Senate Votes to Repeal FCC Privacy Rule Governing ISP Providers
In a vote of 50 to 48, along party lines, the Senate voted to overturn the privacy rules governing ISP providers that were issued in October 2016 by the Federal Communications Commission (FCC). Click here to view the FCC Privacy Rules. The FCC Privacy Rules required ISP and broadband providers to obtain an individual’s consent and authorization – through an “opt-in” mechanism – before a provider could collect, use, share or sell the customer’s information to third party marketers and companies. It also included data security and data breach notification recommendations and requirements. The FCC also imposed a blanket prohibition on ISP providers that offered “take-it-or-leave-it” broadband services contingent on pre-authorization.
Two of the main areas of dispute by the ISP Providers were the uneven application of the rules and the broad and amorphous scope of “sensitive customer” information under the rules. The FCC Privacy Rules broadened the definition of a telecommunications carrier to include broadband ISP providers and VoIP service providers while excluding “edge providers.” The FCC, however, did not define “edge providers” but alluded to them as websites and applications that a consumer can “avoid” on the internet. It identified examples, namely, “non-telecommunication services”, such as email providers, websites, cloud storage services, social media sites, music and video streaming services, but finished the sentence with an “etc.”, which undermined clarity or certainty. According to the FCC, ISP Providers differ from edge providers because of their status as the gatekeepers for access to the internet. ISP and broadband providers argued that the privacy rules imposed more burdensome restrictions on them when large or larger “edge providers” were free to collect far more sensitive information, resulting in an unfair competitive disadvantage.
The second central point of dispute was the expansive definition of consumer’s sensitive, personal information, which was even broader than the definition provided by the Federal Trade Commission. The FCC combined the definitions of several types of personal information. For example, customer proprietary network information (CPNI) information was defined as information that reflected the “destination, type, technical configuration, and/or amount of use of a service” of a customer’s internet activity. The FCC also included “content” of communications in the definition of sensitive information. Historically, PI has been defined – both in state statutes as well as by the FTC – as information that reveals the specific identity of the individual, e.g., name, address, social security number. The FCC also broke with another legal precedent by including both static and dynamic IP addresses. Finally, the FCC broadened the definition of a subscriber as including anyone who accessed the internet, such as any household members or guest. Thus, according to the ISP Providers, there appeared to be no one that was exempted, and very little information that was not deemed to be confidential, sensitive information under the FCC Privacy Rules. The Senate bill now advances to the House for its consideration and vote.