Hotly Anticipated Broadband Privacy Order Released by FCC

by Davis Wright Tremaine LLP

On Nov. 2, 2016, the FCC released its long-awaited broadband privacy Order and rules by a 3-2 vote. The Order comes nearly 18 months after the Commission moved to reclassify broadband internet access service (“BIAS”) as a common carrier telecommunication service under Title II of the Communications Act, and over the strenuous dissent of both Republican commissioners. The Order adopts policies and rules that alter the telecommunications privacy ecosystem based on three core goals articulated by the FCC: transparency, choice, and security. And while ostensibly adopting rules consistent with other privacy frameworks, the Order departs significantly from those existing regimes, applying heightened standards for both internet service providers (“ISPs”) and traditional telecom carriers. The FCC justified these departures in large part by its continued – and erroneous – argument that ISPs have access to more information than other entities operating in the online ecosystem. The two Republican commissioners vigorously dissented and with the upcoming change in administration the new majority could consider overturning the Order and rules.

The FCC argues that the new rules will “make certain that BIAS providers are protecting their customers’ privacy while encouraging the technological and business innovation that help drive the many benefits of our increasingly Internet-based economy,” and boasts that the new rules protect the privacy of broadband customers. In reality, however, consumer privacy arguably is no more protected under the new rules than it was under the prior framework, as evidenced by Commissioner Rosenworcel’s statement that seems to belie the assertion that ISPs are in a unique position because of the data they can access: she acknowledges that “service providers, advertising networks, and companies specializing in analytics have access to your personal information. Lots of it. For a long time.” Commissioner Pai asserted that the new and more restrictive rules do nothing to address the vast amounts of information that edge providers collect, use and share. In fact, both Commissioners Pai and O’Rielly argue that the FTC’s existing framework should have been sufficient for both ISPs and edge providers, but if the majority was correct that such rules are needed, Commissioner O’Rielly points out that “the ball is now squarely in the FTC’s court” to return consumer privacy to a level playing field.

To further complicate matters, the FCC released three separate fact sheets: one upon release of the NPRM, another with its circulation of a draft order, and lastly one upon release of the final Order. Each fact sheet paints a somewhat inaccurate picture of the impact of the new rules, making it all the more imperative to understand the details of the FCC’s new privacy requirements and obligations, which we summarize below. We will be providing additional analysis of the FCC’s new rules and the implementation challenges that may lie ahead in future posts and in a two-part webinar series that will take place on Nov. 29 and Dec. 6.

Background & Scope

The FCC set the stage for its radically expanded rules by opening the Order with a lengthy background section on the FCC’s long history of protecting consumer privacy as well as the perceived need for specific privacy rules that encompass BIAS. Specifically, pursuant to its statutory mandate under Section 222 of the Act, the FCC points to its history promulgating and enforcing rules related to customer proprietary network information (“CPNI”). Now that BIAS has been reclassified under Title II of the Act, the FCC asserts that imposition and enforcement of new and more expansive privacy protections invoking its authority under Section 222 is in the public interest and necessary for the protection of consumers because ISPs are the “on-ramp” to the Internet and thus have untethered access to all their customers’ Internet traffic that other actors in the Internet ecosystem do not enjoy. The FCC wrestles with the many industry comments challenging this assumption, but ultimately concludes that edge providers only have a “slice” of any individual consumer’s information, and therefore enhanced, sector-specific privacy rules are necessary to address the distinct characteristics of ISPs and these newly-defined telecommunications services.

Next, the FCC parses Section 222 of the Act to determine the scope of its new rules. The FCC adopts a definition of “telecommunications carrier” that encompasses all carriers providing telecommunications services subject to Title II, which under the 2015 Open Internet Order now includes BIAS. The FCC adopts a broad definition of “customer” to ensure that both current and former customers of ISPs, as well as new applicants, are covered by the new rules.

