Cinnamon Mueller Client Updates


Broadband Privacy Order Released by FCC; New Rules Governing Customer Proprietary Information Adopted; Fate Unclear Under New Administration

On November 2, 2016, the FCC released a comprehensive Privacy Order that covers both broadband Internet and other telecommunications services.  These rules flow from the FCC’s 2015 reclassification of broadband Internet access service (“BIAS”) as a Title II telecommunications service and the FCC’s decision not to forbear from applying Section 222 of the Communications Act – Privacy of Customer Information (“Section 222”) – to broadband.  If the rules are permitted to go into effect, they will govern how BIAS providers collect, use and protect their subscribers’ personal information as well as how they communicate with subscribers about their personal information.  In general, the rules employ a sensitivity-based approach to consumer choice and require adequate notice, reasonable data security practices, and prompt data breach notification.

We say “if” the rules are permitted to go into effect because the election will have significant consequences for regulatory policy, including strengthening the ability of Republican FCC Commissioners Pai and O’Rielly to shape FCC policy.  These Commissioners dissented from both the 2015 reclassification decision and the Privacy Order, and the upcoming change in administration may lead the new FCC to stay or overturn the Order or, at the very least, significantly alter the new rules.  Additionally, Congress may issue a legislative disapproval of the newly issued privacy regulations under the Congressional Review Act, which would effectively repeal them.

Despite the uncertainty surrounding the ultimate fate of the Privacy Order, all telecommunications carriers should familiarize themselves with the FCC’s interpretation of what the statute requires in terms of protecting the privacy of BIAS subscribers and its new interpretations of the key terms in Section 222 as they apply to all telecommunications carriers for several reasons. 

  • Many of the new rules may go into effect before the new FCC can take action, particularly those establishing new categories of protected information.  The staggered schedule of effective dates for the various rules is set forth below.
  • BIAS will remain classified as a Title II telecommunications service, leaving BIAS providers subject to the privacy provisions of Section 222, until the FCC or Congress changes the classification.  Likewise, BIAS providers will remain common carriers until the classification is changed.
  • Common carriers are additionally subject to the requirements of Sections 201 and 202 that their practices in connection with the service be “just and reasonable.”
  • Any person can file a complaint against a common carrier for violations of the provisions of Title II either with the FCC or in federal court.  A court could look to the Privacy Order for guidance by the expert agency as to an appropriate interpretation of Section 222’s requirement that carriers protect the confidentiality of customer proprietary information even if the Order never appears in the Federal Register or is otherwise stayed by the FCC. 

For these reasons, all BIAS providers and telecommunications carriers should familiarize themselves with the FCC’s new categories of protected information and rules, review existing privacy policies and data breach notification procedures, and review their methods of obtaining consent to use customer proprietary information to ensure consistency with their privacy obligations under Section 222.

Background

In its 2015 Open Internet Order, the FCC reclassified BIAS as a Title II telecommunications service.  This action subjects the service to a variety of common carrier obligations under the Communications Act, including Section 222, which imposes a duty on telecommunications carriers to protect their customers’ proprietary information and to use such information only for authorized purposes.  At the same time, the FCC exercised its forbearance authority with respect to broadband privacy requirements to the limited extent of refraining from imposing its voice CPNI rules on broadband.   In the Privacy Order, the FCC adopted an expansive interpretation of Section 222 requirements and applied it to BIAS and other telecommunications services, including legacy voice and interconnected VoIP.  Consistent with the FCC’s desire to “harmonize” its privacy rules, the Privacy Order adopts a single set of governing definitions and obligations and also eliminates several privacy obligations currently imposed on voice and interconnected VoIP services.

Customer Proprietary Information – Overview


The Privacy Order focuses on three widely recognized core privacy principles – transparency, choice and security.  The Privacy Order aims to ensure that consumers (i) have the information needed to understand what data the BIAS provider is collecting and what it does with that information, (ii) can decide how their information is used, and (iii) are protected against the unauthorized disclosure of their information.  The Order is based on the FCC’s view that BIAS providers play a unique role in the Internet ecosystem in that they see all of a subscriber’s traffic as opposed to the “slice” of traffic that an edge provider sees, as well as possess unique data in terms of names, addresses, phone numbers, dynamic IP addresses, and customer billing history.

