Federal Communications Commission Chairman Tom Wheeler today submitted a Notice of Proposed Rulemaking (NPRM) to officially announce his agency's bid to regulate the data privacy policies of broadband service providers.
The proposal will be voted on by the full commission on Mar. 31, after which time the complete document will be disclosed for public comment.
According to a fact sheet the FCC distributed today, the proposal will apply the privacy requirements of the Communications Act to ISPs. Privacy advocates and broadband providers had been anticipating this move after the FCC last year approved new net neutrality rules that classified broadband providers in the same legal category as telecom companies.
The proposal appears to address at least three key tenets: customer consent to share data, preventative data security protections and post-data breach notifications.
The NRPM fact sheet was most specific in delineating the FCC's breach notification requirements. The proposal requires broadband providers to alert affected customers of a breach within 10 days of its discovery. Companies would have only seven days to notify the FCC, as well as the FBI and Secret Service if the incident impacts over 5,000 customers.
Regarding preventative data security measures, the FCC's fact sheet states that broadband providers would be required to take “reasonable steps to safeguard customer information from unauthorized use or disclosure.” The document did not specify what the agency considers reasonable, but Will Wiquist, deputy press secretary of the FCC, told SCMagazine.com that, "We propose to evaluate whether a provider has taken reasonable steps by looking at what steps they have taken in light of the nature and the scope of the provider's activities and the sensitivity of the data at issue."
Moreover, the fact sheet noted that at minimum, broadband companies would need to “adopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; to identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties.”
The fact sheet also outlined the FCC's proposed policy on customer permissions for sharing data. Under the submitted plan, service providers would have virtually unfettered leeway to share data for essential business services, including billing, e-mail communications and certain forms of relevant marketing. However, customers would have the option to opt out of data sharing agreements related to non-essential communications services and marketing of third-party communications services.
All other forms of data sharing would require customers to voluntarily opt in. Wiquist provided a scenario that would fall into this particular bucket: "If I don't opt in, the broadband service cannot sell information to an ad network about the fact that I visit a lot of websites about diabetes for the ad network to use to market diabetes products for me."
The policy will attempt to create standardized data privacy guidelines for broadband providers, on the heels of several recent FCC enforcement actions, including legal settlements with Cox Communications over a data breach and Verizon for use of its supercookies technology. However, some companies have complained that the FCC is undoing policies already established by the Federal Trade Commission, which was responsible for overseeing broadband providers prior to its net neutrality ruling.
Doug Brake, telecommunications policy analyst at the Information Technology and Innovation Foundation (ITIF), expressed disappointment, opining, “It is unfortunate that privacy activists have successfully convinced the FCC to ignore the benefits of FTC privacy oversight. The greater flexibility under the FTC enforcement framework allows room for new business models that could support expensive, next generation networks with revenue other than consumers' monthly bills. Instead, this vocal minority, who places a much higher price on their privacy than the average consumer, seeks to foreclose on the current balance of privacy with other important values.”
Omer Tene, Vice President of Research and Education at the policy-neutral International Association of Privacy Professionals (IAPP), acknowledged in an interview with SCMagazine.com that there is an inherent risk in shifting authority to a new agency because “you lose the guidelines and the standards that the FTC has set forth,” including “more than 150 enforcement actions.”
“When you suddenly shift to an agency that doesn't have that long and well-established of a track record, it's important to set down these rules,” added Tene, who was encouraged that many elements of the FCC's proposal seem to be “in line with… previous [FCC] enforcement actions” against broadband providers that were found to have committed privacy violations.
The key, added Tene, is making sure that FCC's policies continue to be communicated clearly to broadband providers moving forward. “For businesses, usually the most important thing is to know where they stand and to know what the rules of engagement are. That's usually more important than what the specific rules actually are,” he said.
