On December 2, 2016, the Federal Communications Commission (FCC) published the Broadband Privacy Report and Order which requires broadband Internet Service Providers (ISPs) to protect users’ privacy.
The rules implement the privacy requirements of Section 222 of the Communications Act for broadband ISPs, and aim at giving broadband customers more control over the use of their personal information.
The scope of the rules is limited to broadband service providers and other telecommunications carriers.
The rules separate the use of information into three categories and include guidance for both ISPs and customers about transparency and security requirements for personal information:
- Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. Information considered sensitive includes precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.
- Opt-out: ISPs are allowed to use non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and its use would be subject to opt-out consent.
- Exceptions to consent requirements: customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection.
In addition, the rules require:
- clear, conspicuous and persistent notice from ISPs to customers about the information they collect, how it may be used and with whom it may be shared;
- reasonable data security practices, implementing relevant industry best practices and robust authentication tools, as well as proper data disposal;
- data breach notification requirements to give consumers and law enforcement notice of failure to protect such information.
The FCC’s Order was published in the Federal Register, triggering a 30-day deadline for petitions for reconsideration. Among the provisions that will take effect over the next few months, particularly significant are the following:
- the prohibition on conditioning the provision of Broadband Internet Access Service (“BIAS”) upon a customer’s agreement to waive privacy rights, which will take effect on January 1, 2017; and
- several new data security requirements, which will take effect on March 2, 2017.
More information is available at https://www.fcc.gov…
For more information, Francesca Giannoni-Crystal.