The Federal Communications Commission(FCC) has adopted new rules which broadband providers must adhere to regarding the privacy of customer data. The FCC has published a press release as well as a fact sheet which explain some of the details of the new rules. The FCC claims authority in this area based on the Communications Act, which requires telecommunications companies to protect the privacy of their customers. The FCC has already implemented rules governing privacy for telephone companies and is now applying the same standard to broadband providers.
The FCC has implemented rules requiring notifications of how ISPs handle customer data. ISPs must tell customers what types of data are collected, the purpose of any data sharing that takes place, and what types of entities the data is shared with. Customers must be informed of the data sharing policy when they sign up for the service, and receive notifications any time the policy is updated. Additionally, the rules require that the policy is “persistently” available either on a website or a mobile app.
The rules distinguish between sensitive data and non-sensitive data. Some of the examples given for sensitive data include precise geolocation data, financial information, social security numbers, browsing history, and the content of communications. Such information can only be shared with third-parties on an opt-in basis and customers must explicitly consent to the sharing. Data like email addresses are considered non-sensitive and can be shared by default, with the opportunity for customers to opt-out. The FCC allows exemptions to the consent requirements for some purposes. For example if sharing data is necessary to provide the broadband service, to bill the customer, or to protect an ISP from fraudulent use of its network.
The rules allow sharing of data outside the consent regime if it is deidentified. The rules state three conditions for this type of data sharing: The data must be altered so it can’t reasonably be linked to a specific person or account, the ISP must publicly commit to using the data in an unidentifiable format, and any parties which the data is shared with must be contractually obligated to not reidentify it.
The rules prohibit ISPs from denying broadband service to people who don’t to consent to the sharing of their data. It also addresses plans which offer discounts or other incentives to users in exchange for allowing ISPs to share their data. The fact sheet states, “The Commission will determine on a case-by-case basis the legitimacy of programs that relate service price to privacy protections. Consumers should not be forced to choose between paying inflated prices and maintaining their privacy.”
The FCC does not set specific rules about security measures that need to be implemented but does offer guidelines which largely focus on following industry best practices. However, it does offer specific rules about informing users of data breaches. Affected customers and the FCC itself must be informed of data breaches which compromise customer data as soon as possible, but no later than 30 days after the breach was discovered. For breaches which exceed 5000 customers, ISPs must inform the FCC, the FBI and the Secret Service within seven business days of the breach being discovered.
The new rules will gradually be brought into force. The data breach notification requirement will come into force in 6 months. The rules which give customer the choice of opting in or out of data sharing and the rules which require notification of the data sharing policy will come into force in 12 months, but small providers will have an additional 12 months to come into compliance.
The FCC is concerned about contracts between ISPs and customers which require mandatory arbitration to settle disputes and prevent customers from filing lawsuits. Although the new rules do not deal with that matter, the FCC will address it in a rulemaking session in February 2017.
Are these rules a necessary step to protect costumer privacy? Should there be more requirements or less? Leave your comments below.