As previously promised in last year’s Open Internet Order, the Federal Communications Commission (FCC or the Commission) has released a Notice of Proposed Rulemaking (NPRM) seeking comment on proposed privacy requirements for broadband internet access service providers. The proposed rules would regulate how such broadband providers use and share data about their customers and seek to enhance transparency, choice and security for customers’ personally identifiable information (PII). Comments to the NPRM are due May 27, 2016 and Reply Comments are due June 27, 2016.
Broadband providers became subject to existing privacy protections under Title II of the Communications Act as a consequence of the FCC’s reclassification of broadband providers as common carriers in the Open Internet Order. In particular, Section 222 of the Act provides privacy protection largely for certain voice telephony-related data that telecommunications carriers collect from their customers, known as Customer Proprietary Network Information (CPNI). This reclassification also largely, if not entirely, stripped the Federal Trade Commission (FTC) of jurisdiction over broadband providers due to the FTC’s own jurisdictional limitations. As a result, the internet’s broader ecosystem of broadband providers, such as Verizon and AT&T, and content and application providers, such as Buzzfeed and Wikipedia (often referred to as edge providers), among other stakeholders, is now effectively regulated by two different federal agencies with potentially varying regulatory policies and approaches.
While the Open Internet Order made Section 222 immediately applicable to broadband providers, the FCC decided not to apply then existing CPNI rules to broadband providers due to the rules’ focus on voice telephony services. Instead, the FCC adopted this NPRM to develop rules more appropriately tailored towards broadband internet access services. The NPRM is the latest example of the FCC’s increasing focus on privacy issues. In 2015, for example, the FCC hosted a workshop on broadband consumer privacy, added a privacy expert for its chief technologist position and brought data security cases against AT&T Inc. and Cox Communications, Inc. These efforts remain contentious; the NPRM was adopted by the FCC in a 3-2 vote along partisan lines and with substantive dissenting statements by Commissioners Pai and O’Rielly. A consolidated legal challenge to the Open Internet Order itself also remains pending before the D.C. Circuit. The FCC will now commence a comment period and will likely take at least nine months to adopt final rules, consistent with past agency practices.
Key Aspects of the Proposed Rules
The FCC proposes rules obligating broadband providers to disclose, in plain and persistent terms, their practices of collecting, using and sharing customer information. The use and sharing of information would fall into three categories: (1) where customer consent may be inferred, (2) where customers must opt-out and (3) where customers must opt-in. The NPRM also proposes the creation of data security rules, including requirements to report breaches to the FCC and, in certain circumstances, law enforcement.
As discussed further below, the key rules proposed in the NPRM are the following:
Broadband providers must make robust disclosures about what data they collect from customers and how that data is used and shared;
The data that broadband providers collect and use will be classified in one of three categories, and each category imposes different requirements on broadband providers for obtaining customer consent (e.g., where consent is inferred, where customers must opt-out or where customers must opt-in); and
Broadband providers must adhere to a general standard of data security and implement specific data security safeguards.
NPRM Limitations and Key Proposed Definitions
The NPRM is limited to broadband providers and does not apply to websites and other non-common carrier online edge providers, like operators of online social media networks over which the FTC has authority. Nor does the NPRM apply to manufacturers of consumer equipment used to deliver broadband services, developers of software operating systems or internet browsers, or to issues like government surveillance, encryption or law enforcement.
The FCC also proposes to define various operative terms both broadly and in ways that could vary from other privacy practices. For example, the FCC proposes to define the information subject to these rules as both CPNI and PII collected by broadband providers and would cover, at a minimum, service plan information, geo-location, media access control (MAC) identifiers, source and destination internet protocol addresses and website traffic statistics. The FCC also requests comment regarding the proposed definition of “customer” as “1) a current or former, paying or non-paying subscriber to broadband Internet access service; and 2) an applicant for broadband Internet access service.” By limiting this proposed definition to the named account holder and not everyone that uses the account, the FCC appears to be attempting to balance consumer protections with the burden on broadband providers. But the FCC’s request for comment suggests it is considering expanding the customer definition to all persons who may use a subscriber’s account. The definition of “customer” ultimately adopted in the final rules will necessarily impact the scope of the privacy protections.
The NPRM also defines “breach” for purposes of proposed data security and data breach notification rules and expands it to cover all proprietary information, not merely CPNI. This would effectively codify the FCC’s enforcement decision in the TerraCom NAL in which it interpreted Section 222(a) as an independent grant of authority to regulate all common carrier data breaches involving any proprietary information, without an intent requirement. This broadened definition could foreseeably result in a wide variety of unintentional breaches triggering the proposed obligation to provide notice to customers and law enforcement, among other potentially burdensome requirements.
