The FCC recently adopted broadband privacy rules, which will be implemented on a staggered schedule. The FCC did not provide calendar dates for implementing the rules, and some of the dates depend on pending PRA approvals. The following is a summary of the new privacy rules and the dates they are scheduled to take effect.
On January 3, 2017, sections 64.2010 and 64.2011(a) became effective. Section 64.2010 pertains to the Business Customer Exemption for Provision of Telecommunications Services other than BIAS, and states that telecommunications carriers can utilize other contractual privacy and data security regimes for services other than BIAS as long as the issues of transparency, choice, data security, and data breach are addressed. There must also be a mechanism for the customer to communicate concerns to the carrier. Section 64.2011(a) pertains to BIAS Offers Conditioned on Waiver of Privacy Rights and states that a BIAS provider cannot condition providing BIAS on a customer’s agreement to waive privacy rights, nor may a BIAS provider terminate or refuse to provide service based on a customer’s refusal to waive their privacy rights. Section 64.2011(b) is not effective until on or after December 4, 2017, as discussed below.
On March 2, 2017, new section 64.2005 replaced old sections 64.2009 (Safeguards required for use of customer proprietary network information) and 64.2010 (Safeguards on the disclosure of customer proprietary network information). Section 64.2005 covers data security, states a carrier must take reasonable measures to protect customers’ proprietary information, and lists four factors for determining reasonableness—the nature and scope of the carrier’s activities, the sensitivity of the data, the size of the carrier, and technical feasibility.
On June 2, 2017, or after PRA approval, whichever comes later, new section 64.2006 will replace old section 64.2011 (Notification of customer proprietary network information security breaches). Section 64.2006 covers data breach notifications and outlines the steps a carrier must take to notify customers, the Commission, and Federal law enforcement in the event of a data breach. There is also a subsection which states the carrier shall maintain a record of any breaches and the notifications made to customers, including the dates of the breach and customer notification. The carrier must keep the records for two years after the breach but does not have to keep a record if the carrier reasonably determines the breach resulted in no harm to customers.
On December 4, 2017, or after PRA approval, whichever comes later, and subject to a 12-month extension for small providers, three new sections will become effective. New section 64.2004 will replace old sections 64.2005 (Use of customer proprietary network information without customer approval) and 64.2007 (Approval required for use of customer proprietary network information). New section 64.2004 covers customer approval, stating a carrier may not allow access to customer proprietary information without customer approval. This section addresses limitations and exceptions to the rule, opt-out and opt-in approval requirements, a notice and solicitation requirement, and the mechanism for exercising customer approval.
Jeremy Fetty is a partner in the law firm of Parr Richey Frandsen Patterson Kruse with offices in Indianapolis and Lebanon. Mr. Fetty is the current Chair of the Firm's Utility and Business Section and often advises businesses and utilities (for-profit, non-profit and cooperative) on regulatory, compliance, and transactional matters and reviews commercial contracts.
The statements contained herein are matters of opinion and general information only and are not to be considered legal advice and should not be construed to form an attorney-client relationship. If you have any questions regarding this article, please contact an attorney.