On April 1, 2016, the Federal Communications Commission (the “FCC”) released the text of a Notice of Proposed Rulemaking (the “NPRM”) proposing and soliciting public comment on rules to regulate how broadband Internet access service providers (“Broadband Providers”) collect, use, and protect their customers’ personal information. Approved in a 3-2 party-line vote, the NPRM spans 133 pages (excluding the statements of the FCC Commissioners), is immensely detailed, and poses hundreds of questions for stakeholders to consider and address in their written comments in the proceeding. Interested parties must file initial comments by May 27, 2016, and reply comments must be filed by June 27, 2016.
Overview of the NPRM
As foreshadowed by the Fact Sheet released a few weeks ago by FCC Chairman Tom Wheeler, the NPRM proposes rules to implement the protections afforded to customer information under Section 222 of the Communications Act of 1934 (the “Communications Act”) in the context of Broadband Providers. Consistent with the information provided in the Fact Sheet, the NPRM’s proposed rules are framed around three core principles: transparency, customer choice, and data security. Given its limited length, the Fact Sheet only provided the highest level overview of the Chairman’s proposal, and the NPRM adopted last week is far more nuanced. For example, the item proposes expansive definitions of protected customer information, and seeks comment on whether these expanded definitions should be incorporated into existing Section 222 rules for traditional voice providers.
In addition, the NPRM proposes rules prohibiting the offering of broadband service conditioned on the waiver of the rights afforded by this framework, and inquires whether the FCC should adopt rules to prohibit the inclusion of binding arbitration clauses in a Broadband Providers’ customer contracts. The NPRM notes that the scope of these rules is limited to entities providing broadband service, and emphasizes that they do not apply to edge providers.
The FCC’s Proposed Framework
The NPRM’s proposed rules are broken out in to three broad categories: transparency of Broadband Providers data collection practices, customer choice with respect to the use of their information, and data security and breach notification requirements. The breadth of these rules is accentuated by the NPRM’s proposed definitions with respect to the types of information protected under Section 222. Below, we briefly summarize the scope of the types of information and customers protected under the proposed rules and then detail the FCC’s proposed Section 222 framework for Broadband Providers.
Scope of the FCC’s Proposed Privacy Framework
Customers Covered by the NPRM’s Proposed Rules
The NPRM proposes a broad definition of the term “customer.” As proposed, customers would include current subscribers to broadband services, former subscribers to broadband services, and applicants for broadband services. The NPRM seeks comment on whether such an expanded definition of customer should also apply to voice service providers.
Customer Information Covered by the NPRM’s Proposed Rules
The NPRM proposes to expand the types of customer information protected under its existing Section 222 rules for voice services. The NPRM’s proposed rules protect customer proprietary information (“CPI”). Under the NPRM’s proposals, CPI means both customer proprietary network information (“CPNI”), as defined in Section 222, and personally identifiable information (“PII”).
As defined in Section 222(h)(1), CPNI means customer information that relates to “the quantity, technical configuration, type, destination, location, and amount of use” of telecommunications services that is provided by a customer in the context of a carrier-customer relationship. The NPRM proposes to interpret this statutory definition as including, at a minimum:
- service plan information,
- geo-location information,
- device identifiers,
- source and destination IP addresses and domain names, and
- traffic statistics.
The NPRM also seeks comment on whether other types of information, including port information, application headers, application usage, or information regarding customer premises equipment, should be included in the definition of CPNI.
PII means any information that is linked or linkable to an individual such that it can be used on its own, or in combination, to identify an individual or to logically associate with other information of a specific individual. PII includes, but is not limited to, name, social security number, date and place of birth, mother’s maiden name, physical and email address, phone number, and unique identifiers.
The NPRM seeks comment on whether other types of information should be classified as CPNI or PII, and whether such protections should be harmonized with the existing Section 222 rules.
Transparency of Broadband Providers Data Collection Practices
Disclosure and Content Requirements for Privacy and Security Policies
The NPRM proposes that a Broadband Provider must clearly and conspicuously notify customers of its privacy policies in a comprehensible and readily apparent manner. Under the proposed rules, a Broadband Provider’s privacy policies must specify and describe:
- the types of CPI collected,
- how the Broadband Provider uses and discloses each type of CPI,
- the entities that will receive CPI from the Broadband Provider, and for what purpose, and
- customers’ opt-out or opt-in rights.
In describing customers’ opt-out or opt-in rights, Broadband Providers must explain that (a) a customer’s disapproval of use or disclosure will not affect the provision of any services, (b) a customer’s approval, denial, or withdrawal of consent is valid until the customer affirmatively revokes such consent, and that a customer can withdraw consent at any time, and (c) the provider may be compelled to disclose a customer’s information by law.
