FCC Releases Broadband Privacy Order with Major Implications for All Telecommunications Carriers

by Kelley Drye & Warren LLP

On October 27, 2016, the Federal Communications Commission (FCC or Commission) in a party-line (3-2) vote adopted a Report and Order (the Broadband Privacy Order or Order) that imposes a comprehensive set of privacy and data security regulations for providers of broadband Internet access service (BIAS) and replaces the existing privacy and data security rules for all other telecommunications service providers. The rules represent a significant departure from the Commission’s existing privacy and data security framework for customer proprietary network information (CPNI), and as a result may require carriers to make considerable changes to their internal privacy and data security compliance practices, marketing operations, and business plans.

The rules will go into effect on a staggered timeline, beginning 30 days after they are published in the Federal Register. Small providers (i.e., those with 100,000 or fewer subscribers) will have an additional 12 months to come into compliance with some, but not all, of the new rules. Section IX includes an implementation timeline for your reference.

In this client advisory, we provide an overview of the Broadband Privacy Order and the new rules with respect to notice, choice, and data security, and offer key takeaways for clients as they operationalize the rules. The client advisory proceeds in the following sections:

I. Background

II. Scope of the Broadband Privacy Order

III. New Customer Notice Requirements

IV. Customer Consent Framework

V. Reasonable Data Security Standard

VI. Data Breach Notification Requirements

VII. Particular Practices that Raise Privacy Concerns

VIII. Other Issues

IX. Implementation

X. Preemption of State Law

XI. Key Takeaways and Conclusion

I.   Background

The Broadband Privacy Order is a product of the 2015 Open Internet Order, which reclassified BIAS as a telecommunications service under Title II of the Communications Act of 1934, as amended (Communications Act or the Act), and imposed the Act’s privacy provision – Section 222 – on BIAS providers. Although the 2015 Open Internet Order applied Section 222 to BIAS providers, the FCC declined to extend its voice-centric rules implementing that provision to broadband, opting instead for a separate rulemaking to adopt broadband-specific privacy rules. On March 31, 2016, the Commission issued a notice of proposed rulemaking (NPRM) to establish specific privacy rules for BIAS providers, and asked whether it should “harmonize” those rules with its existing voice-centric rules for other telecommunications carriers. The Broadband Privacy Order adopts rules based on public input the Commission received in response to the NPRM from scores of interested parties, including the staff of the Federal Trade Commission (FTC).

Section 222 was added to the Communications Act by the Telecommunications Act of 1996 to ensure the proper use of information necessary to facilitate the new competitive provider paradigm that replaced monopoly local phone service. As interpreted by the Commission, Section 222 imposes numerous privacy and data security requirements on telecommunications carriers and providers of interconnected Voice over Internet Protocol (VoIP) services.

  • General Standard. Section 222(a) establishes a general duty “to protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers, including telecommunications carriers reselling telecommunications service provided by a telecommunications carrier.”
  • Carrier Proprietary Information. Section 222(b) requires a telecommunications carrier that “receives or obtains proprietary information from another carrier for purposes of providing any telecommunications service [to] use such information only for such purpose, and . . . not for its own marketing efforts.” 
  • Customer Proprietary Network Information (CPNI). Section 222(c) sets forth the requirements related to CPNI, which is defined as “(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier; except that such term does not include subscriber list information [i.e., information published in a phone book].” Except as required by law or with the approval of the customer, a carrier that receives or obtains CPNI may “only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.” Section 222(c) also requires carriers to disclose CPNI, upon affirmative written request by the customer, to a designee of the customer. Moreover, Section 222(c) permits carriers to use, disclose, or permit access to aggregate customer information (so long as it provides such information to other carriers or persons on reasonable and nondiscriminatory terms).
  • Exceptions. Section 222(d) includes a number of exceptions from the use, disclosure, and access restrictions above, including “(1) to initiate, render, bill, and collect for telecommunications services; (2) to protect the rights or property of the carrier, or to protect users of those services and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, such services; (3) to provide any inbound telemarketing, referral, or administrative services to the customer for the duration of the call, if such call was initiated by the customer and the customer approves of the use of such information to provide such service; and (4) to provide call location information concerning the user of a commercial mobile service or the user of an IP-enabled voice service [in the event of an emergency].”

