On March 31, 2016, the Federal Communications Commission (FCC) adopted a Notice of Proposed Rulemaking (NPRM) that proposed to establish new privacy guidelines for broadband Internet service providers (ISPs).1 The FCC designed the proposal to “ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.”2 To accomplish this goal, the NPRM proposes to apply the privacy requirements of Section 222 of the Communications Act3 to ISPs that offer broadband Internet access service (or, in the NPRM’s terminology, “BIAS”).4 The FCC asserted that applying the privacy requirements set forth in Section 222 would “give broadband customers the tools they need to make informed decisions about how their information is used by their ISPs and whether and for what purposes [their information may be shared] with third parties.”5
The FCC seeks to tighten privacy rules through the NPRM, which would require ISPs to obtain explicit consent from customers for using or sharing their data in certain circumstances. FCC Chairman Tom Wheeler explained that more restrictive rules are necessary because ISPs have such a “broad view of all [their] customers’ unencrypted online activity.”6 The proposed rules have invoked contentious discussions throughout the communications industry and beyond. Privacy and consumer rights groups have been pushing the FCC to strengthen privacy rules since January 2016, when more than 50 organizations co-signed a letter to Chairman Wheeler urging him to “commence a rulemaking as soon as possible to protect the privacy of broadband consumers.”7 Broadband providers, however, are strongly opposed to the proposals, arguing that the proposed rules will harm consumers and stifle innovation. Several corporations and trade associations representing ISPs, advertisers, and content providers have also spoken out via the ongoing notice and comment period against the proposed rules on the basis that they are unnecessarily burdensome and threaten innovation. Should the FCC implement the proposed rules as written, the Internet economy as we know it could shift significantly; however, the extensive and contentious comment period remains ongoing, so it is unclear whether the rules will advance as proposed.
Types of Data Impacted by the Proposed Rules
As it stands, the NPRM first spells out what types of customer data require protection, how much protection is required, and what legal provisions underlie the FCC’s action. Section 222(a) of the Communications Act states: “Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to . . . customers.”8 Customer proprietary network information (CPNI), the type of data explicitly protected in Section 222, is defined in Section 222(h)(1) to encompass largely technical information associated with the provision of telecommunications services by the provider.9 Given the specificity of that definition, and the possibility that the definition provides an exhaustive list of CPNI, the NPRM does some gymnastics to reach beyond those listed data types and apply to consumer data more generally. In addition to CPNI, the NPRM claims that Section 222(a) provides the FCC with authority to reach additional classes of data designated in the NPRM as personally identifiable information (PII).10 The NPRM refers to CPNI and PII together as customer proprietary information (CPI).11 After categorizing consumer data in this manner, the NPRM sets forth a tiered series of privacy protections applicable to different data for different purposes.
The Proposal’s Restrictions on the Use and Disclosure of Customer Data
The NPRM sets forth three different levels of privacy protection to govern ISP use of customer data, each linked to some level of consumer notice and consent: (1) approval that is inherent in the creation of the customer-broadband provider relationship; (2) opt-out approval; and (3) opt-in approval.12 It is this third category, opt-in approval, that has prompted so much debate and has resulted in a torrent of comments and submissions to the FCC, so many that the FCC has now extended the deadline for reply comments, previously June 27, until July 6, 2016.13
Approval Inherent in the Customer-Broadband Provider Relationship
The NPRM’s first category is the most permissive and least controversial. The NPRM proposes to allow ISPs to use customer data without any further consultation with the customer for the provision of broadband services, purposes that consumers likely anticipate.14 The NPRM envisions that customers impliedly consent to the use of their data for billing purposes, protection from cybersecurity threats, e-mail routing, locating customers in emergency situations, and the like.15 In the FCC’s view, ISP use of customer data in this way is “consistent with customer expectations” and no further steps – by either the customer or the ISP – are necessary.16
Opt-out Approval for Marketing of Communications-Related Services
Second, the NPRM proposes that ISPs offer customers opt-out opportunities before they or their affiliates use CPI data to market other “communications-related services”.17 Under the NPRM, such an opt-out “must be clearly disclosed, easily used, and continuously available.”18 To this end, the NPRM proposes rules that require ISPs to provide an opt-out option when they “(1) Use [CPI] for the purpose of marketing communications-related services to that customer; and (2) Disclose or permit access to [CPI] to its affiliates that provide communications-related services for the purpose of marketing communications-related services to that customer.”19 Notably, this proposed rule would encompass all CPI instead of being limited to CPNI only.
