Broadband Privacy Rules Published, FCC Stakes Out Role as Privacy Cop
On December 2, 2016, the FCC’s Broadband Privacy Report and Order (“Order”) was published in the Federal Register, triggering the 30-day deadline for petitions for reconsideration, and the effective dates for certain new requirements adopted in the Order, as we discuss below. In addition, petitions for review in a court of appeals may be filed within 60 days. The Republican Commissioners in dissenting statements and in public comments have criticized the Commission for applying “asymmetric regulation”, since the new rules regulate the privacy practices of broadband providers but do not regulate similar practices of edge providers. In many respects, the Order follows the traditional sector approach applied by the FTC and other federal agencies in protecting sensitive personal information that is protected under specific federal statutes, such as financial and health information. The Order, however, expands upon these prior privacy approaches to extend heightened privacy protection to web browsing and mobile application usage history collected by broadband providers, which was previously outside the scope of protection.
Certain of the new privacy rules take effect in the next several months, including:
- The prohibition on conditioning the provision of Broadband Internet Access Service (“BIAS”) upon a customer’s agreement to waive privacy rights, which will take effect on January 1, 2017; and
- New data security requirements, which will take effect on March 2, 2017
Other aspects of the new rules, including the Order’s notice and consumer choice rules and breach notification procedures, will require Office of Management and Budget approval under the Paperwork Reduction Act. This may provide opponents of the new rules an early opportunity to get the ear of the new Administration, and to challenge their effectiveness outside the FCC, though it is widely expected that parties will seek reconsideration before the Commission or pursue a court challenge to the rules.
Who Must Abide by the New Privacy Framework?
The privacy framework applies to a newly adopted definition of “telecommunications carrier” for the purposes of the new rules that includes: (1) all telecommunications carriers providing telecommunications services subject to Title II, including BIAS providers; and (2) interconnected VoIP providers. The rules do not govern non-telecommunications services, such as edge services that BIAS providers may offer, including email, websites, cloud storage services, social media sites, music streaming services, and video streaming services.
Who is Protected under the New Rules?
For the purposes of the new rules, the Commission broadly defines “customer” as either a current or former subscriber to a telecommunication service, or an applicant for a telecommunications service. In addition, all activity on an account is considered attributable to the holder of the account. Thus, the activity of any user on a subscriber account (e.g., a household member or guest) is attributable to the subscriber.
What Types of Information Do the New Rules Cover?
The new rules cover customer proprietary information (“customer PI”) which includes individually identifiable customer proprietary network information (“CNPI”), personally identifiable information (“PII”), and the content of communications.
Customer Proprietary Network Information
With regard to CPNI, the Commission adopted the statutory definition of CPNI in 47 U.S.C. § 222(h)(1) for all telecommunications services, including BIAS.
(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier; except that [CPNI] does not include subscriber list information.
The Commission acknowledged that Section 222(h)(1)(B) of the definition is not relevant to BIAS, since it focuses on telephone exchange and telephone toll services. In interpreting the application of Section 222(h)(1)(A) to BIAS, the Commission broadly interpreted the phrase “made available to the carrier by the customer solely by virtue of the carrier-customer relationship” to include any CPNI information that the BIAS provider collects or accesses in connection with its provision of BIAS, including any information that may also be available to other entities. In addition, consistent with the Commission’s 2013 CPNI Declaratory Ruling, the Commission concluded that information that a BIAS provider causes to be collected or stored on a customer’s device, including customer premises equipment (CPE) and mobile devices, also meets the statutory definition of CPNI.
As it has done in the past, the Commission declined to provide an exhaustive list of all items that could be considered CPNI, but rather provided a representative list of information that the Commission would consider CPNI in the BIAS context, which are related to the “quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service”:
- Broadband Service Plans -- Plans detailing subscription information, including: type of service (e.g., fixed or mobile; cable or fiber; prepaid or term contract), speed, pricing and capacity (e.g., data caps).
