Indiana Communication Services – FCC Broadband Privacy Protection Order

On November 2, 2016, the Federal Communication Commission (FCC) released their broadband privacy protection order, which came almost 18 months after the FCC reclassified broadband internet service (BIAS) as a common carrier telecommunication service under Title II of the Communications Act (the Act). The order communicates three main goals to be accomplished via the expanded consumer privacy standards: transparency, choice, and security for customers.

The FCC explained that expanded privacy protections for consumers are necessary because ISP’s have “untethered” access to their customer’s internet information. The order broadened the definitions of “telecommunications carrier” to include all carriers providing telecommunications services subject to Title II and “customer” encompassing current, former, and applicant customers. Three types of customer propriety information (PI) are included within the scope of the new rules: customer proprietary network information (CPNI); personally identifiable information (PII), defined as “any information that is linkable to an individual or device”; and “content of communications”, defined as “any part of the substance, purport, or meaning of a communication or any other part of a communication that is highly suggestive of the substance, purpose, or meaning of a communication.” Any “de-identified” data is not subject to the new rule.

To accomplish transparency, the FCC adopts privacy policy notice requirements mandating that ISPs provide easy access to “clear and conspicuous, comprehensible, and not misleading information about what customer data the carriers collect, how they use the data, who it is shared with and for what purposes”, including the categories of entities to which the carrier discloses access to customer PI, and “how customers can exercise their choices regarding privacy options.” These notices must be provided at the point of sale prior to purchase and advanced notice of material changes must be provided to existing customers.

To provide choice, the FCC now requires express consent from a customer before using any sensitive customer PI. Sensitive materials include: precise geo-location, health, financial, and children’s information, social security numbers; and in the broadband context, content of communications, and additional information that is currently treated as “opt-out” unless the content, website, or app itself relates to sensitive information. ISPs may seek customer consent at the point of sale and engage in later solicitations of consent, as well, but must actively contact customers to ensure they are adequately informed.

Finally, to achieve security for customer PI, internet service providers must take reasonable measures, which includes adopting security practices tailored to the nature and scope of its activities, the sensitivity of the data, size of the provider, and technical difficulty. Affected customers, the FCC, FBI, and Secret Service must be notified of a data breach that could result in consumer harm unless it can be reasonably determined that the breach poses no risk of harm to affected customers. Notification affecting 5,000 or more customers must be made to the FCC, FBI, and Secret Service within 7 business days and at least 3 days before notifying customers. If the breach affects less than 5,000 customers, the FCC and customers must be notified within 30 calendar days. Notifications to customers must include information as to the scope of the breach, any harm that could result, and whether they should take action.

The order requires that “for any exemption of non-BIAS services from coverage of the overall rules to be valid, the carrier/enterprise service contract must contain certain provisions.” A carrier that contracts with an enterprise customer for telecommunications services other than BIAS need not comply with the privacy and data security rules if their contract specifically addresses transparency, choice, data security, data breach, and provides a mechanism for communication with the carrier regarding privacy and data security concerns.