Proposed Transparency Requirements and Obligations for Broadband Providers
The FCC proposes requiring broadband providers to give customers clear and persistent notice about what information they collect, use and share with third parties. The NPRM proposes notice requirements at the point of sale and that the notice be persistently available, including by a link on the broadband provider’s homepage and on any of the broadband provider’s mobile apps. The Commission also seeks comment on whether it should adopt a requirement obligating businesses, upon request, to give customers, free of charge and within 30 days, lists of all of their PII that has been disclosed to third parties and how to contact those third parties, among other things.
In addition, the FCC
Proposes to give consumers information about how they can change their privacy preferences;
Seeks comment on the extent to which privacy notices should be standardized, including as part of a voluntary safe harbor for any adopted privacy notice requirements; and
Seeks further comment on the compliance burden for broadband providers adopting these transparency measures, whether mobile broadband providers should be treated differently and how the proposed rules can be harmonized for providers of voice, video and broadband services, like the “triple play” bundle.
Three Categories of Proposed Consent Requirements
The FCC proposes rules for the use of CPNI by broadband providers that follow the same general framework of three consent categories per the existing CPNI rules but would enhance those rules for broadband providers by applying them to both CPNI and PII (together, Enhanced CPNI). The FCC seeks comment on how to draw the boundaries of these three categories. It seeks further comment about whether certain types of highly sensitive information, such as Social Security numbers, deserve special treatment beyond the three-category framework noted below.
Consent Inherent in Customer Decision to Purchase ISP’s Services. The NPRM proposes that broadband providers not be subject to consent requirements when they collect Enhanced CPNI that is necessary to provide broadband services and for marketing the type of broadband services purchased by a customer. For example, broadband providers would not need to obtain additional customer approval for providing the service itself or facilitating emergency responses to 911 calls.
Opt-out. The NPRM proposes allowing broadband providers to use Enhanced CPNI for marketing other communications-related services, including those of communications-related affiliates, unless the customer affirmatively opts-out of that use. The NPRM also proposes that the opt-out option must be clearly disclosed, easily used and continuously available. As proposed, this opt-out category would not include information provided to edge services offered by broadband providers.
Opt-in. The FCC seeks to require broadband providers to obtain opt-in approval from customers before sharing Enhanced CPNI with non-communications-related affiliates or third parties, or before using Enhanced CPNI themselves for any purpose that is not expressly allowed. The NPRM envisions this opt-in rule functioning similarly to the consent requests mobile applications present when they ask for permission to use geo-location information, contact lists or photographs on a consumer’s smartphone.
In addition to these three categories, the FCC seeks comment on when broadband providers should notify their customers of their opportunities to approve or disapprove of the use of their information. Further, the NPRM proposes rules and seeks comment on how broadband providers should document their compliance with the proposed rules, how its proposed framework should differ from the current framework in place for voice telephony providers and how it should be harmonized with the existing approval requirements for cable and satellite providers.
Finally, the NPRM proposes to create different rules for the use and disclosure of aggregate Enhanced CPNI. In particular, the Commission seeks to separately address ways to manage the aggregation, de-identification and re-identification of the data that broadband providers collect about their customers, and it will allow broadband providers to continue to engage in such practices so long as the aggregate information is not reasonably “linkable” to a specific device or individual, among other things.
Proposed Security Requirements
The FCC also proposes several rules designed to improve security of customer information obtained and used by the broadband providers, including a general standard by which consumers can rely on their broadband provider to take reasonable steps to safeguard their Enhanced CPNI from unauthorized use, disclosure or access. It also lists specific practices that broadband providers must follow to comply with the overarching requirement.
General Security Standard. The NPRM proposes to create a general standard for data security, requiring broadband providers to “adopt security practices appropriately calibrated to the nature and scope of the [broadband provider’s] activities, the sensitivity of the underlying data, and technical feasibility.” The FCC seeks comment on how this general standard should be codified in the rules.
Specific Required Security Practices. The NPRM proposes a series of data security safeguards, including requiring that every broadband provider establish and perform regular risk management assessments, train employees in this area, establish and use robust customer authentication procedures and take responsibility for the use of customer PII by third parties with whom the broadband provider shares such information. The FCC seeks comment on these requirements, including whether to establish a safe harbor.
Data Breach Notification Requirements. The NPRM proposes to adopt rules governing notice of data breaches by broadband providers. It defines breach and seeks comment regarding the circumstances in which broadband providers should be required to notify customers of a breach of their Enhanced CPNI. For example, the FCC proposes to require broadband providers to notify affected customers within 10 days of the discovery of a triggering breach. The NPRM also proposes that broadband providers must notify the FCC of all data breaches and that other federal law enforcement be notified if a breach impacts more than 5,000 customers.
