FCC Signals a Change in Course on Broadband Privacy, but it’s Not All Smooth Sailing Ahead
In an apparent response to overwhelming criticism from Internet Service Providers (“ISPs”), industry groups, academics, and other government agencies, Federal Communications Commission (FCC) Chairman Tom Wheeler has released a Fact Sheet outlining significant changes to the agency’s previous proposed rules on broadband privacy. Contrary to the Notice of Proposed Rulemaking (“NPRM”) it released in March, the FCC now proposes a consumer consent framework for broadband data that is more consistent with existing Federal Trade Commission (FTC) privacy precedent. The Fact Sheet also relaxes the FCC’s prior proposed rules on disclosures of de-identified data and customer breach notification. But while the Fact Sheet gives industry stakeholders much to celebrate, several areas of concern remain.
New Consent Framework Distinguishes Between Sensitive and Non-Sensitive Data
The NPRM proposed to create a new, broad category of data called “Customer Proprietary Information” (“CPI”). CPI would include information about customers’ accounts, known as Customer Proprietary Network Information (“CPNI”), and both sensitive and non-sensitive personally identifiable information (“PII”) ranging from customers’ social security numbers to their names and Internet usage statistics. The NPRM would have required customers to provide opt-in approval for most uses and disclosures of CPI, regardless of the information’s sensitivity.
Although we will have to wait until the Commissioners’ vote on the proposed Order on October 27th to see whether the Final Rule will change the proposed definition of CPI, the Fact Sheet indicates that the FCC will follow the FTC’s general approach in distinguishing between sensitive and non-sensitive customer information. Under the new framework, ISPs would have to obtain opt-in consent only for uses and disclosures of “sensitive” data, while opt-out consent would be sufficient for any other type of data. But while the proposed categories of “sensitive” data largely track the FTC Privacy Framework, two are unique to the FCC framework: “web browsing history” and “app usage history.” Participants in the online advertising ecosystem should pay close attention to how the FCC interprets these categories in the Final Rule, as restrictions on the use and disclosure of these types of data could severely impede their ability to deliver relevant and cost-effective advertisements to consumers.
No Consent Required for Use and Disclosure of De-Identified Data
The Fact Sheet also proposes to allow companies “to use and share properly de-identified information outside the consent regime required for other consumer data.” While the NPRM did not specifically prohibit uses of de-identified, non-aggregate data, it did seek comment on whether such data should be subject to the opt-in consent framework. The Fact Sheet’s proposal is a positive development for consumers, as de-identified data informs the relevant advertising that supports much of the content available on the Internet today.
More Time for Breach Notification to Customers, but Not Regulators or Law Enforcement
Commenters almost universally panned the NPRM’s proposed 10-day window for notifying customers following the discovery of a breach of CPI, noting that ISPs would not know enough about the breach that quickly to provide customers with any useful information. The FCC responded to this criticism by extending the customer notification window to 30 days after discovery of a breach. However, the agency did not change its proposed 7-day window for providing notice of a breach to the Commission, the FBI and the Secret Service. It also remains unclear whether ISPs will be required to provide notice for breaches of non-sensitive CPI, such as customer names.
The FCC appears to have responded to at least some of the criticism that the NPRM was inflexible and out of line with existing privacy frameworks and FTC precedent. The Fact Sheet represents a significant improvement over the NPRM, but the precise rules will not be known or finalized until the full Commission votes on whether to adopt the Final Rule on October 27th. We will provide a more comprehensive update as more information is released in the coming weeks.