The FCC includes three types of customer proprietary information (“PI”) within the scope of the new BIAS privacy rules: CPNI, which the FCC defines in accordance with Section 222; personally identifiable information (“PII”), which the FCC defines as any information that is “linked or reasonably linkable to an individual or device;” and a new category, “content of communications,” which the FCC defines circularly as “any part of the substance, purport, or meaning of a communication or any other part of a communication that is highly suggestive of the substance, purpose, or meaning of a communication.” The FCC then devotes lengthy discussion to what qualifies as CPNI in the BIAS context and examples of how ISPs may obtain CPNI in the Internet ecosystem. Of particular note, CPNI in the broadband context includes IP addresses, general geolocation data, consumer premises equipment, and information from customer’s bills, yet contains no exemption for “subscriber list information” because ISPs do not publish directories – despite the cited reference to a prior FCC decision that subscriber list information need not be published to enjoy the exemption.

The FCC then expounds on the importance of protecting PII and provides a number of illustrative examples of PII in the BIAS context, which also includes IP addresses, device identifiers and other persistent identifiers. Lastly, the FCC discusses its amorphous standards for what it believes to encompass “content” of communications, but provides little clarity as to the boundaries of what may constitute such content.

“De-identified” data is not subject to the new rule regime, and – in one of the few pleasant surprises – is actually subject to the same three-part test espoused by the FTC. If an ISP can meet this test, an ISP may use the data as it chooses, without obtaining customer consent. Unfortunately, for most ISPs it may be impossible to de-identify some PII and CPNI to the FCC’s satisfaction for its own internal uses, thereby limiting the effectiveness of the test in some instances.

As indicated above, the Order and the new rules do not apply to edge providers, nor do they apply to information obtained through non-telecommunications services offered by ISPs, including the ISP’s website and, presumably, data acquired from third parties.

Harmonization between Phone and Broadband Rules

The new rules entirely supersede the existing CPNI rules. While in many ways the new rules are more onerous than the current rules, as described below, they also eliminate some existing CPNI rules, including the present authentication and annual certification rules. The general rationale for doing away with the specific authentication rules is that while such authentication measures are "encouraged," they should be replaced with a more flexible "reasonable measures" approach in order to "adapt their practices to new threats" as conditions change.


In furtherance of its core principle of transparency, the FCC adopts privacy policy notice requirements that mandate that ISPs “give their customers easy access to clear and conspicuous, comprehensible, and not misleading information about what customer data the carriers collect; how they use it; who it is shared with and for what purposes; and how customers can exercise their privacy choices.” The new rules require each ISP’s notice of privacy policies to accurately and specifically describe the types of customer PI that the carrier collects by virtue of its provision of service, and how the carrier uses that information; under what circumstances a carrier discloses or permits access to each type of customer PI that it collects, including the categories of entities to which the carrier discloses or permits access to customer PI, and the purposes for which the customer PI will be used by each category of entities; and how customers can exercise their privacy choices.

ISPs must provide notices of their privacy policies at the point of sale prior to the purchase of service, and also make them clearly, conspicuously, and persistently available on carriers’ websites and via carriers’ apps that are used to manage service. The FCC declined to mandate a standardized form or format for privacy policies, but requires each notice to “adequately inform customers of their privacy rights . . . clearly and conspicuously provide information in language that is comprehensible and not misleading, and be provided in the language used by the carrier to transact business with its customer.” While a specific format is not specified, the rules contemplate a multi-stakeholder proceeding to develop a standardized form that, if used by an ISP, will constitute a safe harbor.

In addition, the rules require ISPs “to provide advance notice of material changes to their privacy policies to their existing customers, via email or other means of active communication agreed upon by the customer.” The FCC defines a “material change” as any change that a reasonable customer would consider important to their decisions on their privacy. This definition is quite broad, and could include almost any changes made by the ISP.


