Today, the Federal Communications Commission adopted new rules that apply to Internet Service Providers, but not “edge” providers such as Twitter or Facebook. (The Federal Trade Commission has jurisdiction over edge providers.) The 3-2 vote divided along party lines. The rules seek to protect consumer privacy and security. Here are some highlights.
Opt-In Requirement for Sensitive Information
ISPs must obtain affirmative opt-in consent from a consumer prior to using or sharing “sensitive” information. The FCC Fact Sheet released today lists the following as “sensitive” information:
- Geolocation data
- Children’s information
- Health information
- Financial information
- Social Security Numbers
- Web browsing history
- App usage history
- Content of communications
All other information is considered “non-sensitive,” and ISPs must allow consumers to opt out of the use or sharing of that information if the consumer is personally identifiable.
To the extent the consumer has been de-identified, the use or sharing of that information is not covered by either the opt-in or opt-out consent regime. But, because de-identified (or anonymized) information can be easily re-identified to a specific consumer, the ISPs must:
- Alter the customer information so that it can’t be reasonably linked to a specific individual or device.
- Publicly commit to maintain and use information in an unidentifiable format and to not attempt to re-identify the data.
- Contractually prohibit the re-identification of shared information.
This three-part test comes from the Federal Trade Commission’s 2012 Report, “Protecting Consumer Privacy in an Era of Rapid Change.”
Data Breach Notification Rules
In addition to adopting data security guidelines, such as implementing “robust customer authentication tools” and proper data disposal practices, the FCC adopted data breach notification rules. The rules do not require notification for every unauthorized disclosure of a customer’s personal information. Instead, an ISP is required to notify the potentially affected consumers only once it determines that “harm is reasonably likely to occur.”
Once an ISP determines that harm is reasonably likely to occur, it must notify:
- Affected customers of breaches of their data as soon as possible, but no later than 30 days after reasonable determination of a breach.
- The FCC, the Federal Bureau of Investigation, and the U.S. Secret Service of breaches affecting 5,000 or more customers no later than 7 business days after reasonable determination of the breach.
- The FCC at the same time as customers are first notified of breaches affecting fewer than 5,000 customers.
None of the rules adopted today are in effect yet. There are various timelines, all of which run from the date a summary of this order is published in the Federal Register. The first set of rules to become effective is the data security guidelines (90 days after publication), followed by the data breach notification requirements (six months after publication), and lastly the consent requirements (12 months after publication).
The adoption of these rules today is far from the end of an ongoing and contentious conversation about privacy and security law in the quickly developing digital age. The Washington Post described these rules as “unprecedented.” They are likely to be challenged in court, as the authority of the FCC to adopt such rules has been questioned, including by Commissioner Michael O’Rielly who cast one of the two dissenting votes. On the other hand, Jeffrey Chester, executive director of the Center for Digital Democracy, praised the FCC’s action: “For the first time, the public will be guaranteed that when they use broadband to connect to the internet, whether on a mobile device or personal computer, they will have the ability to decide whether and how much of their information can be gathered.”