What Do the New FCC Privacy and Security Rules Mean for Internet Service Providers and Their Subscribers?
On October 27, 2016, the FCC adopted rules (the “Rules”) that govern how Internet service providers (“ISPs”) use and share subscribers’ “Proprietary Information” generated while using the Internet, and that regulate the security measures ISPs must take. The Rules do not apply to providers of content, services, and applications delivered over the Internet, such as email, websites, cloud storage services, social media sites, music streaming services, and video streaming services offered by companies like Google, Facebook, YouTube, Amazon, and Apple’s iTunes.
According to the Rules, “Proprietary Information” includes individually identifiable customer proprietary network information, personally identifiable information, and the content of communications. The Rules impose significant obligations on ISPs, including: (1) implementing “Approval Requirements” within twelve (12) months[1] after publication of the Rules in the Federal Register (which occurred on November 2, 2016) (“Publication”), and (2) complying with the “Security Requirements” within ninety (90) days after Publication.
The Rules apply to ISPs that offer telecommunications, broadband and interconnected VoIP services (the “Services”).
Subscriber Opt-In/Opt-Out Approval Requirements
The Rules require ISPs to comply with customer consent requirements based on the sensitivity of the Proprietary Information.
- Proprietary Information that includes precise geo-location, children’s information, health information, financial information, Social Security numbers, web browsing history, app usage history, or the content of communications is considered “sensitive,” and ISPs must obtain the customer’s affirmative consent (“Opt-In Approval”) before using or sharing it.
- Non-sensitive Proprietary Information may be used and shared by ISPs unless the customer affirmatively opts out of allowing the ISP to use and share such information (“Opt-Out Approval”).
Additionally, if Proprietary Information is de-identified, ISPs do not have to comply with the Approval Requirements provided that the de-identified Proprietary Information satisfies a three-part test to ensure the Proprietary Information is not re-identifiable.
The Rules prohibit ISPs from refusing to provide Services to a customer who does not consent to the use and sharing of Proprietary Information. However, subject to heightened disclosure requirements, ISPs may offer “pay for privacy” plans, which provide discounts or other incentives to subscribers in exchange for their Opt-In Approval. The legitimacy of such plans is subject to review by the FCC on a case-by-case basis.
Security Requirements
The Rules require ISPs to take “reasonable measures” to protect customer Proprietary Information. An ISP’s security measures must be designed to address the nature and scope of the ISP’s activities, the sensitivity of the underlying data, the size of the ISP, and the technical feasibility of adopting such measures. The Rules do not prescribe specific requirements, but they do set forth guidelines for the measures that ISPs should consider adopting in order to establish a viable security policy.
[1] The only exception to the Approval Requirements compliance deadline is for small providers (providers with 100,000 or fewer broadband connections or 100,000 or fewer voice subscriber lines), which are afforded an additional twelve (12) months to implement the Approval Requirements.