On October 27, 2016, the U.S. Federal Communications Commission (“FCC”), in a 3-2 vote along party lines, adopted new privacy rules for broadband providers aimed at protecting the privacy of consumers. FCC Chairman Tom Wheeler stated during a press conference that “the bottom line is that broadband subscribers will finally be in the driver’s seat.”
The new rules implement the privacy requirements of Section 222 of the Communications Act for broadband Internet Service Providers (“ISPs”). The rules aim to give broadband customers more control over how their personal information is used and shared by their ISPs. The FCC established a framework of customer consent required for ISPs to use and share their customers’ personal information based on the sensitivity of the information, an approach that is consistent with other privacy frameworks.
Three categories were established for the use and sharing of information. These categories include guidance for ISPs and their customers:
“Opt-in” for Sensitive Information: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information, including precise geo-location, financial information, health information, children’s information, social security numbers, web browsing information, app usage history, and content of communications.
“Opt-out” for Non-Sensitive Information: ISPs can use and share non-sensitive information unless a customer opts-out. This category includes other individually identifiable information, including a customer’s email address and service tier.
Exceptions to Consent Requirements: For certain purposes, customer consent is inferred by the creation of the ISP-customer relationship, and ISPs can use such information for the provision of broadband services or billing and collection.
In addition, the FCC rules require ISPs to provide customers with “clear, conspicuous and persistent notice” about the information they collect, how it may be used and shared, and how customers can change their privacy preferences. ISPs are required to engage in reasonable data security practices, and the new rules contain guidelines that ISPs should consider following, including “common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data.”
The FCC’s vote comes on the heels of much vocal support of and opposition to the new rules from ISPs, those in the ad industry, and other interested groups. It should be noted that the scope of these rules is limited to broadband ISPs. The rules do not apply to the privacy practices of web sites or other “edge services,” and do not cover other services of a broadband provider, such as the operation of a social media website.
The FCC Press Release can be found here. The FCC Fact Sheet and Commissioner Statements can be found here.