FCC Proposes Privacy and Security Regulations for Internet Service Providers

On March 10, FCC Chairman Tom Wheeler issued a “fact sheet” summarizing a sweeping proposal to regulate the privacy and data-security practices of Internet service providers. The proposal would subject ISPs to new, stringent requirements that other participants in the Internet ecosystem do not face, because those participants are subject only to the more elastic oversight of the Federal Trade Commission under that agency’s general “unfair or deceptive” standard.

Though the details of the proposal will not be disclosed until the notice of proposed rulemaking is released, it will likely require ISPs to obtain opt-out or, in some cases, opt-in consumer consent for certain uses of web browsing, location, and other information; impose data-security requirements and data breach notification requirements; and require expanded notice to customers of how their personal information is used. The proposal also may significantly expand the scope of protected information beyond the FCC’s statutorily defined authority over customer proprietary network information (CPNI) by purporting to regulate undefined “customer data.”

Chairman Wheeler’s proposal rests on the following explicit assumptions:

  • ISPs have “an unobstructed view of all of their [customers’] unencrypted online activity – the websites they visit, the applications they use. If customers have a mobile device, their providers can track their physical and online activities throughout the day in real time.”
  • “Consumers can move instantaneously to a different website, search engine or application. But once they sign up for broadband service, consumers can scarcely avoid the network for which they are paying a monthly fee.” The proposal did not address whether the same considerations might apply to online platforms such as search engines that are difficult for many consumers to avoid (because of network effects, for example).
  • “Consumers should have effective control over how their personal information is used and shared by their broadband service providers.”
  • ISPs need to collect customer data to provide broadband services, and the proposed regulations would not interfere with the use of “customer data necessary to provide broadband services and for marketing the type of broadband service purchased by a customer.”

The proposed regulations would require ISPs to:

  • Enable customers to opt out of the use of their data “for the purposes of marketing other communications-related services and to share customer data with their affiliates that provide communications-related services for the purposes of marketing such services.”
  • Use or share customer data for marketing third-party products or services, or for any other purpose, only with “express, affirmative ‘opt-in’ consent from customers.”
  • “[A]dopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties.”
  • In the event of a data breach, notify affected customers “no later than 10 days after discovery”; notify “the Commission of any breach of customer data no later than 7 days after discovery”; and notify the FBI and U.S. Secret Service of breaches “affecting more than 5,000 customers no later than 7 days after discovery of the breach.”

In response to the proposal, FCC Commissioner Michael O’Rielly stated, as reported by Law360, that the agency “seems intent on doing great damage to the interworking of the Internet.” Though Chairman Wheeler’s proposal would not affect the privacy practices of websites like “Twitter or Facebook, over which the Federal Trade Commission has authority,” Commissioner O’Rielly stated that the proposal may lead the FTC to impose more onerous requirements on such “edge providers” to correct the imbalance created by the FCC’s regulation of ISPs. In a separate statement, Commissioner O’Rielly further accused Chairman Wheeler of “freelancing on topics like data security and data breach that are not even mentioned in the statute.”

The Commission plans to vote on the proposal at its March 31 meeting. If the proposal is approved, the Commission will issue a notice of proposed rulemaking and open a period for public comment.