requirements.

Scope

The FCC's 2015 Open Internet Order provided the basis for the new rules when it reclassified broadband internet access service from a lightly regulated information service to a more closely scrutinized telecommunications service (30 FCC Rcd. 5601). However, the new privacy rules do not apply to:
  • Other services broadband providers offer, like social media websites.
  • Website and app providers that fall under the FTC's authority, including edge providers such as Google, Twitter, and Facebook.

Customer Notice and Consent Required

Under the rules, ISPs must notify customers about what types of personal information they collect and specify how and for what purposes they will use and share the information. An ISP must provide:
  • Notice when a customer signs up for service.
  • Updated notice if its privacy policy changes in significant ways.
The rules' consent obligations differ depending on the sensitivity of the personal information by requiring:
  • Opt-in consent when ISPs seek to use and share sensitive personal information, defined by the FCC to include:
    • precise geo-location, like the real-world location of a mobile phone or device;
    • children's information;
    • health information;
    • financial information;
    • Social Security numbers;
    • web browsing history;
    • app usage history; and
    • communications content.
  • Opt-out consent for the use and disclosure of other personal information, like email addresses or service tier information.
Exceptions to the consent requirements include instances where customer consent can be reasonably inferred, such as:
  • To provide the broadband service, bill and collect for it, or market and provide related services and equipment.
  • To protect the broadband provider and its customers from fraudulent network use.
The rules prohibit ISPs from refusing to provide service if customers do not consent to information sharing.

De-Identified Data Use and Protection

ISPs may use and share properly de-identified customer personal information without consent under the new rules. However, ISPs must ensure the information is not re-identified by:
  • Altering customer information so that it cannot be reasonably linked to a specific individual or device.
  • Publicly committing to:
    • maintain and use the information in an unidentifiable format; and
    • not attempt to re-identify the data.
  • Contractually prohibiting third parties from re-identifying shared information.

Reasonable Data Security Measures

The rules require ISPs to take reasonable data security measures that, according to the FCC, are similar to FTC data security requirements and the NIST Cybersecurity Framework. An ISP should design its data security practices according to:
  • Its size and the characteristics of its activities.
  • The sensitivity of the personal information it collects.
  • Technical feasibility.
An ISP's data security measures should:
  • Follow current industry best practices, including those that address risk management.
  • Provide for appropriate accountability and governance.
  • Include robust customer authentication methods.
  • Support proper data disposal.

Data Breach Notification

The rules include enhanced data breach notification requirements. If an unauthorized disclosure of customer personal information occurs, the ISP must, unless it determines that no harm is reasonably likely to occur, notify:
  • Affected customers as soon as possible, but no later than 30 days after reasonable determination of the breach.
  • The FCC, the FBI, and the US Secret Service if the breach affects 5,000 or more customers, no later than seven business days after reasonable determination of the breach.
  • The FCC at the same time customers are notified, for breaches that affect fewer than 5,000 customers.
ISPs will still need to review and comply with state-level data breach notification requirements that may vary from the FCC's requirements.

Timeline

The timeline for ISPs to implement the new rules varies. For example:
  • The customer notice and choice requirements will go into effect approximately 12 months after publication in the Federal Register; however, small ISPs will have an additional 12 months to comply.
  • The data security requirements will go into effect 90 days after publication in the Federal Register.
  • The data breach notification requirements will go into effect approximately six months after publication in the Federal Register.
Update: The FCC has released the Report and Order relating to these rules.