Privacy & Information Security Law Blog

This post has been updated. 

On October 27, 2016, the Federal Communications Commission (“FCC”) announced the adoption of rules that require broadband Internet Service Providers (“ISPs”) to take steps to protect consumer privacy (the “Rules”). According to the FCC’s press release, the Rules are intended to “ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.” 

The Rules require ISPs to obtain customer consent for the use and disclosure of customer information as follows:

• Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information, including precise geolocation data, financial information, health information, children’s information, Social Security numbers, web browsing history, app usage history and the content of communications.
• Opt-out: ISPs may use and share non-sensitive customer information unless a customer “opts-out.” All other individually identifiable customer information (e.g., email address or service tier information) is considered non-sensitive and the use and sharing of such information is subject to opt-out consent.
• Exceptions to consent requirements: Customer consent is inferred for certain purposes, including the provision of broadband service or billing and collection. For the use of this type of information, the Rules do not require additional customer consent beyond the establishment of the customer-ISP relationship.

The Rules also:

• Require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences.
• Require broadband providers to engage in reasonable data security practices. To that end, the Rules provide guidelines on steps ISPs should consider taking to protect customer data, including (1) implementing relevant industry best practices, (2) providing appropriate oversight of security practices, (3) implementing robust customer authentication tools, and (4) properly disposing of data.
• Impose data breach notification requirements as follows: In the event that an ISP determines that unauthorized disclosure of a customer’s personal information has occurred, unless the ISP determines that no harm is reasonably likely to occur, the ISP must notify (1) affected customers no later than 30 days after the determination has been made; (2) if the breach affected 5,000 or more customers: the FCC, FBI and U.S. Secret Service, no later than seven business days after the determination has been made; and (3) the FCC at the same time customers are notified if the breach affected fewer than 5,000 customers.
• Prohibit “take-it-or-leave-it” offers, meaning that an ISP cannot refuse to serve customers who do not consent to the use and sharing of their information for commercial purposes.

According to the FCC’s press release, the Rules do not apply to the privacy practices of websites and other “edge services” over which the FTC has authority. In addition, the scope of the Rules does not include other services of broadband providers, such as the operation of social media websites, or issues such as government surveillance, encryption or law enforcement.

Next Steps

According to the FCC’s press release:

• the requirements related to Notice and Choice will become effective approximately 12 months after publication of the summary of the Order in the Federal Register. Small providers will have an additional 12 months to comply;
• the data security requirements will go into effect 90 days after publication of the summary of the Order in the Federal Register; and
• the data breach notification requirements will become effective approximately six months after publication of the summary of the Order in the Federal Register.

UPDATE: On November 2, 2016, the FCC released the full text of the rules.