FCC Chairman Tom Wheeler released a Fact Sheet summarizing his proposal for new rules to protect the privacy of broadband customers. The proposal contains a three-level consent framework for the use and sharing of consumer data by broadband Internet access service (BIAS) providers. It also addresses data security and data breaches. A Notice of Proposed Rulemaking containing the proposal is scheduled to be considered at the FCC’s March 31, 2016, Open Meeting.
The proposal allows BIAS providers to assume that their customers have given them consent to use their information to the extent necessary to provide their broadband service and to market the type of broadband service purchased by a customer. For example, customer data could be used to bill the customer and ensure the customer’s email arrives at its destination, and the BIAS provider may use the fact that a customer is streaming a lot of data to suggest the customer may want to upgrade to another speed tier of service. However, BIAS providers would need to obtain customer consent, using an opt-out process, before marketing other communications-related services to them and/or sharing their data with the provider’s affiliates offering communications-related services for marketing purposes. Full opt-in consent would be required for all other uses and sharing of consumer data.
The proposal apparently includes “robust and flexible data security requirements for broadband providers, including an overarching data security standard” but few details are offered. The proposal would also:
- Require broadband providers to take reasonable steps to safeguard customer information from unauthorized use or disclosure;
- Adopt risk management practices;
- Institute personnel training practices;
- Adopt strong customer authentication requirements;
- Identify a senior manager responsible for data security; and
- Take responsibility for use and protection of customer information when shared with third parties.
Providers would be required to notify affected customers of breaches of their data no later than 10 days after discovery. In addition, they would have to notify the FCC of any breach of customer data no later than 7 days after discovery and the FBI and US Secret Service of breaches affecting more than 5,000 customers no later than 7 days after discovery of the breach.
Wheeler emphasized that the proposal does not affect:
- The privacy practices of web sites, like Twitter or Facebook, over which the Federal Trade Commission has authority.
- Other types of services offered by a broadband provider, such as operation of a social media website.
- Issues such as government surveillance, encryption or law enforcement.
The Notice will also seek comment on additional or alternative paths to achieve pro-consumer, pro-privacy goals.
According to Wheeler, the proposal is built on three core principles: choice, transparency and security:
Choice: Consumers have the right to exercise meaningful and informed control over what personal data their broadband provider uses and under what circumstances it shares their personal information with third parties or affiliated companies.
Transparency: Consumers deserve to know what information is being collected about them, how it’s being used, and under what circumstances it will be shared with other entities. Broadband providers must provide accurate disclosures of their privacy practices in an easily understandable and accessible manner.
Security: Broadband providers have a responsibility to protect consumer data, both as they carry it across their networks and wherever it is stored.
In response to Wheeler’s Proposal, Commissioner O’Rielly issued a statement saying, in part: “The ‘fact’ sheet demonstrates that the FCC is doubling down on its misguided and broken Net Neutrality decision by imposing troubling and conflicting ‘privacy’ rules on Internet companies, as well as freelancing on topics like data security and data breach that are not even mentioned in the statute.”