- Geo-location information -- Information regarding the physical or geographical location of a customer or customer’s device(s), regardless of how the information is obtained. Examples include: GPS, service address, identification of nearby Wi-Fi networks, nearby cell towers, and radio-frequency beacons.
- Media Access Control (“MAC”) Addresses and Other Device Identifiers
- IP Addresses and Domain Name Information -- Includes source and destination IP addresses and dynamic IP addresses.
- Traffic Statistics -- Includes short-term measurements (e.g., packet sizes and spacing) and long-term measurements (e.g., monthly data consumption, average speed, or frequency of contact with particular domains and IP addresses).
- Port Information
- Application Header -- Includes any information that a BIAS provider places into the application header, e.g., a unique identifier header.
- Application Usage -- Information detailing a customer’s use of applications
- Application Payload -- Examples include: body of a webpage, text of an email or instant message, video shared by streaming service, audiovisual stream in a video chat, or maps served by a ride-sharing app.
- Customer Premises Equipment and other Customer Device Information -- Includes any device capable of being connected to broadband services, such as smartphones and tablets, regardless of whether the device was provided by the BIAS provider and traditional CPE.
Customer Proprietary Information (Customer PI)
Section 222(a) of the Communications Act requires telecommunications carriers “to protect the confidentiality of proprietary information of, and relating to, … customers.” Building on an approach to privacy under Section 222 first enunciated in a 2014 Notice of Apparent Liability against Lifeline telecom providers TerraCom and YourTel (which was later resolved through a consent decree), the Commission, over the strenuous objections of Republican Commissioners O’Reilly and Pai, broadly interprets the protections of “proprietary information” under Section 222(a) as extending in scope beyond traditional CPNI to all “information that BIAS providers and other telecommunications carriers acquire in connection with their provision of service, which customers have an interest in protecting from disclosure.” The Commission has named this information, Customer PI. Customer PI includes: (1) individually identifiable CPNI, (2) personally identifiable information (PII), and (3) the content of communications.
The Commission defines PII as “any information that is linked or reasonably linked to an individual or device.” Information is considered “linked” or “reasonably linkable” if it can “reasonably be used on its own, in context, or in combination to identify an individual or device, or to logically associate with other information about a specific individual or device.” Notably, PII includes information that is linked or reasonably linked to not only an individual, but also to a customer device. Examples of PII include, but are not limited to: name, Social Security Number, date of birth, mother’s maiden name; government-issued identifiers (e.g., driver’s license number); physical address; email address or other online contact information; phone numbers; MAC addresses or other unique device identifiers; IP addresses; and persistent online or unique advertising identifiers.
In addition to PII and CPNI, the Commission also includes the content of communications as customer PI, which the Commission defines as “any part of the substance, purpose, or meaning of a communication.” The definition does not distinguish between inbound communications and outbound communications. Content includes:
- the application payload of an IP packet, e.g., text of an email or instant message, streaming video content, audiovisual content from a video chat, and maps from a ride share app.;
- an application header;
- application usage information;
- “communications on social media”;
- “search terms”;
- “web site comments”;
- “items in shopping carts”;
- “inputs on web-based forms”;
- “consumers’ documents, photos, videos, books read, and movies watched”
What is the Process for De-Identifying Data?
Information that would otherwise be customer PI (PII, individually identifiable CPNI or content) can be de-identified data so that it is not reasonably linked to an individual or device. In order to de-identify customer PI, a carrier must meet a three-part test in which the carrier: “(1) determines that information is not reasonably linkable to an individual or device; (2) publicly commits to maintain and use the data in a non-individually identifiable fashion and to not attempt to re-identify the data; and (3) contractually prohibits any entity to which it discloses or permits access to the de-identified data from attempting to re-identify the data.” The Commission will evaluate compliance with this test on a case-by-case basis.
What are the Commission’s New Notice Requirements?