In what is sure to be one of the more controversial sections of the Order, the FCC adopts rules that require express consent (“opt-in” approval) from a customer before the use and sharing of “sensitive” customer PI. The rules specify types of information deemed to be sensitive and subject to opt-in approval, including (1) the same types of information the FTC considers sensitive: precise geo-location, health, financial, and children’s information, and Social Security numbers; (2) the additional information that the FTC recommended should be treated as sensitive in the broadband context: content of communications; and (3) additional information that is currently treated as opt-out unless the content, website or app itself relates to sensitive information: web browsing and application usage histories and their functional equivalents. It is the last and new category of “sensitive” information that was the subject of much last-minute lobbying by edge providers who recognize that consumer advocates will now turn to the FTC to harmonize their guidance. While the FCC states that it considered an opt-out regime for the use of web-browsing and app usage history (similar to the FTC’s approach), it ultimately determined that many consumers will want to exercise affirmative choice regarding the use and sharing of this information.

In order to obtain customer consent to use sensitive PI, ISPs may solicit customer approval at the point of sale, and may engage in later solicitations of consent after the point of sale. ISPs must actively contact their customers in subsequent solicitations to ensure that customers are adequately informed. The solicitations must be clear and conspicuous, comprehensible and not misleading, and contain the information necessary for a customer to make an informed choice regarding her or his privacy.

The FCC recognizes that ISPs will also collect non-sensitive customer PI and that there are significant benefits to customers and businesses from some use and sharing of such non-sensitive customer PI. However, the FCC found that ensuring choice for not only the sharing of such non-sensitive customer information, but also an ISP’s internal use of such information, is necessary to protect the confidentiality of customer PI under Section 222(a). Erroneously citing the FTC’s current privacy framework, which permits the internal use of such information, including first party marketing, the FCC requires ISPs to obtain the customer’s “opt-out” approval to use, disclose, or permit access to non-sensitive customer PI.

In adopting these opt-in and opt-out requirements, the FCC stated that it understands that carriers must use and share customer PI in order to provide the underlying telecommunications service, to bill and collect payment for that service, and for certain other purposes. Therefore, the new rules provide limited exceptions to the opt-in and opt-out requirements to allow carriers to use and share information for congressionally-delineated purposes in the Communications Act, and as otherwise required or authorized by law. For example, no additional customer consent is needed in order for an ISP to use and share customer PI in order to provide the telecommunications service. Similarly, there are exemptions for the use of such information to market “communications” services typically bundled with the telecommunications service(s) to which a customer subscribes, as well as analytics and research.

While the FCC prohibits ISPs from engaging in “take it or leave it” offerings that condition – or effectively condition – the provision of broadband on the customer consenting to use or sharing of a customer’s PI, the FCC did recognize that there are benefits to consumers of allowing BIAS providers the flexibility to offer innovative financial incentives. Therefore, the FCC requires heightened disclosure and affirmative customer consent requirements to help ensure that a customer’s decision to allow sharing of proprietary information in exchange for financial incentives is based on his or her informed consent. The disclosure must include information about what customer PI the provider will collect, how it will be used, with what types of entities it will be shared, and for what purposes. Additionally, the disclosure must be provided both at the time the program is offered and at the time a customer elects to participate in the program. In adopting these requirements, the FCC states that it will closely monitor financial incentive regimes, particularly if allegations arise that service prices are inflated such that customers are essentially compelled to choose between protecting their personal information and higher prices.

Data Security

Stating that the duty to protect the confidentiality of customer PI is one of the most important requirements entrusted to ISPs, the FCC adopts a systematic approach that it claims will protect consumers’ confidential information by requiring ISPs to take reasonable measures to secure customer PI. To comply with the FCC’s requirement, a provider must adopt security practices appropriately calibrated to the nature and scope of its activities, the sensitivity of the underlying data, the size of the provider, and technical feasibility. Through this approach, providers have some flexibility and control over their data security practices but must adhere to the FCC’s standard of reasonableness that stresses context and adaptability to evolve over time. Therefore, depending on the nature of its operations, an ISP may comply with the FCC’s requirements by utilizing its own tailored mechanism to protect customer PI. However, the FCC does provide a number of “best practices” that it deems to be “exemplary” in nature to serve as a guidepost for ISPs, including smaller ISPs, in developing their own security regimes.