Customer Proprietary Information.  The Order defines three types of “customer proprietary information” protected under Section 222:  (i) customer proprietary network information (known as “CPNI”) as defined in Section 222(h); (ii) a broader category of personally identifiable information (“PII”) collected by broadband providers through their provision of broadband Internet access service; and (iii) a new category, “content of communication,” which the FCC defines as “any part of the substance, purport, or meaning of a communication or any other part of a communication that is highly suggestive of the substance, purpose, or meaning of a communication.”  The FCC disagreed with commenters that argued that the word “proprietary” in Section 222(a) means that the statute only protects information the customer keeps secret from any other party, adopting instead a far broader definition.

CPNI.  The Privacy Order declined to set out a comprehensive list of data elements that satisfy the definition of CPNI in the BIAS context.  Instead, the FCC provided a non-exhaustive list of examples of information that constitutes CPNI when a BIAS provider acquires or accesses it in connection with its provision of service:

  • Broadband service plans;
  • Geo-location (information related to the physical or geographical location of a customer or the customer’s device(s));
  • MAC addresses and other device identifiers;
  • IP addresses (both source and destination) and domain name information;
  • Traffic statistics (e.g., monthly data consumption, average speeds, or frequency of contact with particular domains and IP addresses);
  • Port information, which provides a strong indication of the type of application used, and thus the purpose of the communication;
  • Application headers, which contain data for application-specific protocols to help request and convey application-specific content; the type of application used, the URLs requested, and the email destination all convey information intended for use by the edge provider to render its service;
  • Application usage;
  • Application payload, the substance of the communication between the customer and the entity with which he or she is communicating; and
  • Customer premises equipment and device information (model, operating system, software and/or settings of the equipment).

PII.  The Privacy Order adopts a broad definition of PII – “any information that is linked or linkable to an individual.”  Some examples of data that would be considered PII include customer names, addresses, birth dates, Social Security Numbers, mother’s maiden name, government-issued identifiers, email addresses, phone numbers, IP and MAC addresses, and financial and employment information.  Several of the PII data elements may also be CPNI.   

Content of Communications.  Finally, the Order found that Section 222 protects the content of communications – both inbound and outbound – as customer proprietary information (“PI”), and defined content as “any part of the substance, purport, or meaning of a communication or any other part of a communication that is highly suggestive of the substance, purpose, or meaning of a communication.”

Because the categories of customer PI are not mutually exclusive, some content may also satisfy the definitions of CPNI and/or PII.  BIAS content includes, but is not limited to:

  • Contents of emails;
  • Communications on social media;
  • Search terms;
  • Web site comments;
  • Items in shopping carts;
  • Inputs on web-based forms; and
  • Consumers’ documents, photos, videos, books read, movies watched.

De-identified Data.  The Order adopts the Federal Trade Commission’s (“FTC”) three-part test to determine when customer PI has been “de-identified” and is therefore not subject to the Privacy Order’s consent regime.  Customer PI is de-identified if the carrier:

  • Determines that the information is not reasonably linkable to an individual or device;
  • Publicly commits to maintain and use the data in a non-individually identifiable fashion and to not attempt to re-identify the data; and
  • Contractually prohibits any entity to which it discloses or permits access to the de-identified data from attempting to re-identify the data.  This step is not required when the de-identified customer information is so highly abstracted that a reasonable data science expert would not consider it possible to re-identify it.

The FCC further emphasized that carriers relying on de-identification for use and sharing of customer proprietary information should employ well-accepted, technological best practices to meet the three-part test described above – and employ practices that keep pace with evolving technology and privacy science. 

Harmonization with Voice Rules

The Privacy Order’s new rules apply to all providers of telecommunications services, effectively superseding the FCC’s existing CPNI rules.  In other words, BIAS and traditional telecommunications providers will operate under the same set of rules.  As a result, some existing CPNI requirements, including the authentication and annual certification requirements, are eliminated by the Privacy Order. 

Transparency/Notice Requirements

The Privacy Order builds on existing Open Internet requirements that BIAS providers include their privacy policies in their disclosure of commercial terms pursuant to the Open Internet Transparency Rule.  In recognition of the widespread agreement that companies should inform consumers about their privacy practices, the Privacy Order sets forth rules to enhance the ability of consumers to make informed choices through effective disclosure of broadband providers’ privacy policies.  This would include the obligation to inform consumers about:

  • The type of customer PI that the carrier collects by virtue of its provision of service, and how the carrier uses that information.  If there is a data use program, it must be disclosed;
  • Under what circumstances a carrier discloses or permits access to each type of customer PI that it collects, including the categories of entities to which the carrier discloses or permits access to customer PI and the purposes for which each category of entities will use the customer PI; and
  • How customers can exercise their privacy choices, including how customers can exercise their opt-in and opt-out rights and a simple, easy-to-use mechanism for customers to do so. 

