On October 27, 2016, the U.S. Federal Communications Commission (“FCC”), in a 3-2 vote along party lines, adopted new privacy rules for broadband providers aimed at protecting the privacy of consumers. FCC Chairman Tom Wheeler stated during a press conference that “the bottom line is that broadband subscribers will finally be in the driver’s seat.”
The new rules implement the privacy requirements of Section 222 of the Communications Act for broadband Internet Service Providers (“ISPs”). The rules aim to give broadband customers more control over how their personal information is used and shared by their ISPs. The FCC established a framework of customer consent required for ISPs to use and share their customers’ personal information based on the sensitivity of the information, an approach that is consistent with other privacy frameworks.
Three categories were established for the use and sharing of information. These categories include guidance for ISPs and their customers:
In addition, the FCC rules require ISPs to provide customers with “clear, conspicuous and persistent notice” about the information they collect, how it may be used and shared, and how customers can change their privacy preferences. ISPs are required to engage in reasonable data security practices, and the new rules contain guidelines that ISPs should consider following, including “common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data.”
The FCC’s vote comes on the heels of much vocal support of and opposition to the new rules from ISPs, those in the ad industry, and other interested groups. It should be noted that the scope of these rules is limited to broadband ISPs. The rules do not apply to the privacy practices of web sites or other “edge services,” and do not cover other services of a broadband provider, such as the operation of a social media website.
The FCC Press Release can be found here. The FCC Fact Sheet and Commissioner Statements can be found here.