Paul Zimmerman
pzimmerman@mrllp.com
310.299.5500

FCC Proposes New Privacy Rules for Internet Service Providers

On Thursday, March 10, the Federal Communications Commission (FCC) previewed new broadband privacy rules that would require Internet Service Providers (ISPs) to disclose how customer data is being used, take reasonable steps to protect such information, and notify affected customers within ten days of detecting a data breach. This step follows the FCC’s still-contested vote to declare ISPs a public utility, placing them under tighter regulatory scrutiny. This sets up what promises to be a dynamic dialogue involving consumers, privacy advocates, ISPs and industry associations exploring the scope and workability of potentially inconsistent federal privacy regulations.

The notice of proposed rulemaking released by the FCC represents the regulatory agency’s efforts to apply the privacy rules of the Communications Act (i.e., for telephone networks) to broadband service providers. Or, as Tom Wheeler, FCC Chairman, claims in a blog hosted on Huffington Post: “establishing baseline privacy standards for ISPs is a common sense idea whose time has come.” The full commission will vote to seek comment on the new rules at a March 31 open meeting. If approved, consumers and industry groups alike will have the opportunity to weigh in.

The key provision in the proposed rules would require broadband service providers to obtain affirmative opt-in consent for the use and sharing of data that has not been specifically collected for the purpose of providing communications-related services. As Wheeler explains in his letter, “We recognize that ISPs must necessarily collect and use information you create to provide service. However, consumers deserve to have safeguards in place to ensure that information necessary to run the network is used only for that purpose unless the owner of that information -- the consumer -- agrees otherwise.”

In theory, ISPs have considerable access to the personal information of their customers, including their web-browsing activity. Or, as the FCC said in a fact sheet issued alongside the proposed rules, “An ISP handles all of its customers’ network traffic, which means it has an unobstructed view of all of their unencrypted online activity -- the websites they visit, the applications they use.”

The proposal also calls for comment on questions surrounding how ISPs should obtain consumers' consent, including whether they can charge customers lower fees if they agree to behavioral advertising. Besides the use and disclosure restrictions, the commission's proposal includes "robust and flexible" data security and breach notification requirements for broadband providers. With respect to data security, the proposal would require ISPs to take “reasonable steps” to safeguard customer data from unauthorized use or disclosure. ISPs would be obligated, at a minimum, to adopt risk management practices, institute training practices, adopt strong customer authentication requirements, identify a senior manager responsible for data security and take responsibility for the use and protection of customer information when it is shared with third parties, according to the fact sheet.

The breach reporting requirement, which the commission described as "common-sense," would require providers to notify affected customers of breaches of their data no later than 10 days after discovering the incident and to alert the FCC no later than seven days after discovery.

The FCC’s proposed rules represent the latest in a series of disagreements between the agency and broadband providers such as AT&T, Comcast and Verizon over internet regulations. These companies oppose an approach that subjects them to greater privacy scrutiny than technology companies such as Google, Apple and Facebook, which also gather customer data. Notably, the proposal will not extend to the individual websites a consumer elects to visit, such as Twitter or Facebook, over which the Federal Trade Commission has authority, or to other types of services offered by a broadband provider, such as operation of a social media website.

While the FCC’s proposal certainly highlights the regulatory patchwork of United States privacy rules, it is important to underscore that these rules do not expressly prohibit data collection or responsible information sharing. The FCC boldly declares that “this isn't about prohibition; it's about permission.” This is consistent with both the FCC’s and FTC’s position that responsibly sharing data with marketers, brands and the private sector promotes innovation and creativity, and provides a benefit to the consumer.

While the FCC’s new privacy rules, if implemented, will likely reach the courts, what is clear right now is that all companies that handle consumer data should carefully consider how they are practicing transparency, maintaining consumer trust and safeguarding reasonable privacy expectations. No doubt the best place to start is evaluating privacy policies, terms of use and best practices for handling consumer data.

This article is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.