Telecommunications carriers must provide these notices at the point of sale and make them persistently available through a clear and conspicuous link on the carriers’ website homepage and via any app supplied to customers to manage their service.  While the Order does not require carriers to provide the notices on a periodic basis, carriers must provide advance notice of material changes to existing customers via email or other means of active communication agreed upon by the customer.


Choice


To give customers of BIAS and other telecommunications services “the tools they need to make choices about the use and sharing of their personal information,” the Order adopts sensitivity-based choice rules.

Opt-in Approval.  The Order requires broadband providers to receive opt-in approval from a customer before the use and sharing of “sensitive” customer PI.  The types of information treated as sensitive include:  precise geo-location, children’s information, health information, financial information, social security numbers, web browsing history and app usage history (and their functional equivalents), along with the content of communications. For voice providers, call history is also considered sensitive information.  Opt-in consent is also required for retroactive changes to a carrier’s privacy policies.

One of the most controversial changes introduced by the Order concerns the classification and thus use of web browsing and app usage history.  To date, the FTC, the primary federal regulator of privacy practices, has not considered this information to be per se sensitive.  The FCC, however, based on its view that BIAS providers are in a unique position to view the entirety of a user’s unencrypted traffic, found that browsing and app usage history must be considered sensitive, thus requiring opt-in approval for the use and sharing of such information.  The Order does not apply to “edge providers” (i.e. search engines, social networks, and other apps), who remain subject only to FTC privacy regulation.

The mechanism provided by the carrier to inform customers of their privacy choices must be clear and conspicuous, and in language that is comprehensible and not misleading.  Small providers that lack choice mechanisms that customers can operate directly from their website or app may be able to accept customer preferences by providing on their websites or apps an email address or other easily accessible, persistently available means to exercise their privacy choices.

Opt-out Approval.  The Order allows BIAS providers (or their affiliates that provide communications-related services) to use and share non-sensitive customer PI subject to the customer’s “opt-out” approval, which must be clearly disclosed, easily used, and continuously available.


Inferred Consent.  Consistent with the Communications Act, the Order’s rules allow BIAS providers, without additional approval from the customer, to use and share customer data in order to provide broadband service, bill for that service, prevent fraudulent use of the provider’s network, and for certain other purposes that make sense within the context of the BIAS provider’s relationship with its customers.

Take-It-or-Leave-It Offers.  The Privacy Order prohibits “take-it-or-leave-it” offers, in which BIAS providers offer broadband service contingent on customers surrendering their privacy rights, as contrary to the requirements of Sections 222, 201, and 202 of the Act.

While the Privacy Order does not bar providing financial incentives in exchange for customers’ personal information, it provides heightened requirements.  When BIAS providers offer financial incentives in exchange for consent to use, disclose, and/or permit access to customer PI, they must provide a clear and conspicuous notice of the terms of any financial incentive program that is explained in a comprehensible and non-misleading way.  The explanation must include information about what customer PI will be collected, how it will be used, and what types of entities it will be shared with and for what purposes. 

Data Security


The Privacy Order directs BIAS providers to adopt “reasonable” security practices appropriately calibrated to the nature and scope of their activities, the sensitivity of the underlying data, the size of the provider, and technical feasibility.  While the FCC declined to adopt a safe harbor provision, the Order provides guidance on certain “best practices” that BIAS providers, including small ISPs, can use to help develop their own data security practices.  It strongly encourages BIAS providers to consider implementing the mechanisms developed by the Communications, Security, Reliability, and Interoperability Council (CSRIC), which are based on the cyber security and data risk management guidance in the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF).

The Privacy Order provides that development of a written, comprehensive data security program will be considered a best practice in promoting reasonable data security.  It also encourages BIAS providers to consider stronger alternatives to rudimentary forms of authentication such as customer-generated passwords or static security questions, to appoint a data security officer, to provide employee privacy and data security training, and to obtain enforceable data security commitments from third parties as a condition of disclosure.  Finally, the Order directs providers to look to the FTC’s “Disposal Rule” for guidance on the safe destruction and disposal of customer PI.