With the exception of those privacy policies qualifying for a future safe harbor, privacy policies must: (1) inform customers about the collection and use of confidential information and under what circumstances such information will be shared with affiliates and third parties (described not individually, but listed in categories); (2) inform a customer, in a clear and conspicuous manner, about the right to opt in to or out of the use or sharing of their confidential information; (3) be presented to customers at the point of sale prior to the purchase of service and consistently available and be accessible on provider websites, apps and their equivalent; and (4) give customers advance notice of material changes to privacy policies. The Commission declined to require provision of notice on an annual or bi-annual basis.
As a result of the new notice requirement requiring prior notice of material changes and the requirement that policies be made consistently available, the Order eliminates the requirements that reminder notices of privacy practices be re-sent to customers every 2 years that the customer “has a right, and the carrier has a duty, under federal law, to protect the confidentiality of CPNI.” Likewise, the Commission eliminated the requirement that emails containing notices of material changes contain specific subject lines.
Opt-In Approval Required for Sensitive Customer PI
Providers must receive express informed consent (i.e., opt-in approval) from customers for use and sharing of sensitive customer PI, including:
- precise geo-location,
- health information,
- financial information,
- children’s information,
- Social Security numbers,
- content, and
- Web browsing and application usage histories and their functional equivalents.
For voice providers, call detail information, which has traditionally been CPNI, is also considered sensitive customer PI. Providers must also provide customers with an “easy-to-use, persistent mechanism” to modify their choices. To the extent that carriers need to use and share information to fulfill their obligations under the Communications Act (i.e., complying with law enforcement or regulatory obligations), a carrier will be permitted to use/share such information. The new rules also require that a carrier must get customer opt-in consent for any material retroactive changes to the use or sharing of both sensitive and non-sensitive information.
Opt-Out Approval Only for Non-Sensitive PI
Carriers must obtain the customer’s opt-out approval, i.e., by means of a solicitation, to use, disclose, or permit access to non-sensitive customer PI. If a customer does not object to a request for consent involving the use of non-sensitive customer PI, the customer will be considered to have consented to such use. Unlike the prior CPNI rules, the new opt-out rules will not require a thirty-day waiting period prior to the opt-out taking effect.
What are the Exceptions to Customer Approval Requirements?
Additional customer consent is not required for a carrier to use and share customer PI in order to provide the telecommunications service from which the information is derived. Carriers may use and share customer PI to: (1) initiate, render, bill and collect for telecommunications services; (2) protect the rights or property of the carrier, or to protect users and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, telecommunications services; (3) provide inbound telemarketing, referral, or administrative services to the customer for the duration of the call; and (4) provide customer location information and non-sensitive customer PI in specified emergency situations. The specified emergency situations include: (1) providing customer PI in response to a customer’s emergency call for information; (2) request from a user’s legal guardian or immediate family member, in an emergency situation that involves risk of death or serious physical harm; and (3) providing customer PI to providers of information or database management services solely for the purpose of assisting in emergency services in the case of emergency.
What are the Requirements for Solicitation of Customer Opt-Out and Opt-In Approval?
Carriers must solicit approval at the point of sale and may seek further solicitations at any time after the point of sale. The Commission declined to mandate a specific format for the solicitations, however, the solicitation must clearly and conspicuously inform customers of the types of customer PI involved. The solicitation must be translated into another language if business transactions are conducted in that language.
Carriers must provide a “choice mechanism” for customers to use to opt-in or opt-out, as required, that is easy to use, clear and available at no additional cost to the customer. Examples of a choice mechanism include a website link, email address, or toll-free number. The choice mechanism must always be available to the customer.
How quickly must a customer’s choice be placed in effect?
The Commission did not specify a precise deadline for making a customer’s opt-in/opt-out request effective, but simply states that a carrier must “promptly” place the customer’s request into effect and that choice must remain in effect until changed by the customer.
