New FCC Privacy Order for Broadband Service Providers

On October 27, 2016, the FCC, under the leadership of Chairman Wheeler, stepped into protecting internet privacy in a big way. The new FCC privacy order, passed 3 to 2 along party lines, is controversial: broadband providers and advertisers regard it as unnecessary, overreaching, and a source of regulatory confusion. However, this is the year of privacy and cybersecurity. Users, from the top to the bottom, have come to expect limited privacy, to have their data hacked by bad guys, and to have their personal web search history known by providers and web sites. Lengthy privacy notices are quickly agreed to. Internet users, basically all U.S. adults, know that, by living online on their iPads and looking down at their mobile phones, they are giving up what U.S. society thought privacy was when there was just the telephone. The FCC is attempting to address this loss of internet privacy for the firms it has authority to regulate, the broadband service providers.

A New York Times article by Farhad Manjoo (10/19/16) says it all: “Whoever Wins the White House, This Year’s Big Loser is Email.” With the hacking of the Clinton email servers, a cybersecurity issue, and the constant reporting of the loss of personal and financial data, even from government servers, again a hacking issue, privacy demands have come to the forefront. The EU has become far more aggressive than the U.S. with privacy protection, requiring, for example, opt-in cookie notifications for every web site. The FCC may be seeking to give users more mandated protection, like the EU has done. While some broadband providers have voluntarily enacted pro-consumer privacy policies, the FCC order will now mandate the policies for all broadband providers.

The new FCC order regulates privacy practices of broadband internet service providers only, carving out non-broadband providers, or “web” and social media companies like Facebook or Google, which the FTC (Federal Trade Commission) regulates. Broadband providers are those firms connecting users to the Internet at the edge, as opposed to web sites, which are accessed through the connection of the customer’s broadband provider. Wheeler's concern has been that broadband providers, which are now more tightly regulated under rigorous Chapter 47 Title II regulation through the highly controversial Network Neutrality order a/k/a Open Internet Order, would require customers to pay higher fees in exchange for limiting privacy. The underlying technical difference between broadband providers and web sites is that the broadband providers connect customers to the internet web sites. That internet connection, through cable, DSL, or mobile phones, gives providers access to users’ information not freely available to web companies. Two simple examples of the type of information always available to the broadband provider but not to a web site or app company are precise geo-location data and the unique address of every web page visited by the user. The FCC has regulated privacy on a limited basis in the past. The FCC requires telecommunications firms (think voice service) to keep customer data confidential. These FCC CPNI rules (Customer Proprietary Network Information) included basic information like a number called by the customer and when it was called. The FCC privacy order is now expanding its Internet privacy rules far beyond the telephone CPNI rules.

The new FCC rules give customers “opt-in” and “opt-out” rights with respect to their broadband providers, limiting or expanding, as authorized by the customers, the providers’ ability to make commercial use of the customers’ private, personal information. When signing up for broadband service, the FCC rule will give the user the privacy right to “opt-in” to a technical process that will allow their broadband provider to use and share with third parties the customer’s sensitive information like precise GPS location, web browsing history, and app usage. Customers of broadband service providers will also have the right to “opt-out” from their broadband providers’ practice of using and sharing with third parties non-sensitive information like the customers’ email addresses. Moreover, broadband service providers will now be required to provide easy-to-understand, “transparent” notices to their customers stating what information is being collected and how that information may be used or shared with third parties. The FCC order will mandate privacy protection practices, addressing the cyber security hacking problems, requiring broadband providers to use reasonable data security practices and to implement best practices consistent with the FTC’s rules and the President’s 2015 “Consumer Privacy Bill of Rights.” If a broadband service provider is hacked, these policies could arguably protect the broadband provider against liability if the provider is shown to have been implementing the reasonable security practices.

The FCC’s privacy order also imposes a “common-sense data breach notification” requirement for broadband providers to give consumers and law enforcement notice of breaches. These types of notices for web sites in the U.S. vary based on differing state regulations (Massachusetts and California, for example, have the most comprehensive privacy protection and notice requirements) or different vertical, industry-specific statutes such as HIPAA/HITECH for healthcare related services and Frank-Dodd for financial related services. One advantage of the regulation for broadband providers is that they will be subject to one national set of privacy and cybersecurity rules and that potentially different state regulation of the broadband providers’ privacy and cybersecurity notice practices will be pre-empted by the FCC.

