FCC Adopts Rules Governing the Data Privacy of Broadband Consumers

December 6, 2016

By: Eric P. Bergner, Elizabeth A. Corradino, and Alexandra M. Farin

Transparency, choice, and data security are the keynotes of the Federal Communication Commission’s new rules for protecting the privacy of customers of broadband and other telecommunications services.  The rules, adopted on October 27th and officially published in the Federal Register on December 2, 2016, implement a definition of “telecommunications carriers” that includes providers of broadband internet access services (“BIAS”) and interconnected “voice over Internet Protocol” services and places new and exacting privacy requirements on them.

BIAS providers, as distinguished from edge providers (i.e., any entity providing content, application, or service over the Internet, or a device used for accessing any such content, application, or service) will now be subject to heightened data privacy requirements for the collection and use of customer proprietary information (which includes individually identifiable customer proprietary network information (“CPNI”), personally identifiable information (“PII”), and the content of communications).    

The new rules have several components, including the requirement on BIAS providers to provide privacy notices that clearly and accurately inform customers about what confidential information is collected, how it is used, under what circumstances it is shared, and the categories of entities with which it will be shared.  The privacy notice must be provided to customers at the point of sale and remain persistently available and easily accessible.  The rules also enforce specific data breach notification requirements based on the number of affected customers and the likelihood of resulting harm. 

The most noteworthy provision is the sensitivity-based customer choice framework, which requires BIAS providers and other telecommunications carriers to obtain a customer’s opt-in consent before using or sharing sensitive customer proprietary information (this framework does not apply to customer proprietary information obtained by BIAS providers from their provision of non-telecommunication services, such as email, cloud storage and music and video streaming).  The categories of information considered “sensitive” consist of precise geo-location; health, financial, and children’s information; Social Security numbers; the content of communications; and web browsing and application usage histories and their functional equivalents.  The rules also require BIAS providers to, at a minimum, offer customers the ability to opt-out of the use and sharing of non-sensitive customer information.  Opt-in and opt-out mechanisms must be persistent and easy-to-access. 

There are exceptions to these customer approval requirements.  For example, BIAS providers may always use and share customer data in order to provide the underlying broadband services, to bill and collect for the services, and for certain other limited purposes by virtue of delivering the service.

BIAS providers have raised concerns about the effect these rules will have on the ability to utilize customer proprietary information in targeted advertising, as the FCC explicitly noted that there is no inferred customer approval permitting telecommunications carriers to use and share customer proprietary information to market carrier and affiliate services, and that carriers must follow the “opt-out” regime when using non-sensitive customer proprietary information in their marketing.  As edge providers like Facebook, Google and Twitter are not required to allow customers the ability to opt-in or opt-out (depending on the level of sensitivity of the information being used), such providers have been given an unprecedented competitive advantage in behavioral advertising. 

To view the FCC’s privacy requirements for BIAS and other telecommunications services, click here.

PDF File View as PDF