Is there still a record-keeping and annual certification requirement?
One notable modification to the existing CPNI requirements is that the Commission has eliminated the recordkeeping and annual certification requirements from Section 64.2009 of its Rules that had previously been required. The annual certification requirement, in particular, had been the source of significant enforcement activity over the years, where carriers that had registered as carriers but did not submit the CPNI annual certification, were subject to significant enforcement penalties.
What are the new data security requirements?
The Commission adopted a new affirmative data security obligation –its first- requiring carriers to take “reasonable measures” to protect customer PI from unauthorized use, disclosure, or access. In order to comply with the rule, a carrier must adopt security practices that account for “the nature and scope of its activities, the sensitivity of the underlying data, the size of the provider, and the technical feasibility.” While this rule is intended to provide carriers with flexibility in developing data security measures that work for their company and process, the Commission emphasizes that it will evaluate those measures based on best practices and encourages carriers to keep “in the know” about updated practices.
The Commission will consider the following as indicia of reasonable data security practices:
- Staying up-to-date on industry best practices
- Developing a written comprehensive data security program
- Designation of a senior management official or officials with personal responsibility and accountability for implementation and maintenance of data security and privacy practices.
- Training of employees and contractors on proper handling of customer PI.
- Ensuring accountability and oversight in contracting with third parties that have access to customer PI.
- Strong customer authentication practices, including customer notification of account changes and attempted account changes.
- Data minimization, i.e., minimizing the amount of data collected, the length of time it is retained and how it is disposed.
- Data encryption
- Lawful sharing of data on cyber incidents and threats
The Commission cautions that while the above practices are indicative of reasonable data security practices, a carrier could still fail to fulfill its data security obligations if it engages in these reasonable practices. In other words, compliance with these reasonable data security practices does not in and of itself constitute a safe harbor. Similarly, in the Commission’s view, a carrier could fulfill its data obligations without implementing any of the above practices.
What are the new data breach notification requirements?
Under the new rules, carriers are required to notify customers affected by a data breach (including a data breach involving a carrier’s vendors and contractors), along with the FCC, the FBI and Secret Service, unless the provider reasonably determines that no harm to customers is likely to occur.
The Commission-established “harm-based trigger” for breach notification requires that if harm to customers is reasonably likely to occur as a result of a data breach, the customer must be notified. The Order establishes a rebuttable presumption that any data breach involving sensitive customer PI is presumed to pose a reasonable likelihood of customer harm and therefore requires customer notification without any room for interpretation. If the carrier is uncertain whether a breach as to non-sensitive customer PI will cause harm to customers, the obligation could still be triggered, since there is at least a potential for harm. The scope of what constitutes harm to customers for purposes of the trigger includes: “financial, physical and emotional harm” and includes breaches of data in an encrypted form. The Commission further clarified that the harm-based notification trigger also applies to breaches involving encrypted data.
Who must be notified of a data breach?
Under the new rules, the Commission must be notified of any breach that satisfies the harm-based trigger. If the breach affects 5,000 or more customers, the Commission, the FBI and the Secret Service must be notified within seven (7) business days of when the carrier “reasonably determines” that there has been a breach and at least three (3) business days prior to notifying customers. If the breach affects less than 5,000 customers, a carrier must notify the Commission without unreasonable delay and no later than thirty (30) calendar days after the carrier has reasonably determined that there has been a breach. In all instances breach notification is only required in instances where the breach meets the harm-based trigger. The time period for notification runs from the time that a carrier has information indicating that a breach has occurred. The Commission plans to establish a centralized portal for reporting breaches which should standardize the reporting process.