Arguments against the privacy order articulated by the two Republican commissioners and by broadband service providers and on-line advertisers contend that: a) the FTC has already regulated privacy of web companies, b) the FCC’s new opt-in privacy rule for broadband providers will be confusing to consumers, c) the order would treat internet providers differently than web companies like Google or AOL, favoring Google type companies over broadband service providers, d) the order went too far in protecting certain non-sensitive consumer information like names, addresses, and phone numbers, and e) as in the lengthy dissent argument set forth in the Network Neutrality decision, the FCC failed to follow the basic comment-period and evidence-gathering requirements needed to comply with administrative law as provided in Chevron v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984). Based on the comments provided by the broadband providers and advertising associations opposing the new privacy order, it is likely that the order will be challenged and appealed.

See more of Barlow Keener's articles at TMCNet

This blog/Web site is made available by the contributing lawyers or law firm publisher solely for educational purposes to provide general information about general legal principles and not to provide specific legal advice applicable to any particular circumstance. By using this blog/Web site, you understand that there is no attorney client relationship intended or formed between you and the blog/Web site publisher or any contributing lawyer. The blog/Web site should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

The FCC Hacks into Mobile Privacy, March 2016
By Barlow Keener, Attorney, Keener Law Group, CIPP (Privacy)/US Certified
 
The whole world of tech pundits, tweets, blogs, and news reports focuses on the current privacy crisis. Not a day goes by without data privacy problems rising to the top of Google News. Hackers regularly break into any large company and steal terabits of customer data. And web firms are regularly accused of using customer data improperly without customer consent or knowledge. Web firms all have privacy terms and are held strictly accountable for following their own agreed upon standards. Germany recently initiated a proceeding against Facebook linking antitrust to alleged privacy abuses.

In the U.S., the Federal Trade Commission has been the entity most responsible for carrying out vigorous privacy investigations against web firms like Google or Facebook. But still, a strongly held view by privacy advocates is that the U.S. has lagged behind other countries when it comes to protecting privacy rights involving communications carriers. This is because of a gap in the law limiting the authority of the FTC for regulating common carriers and giving authority to the FCC.

At the end of March 2016, after several years of study and consideration, the FCC announced it will issue a notice of proposed rule making delivering new privacy rules for common carriers. Common carriers include mobile carriers, which are the concern of most privacy advocates and whose devices indeed contain more privacy data than any other computer we use. The Telecommunications Act of 1996 gave the FCC the authority to issue regulations to protect the privacy of common carrier customers. In 1999, the FCC issued the first orders covering CPNI, or customer proprietary network information. The CPNI rules have been amended over the years. There are no opt-in or opt-out requirements, only accessibility requirements. Carriers can use the CPNI for any use as long as the privacy of the data is maintained. CPNI has traditionally included information like phone numbers; also included is all information “made available to the carrier by the customer solely by virtue of the carrier-customer relationship.”

The idea that a mobile phone device connected by a carrier would contain so much very personal information was unimaginable 15 years ago. Mobile device information available to mobile carriers includes all the data typically passed by an Internet service provider, both encrypted and unencrypted. But the data generated also includes GPS location, Wi-Fi access points, device motion, video, photos, texts, audio files, notes, and massive amounts of data generated by apps on the device. When the Verizon supercookie tracking issue arose last year, FCC Chairman Tom Wheeler committed to Congress to investigate the particular issue. Wheeler told Congress:

“that ensuring the privacy and security of sensitive personal information about consumers' use of communications services is of utmost importance. As you suggest, we will be considering the extent to which our rules and policies relating to consumer privacy, data security, and transparency may be implicated.”

Now, a year later, the FCC is taking action. The FCC delivered what it called a fact sheet of the proposed rules that would be included in the NPRM. The NPRM will be presented for a vote at the full commission’s March 31, 2016, meeting, followed by a period for public comment. There are three basic permission categories addressed:

• Initial Sale: Data needed for providing and marketing broadband requires customer consent beyond creating the customer-broadband relationship.

• Opt-Out: Broadband providers must give the customer the ability to opt-out from allowing the provider to use the data to market other communications-related services and to share customer data with their affiliates that provide communications-related services.

• Opt-In: Broadband providers must receive the customer’s pro-active opt-in consent for all other uses of the customer’s data and for sharing the data

Carriers will be required to implement risk management practices for protecting information from hackers, beef up customer authentication, institute privacy training, appoint a senior manager for privacy issues, and take responsibility – which means liability – for the use and protection of the data by third parties. Also included are time limits for notifying customers of a data breach – 10 days – and notifying the FCC seven days from discovery. The FCC’s NPRM will not prohibit the mobile carriers from using customer data. However, it will give customers control over whether the data will be used by third parties. 

The FCC’s proposal imposing privacy requirements on mobile carriers is inevitable. Courts, agencies, and legislators around the globe are quickly closing in on all entities to protect privacy. U.S. mobile carriers, and wired common carriers, will now be required by the FCC to implement privacy policies very similar to those imposed on web firms like Google, Facebook, WhatsApp, Snapchat, and Instagram.
