The FCC’s Proposed Privacy Regulations: What They Mean for ISPs and Those That Do Business with Them

Orrick, Herrington & Sutcliffe LLP
Contact

Orrick, Herrington & Sutcliffe LLP

The Federal Communications Commission (“FCC”) recently issued a proposed set of privacy regulations that, if passed, will have broad implications for broadband providers, as well as for the companies that collect or receive information from them.  We recently authored an article in Law360 that outlines the key elements of the FCC’s Notice of Proposed Rulemaking (“NPRM”), includes some of the questions that the FCC is seeking comment on regarding the proposed regulations, and identifies how the regulations may impact business models and practices for companies that are not Internet Service Providers.

As we explore in more detail in our article, if passed as written the regulations will:

  • Broadly define personal information to expressly include data that many businesses commonly view as non-identifying or non-personal information;
  • Regulate where privacy policies must be displayed and what they must say;
  • Require broadband providers to offer opt-out rights for using personal information to market communications-services they offer;
  • Mandate opt-in consent before personal information can be shared or used to market non-communications or third party products or services (with consent not being valid unless obtained “just in time” for when the information will be shared or used);
  • Impose robust recordkeeping, employee and vendor training, and regulator-reporting requirements;
  • Restrict the use and sharing of aggregate information, and require contractual restrictions with vendors and third parties that receive it;
  • Require data security programs with specific programmatic components;
  • Create strict breach notification obligations with 7 and 10 day reporting deadlines, with no exceptions for inadvertent employee access or incidents with no risk of harm.

It is possible that the regulation will be clarified or revised before they are finalized, and the FCC is accepting comments on the proposal through May 27, 2016.  It’s not clear, however, that clarifications or revisions will relax the requirements, as the questions the FCC posed in the NPRM suggest that it may choose to include even more topics and requirements in the final rule.  For example, it asks whether the definition of personal information should be even broader, whether additional consents should be required for specific categories of information, if the regulation should include specific data security controls, and whether particular business models that allow users to elect less privacy protections should be restricted or prohibited.

Broadband providers are closely scrutinizing the proposed regulations, but companies that get data from them also may want to understand the proposal and how it will impact their business practices.  For example, businesses that depend on or monetize “anonymous”, pseudonymous, or aggregate data from cable companies, wireless carriers, or other broadband providers may see the data flows cut off or allowed only with new individual opt-in consent, data protection, and use limitation requirements.  Advertising and marketing service providers, including for direct marketing, behavioral advertising, and data analytics, may have new challenges and opportunities as they seek to work with ISPs.  As “applicable law” changes, existing contracts may also need a close review to identify which company has which compliance obligations, and new contracts will likely contain more robust privacy, data protection, breach reporting, and use restriction requirements.  Broadband providers and those that get data from them should explore the implications of the proposed privacy regulations now so that they can weigh in before the regulations are finalized.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick, Herrington & Sutcliffe LLP | Attorney Advertising

Written by:

Orrick, Herrington & Sutcliffe LLP
Contact
more
less

Orrick, Herrington & Sutcliffe LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide