The Federal Communications Commission (FCC) approved proposed new broadband privacy regulations for broadband providers (i.e., Internet service providers, or “ISPs”) on March 31, 2016. The new regulations followed the FCC’s reclassification of broadband as a “utility” (a classification still under scrutiny in litigation), which the FCC believes requires it to create privacy protections for users.
The Collection and Use of Data
Under the new proposed rules, ISPs are not barred from collecting user data, but are now required to clearly disclose to consumers what information is being collected and what is being done with it. Additionally, the new rules restrict the ability of ISPs to use and share the collected information. For example, ISPs must allow consumers to opt out of their data collection programs. ISPs cannot use or share consumer data, such as browsing history and physical location, without first obtaining an affirmative opt-in agreement from a subscriber. Even if a subscriber opts in, the ISP must also inform the subscriber how their data is being used or shared.
Data Security Provisions
The new proposed rules also establish a general data security framework. Under the new rules, ISPs will be required to adopt risk management and data security policies and practices. Within days of the discovery of a data breach, ISPs will be required to take action by notifying customers and the FCC. The FBI and Secret Service must also be notified in the event of large breaches.
Disparity Between the FCC and FTC Regulations
A key issue in the industry commentary is the disparity between the FCC’s proposed rules and those of the Federal Trade Commission (FTC), which regulates other types of online entities, including telecom and cable companies. Consumer groups believe the rules should be consistent across the industry, and should protect customer data no matter which company obtains it. Broadband providers say they are merely seeking consistent treatment.
This disparity results from differences in the authority conferred on the two agencies. Compared to the FCC, the FTC’s authority in this area is more limited. The FTC enforces the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce. Pursuant to this authority, the FTC is authorized to monitor and regulate data collection practices, and ensure that companies are following their own privacy policies, but cannot create rules for online privacy. The FCC’s authority to regulate “utilities” is much broader. Provided Congress does not take action to change the scope of these regulators’ authority, the disparity will likely continue.
If you have any questions or would like additional information, please contact a member of the Data Privacy & Information Security Practice at Ulmer & Berne LLP.