Over the last twenty years, the FCC has adopted a complicated suite of rules implementing Section 222, including notice and consent requirements, safeguards against pretexters, annual certification requirements, and data security breach notification obligations. Recently, the Commission significantly increased its enforcement efforts against providers for alleged violations of Section 222 and the Commission’s privacy rules. In addition, the Commission has used Section 201(b) of the Act, which prohibits “unjust and unreasonable” practices, to impose strong data security requirements on carriers. The Commission also has imposed significant privacy and data security requirements on carriers through consent decrees, creating a “common law of privacy” similar to the enforcement mechanisms that the FTC has employed under Section 5 of the FTC Act. Apart from its traditional telecommunications privacy rules under Section 222, the Commission also has authority over the privacy and data security practices of cable (Section 631) and satellite (Section 338(i)) providers. 

II.   Scope of the Broadband Privacy Order

In the Order, the Commission adopts a uniform suite of privacy and data security rules for all telecommunications carriers – including BIAS providers, traditional voice providers, and other providers of telecommunications service – and providers of interconnected VoIP services. The rules apply to customer proprietary information (customer PI), which includes personally identifiable information (PII), CPNI, and the content of communications. The rules exclude de-identified information, provided carriers take steps to prevent the information from being re-identified.

The rules apply to all telecommunications carriers

The rules apply to all telecommunications carriers and providers of interconnected VoIP services. The Commission adopts a single definition of “telecommunications carrier” for Section 222 purposes – those providing telecommunications services subject to Title II including BIAS – in order to harmonize the privacy and data security rules for both voice and broadband telecommunications carriers. As with its existing privacy rules for voice providers, the Commission also applies its new privacy and data security regime to interconnected VoIP services.

The rules cover all customer proprietary information

The rules apply to customer PI, an umbrella term that includes nearly all information acquired in connection with the provision of telecommunications service. More specifically, customer PI includes three types of information:

  • Individually identifiable Customer Proprietary Network Information (CPNI) has the statutory definition in Section 222(h): “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” For voice providers, CPNI also includes information contained in subscriber bills. For BIAS providers, the statutory phrase “made available to the carrier by the customer solely by virtue of the carrier-customer relationship” is interpreted to mean any information that falls within a CPNI category that the BIAS provider collects in connection with providing the service, but not through independent means. Types of information considered CPNI in the BIAS context include broadband service plans; geo-location information; MAC addresses and other device identifiers; IP addresses and domain name information; traffic statistics; port information; application headers; application usage; application payload; and customer premises equipment (CPE) and device information.
  • Personally identifiable information (PII) is any information that is linked or reasonably linkable to an individual or device. Examples of PII include, but are not limited to, name, Social Security number, date of birth, mother’s maiden name, government-issued identifiers, physical address, email address (or other online contact information), phone numbers, MAC addresses (or other unique device identifiers), IP addresses, and persistent online or unique advertising identifiers.
  • Content of communications means any part of a communication that is highly suggestive of the substance, purpose, or meaning of a communication. Examples of content for BIAS providers are email contents, social media communications, search terms, website comments, shopping cart items, input on web-based forms, and consumer documents, photos, videos, books read, and movies watched.

The rules cover the customer PI of telecommunications carrier customers. The Commission defines “customers” as current and former subscribers as well as applicants for telecommunications service. Thus, a carrier’s duty to protect a customer’s information will extend beyond the period of the contractual relationship. The Commission notes that a carrier can limit the scope of this duty by minimizing data collection and destroying applicant and former customer information as soon as practicable, consistent with any other legal requirements.

The Order designates the subscriber to the telecommunications service as the party responsible for all privacy choices for a particular subscription, regardless of whether the particular account is shared between multiple users. However, if a provider normally treats each user differently and the subscriber allows those users to control their privacy and data security settings, the provider should give each user individualized privacy controls.

Consistent with the Commission’s earlier ruling on mobile device CPNI, the Order clarifies that information that a BIAS provider causes to be collected or stored on a customer’s device, including CPE, is CPNI.

