As previously promised in last year’s Open Internet Order, the Federal Communications Commission (FCC or the Commission) has released a Notice of Proposed Rulemaking (NPRM) seeking comment on proposed privacy requirements for broadband internet access service providers. The proposed rules would regulate how such broadband providers use and share data about their customers and seek to enhance transparency, choice and security for customers’ personally identifiable information (PII). Comments to the NPRM are due May 27, 2016 and Reply Comments are due June 27, 2016.
Broadband providers became subject to existing privacy protections under Title II of the Communications Act as a consequence of the FCC’s reclassification of broadband providers as common carriers in the Open Internet Order. In particular, Section 222 of the Act provides privacy protection largely for certain voice telephony-related data that telecommunications carriers collect from their customers, known as Customer Proprietary Network Information (CPNI). This reclassification also largely, if not entirely, stripped the Federal Trade Commission (FTC) of jurisdiction over broadband providers due to the FTC’s own jurisdictional limitations. As a result, the internet’s broader ecosystem of broadband providers, such as Verizon and AT&T, and content and application providers, such as Buzzfeed and Wikipedia (often referred to as edge providers), among other stakeholders, is now effectively regulated by two different federal agencies with potentially varying regulatory policies and approaches.
While the Open Internet Order made Section 222 immediately applicable to broadband providers, the FCC decided not to apply then-existing CPNI rules to broadband providers due to the rules’ focus on voice telephony services. Instead, the FCC adopted this NPRM to develop rules more appropriately tailored towards broadband internet access services. The NPRM is the latest example of the FCC’s increasing focus on privacy issues. In 2015, for example, the FCC hosted a workshop on broadband consumer privacy, added a privacy expert for its chief technologist position and brought data security cases against AT&T Inc. and Cox Communications, Inc. These efforts remain contentious; the NPRM was adopted by the FCC in a 3-2 vote along partisan lines and with substantive dissenting statements by Commissioners Pai and O’Rielly. A consolidated legal challenge to the Open Internet Order itself also remains pending before the D.C. Circuit. The FCC will now commence a comment period and will likely take at least nine months to adopt final rules, consistent with past agency practices.
Key Aspects of the Proposed Rules
The FCC proposes rules obligating broadband providers to disclose, in plain and persistent terms, their practices of collecting, using and sharing customer information. The use and sharing of information would fall into three categories: (1) where customer consent may be inferred, (2) where customers must opt out and (3) where customers must opt in. The NPRM also proposes the creation of data security rules, including requirements to report breaches to the FCC and, in certain circumstances, law enforcement.
As discussed further below, the key rules proposed in the NPRM are the following:
NPRM Limitations and Key Proposed Definitions
The NPRM is limited to broadband providers and does not apply to websites and other non-common carrier online edge providers, like operators of online social media networks over which the FTC has authority. Nor does the NPRM apply to manufacturers of consumer equipment used to deliver broadband services, developers of software operating systems or internet browsers, or to issues like government surveillance, encryption or law enforcement.
The FCC also proposes to define various operative terms both broadly and in ways that could vary from other privacy practices. For example, the FCC proposes to define the information subject to these rules as both CPNI and PII collected by broadband providers and would cover, at a minimum, service plan information, geo-location, media access control (MAC) identifiers, source and destination internet protocol addresses and website traffic statistics. The FCC also requests comment regarding the proposed definition of “customer” as “1) a current or former, paying or non-paying subscriber to broadband Internet access service; and 2) an applicant for broadband Internet access service.” By limiting this proposed definition to the named account holder and not everyone that uses the account, the FCC appears to be attempting to balance consumer protections with the burden on broadband providers. But the FCC’s request for comment suggests it is considering expanding the customer definition to all persons who may use a subscriber’s account. The definition of “customer” ultimately adopted in the final rules will necessarily impact the scope of the privacy protections.
The NPRM also defines “breach” for purposes of proposed data security and data breach notification rules and expands it to cover all proprietary information, not merely CPNI. This would effectively codify the FCC’s enforcement decision in the TerraCom NAL in which it interpreted Section 222(a) as an independent grant of authority to regulate all common carrier data breaches involving any proprietary information, without an intent requirement. This broadened definition could foreseeably result in a wide variety of unintentional breaches triggering the proposed obligation to provide notice to customers and law enforcement, among other potentially burdensome requirements.
Proposed Transparency Requirements and Obligations for Broadband Providers
The FCC proposes requiring broadband providers to give customers clear and persistent notice about what information they collect, use and share with third parties. The NPRM proposes notice requirements at the point of sale and that the notice be persistently available, including by a link on the broadband provider’s homepage and on any of the broadband provider’s mobile apps. The Commission also seeks comment on whether it should adopt a requirement obligating businesses, upon request, to give customers, free of charge and within 30 days, lists of all of their PII that has been disclosed to third parties and how to contact those third parties, among other things.
In addition, the FCC
Three Categories of Proposed Consent Requirements
The FCC proposes rules for the use of CPNI by broadband providers that follow the same general framework of three consent categories per the existing CPNI rules but would enhance those rules for broadband providers by applying them to both CPNI and PII (together, Enhanced CPNI). The FCC seeks comment on how to draw the boundaries of these three categories. It seeks further comment about whether certain types of highly sensitive information, such as Social Security numbers, deserve special treatment beyond the three-category framework noted below.
