The Federal Communications Commission recently released a 219-page order issuing a comprehensive overhaul of its existing privacy rules, an ambitious new regime that will set expectations for data use, handling, and protection for years to come.
The rules aim to provide customers with greater control over the data they give to telecommunications companies, as well as confidence as to how the data they provide will be used, shared, and secured. While the rules apply to legacy companies such as voice and data telecommunications service providers and interconnected VoIP service providers, the main impact of the new rules is that they – for the first time – regulate the privacy practices of internet service providers.
FCC (News - Alert) Chairman Tom Wheeler, who lobbied heavily for the new rules, heralded the order as empowering consumers. “What this item does is to say that the consumer has the right to make a decision about how her or his information is used,” Wheeler said prior to voting for the order at the October Open Meeting. Wheeler later added, “before today, there were no protections.”
At the center of the new regime is consent. Before a telecommunications company uses or shares sensitive customer data – including precise location, children’s information, health information, financial information, social security numbers, web browsing history, and the content of communications – the company must obtain consent from its customer. Take it or leave it offers that require a customer to grant consent to sign up for a service are prohibited.
Consent is not required for non-sensitive personal data. That said, companies will be required to comply with customer requests not to use or share their personal information. The rules also provide limited exceptions allowing a company to use customer information with or without consent to provide the purchased service.
As noted above, the order primarily impacts ISPs. The FCC first promised to regulate ISP privacy practices in 2015, when the agency classified ISPs as regulated telecommunications services in its Open Internet Order. At the time, the FCC’s stated purpose of regulating ISPs was to promote net neutrality, which generally prohibits ISPs from favoring specific websites or content. ISP privacy regulation, previously beyond the reach of regulators like the FCC, suddenly became legally possible and defensible.
Crucially, the FCC’s privacy rules do not apply to websites, advertising networks, or social media companies, thus disadvantaging ISPs in the internet ecosystem and frustrating some industry members as well as FCC Commissioner Ajit Pai, who called the new rules “one-sided.” Chairman Wheeler countered that ISPs should be treated differently given their unrestricted insight into customer online behavior. Removing any doubt that the FCC could regulate ISPs and effectively treat them differently, a federal appellate court last year upheld the Open Internet Order, paving the way for the FCC to fast track its new privacy rules.
Besides ISPs, traditional voice and data telecommunications companies will also be impacted by the rules. The order sets privacy rules and expectations for ISPs, common carriers providing wired and wireless telecommunications services, and interconnected VoIP service providers, creating one comprehensive telecommunications privacy regulation. Traditional telecommunications service providers were required to comply with CPNI rules by obtaining consent for using data for specific purposes. The FCC’s rewrite of CPNI rules releases traditional carriers from some regular reporting burdens, but requires companies to revise their privacy policies, contracts, and data flows to ensure compliance with the new rules.
The new privacy rules also involve a number of new compliance responsibilities for telecommunications companies. Companies will be required to comply with rules regarding posting privacy notices, informing customers of changes to privacy notices, handling of anonymized data, and rules relating to financially incentivizing customers to provide data to the company. In the event of a data breach, companies will be required to notify their customers and the FCC of breaches that could cause harm to their customers, as well as law enforcement for breaches involving 5,000 or more customers.
As elements of the new rules come into effect over the course of the next year, companies will face a series of decisions and obstacles requiring changing habits, revising expectations, and, perhaps crucially, determining the impact of the new rules on their bottom lines. Now may be the right time for telecommunications companies to prepare for the new regulations. If history is a guide, the FCC’s Enforcement Bureau will be monitoring the industry closely during the transition, seeking its first test case to demonstrate the reach and impact of the new privacy rules.
Alexander Schneider and Linda McReynolds are attorneys in the Information Privacy, Data Security and Consumer Protection practice group at Marashlian & Donahue PLLC, The CommLaw Group.
Edited by Alicia Young