Giving Customers Control: FCC Confronts Internet Service Providers with Privacy Rules

By Nicole A. Poulos

The Federal Communications Commission (“FCC”) voted yesterday to propose new privacy rules for broadband Internet Service Providers (“ISPs”) a mere three weeks after Chairman Tom Wheeler proposed them.  The proposed privacy rules, which are intended to give customers more control over their personal data, will now be released for public comment.  Currently, no enforceable privacy rules exist for broadband networks.

Adoption of the Proposed Rulemaking did not go without a fight, as the final vote was a 3-2 split.  Opponents of the rules argued that the regulations target only ISPs and fail to reach social networks and other online services.  Proponents of the proposed rules argued that ISPs can collect and piece together a wealth of information on customers, including private information.

What does this mean for consumers?

Under the proposed privacy rules, consumers are given increased choice, transparency and security with respect to how their personal information is used and shared by their broadband service provider.  The FCC reasoned that consumers have the right to:

  1. control what personal data their broadband provider uses and what is shared with third parties;
  2. know what personal information their broadband provider is collecting, how their information is being used, and when it will be shared with other entities; and
  3. security protections.

What does this mean for broadband service providers?

According to the FCC proposal fact sheet, ISPs will not be prohibited “from using or sharing customer data, for any purpose.”  Rather, the proposed privacy rules obligate ISPs to offer consumers choices to opt in or opt out in certain instances.  Under the proposal, ISPs will be permitted to use customer data necessary to provide their services and for marketing the service the customer purchased.  Unless a customer affirmatively opts out, a broadband provider, under the new rules, may use a customer’s data to market other communications-related services and share that data with affiliates who provide such services.

To safeguard a customer’s data, ISPs will need to implement an array of practices and data security standards.  According to the FCC news release dated March 31, 2016, such obligations include: “requirements to adopt risk management practices; institute personnel training practices; implement strong customer authentication requirements; identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties.”

What happens when there is a data breach?

In the event of a data breach, broadband providers must notify:

  • Affected customers no later than 10 days after discovery of a customer data breach
  • The Commission no later than 7 days after discovery of any customer data breach
  • The FBI and U.S. Secret Service no later than 7 days after discovery of a customer data breach affecting more than 5,000 customers

Who is not affected by the new privacy rules?

The new privacy rules will not affect operations of social media websites and websites regulated by the FTC, such as Twitter or Facebook.

If you or your company have questions or concerns, contact the author or a Polsinelli Privacy and Data Security team member.