Opt-in Approval for All Other Uses
The third, and by far most restrictive, category in the NPRM requires affirmative, express opt-in approval from ISP customers for all other uses of their data. The NPRM proposes to require ISPs to obtain opt-in approval from customers before using their information for any use that is not inherent to the provision of the services or the marketing of other communications-related services (i.e., covered by the first two categories).20 This includes the sharing of data with non-affiliate third parties. An opt-in requirement is generally viewed as the most restrictive form of consent, and the FCC explains its rationale behind imposing this higher standard in paragraph 18 of the NPRM:
“We believe that, in an era in which broadband providers are or may be affiliated with content providers, social networks, or companies that serve online ads and forms of social media, opt-in approval is needed to protect the reasonable expectations of consumers, who may not understand that their broadband provider can sell or otherwise share their information with unrelated companies for diverse purposes (such as targeted advertising), or can repurpose customer information for such purposes.”21
The FCC also provided some additional detail as to acceptable methods of obtaining opt-in approval from customers. The NRPM suggests requiring ISPs to provide customers with a “clearly disclosed, easy-to-use method for the customer to deny or grant approval, such as through a dashboard or other use interface that is readily apparent and easy to comprehend.”22 The FCC gave the example of a link on a BIAS provider’s homepage and mobile application as an acceptable method.23 The proposed rules allow the customer approval or disapproval to remain in effect until the customer revokes or limits such approval or disapproval.24 Until now, for most uses of customer data, companies, including ISPs, have often relied on an opt-out process, so the imposition of an opt-in requirement is a radical departure from current business practice.
Comment Period Continues, with Reply Comments Due July 6
At nearly 150 pages in length and containing such an involved—and controversial—new regulatory scheme, the NPRM was bound to cause strong reactions. Indeed, by the time the initial comment period closed on May 27, 2016, over 200,000 comments were lodged with the FCC. Opponents claim that the proposed regime is extremely burdensome, duplicative of existing FTC regulatory authority, or even runs afoul of the First Amendment.25 Supporters claim that the proposed rules are warranted due to the incentives ISPs have to monetize customer data and the privacy risks associated with the collection, use, and sharing of consumer data, including the threat of data breaches in the modern digital economy.26
Among some of the more interesting comments were submissions from the staff of the FTC’s Bureau of Consumer Protection, FTC Commissioner Maureen Ohlhausen, AT&T, Verizon, T-Mobile, the Electronic Frontier Foundation, and the National Consumers League. The comment submitted by FTC staff commended the FCC for its attention to issues surrounding ISPs’ use of consumer information and generally supported the proposed rules, offering only relatively minor modifications. Commissioner Ohlhausen submitted a separate comment, explaining that while she “strongly support[s]” the comment from FTC staff, she believes that the FCC’s specific approach “may not best serve consumers’ interests.”27 AT&T, Verizon, and T-Mobile each asserted similar arguments in their respective comments, arguing that the proposed rules are unreasonably restrictive, anticompetitive, and unlawful.28The Electronic Frontier Foundation and National Consumers League both submitted comments largely supporting the FCC, arguing that the proposed rules are well within the FCC’s jurisdiction and necessary to protect consumers and their data.29
The initial round of comments was due on May 27, 2016, with reply comments scheduled to be due one month later, on June 27. Because of the sheer volume of comments received, however, the FCC has now extended that deadline until after the Independence Day holiday, with reply comments now due on July 6.
The FCC’s proposal to impose a new privacy regulatory scheme on ISPs is a major development in U.S. privacy regulation. It has already generated strong reactions among stakeholders and the public, and the volume of comments—and the likely volume of reply comments—suggests that there is much hanging in the balance. Whether the NPRM goes forward as written or is substantially revised remains to be seen. What is certain, however, is that regulators’ interest in privacy issues is continuing to grow. Businesses of all stripes—not just ISPs—are wise to follow these developments and proposals closely and to actively participate in the comment process to ensure their perspectives are heard by regulators.
