Get updates by email

Select Specific Blog Updates

Paul Zimmerman

Photo of M&R Blog

FCC Approves New Privacy Rules for Broadband Providers

On October 27, 2016, the Federal Communications Commission (FCC) approved new rules for internet service providers' (ISPs) use and sharing of customer data. By a 3-to-2 vote, the FCC passed regulations requiring broadband providers to obtain express permission from subscribers to gather and give out data on their web browsing, app use, location and financial information.  As we have noted in previous blog posts, the proposed regulations proved to be quite divisive within the media industry, leading to a very volatile public comment period.

The rules are reflective of the FCC’s efforts to apply the Communications Act’s privacy requirements to ISPs (i.e. by reclassifying them as common carriers). These new regulations require providers to obtain affirmative opt-in consent to use and share information labeled as sensitive – including geolocation information, call and text message records, financial data, health information, web browsing and app usage history.

The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:

Opt-in:  ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geolocation, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.

Opt-out:  ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations. 

Exceptions to consent requirements:  Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

In addition, the rules include:

• Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;

• A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with Federal Trade Commission best practices and the Consumer Privacy Bill of Rights.

• Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.

ISPs will have about one year to make the changes required by the new rules. Notably, the broadband providers must notify users of their new privacy options (e.g. via email notification or dialogue boxes on websites). However, the digital advertising industry has been quick to lambast the new rules. “There is no lawful, factual or sound policy basis to justify a discriminatory approach that treats ISPs differently from some of the largest companies in the Internet ecosystem that engage in similar practices,” said NCTA — The Internet & Television Association, an industry trade group. The rules do not apply to the privacy practices of web sites or other “edge services,” and do not cover the ancillary services of a broadband provider, such as a social media website.

There is every reason to believe that the battle over the new FCC rules is far from over, with some industry insiders predicting litigation. The requirement of opt-in provisions has massive implications for the digital advertising industry, and the apparently unequal application of privacy regulations across the media landscape will continue to draw complaints from throughout the sector. M&R will continue to provide updates as this odyssey unfolds.

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.