Breach Notification

In order to ensure that affected customers and the appropriate federal agencies receive notice of data breaches that could result in consumer harm, the FCC adopts rules requiring ISPs to notify affected customers, the FCC, and the FBI and Secret Service unless the carrier is able to reasonably determine that a data breach poses no reasonable risk of harm to the affected customers. The FCC defines a breach as any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed customer PI. In adopting breach notification requirements, the FCC recognizes that over-notification to customers can itself result in harm, and therefore states that it adopts a harm-based notification process. It concludes that such notification will empower customers to protect themselves against further harm, help the FCC identify and confront systemic network vulnerabilities, and assist law enforcement agencies with criminal investigations.

Unfortunately, this is another area where what the Commission says does not actually reflect the reality of the result. In defining “harm” the Order includes not only financial, economic and identity theft – as most state breach notification statutes do – but also “physical and emotional harm,” “reputational damage, personal embarrassment, or loss of control over the exposure of intimate personal details.” It creates a rebuttable presumption that breach of sensitive customer PI poses a reasonable likelihood of customer harm requiring notification. As a result, the harm that the FCC states it was avoiding – over-notification – is likely.

Specifically, unless the ISP reasonably determines that there is no reasonable risk of harm to the affected consumers, the new rules require notification of a breach to the FCC, the FBI and the Secret Service within seven (7) business days, and at least three (3) business days before notifying customers, if the breach affects 5,000 or more customers. For breaches affecting fewer than 5,000 customers, ISPs must notify the FCC without unreasonable delay and no later than thirty (30) calendar days following the carrier’s reasonable determination that a breach has occurred. ISPs must notify affected customers without unreasonable delays and in any case within 30 days. Because a carrier may not fully understand the circumstances and impact of a breach initially, the FCC expects carriers to supplement their initial breach notifications to the Commission, FBI, and Secret Service, as appropriate.

As part of the breach notification to customers, carriers must include information that helps the customer understand the scope of the breach, the harm that might result, and whether the customer should take any action in response. While the FCC does not spell out the requirements of the customer breach notification, it does provide a number of examples of what it expects would be included. Additionally, the rules require customer notification by means of written notification to the customer’s address of record or email address, or by contacting the customer by other electronic means agreed to by the customer for data breach notification purposes.

Dispute Resolution

The FCC concludes that its current informal complaint resolution process is sufficient to address customer concerns or complaints with respect to the privacy and data security rules. However, the FCC stated that it has serious concerns about the impact on consumers of mandatory arbitration requirements as a standard part of many contracts for communications services. The FCC plans to initiate a rulemaking in February 2017 on the use of mandatory arbitration requirements in consumer contracts for broadband and other communications services. That plan may also change with the new administration.

Enterprise Voice Customer Exemption

Recognizing that its existing voice CPNI rules include customer authentication obligations as a required data security practice but allow business customers to bind themselves to authentication schemes that are different than otherwise provided for by the rules, the revised rules continue an exemption for carrier contracts with enterprise customers for telecommunications services other than BIAS from compliance with the new privacy and data security rules if the carrier’s contract with the customer specifically addresses the issues of transparency, choice, data security, and data breach; and provides a mechanism for the customer to communicate with the carrier about privacy and data security concerns. However, even if the exemption applies, the carrier will still be subject to the statutory requirements of Section 222.