WSGR summer associate Lindsey Edwards contributed to the preparation of this article.
1 Notice of Proposed Rulemaking, FCC, WC Docket No. 16-106 (April 1, 2016) (hereinafter “NPRM”).
2 Press Release, “FCC Proposes to Give Broadband Consumers Increased Choice, Transparency and Security for their Personal Data,” FCC (March 31, 2016), https://apps.fcc.gov/edocs_public/attachmatch/DOC-338679A1.pdf.
3 47 U.S.C. § 222.
4 NPRM ¶ 2.
5 Press Release, “FCC Proposes to Give Broadband Consumers Increased Choice, Transparency and Security for their Personal Data,” FCC (March 31, 2016), https://apps.fcc.gov/edocs_public/attachmatch/DOC-338679A1.pdf.
6 Statement of Tom Wheeler, Chairman, FCC (March 31, 2016), https://apps.fcc.gov/edocs_public/attachmatch/DOC-338679A2.pdf.
7 Letter to Tom Wheeler, Chairman, FCC (January 20, 2016), https://cdt.org/files/2016/01/2016-01-19-Broadband-Privacy-Letter-to-FCC-FINAL.pdf.
8 47 U.S.C. § 222(a).
9 47 U.S.C. § 222(h)(1) (“The term ‘customer proprietary network information’ means–
(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier; except that such term does not include subscriber list information.”).
10 NPRM ¶ 57.
12 Id. ¶ 18.
13 Press Release, “Wireline Competition Bureau Extends Deadline for Filing Reply Comments in Broadband Privacy Proceeding,” FCC (June 22, 2016), http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0622/DA-16-712A1.pdf.
14 NPRM ¶ 18.
15 Id. ¶ 114. The NPRM proposes implementing the statutory exceptions codified in Section 222 of the Communications Act, which include the uses listed above. See 47 U.S.C. § 222(d).
16 Id. ¶ 111.
17 Id. ¶ 122.
18 Id. ¶ 18; see also id. at 107 (proposed rule: 47 C.F.R. § 64.7002 Customer Approval Requirements).
20 NPRM ¶ 18.
22 Id. ¶ 144.
24 Id. ¶ 147.
25 See National Association of Manufacturers, Comment to the FCC re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (May 27, 2016), https://ecfsapi.fcc.gov/file/60002077338.pdf; See Cellular Telecommunications Industry Association, et al., Comment to the FCC re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (May 27, 2016), https://ecfsapi.fcc.gov/file/60002079394.pdf.
26 Electronic Frontier Foundation, Comment to the FCC re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (May 27, 2016), https://ecfsapi.fcc.gov/file/60002081036.pdf; Federal Trade Commission, Bureau of Consumer Protection, Comment to the FCC re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (May 27, 2016), https://ecfsapi.fcc.gov/file/60002078443.pdf; National Consumers League, Comment to the FCC re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (May 27, 2016), https://ecfsapi.fcc.gov/file/60002078689.pdf.
27 Maureen K. Ohlhausen, Commissioner, Federal Trade Commission, Statement re Comment of the Staff of the Bureau of Consumer Protection of the Federal Trade Commission (May 27, 2016) (emphasizing the differences between the FTC’s approach and the proposed FCC approach to consumer privacy), https://ecfsapi.fcc.gov/file/60002079250.pdf.
28 See AT&T Services Inc., Comment to the FCC re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (May 27, 2016), https://ecfsapi.fcc.gov/file/60002080023.pdf; T-Mobile USA, Inc., Comment to the FCC re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (May 27, 2016), https://ecfsapi.fcc.gov/file/60002080297.pdf; Verizon, Comment to the FCC re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (May 27, 2016), https://ecfsapi.fcc.gov/file/60002078934.pdf.
29 See Electronic Frontier Foundation, Comment to the FCC re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (May 27, 2016), https://ecfsapi.fcc.gov/file/60002081036.pdf; National Consumers League, Comment to the FCC re Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (May 27, 2016), https://ecfsapi.fcc.gov/file/60002078689.pdf.