The rules permit use and sharing of de-identified information, with safeguards

Carriers may rely on de-identification as a means to enable use and sharing of customer PI without obtaining customer consent. The Order adopts a three-part test, grounded in FTC guidance, to establish a baseline for deeming information as de-identified. Customer PI will be considered de-identified if the carrier:

  1. determines the information is not reasonably linkable to an individual or device;
  2. publicly commits to maintain and use the information in a non-individually identifiable manner and not attempt to re-identify the data; and
  3. contractually forbids any entity that it gives access to the de-identified data from trying to re-identify the data.

The standard for assessing reasonableness will depend on how easy it is to re-identify the data, not how much it costs to initially de-identify it. The Commission emphasizes that it will not prohibit particular de-identification practices, but rather will analyze de-identification practices on a case-by-case basis.

III.   New Customer Notice Requirements

The Order requires telecommunications carriers to provide clear privacy notices informing customers about the type of information they collect and to explain how and for what purposes carriers will use or share that information. Carriers must also notify customers about their rights to opt in or out of sharing customer PI.

The privacy notice must be provided to customers at the point of sale and made persistently available and accessible on a provider’s website, app, and any functional equivalent. The notice must include the following information:

  • the types of customer PI the carrier collects just by providing its services and how that information will be used;
  • when a carrier discloses or allows access to each type of customer PI, the types of entities it shares that information with, and the purposes for which that customer PI will be used by each type of entity; and
  • how consumers can exercise their privacy choices.

Telecommunications carriers must also provide an additional notice in the event of material changes to their privacy and data security practices. The Commission explains that a change to a privacy policy is considered material if a reasonable customer would find it important to his or her decisions about privacy. Notification of such a material change must be provided through a form of active communication agreed to by the customer, such as email, and must describe (1) the changes being made and (2) the customer’s rights with respect to the material change as it relates to his or her customer PI. The Commission eliminates existing periodic notice requirements for voice CPNI from the rules.

All notices must be clear, conspicuous, and not misleading, and must be conveyed in a language other than English if the telecommunications carrier transacts business with the customer in that other language.

The Order also tasks the Commission’s Consumer Advisory Committee with creating a standardized privacy notice that will serve as a “safe harbor” for those carriers that choose to adopt it. The proposed notice standard is to be developed no later than June 1, 2017.

IV.   Customer Consent Framework

The Broadband Privacy Order adopts a modified three-tiered consent framework governing the collection, use, and sharing of customer PI, based on the sensitivity of the information at issue. This new framework replaces the existing entity-and-use-based framework for other telecommunications services and interconnected VoIP services. As explained below, the new framework requires opt-in consent for uses and sharing of sensitive customer PI, requires opt-out consent for uses and sharing of non-sensitive customer PI, and permits certain uses and sharing of customer PI for specific purposes enumerated in the statute without obtaining additional customer consent.

When opt-in consent is required

The new rules require express informed consent (opt-in approval) from customers for the use and sharing of sensitive customer PI. Specifically, the Order states that the following categories of information qualify as “sensitive customer PI”:

  • Precise geo-location information (excluding customer postal or billing address)
  • Health information
  • Financial information
  • Children’s information
  • Social Security numbers
  • Contents of communications
  • Web browsing and application usage histories and their functional equivalents
  • Call detail information (for voice providers)

The Order also requires BIAS and voice providers to obtain opt-in consent for material retroactive changes to the use of both sensitive and non-sensitive information.

When opt-out consent will suffice

The Order requires BIAS providers and other telecommunications carriers to obtain customer opt-out consent before using, disclosing, or allowing access to non-sensitive customer PI. The Commission defines opt-out approval as a means of obtaining customer consent based on a customer’s failure to object to the carrier’s request for consent.

The Order eliminates the existing 30-day waiting period before carriers may deem opt-out consent effective. Now, carriers must wait for an amount of time that would give a reasonable customer the opportunity to view the opt-out solicitation. The Order also eliminates the requirement for telecommunications carriers to refresh opt-out approval every two years.

Exceptions to customer approval requirements

The Commission recognizes certain exceptions to the requirements for customer consent for use and sharing of customer PI.

