The Federal Communications Commission (“FCC”) recently issued a proposed set of privacy regulations that, if passed, will have broad implications for broadband providers, as well as for the companies that collect or receive information from them. We recently authored an article in Law360 that outlines the key elements of the FCC’s Notice of Proposed Rulemaking (“NPRM”), includes some of the questions that the FCC is seeking comment on regarding the proposed regulations, and identifies how the regulations may impact business models and practices for companies that are not Internet Service Providers.
As we explore in more detail in our article, if passed as written the regulations will:
- Broadly define personal information to expressly include data that many businesses commonly view as non-identifying or non-personal information;
- Regulate where privacy policies must be displayed and what they must say;
- Require broadband providers to offer opt-out rights for using personal information to market communications-services they offer;
- Mandate opt-in consent before personal information can be shared or used to market non-communications or third party products or services (with consent not being valid unless obtained “just in time” for when the information will be shared or used);
- Impose robust recordkeeping, employee and vendor training, and regulator-reporting requirements;
- Restrict the use and sharing of aggregate information, and require contractual restrictions with vendors and third parties that receive it;
- Require data security programs with specific programmatic components;
- Create strict breach notification obligations with 7 and 10 day reporting deadlines, with no exceptions for inadvertent employee access or incidents with no risk of harm.
It is possible that the regulation will be clarified or revised before they are finalized, and the FCC is accepting comments on the proposal through May 27, 2016. It’s not clear, however, that clarifications or revisions will relax the requirements, as the questions the FCC posed in the NPRM suggest that it may choose to include even more topics and requirements in the final rule. For example, it asks whether the definition of personal information should be even broader, whether additional consents should be required for specific categories of information, if the regulation should include specific data security controls, and whether particular business models that allow users to elect less privacy protections should be restricted or prohibited.
Broadband providers are closely scrutinizing the proposed regulations, but companies that get data from them also may want to understand the proposal and how it will impact their business practices. For example, businesses that depend on or monetize “anonymous”, pseudonymous, or aggregate data from cable companies, wireless carriers, or other broadband providers may see the data flows cut off or allowed only with new individual opt-in consent, data protection, and use limitation requirements. Advertising and marketing service providers, including for direct marketing, behavioral advertising, and data analytics, may have new challenges and opportunities as they seek to work with ISPs. As “applicable law” changes, existing contracts may also need a close review to identify which company has which compliance obligations, and new contracts will likely contain more robust privacy, data protection, breach reporting, and use restriction requirements. Broadband providers and those that get data from them should explore the implications of the proposed privacy regulations now so that they can weigh in before the regulations are finalized.