On March 10, Tom Wheeler, chairman of the Federal Communications Commission, submitted to the FCC a proposal for the adoption of new privacy rules applicable to broadband Internet service providers.
As Wheeler stated in a blog post published on the Huffington Post on the same day the proposal was announced, these new privacy rules are meant to "empower consumers" by helping them gain increased control over the personal data they share with their ISPs. The rules are based on three core principles: choice, transparency and security.
Under the proposed rules, ISPs would still be allowed to collect customer data to deliver their services to consumers but their sharing of such data with affiliates or third parties for marketing or promotional purposes would be more restricted. ISPs could continue sharing customer online activity data for marketing or promotional purposes with their affiliates, but only if such affiliates provide communication-related services and if the customer does not opt out of this sharing. In all other circumstances, ISPs would be prohibited from sharing customer data with third parties for promotional or marketing purposes, unless they obtain the customer's "opt in," i.e., the customer's express, affirmative consent.
The proposals also refer to specific breach notification requirements, which will require ISPs to notify: (1) affected customers of a breach of data no later than 10 days after discovery; (2) the FCC of any breach no later than seven days after discovery; and (3) the FBI and the U.S. Secret Services in case of breaches affecting more than 5,000 customers no later than seven days after discovery of the breach. It is unclear whether there will be a minimum threshold of number of individuals affected by the breach before notifications are required.
Finally, with regard to security requirements, the new rules would mean that ISPs would need to adopt certain security measures to protect customer data. Details for these security measures are not specified but will include "(1) taking reasonable steps to protect data from unauthorized use or disclosure and (2) adopting risk management practices with respect to customer data."
This increased protection of consumers' online activity against ISPs seems to be based on the rationale that ISPs have a unique position compared with other providers of online services such as Twitter or Facebook, as unlike those services or applications, which consumers can immediately stop using at any time, consumers are more tied into their relationship with ISPs and cannot easily avoid or replace the network they are using. Wheeler pointed out that this type of regulation has been in place to protect phone data for years: "The information collected by the phone company about your telephone usage has long been protected information. Regulations of the (FCC) limit your phone company's ability to repurpose and resell what it learns about your phone activity."
Aside from this unbalanced relationship, ISPs' have unique access to extensive areas of a consumer's online activity data. According to the proposal, when activity is unencrypted, an ISP can see exactly which website and applications a consumer uses. Even when encrypted, an ISP can still see the websites visited, how often and for how long. In particular, there is a concern regarding the ISPs' ability to uncover sensitive "private information such as a chronic medical condition or financial problems" by piecing together online activity. There also seems to be a perception that consumers may expect an application or website to be tracking its use, but not its network provider.
It is clear that only ISPs, such as Verizon Wireless or Comcast, are subject to these new proposed rules. However, ISP affiliates and third-party advertisers who provide marketing or promotional services using customer data obtained from ISPs will also be affected by the proposed ruler. It was made very clear that the tracking of online customer activity by other website or app providers, such as Facebook or Twitter, does not fall within the ambit of this regime.
Certain ISPs have voiced concern over such increased regulation. The day before the proposal was announced, Bob Quinn, senior vice president of Federal Regulatory Affairs for AT&T, stated that there was no basis for treating ISPs to a heightened standard because ISPs are not currently operating in the absence of any privacy regulations. Rather, ISPs are already operating "under the privacy regime (which prohibits deceptive and unfair trade practices)" of the Federal Trade Commission. In addition, Quinn pointed out that singling out ISPs as opposed to other online web or application providers does not necessarily serve consumers because, "consumers expect and deserve consistent privacy protections for their online data, regardless of which company is collecting it and the technology used to collect it."
At its next open meeting on Thursday, the FCC is expected to vote on whether to seek comment from the public on these proposed rules.
Originally published in the Daily Journal on March 28, 2016.