Customers must be notified of any breaches satisfying the harm-based trigger no later than 30 calendar days following the carrier’s reasonable determination that a breach has occurred, unless the carrier is asked by the FBI or Secret Service to withhold the notification. The breach notification must include the following information:
- The date, estimated date, or estimated date range of the breach;
- A description of the customer PI that was used, disclosed, or accessed, or reasonably believed to have been used, disclosed, or accessed, by a person without authorization or exceeding authorization as a part of the breach of security;
- Contact information for customer questions about the breach and information about customer PI maintained by the carrier;
- Contact information for the FCC and any relevant state regulatory agencies;
- In cases of risk of financial harm, information about national credit-reporting agencies and the steps a customer can take to guard against identity theft, including: credit monitoring, credit reporting, or credit freezes the telecommunications carrier is offering customers affected by the breach of security.
What records need to be maintained?
Carriers must keep records of the dates on which they determine that a reportable breach has occurred and the dates customers are notified. In addition, written copies of all customer notifications should be retained.
Can a customer be required to consent to share customer PI as a condition to receiving service?
The new rules prohibit BIAS providers from making the provision of broadband service contingent on consent to use of share a customer’s PI. Likewise, BIAS providers may not terminate service or refuse to provide service if a customer refuses to waive its rights not to opt in or opt out of the use of the use of its customer.
Can providers offer a customer financial incentives in exchange for use of their customer PI?
A BIAS provider may use “financial incentives”, such as a discount on monthly service as an incentive for customer consent to use, disclose, and/or access to customer PI. To do so, the provider must give clear and conspicuous notice of the terms of the program and obtain customer opt-in consent. The notice must inform the customer of what information the provider plans to collect, how it will be used, the type of entities it will be shared with and for what purposes. The notice must be given at the time the program is offered and at the time a customer chooses to participate in the program. The notification for any financial incentive program must be separate from other privacy notifications.
What enterprise customers are exempt from the new rules?
Carriers that contract with enterprise customers for telecommunications services other than BIAS are exempt from the need to comply with the new privacy and data security rules, so long as the carrier’s customer agreement specifically addresses the transparency, choice, data security, and data breach requirements of the new rules, and provides the customer with a mechanism for discussing privacy and data security concerns.
What are the implementation dates for the new rules?
Notice and Choice Rules – 47 C.F.R. §§ 64.2003-64.2005
The notice and choice rules will become effective the later of (1) Paperwork Reduction Act (PRA) approval, or (2) December 2, 2017, i.e., twelve months from the date the Order was published in the Federal Register. Small providers (BIAS providers with 100,000 or fewer broadband connections and voice providers with 100,000 or fewer subscriber lines as reported on the most recent Form 477) will have an additional twelve months to implement the notice and choice rules. After PRA approval, the Wireline Competition Bureau will release a public notice of the notice and choice rules, indicating that the rules are effective, and giving carriers a time period to come into compliance with the rules that is the later of (1) eight weeks from the date of the public notice, or (2) December 2, 2017.
Breach Notification Procedures – 47 C.F.R. § 64.2008
The data breach notification rule will become effective the later of (1) PRA approval, or (2) June 2, 2017, i.e. six months from publication of the Order in the Federal Register. The Wireline Competition Bureau is directed to issue a public notice after PRA approval of the rule, indicating its effective date and mandating compliance, the later of (1) eight weeks from the public notice, or (2) by June 2, 2017.
Data Security – 47 C.F.R. § 64.2007
The data security requirements will be effective on March 2, 2017.
Prohibition on Conditioning BIAS on Customer Agreement to Waive Privacy Rights – 47 C.F.R. § 64.2011(a)
The prohibition will be effective on January 1, 2017.
Will customer consent received prior to implementation of the new rules be valid after the effective date of the new rules?
If a carrier obtains customer consent prior to the effective date of the new rules that is consistent with the requirements of the new rules, such consent will be considered valid for purposes of the new rules.
Are state privacy laws preempted?
The Commission will preempt state privacy laws to the extent that they are inconsistent with the newly adopted rules. To the extent that a carrier may face separate state and federal requirements for customer breach notification, a carrier may propose a waiver from the Commission that will allow it to send a single notification.