The NPRM’s proposed disclosure requirements do not distinguish between fixed and mobile Broadband Providers. The NPRM seeks comment on whether the FCC should consider any mobile-specific considerations, as well as whether the proposed disclosure requirements are technically feasible for implementation on mobile devices.
Timing of Disclosure
The NPRM seeks comment on its proposal that a Broadband Provider must (a) provide notice of their privacy and security policies at the point of sale, prior to the purchase of service, and (b) make such policies persistently available through a link on its homepage, mobile application, or functional equivalent.
Material Changes to Privacy Policies
The NPRM seeks comments on a number of these proposed rules and related issues. In particular, the NPRM asks whether the FCC should require Broadband Providers to provide bi-annual notification of their privacy practices, whether the proposed rules create compliance burdens for Broadband Providers, whether Broadband Providers should be required to provide notices in a standardized format, and whether the use of such a standardized format should afford the Broadband Provider with safe harbor for compliance with the proposed customer notification rules. In addition, the NPRM seeks comment on whether the privacy notices rules for providers of voice, video, and broadband services should be harmonized.
In describing the need for customer choice with respect to the use and disclosure of their personal information, the NPRM draws from existing Section 222 regulations. Specifically, the NPRM proposes varying degrees of customer choice (i.e., no consent required, opt-out, or opt-in), depending on how their information is used.
Customer Consent is Implied or Unnecessary
The NPRM proposes that, by purchasing broadband Internet access service, a customer implicitly grants approval for a Broadband Provider to use, disclose, or permit access to CPI in the following circumstances:
- to provide broadband services,
- to market additional broadband services in the same category to which the customer already subscribes,
- to initiate, render, bill, and collect for broadband services and other closely related services (e.g., technical support),
- to protect the rights or property of a Broadband Provider, other users of broadband services, or other Broadband Providers from fraudulent or unlawful use,
- to provide inbound marketing, referral, or administrative service if such service was initiated by the customer,
- to assist authorized emergency personnel pursuant to next generation 911 alternatives, inform the user’s guardian or family of the user’s location in an emergency, or to providers of information services for purposes of assisting in delivery of emergency services, and
- as otherwise required by law.
The NPRM seeks comment on these proposed scenarios in which customer consent is not required.
Opportunity to Opt-Out Required
The NPRM seeks comment on its proposal that Broadband Providers would be permitted to (i) use a customer’s information to market other “communications-related services” to the customer, and (ii) share a customer’s information with an “affiliate” that provides “communications-related services” for the purposes of marketing to that customer; provided, that the customer has an opportunity to opt-out of such use or disclosure. The NPRM also seeks comment on its proposal to use the Communications Act’s definition of “affiliate” for purposes of its proposed rules. Affiliate, as currently defined, means “a person that (directly or indirectly) owns or controls, or is owned or controlled by, or is under common ownership or control with, another person,” with “own” being defined as owning an equity interest of more than 10 percent.
Affirmative Opt-In Required
The NPRM seeks comment on its proposal that all other uses or disclosure of CPI not covered by the above two categories would require an express, affirmative opt-in consent. The NPRM specifically notes that opt-in consent would be required before marketing non-communications-related services, or sharing with an affiliate that does not provide communications-related services.
Timing and Notice of Customer Approval
The NPRM seeks comment on its proposal to require Broadband Providers to solicit consent from customers when the Broadband Provider first intends to use or disclose CPI in a manner that would require consent. When soliciting a customer’s consent, the Broadband Provider would be required to provide information about the types of information that will be used or disclosed, how it will be used, and the entities or types of entities with which such information will be shared. However, the NPRM does not proscribe specific rules regarding how Broadband Providers should solicit consent, and seeks comments on if and how such rules should be implemented.
Documenting Compliance with Consent Requirements
Under the rules proposed in the NPRM, Broadband Providers would be required to maintain records of disclosures of CPI, customer notices, and opt-in/opt-out approvals for at least one year. Additionally, Broadband Providers must adequately train and supervise personnel, establish a supervisory review process, and promptly notify the FCC of any unauthorized uses or disclosures.
Use of Aggregate Customer Proprietary Information
The NPRM proposes rules that would allow Broadband Providers to use and disclose aggregated CPI if (a) such information is not linkable to a specific device or individual, (b) the provider publicly commits to maintain such aggregate data in a non-individually identifiable manner and does not attempt to re-identify it, (c) the provider contractually prohibits any entity with which such aggregated date is shared from attempting to re-identifying the data, and (d) the provider reasonably monitors such third parties.