The Order permits use and sharing of non-sensitive customer PI without customer consent for the provision and marketing of services that are part of, necessary to, or used in the provision of telecommunications. This exception includes the provision and marketing of communications services commonly bundled with the subscriber’s telecommunications service, CPE, and adjunct-to-basic services (such as caller ID and call forwarding for voice and DNS for BIAS). The exception also includes the provision of inside wiring and technical support, reasonable network management, and network enhancement and security research.

Moreover, pursuant to Section 222(d) of the Communications Act, carriers do not need to seek approval to use or share customer PI to:

  • initiate, render, bill, and collect for service;
  • protect the rights and property of the carrier or protect its customers from unwanted abuses, including to protect against spam, malware, and other harmful traffic (e.g., robocalls);
  • provide inbound services to customers (such as when a customer initiates contact with a carrier’s customer service division); and
  • provide certain customer PI in emergency situations.  

The rules do not alter carrier obligations under existing laws and regulations affecting collection, use, or disclosure of communications, such as the Electronic Communications Privacy Act (ECPA), the Communications Assistance for Law Enforcement Act (CALEA), and the Cybersecurity and Information Sharing Act (CISA).

Requirements for soliciting opt-out and opt-in approval

The Order requires carriers to solicit customer approval for the use and sharing of customer PI at the point of sale (which may be in person, by phone, or electronically), and permits carriers to solicit approval at any time after the point of sale. Carriers making material changes to their privacy policies must solicit customer approval before implementing such changes.

Carriers’ solicitations must “clearly and conspicuously” inform customers of:

  • the types of customer PI they seek to use, disclose, or permit access to;
  • how such information will be used or shared; and
  • the types of entities with which such information will be shared.

Solicitations must be “comprehensible and not misleading,” must be translated into a language other than English if the carrier transacts business with the customer in another language, and must provide a means to easily access (1) the carrier’s privacy policy and (2) a mechanism which will enable the customer to adjust privacy settings (more on that below).

How customers may exercise privacy choices

Carriers must provide customers with access to a choice mechanism that is “simple, easy-to-use, clear and conspicuous, in language that is comprehensible and not misleading, and made available at no additional cost to the customer.” This mechanism must be persistently accessible on or via the carrier’s website, app (if the carrier provides one for purposes of account management), or the functional equivalents of either.

The Commission recommends, but does not require, a customer-facing dashboard for controlling privacy settings.

Out of concern for the compliance costs for small businesses, the Commission will allow carriers flexibility in implementing choice mechanisms. For example, if a carrier does not maintain a website, it could provide a 24-hour toll-free number for changing privacy settings.

The Commission does not establish a bright-line rule about how quickly carriers must give effect to a customer’s grant, denial, or withdrawal of approval, but indicates that customer choices must be implemented “promptly,” and that customer choices must remain in effect indefinitely absent revocation.

Importantly, the Order eliminates the specific periodic compliance recordkeeping and annual certification requirements that previously applied to voice providers.

V.   Reasonable Data Security Standard

In the Order, the Commission requires telecommunications carriers to adopt reasonable data security practices. The reasonable data security standard requires that carriers “take reasonable measures to protect customer PI from unauthorized use, disclosure, or access.” The Commission finds that carriers’ data security practices should be oriented around principles of “confidentiality, integrity, and availability.” Confidentiality means protecting customer PI from unauthorized access and disclosure; integrity means protecting information from unauthorized modification or destruction; and availability means providing authorized users with access to information on an as-needed basis.  

In assessing whether or not their security practices comply with the reasonable data security standard, carriers must take into account the following four factors:

  1. The nature and scope of the carrier’s activities;
  2. The sensitivity of the collected data;
  3. The size of the carrier; and
  4. Technical feasibility.

These factors will be assessed in light of the totality of the circumstances, and no single factor is independently outcome determinative.

