Mar 172016

FCC Proposes Privacy and Security Regulations for Internet Service Providers

Clayton G. Northouse, Alan Charles Raul, Edward R. McNicholas, Jonathan E. Nuechterlein and C. Frederick Beckner III
, , ,

On March 10, FCC Chairman Tom Wheeler issued a “fact sheet” summarizing a sweeping proposal to regulate the privacy and data-security practices of Internet service providers. The proposal would subject ISPs to new stringent requirements that other participants in the Internet ecosystem do not face because they are subject only to the more elastic oversight of the Federal Trade Commission under that agency’s general “unfair or deceptive” standard.

Though the details of the proposal will not be disclosed until the notice of proposed rulemaking is released, it likely may require ISPs to provide opt-out or, in some cases, opt-in consumer consent for certain uses of web browsing, location, and other information; impose security requirements and data breach notification requirements; and require increased notification of personal information uses. The proposal also may significantly expand the scope of protected information beyond the FCC’s statutorily-defined authority over CPNI by purporting to regulate undefined “customer data.”

Chairman’s Wheeler’s proposal rests on the following explicit assumptions:

  • ISPs have “an unobstructed view of all of their [customers’] unencrypted online activity – the websites they visit, the applications they use. If customers have a mobile device, their providers can track their physical and online activities throughout the day in real time.”
  • “Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee.” The proposal did not address whether the same considerations might apply to online platforms such as search engines that are difficult for many consumers to avoid (because of network effects, for example).
  • “Consumers should have effective control over how their personal information is used and shared by their broadband service providers.”
  • ISPs need to collect customer data to provide broadband services, and the proposed regulations would not interfere with the use of “customer data necessary to provide broadband services and for marketing the type of broadband service purchased by a customer.”

The proposed regulations would require ISPs to:

  • Enable customers to opt out of the use of their data “for the purposes of marketing other communications-related services and to share customer data with their affiliates that provide communications-related services for the purposes of marketing such services.”
  • Only use or share customer data for marketing third-party products or services or for other purposes with “express, affirmative ‘opt-in’ consent from customers.”
  • “[A]dopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties.”
  • In the event of a data breach, notify affected customers “no later than 10 days after discovery”; notify “the Commission of any breach of customer data no later than 7 days after discovery”; and notify the FBI and U.S. Secret Service of breaches “affecting more than 5,000 customers no later than 7 days after discovery of the breach.”

In response to the proposal, FCC Commissioner Michael O’Rielly stated, as reported by Law360, that the agency “seems intent on doing great damage to the interworking of the Internet.” Though Chairman Wheeler’s proposal would not affect the privacy practices of websites like “Twitter of Facebook, over which the Federal Trade Commission has authority,” Commissioner O’Rielly stated that the proposal may require the FTC to issue more onerous requirements on such “edge providers” to correct the imbalance struck by the FCC’s regulation of ISPs. In a separate statement, Commissioner O’Rielly further accused Chairman Wheeler of “freelancing on topics like data security and data breach that are not even mentioned in the statute.”

The Commission plans to vote on the proposal at its March 31 meeting. If approved, the Commission would issue a notice of proposed rulemaking and initiate a period to collect public comment

Clayton G. Northouse

cnorthouse@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Edward R. McNicholas

emcnicholas@sidley.com

Jonathan E. Nuechterlein

Washington, D.C.

jnuechterlein@sidley.com

C. Frederick Beckner III

Washington, D.C.

rbeckner@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.

Unpacking Digital Data Laws Across Europe: Addressing the Digital Markets Act

The EU Digital Markets Act (DMA) is set to revolutionize the way in which so-called ‘Big Tech’ is regulated in the EU, shifting toward ex-ante rulemaking and away from traditional after-the-fact enforcement. The DMA imposes a stringent regulatory regime on large online platforms (so-called “gatekeepers”) and gives the European Commission (Commission) new enforcement powers, including an ability to impose severe fines and remedies for noncompliance.