In addition to these three categories, the FCC seeks comment on when broadband providers should notify their customers of their opportunities to approve or disapprove of the use of their information. Further, the NPRM proposes rules and seeks comment on how broadband providers should document their compliance with the proposed rules, how its proposed framework should differ from the current framework in place for voice telephony providers and how it should be harmonized with the existing approval requirements for cable and satellite providers.
Finally, the NPRM proposes to create different rules for the use and disclosure of aggregate Enhanced CPNI. In particular, the Commission seeks to separately address ways to manage the aggregation, de-identification and re-identification of the data that broadband providers collect about their customers, and it will allow broadband providers to continue to engage in such practices so long as the aggregate information is not reasonably “linkable” to a specific device or individual, among other things.
Proposed Security Requirements
The FCC also proposes several rules designed to improve security of customer information obtained and used by the broadband providers, including a general standard by which consumers can rely on their broadband provider to take reasonable steps to safeguard their Enhanced CPNI from unauthorized use, disclosure or access. It also lists specific practices that broadband providers must follow to comply with the overarching requirement.
Additional Notable Aspects of the NPRM
In addition to its focus on transparency, choice and security, the NPRM seeks comment on the following:
The FCC will now commence the comment cycle and will then likely take at least nine months to adopt final rules, which is consistent with past agency practices. Consumer and privacy groups will likely commend the FCC for proposing stringent privacy protections. At the same time, the FCC is already being criticized by broadband providers for proposing to apply more onerous consent requirements and other regulatory burdens on them, while other online stakeholders like edge providers will remain under FTC authority.
In particular, broadband providers will likely argue that, rather than creating new regulatory imbalances in the internet ecosystem, the FCC should follow or defer to the FTC’s privacy framework, which protects consumer privacy against practices that are “unfair or deceptive.” Broadband providers will also likely point out that the proposed FCC rules will hinder them from competing with the dominant online advertising players, i.e., edge providers.
Moreover, broadband providers will likely argue that many of the operative definitions and interpretations proposed by the FCC are too broad, onerous and vague, and when combined with the recent aggressive track record of the FCC’s Enforcement Bureau, they create unreasonable regulatory uncertainty and risk for broadband providers. Mobile wireless broadband providers, among others, will also likely take full advantage of the NPRM’s invitation to explain their mobile network-specific challenges in complying with “one-size-fits-all” broadband privacy regulations. Congress itself may get involved by trying to use its appropriations power or other legislative efforts to block or overturn the final rules, as it has tried to do with the Open Internet Order.
At bottom, the NPRM will likely have a significant impact on broadband providers and may have ripple effects over the rest of the ecosystem beyond the reach of the FCC’s jurisdiction, in the form of “harmonized” FTC approaches or industry self-regulating guidelines for other online stakeholders.
 See Protecting & Promoting the Open Internet, Report & Order on Remand, Declaratory Ruling, & Order, 30 FCC Rcd 5601 (2015) (Open Internet Order).
 The NPRM relies on the Open Internet Order’s definition of broadband internet access service providers, which includes those who provide access by wire and wireless services (including fixed and mobile wireless).
 However, the FCC and FTC are parties to a MOU intended to ensure coordination and consultation in areas of mutual interest. See FCC-FTC Consumer Protection Memorandum of Understanding (2015) (FCC-FTC MOU).
 See U.S. Telecom. v. FCC, No. 15-1063 (D.C. Cir.).
 In light of the FCC’s approval of the NPRM on a 3-2 partisan vote, the looming presidential election may motivate the FCC to adopt final rules before November 2016, particularly if there is a change in the party occupying the White House.
 The NPRM adopts the statutory definition of CPNI, as provided for in 47 C.F.R. § 64.2003(g), and Section 222(a) and (h) of the Communications Act, see 47 U.S.C. § 222(a), (h)(1).
 TerraCom, Inc. and YourTel America, Inc., Notice of Apparent Liability for Forfeiture, 29 FCC Rcd 13325 (2014). See also Dissenting Statement of Commissioner Michael O’Rielly.
 See 47 C.F.R. § 64.2003(l).
 Specifically, the NPRM directs broadband providers to notify the FBI and the U.S. Secret Service of breaches of Enhanced CPNI “reasonably believed to relate to more than 5,000 customers.”
 This compliance burden may come to resemble the burden created by the FCC’s interpretation of the Telephone Consumer Protection Act of 1991 (TCPA), where if the called party challenges their consent to phone calls, the burden shifts to the caller to prove they had consent.
 As noted above, Comments are due May 27, 2016 and Reply Comments are due June 27, 2016.
 In light of the FCC’s approval of the NPRM on a 3-2 partisan vote, the looming presidential election may motivate the FCC to adopt final rules before November 2016, particularly if there is a change in the party occupying the White House.
 Letter from CTIA, et al., to FCC, dated Feb. 11, 2016 (“recommend[ing] that any FCC framework be consistent with the successful FTC approach, which is grounded on prohibiting unfairness and deception.”).