Exemplary reasonable data security practices

In the Order, the Commission abandons its NPRM proposal to mandate specific minimum security standards in favor of a general reasonableness standard and recommended “exemplary practices.” Those practices include:

  • Engagement with industry best practices and risk management tools. Carriers may consider adopting the NIST Cybersecurity Framework, examining FTC guidance, reviewing implementation guides for security requirements under existing sectoral privacy laws, and examining best practices recommended by the FCC’s Communications Security, Reliability, and Interoperability Council (CSRIC).
  • Strong accountability and oversight. The Commission recommends that carriers develop comprehensive, written data security programs. Carriers may also consider hiring chief privacy and data security officers, conducting employee training on handling customer PI, and obtaining data security commitments from third parties as a condition of disclosure.
  • Robust customer authentication. Carriers may consider stronger alternatives to customer authentication than customer-generated passwords or routine security questions. They may heighten authentication requirements before disclosing information that could cause serious harm to customers if improperly disclosed. Carriers could also give customers notice of attempted account changes, but should avoid inducing “notice fatigue.”
  • Other practices. Carriers may benefit from implementing data minimization procedures spanning the entire data lifecycle (from collection to deletion/disposal), utilizing strong data encryption technologies, and appropriately sharing cyber threat information with law enforcement officials.   

While the reasonable data security standard applies to both BIAS and other telecommunications services, the Commission clarified that the above exemplary practices “may be implemented differently depending on the services an entity provides.”

VI.   Data Breach Notification Requirements

The Broadband Privacy Order requires BIAS providers and other telecommunications providers to notify affected customers and certain government agencies of data breaches unless the provider reasonably determines that no harm to customers is likely to occur.

The Order defines a breach as “any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed customer proprietary information.” This definition includes unintentional data breaches and breaches involving a carrier’s vendors and contractors.

Harm-based notification trigger

The Commission will require breach notification “unless the carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach.” Under this rule, carriers have an obligation to take the necessary investigative steps to determine whether harm is reasonably likely. The Order defines “harm” broadly to include “financial, physical, and emotional harm.” As a result, breach notification will be required in circumstances that could lead to reputational damage, personal embarrassment, or loss of control over the exposure of intimate personal details.

The rules also establish a rebuttable presumption that any breach involving sensitive customer PI poses a reasonable likelihood of customer harm and hence would require customer notification. The Order notes that the harm-based trigger applies even if the breached data had been encrypted.

Notification to the Commission and federal law enforcement

Under the Broadband Privacy Order, providers must notify the FCC of all breaches that meet the harm-based trigger, and, if a breach affects 5,000 or more customers, the provider must notify the FBI and Secret Service.

The breach notifications must occur within the following timeframe:

  • Breaches affecting 5,000 or more customers. Carriers must notify the FCC, FBI, and Secret Service within 7 business days from when they reasonably determined a breach occurred, and at least 3 days before notifying customers.
  • Breaches affecting fewer than 5,000 customers. Carriers must notify the FCC without unreasonable delay and within 30 calendar days from the reasonable determination that a breach occurred.

The Commission will create a centralized portal for reporting breaches to the FCC and federal law enforcement agencies, and will issue a public notice with details on how to access the portal once it has been set up.

Customer notification requirements

Carriers must notify affected customers of reportable breaches within 30 calendar days following the carriers’ reasonable determination that a breach occurred, unless the FBI or Secret Service requests a further delay. The FBI or Secret Service can direct a provider to delay notifying customers and the general public of a breach for as long as necessary to avoid interference with an ongoing criminal or national security investigation.

The Commission notes that carriers have a continuing obligation to supplement their breach notifications if they determine that a breach affects customers beyond those initially notified.

Data breach notifications to affected customers must contain the following information:

  • the date, estimated date, or estimated date range of the breach;
  • a description of the customer PI breached or reasonably believed to have been breached;
  • information the customer can use to contact the carrier to inquire about the breach and the customer PI that the carrier maintains about that customer;
  • information about how to contact the FCC and any pertinent state regulatory agencies; and
  • if the breach creates a risk of financial harm, information about national credit-reporting agencies and steps customers can take to guard against identity theft, as well as any credit monitoring, credit reporting, credit freezes, or other consumer protections the carrier is offering affected customers.

Customer notifications must occur by means of written notification to the customer’s address or email address, or by other electronic means of communications agreed to by the customer for such purposes. Former customers must be notified at their last known postal address determinable on the basis of commonly available sources.