While the NPRM’s proposed rules implement the above framework, the FCC is seeking comment on alternative approaches to provide customers with adequate choice in the use and disclosure of their information. The FCC also seeks comment on whether Broadband Providers should be able to disclose non-aggregate, de-identified information without customer consent.
Applicability of Customer Choice to Small Broadband Providers
The NPRM seeks comment on ways to minimize the burden of the customer choice framework on small Broadband Providers. The NPRM inquires whether small Broadband Providers that collect CPI from fewer than 5,000 customers per year should be exempt from the customer choice framework, or whether they should be permitted to grandfather in existing customer approval to use CPI.
Data Security and Breach Notification
The NPRM proposes and seeks comment on a number of rules regarding the data security practices of Broadband Providers, as well as notification requirements following an unauthorized use or disclosure of CPI.
Data Security Requirements
The NPRM proposes that broadband providers be required generally to ensure the security, confidentiality, and integrity of CPI and protect against unauthorized use or disclosure. To satisfy this requirement, the NPRM proposes that Broadband Providers be required, at a minimum, to:
- establish risk management practices and assessments,
- implement appropriate personnel training,
- create robust customer authentication requirements,
- identify a senior manager responsible for data security practices,
- §notify a customer of account changes and attempts to access CPI, and
- take responsibility for the use of CPI by third parties with whom the Broadband provider shares such information.
The NPRM seeks additional comments related to these proposals, including the frequency of risk management assessments, whether Broadband Providers should be required to adopt multi-factor authentication, and whether customers should have the right to access and correct all of their information stored by a Broadband Provider. The NPRM also seeks comments on whether rules should be adopted limiting the collection of sensitive CPI, and whether limitations should be imposed on the retention of CPI.
Data Breach Notification Requirements
The NPRM proposes imposing data breach notification requirements on Broadband Providers. If CPI is breached, a broadband provider would be required to provide notification to:
- affected customers no later than 10 days after discovery of the breach, subject to law enforcement needs,
- the FCC no later than seven days after discovery of a breach, and
- the Federal Bureau of Investigation and the United States Secret Service no later than seven days after discovery for breaches affecting more than 5,000 customers, and at least three days before notification to customers.
The NPRM proposes to define “breach” to mean any instance where “a person, without authorization or exceeding authorization, has gained access to, used, or disclosed” CPI. Unlike the current CPNI rules, the proposed definition does not include an intent element. The NPRM seeks comment on this approach to defining what does—and does not—constitute a breach.
The NPRM proposes regulating the content of data breach notifications. Such notifications must include the date of the breach, a description of the information that was breached, company contact information, contact information for the FCC and state regulatory agencies, and information regarding credit monitoring.
The NPRM notes that the FCC is concerned with “notice fatigue” and proposes to adopt a trigger to limit notification in certain circumstances. Further comment is sought on whether notification should be required only when certain types of CPI is disclosed without the requisite authorization. Additionally, the FCC seeks comment on whether a Broadband Provider should provide notice to customers if a third-party has suffered a data breach.
Comments Sought on Customer Contract Provisions and Certain Broadband Provider Practices
The NPRM proposes to prohibit offering broadband services that are contingent on the waiver of the Section 222 protections. The NPRM also seeks comment on whether rules should be imposed to prohibit or limit the ability of Broadband Providers from (a) offering higher-priced broadband services for higher privacy protections, (b) using deep packet inspection for purposes other than network management, and (c) using persistent identifiers. Among the limitations considered, the NPRM suggests that rules imposing heightened notification requirements for these practices will be proposed.
The NPRM also seeks comments on whether to propose rules prohibiting Broadband Providers from compelling arbitration in their contracts with customers.
The NPRM asserts that the legal authority for the proposed rules is grounded primarily in Section 222 of the Communications Act, but is also supported by Sections 201, 202, and 705, as well as Section 706 of the Telecommunications Act of 1996 (the “Telecommunications Act”). The NPRM seeks comment on whether these statutory provisions establish authority to promulgate the proposed rules. The NPRM also seeks comment on the appropriate legal authority for specific proposals, including whether the disclosure requirements are compelled speech under the First Amendment, the extent to which the FCC might need to rely on Section 705 to protect broadband subscribers, and whether the rules proposed by the NPRM could be independently supported by Section 706 of the Telecommunications Act.
Interested parties currently have until May 27, 2016 to submit initial comments and until June 27, 2016 to submit reply comments. While detailed, the foregoing is merely a summary of the contents of the FCC’s complex and detailed NPRM.
 47 U.S.C. 153(2) (2012).