The Commission Adopts Privacy Rules for ISPs

October 28, 2016 | by Andrew Regitsky

On October 27, 2016, in a typically bitter 3-2 decision made along party lines, the FCC adopted new privacy rules for Internet service providers (ISPs) in WC Docket 16-106. The new rules impose stricter privacy rules on ISPs than the Federal Trade Commission (FTC) imposes on edge (content) providers, but are somewhat less onerous than originally proposed. 

The privacy rules are the result of the FCC seizing authority over ISPs from the FTC in its 2015 Open Internet Order when it reclassified them as common carriers subject to Title II of the Telecommunications Act. As common carriers, ISPs are now subject to section 222 of the Act, which permits the Commission to develop rules for the handling of customer data.

Edge providers such as Google and Facebook are not common carriers and remain subject to the FTC’s authority. That agency has limited authority to create specific privacy regulation and simply monitors company data collection practices to ensure there's no misuse or fraud. 

The new rules for ISPs go well beyond the FTC requirements and create artificial distinctions between edge providers and ISPs even though both types of companies collect and utilize the same customer data. Moreover, good luck to any consumer who rationally tries to figure out the rules that govern his or her sensitive data, since there really is no rationale for separate rules.  

The ISP privacy rules will work by separating the use and sharing of customer information into three categories, and according to the Commission, provide clear guidance for both ISPs and customers about the transparency, choice and security requirements for that information. The three categories include:

Opt-in - ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.

Opt-out - ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations. 

Exceptions to consent requirements - Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

In addition, the rules include:

Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;

A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.

Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.

The new rules are similar to ones proposed by the Commission earlier this year in that the three buckets (opt-in, opt-out and exceptions) are retained. However, in the original proposal all data not explicitly covered in one of two buckets of data (either opt-in or opt-out) would have been subject to the opt-in requirements. In the rules as adopted, the opt-in bucket is limited to a select group of sensitive data categories.

Clearly ISPs will not be happy with this outcome. They strongly believe, and with considerable justification, that they should not be treated any differently than edge providers. Perhaps most importantly for ISPs, the requirement affirmed in the new rules that consumers must opt in to the marketing of their web histories will almost assuredly severely limit their opportunities for millions of dollars of customer advertising revenues, while those advertising revenues will remain available to edge providers. Thus, do not be surprised when ISPs appeal this Order.

We will have a lot more to say when the text of the Order is released in the next few days.

By Andy Regitsky, CCMI

                      