Record retention and harmonization

Providers must keep records of the dates on which they determine that reportable breaches have occurred, the dates of customer notification, and written copies of all customer notifications for two years from the date a breach was reasonably determined to have occurred. This retention requirement does not extend to breaches that fall short of requiring notice to the FCC.

VII.   Particular Practices that Raise Privacy Concerns

The Order addresses two practices that the Commission has deemed particularly concerning for consumer privacy: so-called “take-it-or-leave-it” offers, and programs that provide financial incentives to consumers in exchange for allowing providers to use, disclose and/or permit access to customer PI.

“Take-it-or-leave-it” offers

The Order prohibits BIAS providers from “conditioning the provision of broadband service on a customer surrendering his or her privacy rights” or from “terminating service or otherwise refusing to provide BIAS due to a customer’s refusal to waive any such privacy rights.” The Order finds that such practices are harmful to consumers, particularly lower-income consumers, and that “prohibiting such practices will ensure that consumers will not have to trade their privacy for broadband services.”

In support of its decision, the Commission states that so-called “take-it-or-leave-it” offers are inconsistent with the requirements under Section 222(a) for telecommunications carriers to protect the confidentiality of customer PI and notes that “a ‘take-it-or-leave-it’ customer acceptance” does not constitute “approval” to use, disclose or permit access to CPNI as required by Section 222(c)(1). The Order further concludes that a take-it-or-leave-it approach is both an unjust and unreasonable practice under Section 201(b) and violates Section 202(a)’s prohibition against unreasonable discrimination.

Financial incentive programs

The Order adopts heightened disclosure and affirmative consent requirements for “BIAS providers offering financial incentives in exchange for consent to use, disclose, and/or permit access to customer PI.”

Unlike “take-it-or-leave-it” offers, the Commission finds that certain financial incentive practices can be beneficial to both BIAS providers and consumers, and that “it is not unusual for business[es] to give consumers benefits in exchange for their personal information.” However, in order to prevent BIAS providers from engaging in “coercive or predatory” practices in connection with a financial incentive offer, the Order requires providers to “provide a clear and conspicuous notice of the terms of any financial incentive program that is explained in a way that is comprehensible and not misleading.”

Such notices must comply with the general notice requirements adopted in Section 64.2003 of the Commission’s rules and must, at a minimum, include the following information: (1) what customer PI the provider will collect; (2) how the customer PI will be used; (3) the types of entities with which the customer PI will be shared; and (4) the purposes for which the customer PI will be shared. The Order requires that such a notice “must be provided both at the time the program is offered and at the time a customer elects to participate in the program” and must be “easily accessible and separate from any other privacy notifications.”

Additionally, the notice must be translated into other languages through which the BIAS provider transacts business with its customers. Moreover, BIAS providers must “provide at least as prominent information to customers about the equivalent plan without exchanging personal information” when marketing a financial incentive program.

BIAS providers must obtain opt-in consent for consumers to participate in financial incentive programs and “must provide a simple and easy-to-use mechanism that enables customers to change their participation in such programs at any time.”

The Commission will review financial incentive practices on a case-by-case basis.

VIII.   Other Issues

Dispute resolution

The Order maintains the Commission’s current informal dispute resolution process through which customers can file informal complaints against a provider for alleged violations of the Commission’s rules, and reminds carriers that they may not “require customers to waive, or otherwise restrict their ability to file complaints with or otherwise contact the Commission regarding violations of their privacy rights.”

The Order also addresses the practice of requiring customers to arbitrate disputes with the carrier. The Commission notes that it has “serious concerns” about the inclusion of mandatory arbitration clauses in contracts for communications services, which it will address in a notice of proposed rulemaking in February 2017.

Privacy and data security exemption for enterprise voice customers

The Order broadens an existing exemption from the Commission’s Section 222 rules for enterprise voice customers. Specifically, the Order establishes that “a carrier that contracts with an enterprise customer for telecommunications services other than BIAS need not comply with the other privacy and data security rules” adopted in the Order if the contract meets certain conditions.

In particular, the contract must “[address] the issues of transparency, choice, data security, and data breach; and [provide] a mechanism for the customer to communicate with the carrier about privacy and data security concerns.” Notably, “the contract at issue need not be a fully negotiated agreement, but can take the shape of standard order forms.”

