On October 27, 2016, the FCC released rules to “empower consumers to decide how data are used and shared by broadband providers.” In the order, the FCC defines information protected under Section 222 for telecommunications carriers as “customer proprietary information (customer PI)”, which includes the following: (1) individually identifiable Customer Proprietary Network Information (CPNI), (2) personally identifiable information (PII), and (3) content of communications. The FCC also adopts and explains its multi-part approach to determining whether data has been properly de-identified and is therefore not subject to the customer choice regime the FCC adopted for customer PI. Many of the rules are modeled after FTC best practices and the White House Administration’s Consumer Privacy Bill of Rights.
The FCC then adopts privacy rules focusing on three core concepts – transparency, choice, and data security – while providing heightened protection for “sensitive customer information”, including: financial information, health information, Social Security numbers, precise geo-location information, information pertaining to children, content of communications, web browsing history, application usage history, and the functional equivalents of web browsing history or application usage history. The transparency rules require providers to furnish comprehensive privacy notices addressing specified topics (e.g., collection, use, sharing, etc.), inform customers about their rights to opt in or opt out, present notices at the point of sale, make them persistently available and accessible, and give advance notice of material changes to privacy policies. The choice rules give customers of BIAS and other telecommunications services tools to make choices about the use and sharing of customer PI, adopting a tiered approach to choice by reference to consumer exceptions and context. The data security rules encourage data minimization strategies and privacy by design. To the extent carriers collect and maintain customer PI, the FCC requires reasonable measures to secure customer PI, appropriately calibrated to a number of factors (e.g., nature and scope of activities, sensitivity of data, size of provider, technical feasibility, etc.). The FCC also adopts data breach notification requirements covering various entities (e.g., FBI, Secret Service, FCC, etc.) as well as customers, with different notification requirements depending on whether the breach impacts 5,000 or more customers.
The FCC prohibits offerings of broadband services contingent on surrendering privacy rights, and also adopts heightened disclosure and affirmative consent requirements for BIAS providers (but not voice providers) that may offer incentives (e.g., lower monthly payments) in exchange for the right to use customers’ confidential information. Some limited exemptions apply with respect to contracts between carriers and enterprise customers for telecommunications services other than BIAS, if certain provisions are contained in such contracts. Even if exemptions do apply, carriers will continue to be subject to the statutory requirements of Section 222. The FCC further intends to preempt state privacy laws (including data security and breach laws) only to the extent they are inconsistent with its rules. Finally, the FCC sets out a schedule of effective dates and implementation deadlines for an “orderly transition”, providing additional time for small carriers to make the necessary changes to their practices.
To view the FCC order, click here. You may also view the FCC’s news release and fact sheet.