In an effort to provide certainty to carriers and customers, the FCC addresses a timeline in which carriers must implement the privacy rules adopted in the Order. The FCC reiterates that until the rules become effective, Section 222 applies to all telecommunications services, including BIAS, and the existing rules continue to apply to telecommunications services other than BIAS and to interconnected VoIP. Based on the ordering clauses in the Order, the following is a timeline of the effective dates of the rules:

· 30 days after publication in Federal Register:

  • 64.2001 (Basis and Purpose)
  • 64.2002 (Definitions)
  • 64.2010 (Business customer exemption)
  • 64.2011(a) (No conditioning provision of service on waiver of privacy rights)
  • 64.2012 (Effect on state law)

· 90 days after publication in Federal Register:

  • 64.2005 (Data security requirements)

· After notice of OMB approval and effective dates in Federal Register:

  • 64.2003 (Notice Requirements)
  • 64.2004 (Customer Approval)
  • 64.2006 (Data Breach Notification)
  • 64.2011(b) (BIAS Financial Incentive for Opt-In)

In an apparent attempt to minimize disruption to ISPs’ business practices, the FCC won’t require ISPs to obtain new consent from all customers upon the implementation of the new rules. Rather, for BIAS, the FCC will treat as valid or “grandfathered” any consumer consent that was obtained prior to the effective date of the rules and that is consistent with the new requirements. For example, if a BIAS provider obtained a customer’s opt-in consent to use that individual’s location data to provide coupons for nearby restaurants and provided adequate notice regarding his or her privacy rights, then the customer’s consent would be treated as valid. However, if the customer consent was not obtained in the manner contemplated by the new rule, a new opportunity for choice is required.

Recognizing that small carriers may face increased difficulties in implementing the new rules, the rules allow small carriers an additional twelve months to implement the notice and customer approval rules. For purposes of the extension, the FCC defines small BIAS providers as providers with 100,000 or fewer broadband connections and small voice providers as those with 100,000 or fewer subscriber lines as reported on their most recent Form 477, aggregated over all the providers’ affiliates.


In implementing these new broadband privacy and data security rules, the FCC recognizes that they may be at odds with state law. Therefore, the FCC states that its intent is to only preempt state privacy laws, including data security and data breach laws, to the extent that they are inconsistent with any rules adopted by the FCC. The FCC attempts to ground its authority to preempt state law in a variety of ways. However, its preemptive authority is likely to be challenged in court, as ambiguity remains as to exactly how preemption would effectively occur.

Legal Authority

The FCC’s defense of its legal authority to adopt and implement the broadband privacy rules is sure to be one of the most scrutinized aspects of the Order and will undoubtedly be challenged in court if the rules survive in the new administration. This summary will not attempt to give a full picture of how the FCC seeks to justify its actions. That said, the FCC asserts that its actions are well-grounded in its statutory authority, including but not limited to Section 222 of the Act. Essentially, the FCC repeats its conclusions from the Open Internet Order that Section 222 applies to BIAS providers. In particular, the FCC concludes that Section 222(a) imposes on ISPs an enforceable duty to protect the confidentiality of customer PI as it now defines that term, and that the new rules faithfully implement that mandate. The FCC points to the CPNI provisions of Section 222(c) for its authority to adopt revised, expanded rules applying those provisions to ISPs and traditional voice carriers alike, and relies on section 222(a) for its additional rules for newly-defined customer PI that does not fall within the statutory definition of CPNI.

To bolster its claims of legal authority, the FCC relies on a variety of other sections of the Communications Act. In addition to citing Section 222, it argues that Sections 201(b) and 202(a) of the Act provide additional authority to protect against privacy-related practices that are unjust or unreasonable, or unjustly or unreasonably discriminatory. It also claims that, with respect to mobile BIAS and other mobile telecommunications services, the new rules are independently supported by its authority under Title III of the Act to protect the public interest through spectrum licensing. Lastly, the FCC states that the rules are consistent with the purposes of Section 706 of the 1996 Act.


The FCC’s new broadband privacy and data security rules represent a significant departure from the status quo for ISPs. While this summary provides a high-level overview of the contents of the Order, DWT will provide further guidance, with specific analysis, of the provisions on an ongoing basis through a series of future posts, including any available information on changes that may be brought about by a new administration. Stay tuned for further announcements.

Written by:

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to ensure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR"). In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests) (our "Services") use a standard technology called a "cookie" and other similar technologies (such as pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used on our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:
