This month, the Federal Communications Commission (FCC) will consider issuing a Notice of Proposed Rulemaking (NPRM) for privacy regulations that will apply to broadband providers. The goals and objectives of the proposed regulations, which will be offered by FCC Chairman Wheeler, are outlined in a short document that the FCC released. The proposed regulations will likely contain strict privacy requirements that broadband providers have never before been subject to under federal law.
Telecommunications carriers have long been subject to privacy requirements under the Communications Act, including Section 222. Following the FCC’s Open Internet Order, Internet access (or broadband) providers are now deemed to be providing “telecommunications services”, which the FCC warned in an enforcement advisory last year subjects them to the requirements of Section 222. In what many are describing as an effort for the FCC to make a name for itself as a privacy regulator, it has significantly increased privacy-related enforcement actions in recent years, resulting in several multi-million dollar settlements. The FCC now appears ready to start specifying in regulations what exactly broadband providers must do. (Up until now, the regulations issued under that law have imposed requirements that are focused only on phone companies).
The FCC-released document indicates that the proposed regulations will:
- Require individual consent for certain uses of customer data, including express, affirmative opt-in consent when information is shared or used for third party purposes;
- Provide opt-out rights before customer data can be used to market other communications services or to share data with affiliates for marketing of communications services;
- Require specific data security protections for customer data, including adopting risk management practices and having strong customer authentication requirements;
- Regulate personnel practices by requiring appointment a data security manager, and instituting security training for personnel;
- Impact vendor and third party contracting by holding broadband providers responsible when customer data is shared with third parties; and
- Impose breach notification obligations for beaches of customer data, including notifications to customers within 10 days and to the FCC (and possibly FBI and Secret Service) within 7 days.
Broadband providers should pay considerable attention to the development of these rules. Companies with robust security and privacy programs likely already comply with many of these requirements, but will need to consider how these impending changes will require revisions to existing policies. As implementation of these rules nears, companies subject to Section 222 should consider engaging in enterprise-wide reviews or audits of their privacy and security programs (now and on an ongoing basis) to better align their current practices with these rules.
Additionally, companies that work with user data from broadband providers—like marketing service providers and data analytics companies—may soon see business models disrupted if broadband provider clients are required to comply with stricter privacy and data protection obligations.