On November 2, 2016, the Federal Communications Commission (FCC) released its broadband privacy protection order, which came almost 18 months after the FCC reclassified broadband internet access service (BIAS) as a common carrier telecommunications service under Title II of the Communications Act (the Act). The order sets out three main goals to be accomplished through the expanded consumer privacy standards: transparency, choice, and security for customers.
The FCC explained that expanded privacy protections for consumers are necessary because ISPs have “untethered” access to their customers’ internet information. The order broadened the definition of “telecommunications carrier” to include all carriers providing telecommunications services subject to Title II, and the definition of “customer” to encompass current, former, and applicant customers. Three types of customer proprietary information (PI) are included within the scope of the new rules: customer proprietary network information (CPNI); personally identifiable information (PII), defined as “any information that is linkable to an individual or device”; and “content of communications”, defined as “any part of the substance, purport, or meaning of a communication or any other part of a communication that is highly suggestive of the substance, purpose, or meaning of a communication.” Any “de-identified” data is not subject to the new rules.
To provide choice, the FCC now requires express consent from a customer before an ISP uses any sensitive customer PI. Sensitive materials include: precise geo-location, health, financial, and children’s information; Social Security numbers; and, in the broadband context, content of communications and additional information that is currently treated as “opt-out” unless the content, website, or app itself relates to sensitive information. ISPs may seek customer consent at the point of sale and may also solicit consent later, but must actively contact customers to ensure they are adequately informed.
Finally, to achieve security for customer PI, internet service providers must take reasonable measures, which include adopting security practices tailored to the nature and scope of the provider's activities, the sensitivity of the data, the size of the provider, and technical difficulty. Affected customers, the FCC, FBI, and Secret Service must be notified of a data breach that could result in consumer harm unless it can be reasonably determined that the breach poses no risk of harm to affected customers. Notification of a breach affecting 5,000 or more customers must be made to the FCC, FBI, and Secret Service within 7 business days and at least 3 days before notifying customers. If the breach affects fewer than 5,000 customers, the FCC and customers must be notified within 30 calendar days. Notifications to customers must include information as to the scope of the breach, any harm that could result, and whether they should take action.
The order requires that “for any exemption of non-BIAS services from coverage of the overall rules to be valid, the carrier/enterprise service contract must contain certain provisions.” A carrier that contracts with an enterprise customer for telecommunications services other than BIAS need not comply with the privacy and data security rules if its contract specifically addresses transparency, choice, data security, and data breach, and provides a mechanism for communication with the carrier regarding privacy and data security concerns.
Jeremy Fetty is a partner in the law firm of Parr Richey Frandsen Patterson Kruse, with offices in Lebanon and Indianapolis. He often advises businesses and utilities (for-profit, non-profit and cooperative) on organizational, human resources, and transactional matters, and drafts and reviews commercial contracts.
The statements contained herein are matters of opinion and general information only and are not to be considered legal advice and should not be construed to form an attorney-client relationship. If you have any questions regarding this article, please contact an attorney.