On December 2, 2016, the Federal Communications Commission (FCC or Commission) published its Consumer Broadband Privacy Report and Order in the Federal Register. The Report and Order, released by the FCC on Wednesday, November 2, 2016—just one week after adoption—imposes significant restrictions on the use of sensitive customer proprietary information by retail broadband internet access service providers (ISPs) and is based on the FCC’s net neutrality decision applying elements of Title II of the Communications Act (Act) to ISPs.
The new rules interpret Section 222 of the Act as requiring protection of “customer proprietary information,” which the FCC defines to include three types of information: (1) individually identifiable Customer Proprietary Network Information, such as broadband service plans, geo-location, IP address and domain name identifiers; (2) personally identifiable information, which includes “any information that is linked or reasonably linkable to an individual or device”; and (3) content of communications, which includes “any part of the substance, purport or meaning of a communication or any other part of a communications that is highly suggestive” of the same. The rules also prohibit or restrict other practices the FCC believes raise privacy concerns, prohibiting “take-it-or-leave-it” offers and requiring heightened requirements for consumer incentive deals.
Interestingly, the new rules create a “separate-but-unequal” system of privacy governance where website operators with access to much of the same sensitive information (e.g., website use) are subject to the Federal Trade Commission’s ex post case-by-case regulatory review, whereas ISPs must now implement stringent ex ante rules.
The Presidential election results and the strenuous opposition from the FCC’s Republican members call into question the likelihood that the net neutrality rules—and as a result, application of Section 222 to ISPs—will survive the new administration. The “new” Commission could seek to reverse or revise the FCC’s action.
With the exception of sections 64.2003, 64.2004, 64.2006, and 64.2011(b), which contain information collection requirements that have not yet been approved by OMB, the rules are set to go into effect on January 3, 2017. Also, Section 64.2005, which addresses data security and requires carriers to take “reasonable measures to protect customer proprietary information from unauthorized use, disclosure or access,” will be effective March 2, 2017.