Last month the Federal Communications Commission (“FCC”) closed the comment period for its proposed privacy regulations, which we previously wrote about here. The million dollar question on everyone’s minds is whether the final regulations will be broader or narrower in scope than the initial proposal, which included not only a significant expansion of the definition of personal information, but also sweeping new obligations and raised serious questions in areas where the obligations could become even stricter still. Accordingly, companies subject to the new regulations are bracing for tighter FCC Enforcement Bureau scrutiny of broad data collection and handling practices.
Fertile Ground for Class Actions.
FCC scrutiny, however, may be just the tip of the iceberg. Organizations should consider the significant possibility of consumer and class action litigation in evaluating the risk landscape.
The Communications Act has a rarely used provision that sets forth a private rights of action for violations of the Act itself or related regulations. Specifically, Section 206 of the Communications Act provides that common carriers—including broadband providers subject to the FCC’s privacy regulations—may be liable to any person injured for the “full amount of damages sustained” from “any act, matter, or thing in this chapter prohibited or declared to be unlawful.” Carriers are similarly liable for omissions to do any act, matter, or thing required to be done under the chapter. Importantly, these provisions include an ability to recoup attorney fees. A provision of Section 207 allows individuals to “bring suit for the recovery of the damages for which [the] common carrier may be liable” in any federal district court for violations of the chapter. “Chapter” is defined broadly and includes the primary provisions of the Communications Act that the FCC has proposed relying upon for the privacy regulations.
Such actions would not be without basis in precedent. The Supreme Court previously held that Section 207 authorized a private right of action to enforce regulations that the FCC issued pursuant to the Communications Act. In that context—a dispute between two companies—the Court held that the FCC regulations appropriately declared certain practices to be “unreasonable” (i.e., “unlawful” under the Communications Act) under Section 201 of the Act. The Court reasoned that since the practices were “unlawful”, the plaintiff could claim damages under Section 206, and maintain a suit for those damages under Section 207. The FCC’s proposal to base its privacy regulations, in part, on Section 201—the same statutory basis for which the Supreme Court upheld a private right of action—would permit plaintiffs’ class actions. Even if the statutory basis for the privacy regulations is not Section 201, there is still a strong argument that the Act would allow a private right of action to sue for damages allegedly suffered for violations of the regulations, as the regulations are issued pursuant to the Act, and Section 206 allows plaintiffs to seek damages for acts that are either prohibited or unlawful under the Act (and potentially, by the FCC regulations interpreting the Act).
It remains unclear the precise types of privacy rule violations the courts might be asked to decide. With the potential that the FCC’s rules will broaden privacy obligations, among the possibilities are actions based on sharing of personal (potentially a broader construct) information for marketing purposes without the necessary consent; failure to comply with the consent recordkeeping requirements or to obtain consent just before the use or disclosure; or failure to notify individuals affected by a data breach within ten days.
There is some good news. Following the Supreme Court’s recent decision in Spokeo, Inc. v. Robins, plaintiffs will not be able to simply allege a violation of a statutorily conferred right, such as those under Section 201. Instead, they may also have to allege an injury suffered. Given how broadly personal information may be defined under the new rules, alleging harm may not be an easy task.
What Should You Do?
Broadband providers should begin assessing the proposed privacy regulations against their existing business practices. This will give them a head start in dealing with the final regulations once they are issued. Thereafter an enterprise-wide assessment and modification to risky business practices can further reduce the chance of becoming targets for enforcement actions or litigation.
Companies that do business with broadband providers like cable companies and wireless carriers should consider careful review of their contractual obligations with those providers. At a minimum, they should understand which of these novel theories may implicate indemnification or duty to defend obligations by virtue of their practices with data—identifiable or not—that they are asked to deal with for broadband providers. Ambiguous contracts where each party promises to comply with applicable laws, but no party specifies what the laws are or how they will do so, could lead to new disputes to allocate liability between providers and companies that work with them. Finally, companies that work with broadband providers may want to understand the scope of the final regulations to understand what traps to look for in their agreements with providers.
Without a doubt, the new privacy regulations will provide a broader array of conduct for the FCC Enforcement Bureau to investigate and potentially penalize companies when it identifies improper privacy and data protection practices. But, the ground also appears to be fertile for potential plaintiffs to get involved. Accordingly, companies should begin to consider this landscape when making business calculations about resource allocation for compliance oriented activities, especially because the financial stakes are likely to be even higher with the plaintiffs’ bar potentially testing the limits of the Communications Act’s private right of action in alleging damages for violations of the FCC’s privacy regulations.
 The proposed regulations do not just broaden the kinds of data that would be defined as personal information. They also propose new data protection, sharing and use requirements (even if the data is aggregated) that companies must document and train employees and vendors on. They further require that mistakes be reported to the FCC, and data breaches be reported to government officials and individuals within 7 and 10 days respectively. Unlike the various state laws, the proposed rule would require notification regardless of whether there is a risk of harm to individuals, and there is no safe harbor for inadvertent access by unauthorized employees. Ultimately, the rules will likely disrupt existing business practices, and create an environment where FCC regulated entities will need to disclose even more data breach incidents.
 Global Crossing Telecomm., Inc. v. Metrophones Telecomm. Inc., 550 U.S. 45 (2007).