The Order acknowledges that enterprise customers often have different privacy needs and expectations than individual consumers, and that these sophisticated customers should be permitted to negotiate privacy and data security protections with their carriers to meet their own unique needs. However, the Commission reminds carriers that even with this exemption, they remain subject to the statutory requirements of Section 222.

IX.   Implementation

As explained in more detail below, in recognition that “carriers will need some time to update their internal business processes as well as their customer-facing privacy policies and choice mechanisms,” the Order provides a staggered timeline by which carriers must implement the new privacy and data security rules. It also provides guidance on how carriers should treat customer approvals and share customer PI received before the new rules are effective. Finally, the Order extends the timeline for small carriers to implement the transparency and customer choice rules.

Effective dates and implementation schedule for privacy rules

The table below lists the effective date, rule section(s), and a summary of each rule.

30 Days After Publication of a Summary of the Order in the Federal Register
  • 47 C.F.R. § 64.2001: Basis and purpose of the rules
  • 47 C.F.R. § 64.2002: Definitions
  • 47 C.F.R. § 64.2011(a): Prohibition on “take-it-or-leave-it” broadband service offerings
  • 47 C.F.R. § 64.2010: Business customer exemption
  • 47 C.F.R. § 64.2012: Preemption of state law

90 Days After Publication of a Summary of the Order in the Federal Register
  • 47 C.F.R. § 64.2005: Requirement to employ reasonable data security practices

6 Months After Publication of a Summary of the Order in the Federal Register or Upon PRA Approval,* whichever is later
  • 47 C.F.R. § 64.2006: Requirement to provide notification of data breaches to customers, the FCC and law enforcement (depending on the size and nature of the breach)

*After PRA approval, the WCB must release a public notice indicating that the rule is effective, and giving carriers a time period to come into compliance with the rule that is the later of (1) eight weeks from the date of the public notice, or (2) six months after the Commission publishes a summary of the Order in the Federal Register.

12 Months After Publication of a Summary of the Order in the Federal Register or Upon PRA Approval,* whichever is later**
  • 47 C.F.R. § 64.2003: Requirements for providing notice to customers of privacy policies
  • 47 C.F.R. § 64.2004: Requirements for customer approval to use, disclose or permit access to customer PI (this includes inferred, opt-out and opt-in approval)
  • 47 C.F.R. § 64.2011(b): Notice requirements for financial incentive programs

*After PRA approval, the WCB must release a public notice indicating that the rule is effective, and giving carriers a time period to come into compliance with the rule that is the later of (1) eight weeks from the date of the public notice, or (2) twelve months after the Commission publishes a summary of the Order in the Federal Register.

**The Order provides small carriers an additional 12 months to comply with the new notice and approval rules.

Uniform timeline for BIAS and voice services

The Order clarifies that the new rules will be implemented simultaneously for both BIAS providers and providers of other telecommunications services. It also cautions that until the new rules are effective and implemented, the existing rules for voice services remain in place, and that all providers of telecommunications services, including BIAS providers, remain subject to Section 222.

Customer consent obtained prior to effective and implementation date of new rules

The Order provides that for BIAS providers, including small BIAS providers, the Commission will “treat as valid or ‘grandfather’ any consumer consent that was obtained prior to the effective date of [the new] rules” so long as such consent is “consistent with [the] new requirements,” meaning that the notice provided the consumer with adequate notice regarding his or her privacy rights. In so doing, the Order states that the Commission’s goal is to “minimize disruption to carriers’ business practices.” The Order further directs the Consumer and Governmental Affairs Bureau to work with the industry to engage in a voluntary consumer education campaign about the new rules.

With respect to providers of other telecommunications services, the Order determines that a proper customer consent “subject to the legacy rules remains valid for the time during which it would have remained valid under the legacy rules,” but the scope of such consent remains unchanged. It further specifies that “opt-out consent obtained before the release date of this order remains valid for two years after it was obtained, after which a carrier must conform to the new rules” and “[o]pt-in consent that is valid under the legacy rules remains valid.”   