Breach Notification

The Privacy Order implements notice requirements for data breaches, unless a carrier can reasonably determine that no harm to customers is reasonably likely to occur because of the breach.  Carriers must take the investigative steps necessary to reach a reasonable determination that no such harm is reasonably likely, considering that “harm” can encompass financial, physical, and emotional harm.  The Order establishes a rebuttable presumption that any breach involving sensitive customer PI presumptively poses a reasonable likelihood of customer harm and would therefore require customer notification.

Carriers must notify customers and the FCC within 30 days of the determination of a reportable breach.  Customer notifications must include the following elements:

  • The estimated date range of the breach;
  • A description of the customer PI that was reasonably believed to have been used, accessed, or disclosed by a person without authority;
  • Information the customer can use to contact the carrier to inquire about the breach;
  • Information about how to contact the FCC and state regulatory agencies; and
  • If the breach creates a risk of financial harm, information about the national credit-reporting agencies and the steps customers can take to guard against identity theft.

When more than 5,000 customers are affected, the carrier must notify the FCC, FBI, and Secret Service within seven business days, and at least three business days before notifying customers.

Records of any breaches and notifications to customers need to be retained for two years from the date a breach was reasonably determined to have occurred.

Effective Dates

Importantly, the Privacy Order staggers the effective dates of these various requirements. Under the new framework, the following rules will become effective at these times:

  • Take-it-or-leave-it Prohibition:  30 days after publication in the Federal Register.
  • Data Security Rule:  90 days after publication in the Federal Register.
  • Data Breach Notification Rule:  The later of (i) Paperwork Reduction Act (“PRA”) approval or (ii) six months after publication in the Federal Register.
  • Notice and Choice Rules: The later of (i) PRA approval or (ii) 12 months after publication in the Federal Register. 
  • Small providers – Those with 100,000 or fewer broadband connections (according to their most recent Form 477) will have an additional 12 months to comply.

The FCC will treat as valid or “grandfather” any consumer consent obtained prior to the effective date of the rules, so long as the consent is consistent with the new rules.  Opt-out consent obtained before the release date of the Order is valid for two years after it was obtained and opt-in consent remains valid as long as it is valid under the legacy rules.

Exemption for Enterprise Customers of Telecommunications Services other than BIAS.  Recognizing that enterprise customers of telecommunications services other than BIAS have different privacy concerns and the capacity to protect their own interests, the Order provides that a carrier that contracts with an enterprise customer for telecommunications services other than BIAS need not comply with the privacy and data security rules adopted in the Order if the carrier’s contract with that customer specifically addresses the issues of transparency, choice, data security, and data breach and provides a mechanism for the customer to communicate with the carrier about privacy and data security concerns. 

Next Steps


It is widely believed that Republican control of both houses of Congress and the White House will mean a substantial paring back of federal regulation in all sectors, and particularly those regulated by the FCC.  However, these changes could take some time to work through the system, even after the FCC is reconstituted under a new Chairman and anticipated vacancies are filled.

Until the next FCC or Congress revisits the reclassification question, all telecommunications carriers, including BIAS providers, remain subject to the requirement of Section 222 to protect the confidentiality of customer proprietary information and the requirements of Sections 201 and 202 to refrain from engaging in unjust or unreasonable acts and practices.  During that period, carriers remain subject to enforcement through the complaint process, including complaints filed in federal court.

Prior to adoption of the Privacy Order, the FCC’s Enforcement Bureau issued an FCC Enforcement Advisory advising BIAS providers to “take reasonable good faith steps to protect consumer privacy” that are “in line with their privacy policies and core tenets of basic privacy protections.”  The FCC’s approach in the Privacy Order is based in many significant respects on specialized federal privacy requirements and the work of other federal and state agencies and advisory committees in the area of customer privacy protection, including the formulation of best practices.

For these reasons, and despite the uncertainty about if and when the new privacy rules will take effect, all telecommunications carriers should familiarize themselves with the approach to protecting customer privacy contained in the Privacy Order and review their current privacy policies and data security practices.

If you have questions about CPNI, cable privacy rules, or your obligations to protect subscriber privacy as a broadband ISP, please contact Barbara Esbin at besbin@cinnamonmueller.com or (202) 872-6811, Bruce Beard at (314) 394-1535 or bbeard@cinnamonmueller.com or Scott Friedman at (312) 372-3930 or sfriedman@cinnamonmueller.com.