On January 3, several US trade associations and internet service providers (ISPs) submitted petitions requesting that the Federal Communications Commission (FCC) reconsider its broadband privacy rules mandating consumer opt-in before using data for marketing purposes.
Among those groups submitting petitions are the United States Telecom Association, NCTA - Internet and Television Association, Competitive Carriers Association, Association of National Advertisers, American Association of Advertising Agencies, American Advertising Federation, Data & Marketing Association, Interactive Advertising Bureau, and Network Advertising Initiative.
On October 27, 2016, the FCC voted 3-2 along party lines to adopt a Report and Order imposing a set of uniform, comprehensive data security and privacy regulations on all telecommunications carriers, which include broadband internet access service (BIAS) providers, traditional voice providers, providers of other telecom services, and providers of interconnected Voice over Internet Protocol (VoIP) services. On December 2, 2016, a Final Rule was published in the Federal Register. The rules in the Final Rule become effective on a staggered basis starting January 3, 2017. See our previous post for background information and more details on the FCC’s original Notice of Proposed Rulemaking.
The FCC’s contested rules are based on three “foundations of privacy”—transparency, choice, and security—and impose several new requirements on carriers. The following are some of the highlighted requirements set forth in more detail in the Final Rule:
Carriers will be required to provide clear and accurate privacy notices to customers at the point of sale regarding the specific information collected and how it will be used. Customers must also be informed of their rights to opt-in or opt-out of the use of their confidential information.
Carriers must adopt security practices appropriately adjusted to the size of the provider and nature of its activities, the sensitivity of relevant data, and technical feasibility. However, specific carrier activities to meet these requirements are not delineated by the FCC.
In the event of a data breach, unless carriers can reasonably determine that there is no reasonable risk of harm to customers, carriers must notify the affected customers, the FCC, the FBI, and the Secret Service within seven days of determination that such a breach occurred, if the breach impacts 5,000 or more customers. If the breach affects fewer than 5,000 customers, carriers must notify the FCC no later than 30 days following reasonable determination that a breach occurred.
Some petitioners argue that the new rules violate First Amendment rights on commercial speech. Others say they will be unduly burdensome on certain smaller carriers and cause confusion among customers. An overarching argument, however, is that the Final Rule is unlawful and that the FCC does not have legal authority to impose its rules.
Given certain recent shifts in the political environment, it is difficult to predict the likelihood of the survival of the Final Rule. However, carriers should still closely review the new rules, understand their responsibilities, and assess existing privacy, data security, and other relevant policies and practices to determine if any changes are necessary to ensure compliance.