Limited extension of implementation period for small carriers

In recognition that some of the new rules may constrain the limited resources available to smaller carriers, the Order provides a 12-month extension for small carriers to implement the new notice and customer approval rules. The small carrier extension will be available to “small BIAS providers . . . with 100,000 or fewer broadband connections and small voice providers with 100,000 or fewer subscriber lines as reported on their most recent Form 477, aggregated over all the providers’ affiliates.”

The Commission declines to provide an extension of the other rule changes (e.g., data breach notification and “take-it-or-leave-it” prohibition) because they “should not be costly for small carriers that generally collect less customer information and use customer information for narrower purposes.”

X.   Preemption of State Law

The Order adopts a proposal from the NPRM to “preempt state privacy laws, including data security and breach laws, only to the extent that they are inconsistent with any rules adopted by the Commission.” The Order acknowledges that states play a key role in protecting consumer privacy, and as such directs that “[w]here state privacy laws do not create a conflict with federal requirements, providers must comply with federal law and state law.”

The Commission will “take a fact-specific approach” to determine if a conflict between state and federal law exists, and the Order instructs providers to notify the Commission in an “appropriate petition” if they believe that they are “unable to comply simultaneously with the Commission’s rules and with the laws of another jurisdiction.”

Additionally, to address concerns about customer notice fatigue, the Commission invites providers that may be required to send out multiple customer notices in order to comply with both state and federal law to “come to the Commission with a proposed waiver that will enable them to send a single notice that is consistent with the goals of notifying consumers of their data breach.”

Finally, the Order clarifies that the same preemption standard will apply for both voice and BIAS providers.

XI.   Key Takeaways and Conclusion

The Broadband Privacy Order is arguably the most consequential and comprehensive FCC privacy rulemaking since the 1996 Telecommunications Act, which codified Section 222. Not only does the Order impose new rules for broadband providers, it also “harmonizes” these new rules with its existing rules for other telecommunications service providers. The practical impact and reach of the rules will not be known for some time, but at this point we can offer a few of our key takeaways from the Order:

  • All carriers must prepare and maintain public-facing privacy notices. The Commission’s new notice rules will require all telecommunications carriers to draft and post public-facing privacy policies that describe their collection, use, and sharing of customer PI. Formerly, this obligation only applied to BIAS providers (through the Commission’s transparency rule). We expect that disclosures in these privacy policies will be a significant area of enforcement, similar to the Commission’s enforcement of annual CPNI certifications.
  • The sensitivity-based consent framework upends the existing CPNI approval framework. The Commission’s adopted rules fundamentally reshape the consent framework for telecommunications carriers, focusing on the sensitivity of the information, rather than on the particular uses and recipients of the information (as the voice CPNI rules did). As a result, all carriers should carefully review and revise their policies, procedures, and systems for obtaining and tracking customer approval.
  • The Order leaves a significant interpretive role for FCC’s Enforcement Bureau with respect to data security. Unlike the existing voice CPNI rules and the Commission’s proposed data security rules, which mandated specific data security compliance practices, the new rules simply require carriers to adopt “reasonable” data security practices. By focusing on the “reasonableness” of carriers’ privacy and data security practices, the Commission leaves significant room for its Enforcement Bureau to interpret whether particular practices are reasonable, in a manner similar to the FTC’s approach to privacy and data security enforcement. For this reason, providers should carefully review the Commission’s “exemplary” data security practices and Enforcement Bureau consent decrees in order to gauge which practices the Commission expects of providers.
  • Now is the time to begin reviewing contracts with vendors. In the Order, the Commission makes clear that carriers will be held responsible for the acts of their agents, vendors, and other third parties with whom they share customer PI. As a result, carriers should take the opportunity now to review contracts with those third parties to determine whether they include specific terms addressing privacy and security. This is particularly important for non-BIAS telecommunications carriers serving enterprise customers, who will be able to take advantage of the Commission’s expanded business customer exemption.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kelley Drye & Warren LLP | Attorney Advertising

Written by:

Kelley Drye & Warren LLP
Contact
more
less

Kelley Drye & Warren LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at www.jdsupra.com) (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at privacy@jdsupra.com.

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at privacy@jdsupra.com or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to privacy@jdsupra.com. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to privacy@jdsupra.com.

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services, you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time to time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.

