Utilities and Telecommunications Alert: FCC Implements Privacy Rules for Broadband Internet Service Providers
December 7, 2016
The Federal Communications Commission (“FCC” or “Commission”) recently released a Report and Order (“Broadband Privacy Order” or “Order”) that applies new privacy requirements for Broadband Internet Access Service Providers (“BIAS Providers”) and revises the existing requirements for all other telecommunications providers. The FCC’s efforts follow in the wake of its reclassification last year of Broadband Internet Access Service (“BIAS”) from an information service to a more regulated telecommunications service. The rules introduced by the Broadband Privacy Order would implement the privacy requirements of Section 222 of the Communications Act for BIAS Providers. Some of the more noteworthy aspects of the Order are as follows:
- The new rules apply to all telecommunications carriers and adopt a single definition of “telecommunications carrier” for the purposes of Section 222 that includes all telecommunications carriers providing telecommunications services as well as interconnected VoIP services.
- The Order thus attempts to harmonize the rules governing the privacy and data security practices of all such carriers.
- The Broadband Privacy Order breaks from past Commission precedent by significantly extending the scope of confidential information telecommunications carriers are required to protect beyond just Customer Proprietary Network Information (“CPNI”) to include all proprietary information of, and relating to, customers.
- The Broadband Privacy Order also adopts new notice rules that will require carriers to provide publicly available privacy policies describing their collection, use, and sharing of proprietary information.
- In addition, telecommunications carriers will be required to provide advance notice of material changes to their privacy policies to their existing customers, via email or other means of active communication agreed upon by the customer.
- The Broadband Privacy Order revises and applies to BIAS Providers the tiered approach to customer choice that it has used in the past which provides three distinct categories of approval (i.e. opt-in approval, opt-out approval, or no required approval) for the various types of sensitive customer information.
- The Broadband Privacy Order also now requires telecommunications carriers to take “reasonable measures” to secure customer proprietary information from unauthorized use, disclosure, or access. The Order declines to mandate specific activities that carriers must undertake in order to meet this requirement. Rather, the Commission states that it will evaluate the reasonableness of any carriers’ data security practices on a case-by-case basis under the totality of the circumstances.
- In the event of a data breach, the Broadband Privacy Order requires BIAS Providers along with other telecommunications carriers to notify affected customers, the Commission, the FBI, and the Secret Service unless the carrier is able to reasonably determine that a data breach poses no reasonable risk of harm to the affected customers.
- Finally, the Broadband Privacy Order identifies carrier practices that the Commission believes raise privacy concerns. Examples of such carrier practices include “take-it-or-leave-it” offerings of broadband service that are contingent on surrendering privacy rights.
As noted above, the revisions to the FCC’s privacy requirements will affect not only BIAS Providers but all telecommunications carriers providing telecommunications services as well as interconnected VoIP services. Thus, all regulated providers should ensure that their privacy procedures comply with the FCC’s new regulations as the FCC’s privacy rules will likely remain a key area of focus for the FCC’s Enforcement Bureau. In addition, it has been reported that these new rules could be rolled back as the FCC transitions to a new Chairman next year and we’ll keep you apprised of any such developments.
The new rules were published in the Federal Register on December 2, 2016 and will be effective on January 3, 2017. If you have any questions regarding the above summary or the Broadband Privacy Order in general, please contact Rob Gastner at 202.659.6674.
This Utilities and Telecommunications Alert is intended to keep readers current on matters affecting businesses and is not legal advice.