Forbidden Practices. The NPRM seeks comment on whether certain uses of data should be prohibited completely or at least subject to specific requirements. For example, the FCC proposes forbidding the practice of conditioning price discounts on a consumer’s willingness to waive privacy interests.
Additional Notable Aspects of the NPRM
In addition to its focus on transparency, choice and security, the NPRM seeks comment on the following:
A discussion of the burdens its various proposed rules would place on broadband providers, signaling that this may be a rare opportunity, at the FCC’s own invitation, to push back against the proposed rules;
The FCC’s request that broadband providers document their compliance with the proposed rules, setting up the prospect of the FCC placing the burden on broadband providers to maintain a paper trail supporting their compliance whenever it is challenged;
How to harmonize its broadband privacy rules with cable and satellite providers under different sections of the Communications Act and whether the FCC should update rules that govern the application of Section 222 to traditional voice telephony service and interconnected VoIP service;
Whether the FCC should forbid broadband providers from compelling arbitration in their contracts with customers; and
The FCC’s legal authority to adopt the proposed rules.
The FCC will now commence the comment cycle and will then likely take at least nine months to adopt final rules, which is consistent with past agency practices. Consumer and privacy groups will likely commend the FCC for proposing stringent privacy protections. At the same time, the FCC is already being criticized by broadband providers for proposing to apply more onerous consent requirements and other regulatory burdens on them, while other online stakeholders like edge providers will remain under FTC authority.
In particular, broadband providers will likely argue that, rather than creating new regulatory imbalances in the internet ecosystem, the FCC should follow or defer to the FTC’s privacy framework, which protects consumer privacy against practices that are “unfair or deceptive.” Broadband providers will also likely point out that the proposed FCC rules will hinder them from competing with the dominant online advertising players, i.e., edge providers.
Moreover, broadband providers will likely argue that many of the operative definitions and interpretations proposed by the FCC are too broad, onerous and vague, and when combined with the recent aggressive track record of the FCC’s Enforcement Bureau, they create unreasonable regulatory uncertainty and risk for broadband providers. Mobile wireless broadband providers, among others, will also likely take full advantage of the NPRM’s invitation to explain their mobile network-specific challenges in complying with “one-size-fits-all” broadband privacy regulations. Congress itself may get involved by trying to use its appropriations power or other legislative efforts to block or overturn the final rules, as it has tried to do with the Open Internet Order.
At bottom, the NPRM will likely have a significant impact on broadband providers and may have ripple effects over the rest of the ecosystem beyond the reach of the FCC’s jurisdiction, in the form of “harmonized” FTC approaches or industry self-regulating guidelines for other online stakeholders.
 See Protecting & Promoting the Open Internet, Report & Order on Remand, Declaratory Ruling, & Order, 30 FCC Rcd 5601 (2015) (Open Internet Order).
 The NPRM relies on the Open Internet Order’s definition of broadband internet access service providers, which includes those who provide access by wire and wireless services (including fixed and mobile wireless).
However, the FCC and FTC are parties to a MOU intended to ensure coordination and consultation in areas of mutual interest. See FCC-FTC Consumer Protection Memorandum of Understanding (2015) (FCC-FTC MOU).
 See U.S. Telecom. v. FCC, No. 15-1063 (D.C. Cir.).
 In light of the FCC’s approval of the NPRM on a 3-2 partisan vote, the looming presidential election may motivate the FCC to adopt final rules before November 2016, particularly if there is a change in party occupying the White House.
 The NPRM adopts the statutory definition of CPNI, as provided for in 47 C.F.R. § 64.2003(g), and Section 222(a) and (h) of the Communications Act, see 47 U.S.C. § 222(a), (h)(1).
TerraCom, Inc. and YourTel America, Inc., Notice of Apparent Liability for Forfeiture, 29 FCC Rcd 13325 (2014). See also Dissenting Statement of Commissioner Michael O’Rielly.
 See 47 C.F.R. § 64.2003(l).
 Specifically, the NPRM directs broadband providers to notify the FBI and the U.S. Secret Service of breaches of Enhanced CPNI “reasonably believed to relate to more than 5,000 customers.”
This compliance burden may come to resemble the burden created by the FCC’s interpretation of the Telephone Consumer Protection Act of 1991 (TCPA), under which, if the called party challenges whether they consented to phone calls, the burden shifts to the caller to prove that consent was given.
 As noted above, Comments are due May 27, 2016 and Reply Comments are due June 27, 2016.
 Letter from CTIA, et al., to FCC, dated Feb. 11, 2016 (“recommend[ing] that any FCC framework be consistent with the successful FTC approach, which is grounded on prohibiting unfairness and deception.”).