Doug Jarrett and Tracy Marshall Published in Law 360: "The Potentially Sweeping Effects Of FCC's ISP Regulations"
Law360, New York (May 10, 2016, 12:16 PM ET) --
As widely reported, the Federal Communications Commission adopted a notice of proposed rulemaking on March 31, 2016, requesting comment on a comprehensive set of proposed rules intended to protect the confidentiality and security of customer proprietary network information (CPNI) and personally identifiable information (PII) (collectively referred to as “customer proprietary information” or "customer PI”) that broadband internet access service (BIAS) providers acquire by virtue of their business relationship with customers. The NPRM is broad in scope and addresses a range of privacy and security issues, but reflects uncertainty as to how to best protect customer PI, effectively asking the public to weigh in on a host of proposals involving hundreds of discrete questions.
One justification for the commission’s sweeping proposals is that BIAS customers cannot readily switch from one broadband provider to another, whereas consumers can readily change browsers and search engines. Fundamentally, the NPRM seeks to grant BIAS customers greater control over the extent to which broadband providers use customer PI and share it with affiliates and unaffiliated third parties, but adoption of the major proposals would impact other parties in the ecosystem with whom broadband providers interact and share data. In addition, the NPRM repeatedly asks whether the FCC should seek to “harmonize” existing rules applicable to voice, cable and satellite providers with those adopted in this proceeding. While the NPRM applies to a limited set of services (and the NPRM proposes that “communications-related services” not include edge services offered by broadband providers), the proposed definitions and principles could have a significant ripple effect on the entire digital ecosystem.
Background
The NPRM tracks the approach staked out in the commission’s 2015 open internet order, which reversed the long-standing position that high speed internet access service is a lightly regulated “information service,” and reclassified BIAS as a more highly regulated “telecommunications service.” The intended effect of “reclassification” is that the FCC positioned itself to exercise its extensive statutory authority under Title II of the Communications Act over cable companies, wireline telecom carriers, fixed wireless (for-profit Wi-Fi service providers) and mobile wireless carriers offering BIAS. In particular, Section 222 of Title II imposes certain privacy and confidentiality obligations on “telecommunications carriers” that receive or obtain CPNI by virtue of providing a telecommunications service. In the 2015 open internet order, which is on appeal before the D.C. Circuit, the FCC expressly deferred the question of how Section 222 of the Communications Act should be applied to BIAS. The order also expressly excluded high speed internet access service provided to “enterprise customers” from the definition of BIAS, and this distinction is carried forward in the NPRM.
The NPRM adds further complexity to the evolving U.S. privacy and data security landscape. Unlike other countries that have overarching privacy laws, the U.S. landscape is comprised of a host of sector-specific federal laws (e.g., laws governing health, financial and children’s information), state consumer protection, data breach notification and data security laws, industry guidelines, and self-regulatory frameworks. A broad set of actors has enforcement authority under these laws. At the federal level, the most prominent is the Federal Trade Commission through its authority over unfair or deceptive acts or practices under Section 5 of the Federal Trade Commission Act, but the FCC has taken a heightened interest in online privacy matters over the last few years.
The reclassification of BIAS as a “telecommunications service” in the 2015 open internet order affected the FTC’s long-standing authority over the privacy practices of broadband providers under Section 5 of the FTC Act, as telecommunications carriers are not subject to the FTC’s jurisdiction when engaging in telecommunications carrier activities. Through a memorandum of understanding issued in November of last year, the FCC and FTC confirmed their ongoing cooperation on consumer protection matters and complementary authority with regard to practices by telecommunications carriers. In separate dissenting statements to the NPRM, however, FCC Commissioners Micahel O’Rielly and Ajit Pai questioned the FCC’s authority and expertise to regulate privacy and data security, and opined that those matters would be better addressed by agencies with more experience enforcing privacy and data security laws in a technology-neutral manner, such as the FTC.
Key Definitions
The new definitions proposed in the NPRM are essential to the scope and potential impact of the proposed rules on broadband providers and other participants in the internet ecosystem.
CPNI in the Broadband Context
The NPRM seeks to expand the existing definition of CPNI in Section 222(h) of the Communications Act and apply it to the broadband context. As currently defined, CPNI includes principally “information that relates to the quantity, technical configuration, type, destination, location and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.”
While the NPRM invites parties to identify any data elements that should be deemed CPNI in the broadband context, the FCC proposes, at a minimum, the following categories: (1) service plan information (including transmission technology), speed, pricing and data cap information; (2) geo-location; (3) media access control (MAC) addresses and other device identifiers; (4) IP addresses and domain name information; and (5) traffic statistics. In addition, the FCC seeks comment on whether port information, application headers, application usage and information regarding customer premises equipment should be considered CPNI.
Personally Identifiable Information
The NPRM breathes life into the undefined and largely ignored statutory term “customer proprietary information” in Section 222(a). This is accomplished through an expansive definition of PII that includes “any information that is linked or linkable to an individual.” The FCC proposed an extensive list of information that could constitute PII, which the NPRM refers to as “illustrative” and “nonexhaustive.” It largely encompasses the proposed definition of CPNI and includes the following:
□ Name
□ Social Security number
□ Date and place of birth
□ Mother’s maiden name
□ Driver’s license, passport, and other government identification numbers
□ Physical address
□ Email address or other online contact information
□ Phone numbers
□ MAC address or other unique device identifiers
□ IP addresses
□ Persistent online identifiers
□ Eponymous and noneponymous online identities
□ Account numbers and information (including account login information)
□ Internet browsing history
□ Traffic statistics
□ Application usage data
□ Current or historical geolocation
□ Financial information
□ Shopping records
□ Medical and health information
□ The fact of a disability and information relating to a disability
□ Biometric information
□ Education information
□ Employment information
□ Information relating to family members
□ Race
□ Religion
□ Sexual identity or orientation
□ Other demographic information
□ Information identifying personally owned property (e.g., license plates and device serial numbers)
The NPRM also inquires whether the content of customer communications should fall within the definition of PII or CPNI, recognizing that the Electronic Communications Privacy Act, Communications Assistance for Law Enforcement Act, and Section 705 of the Communications Act protect such content. Given the breadth of the defined terms CPNI and PII and the important role they play in the commission’s proposals, affected parties should consider proposing more honed, realistic alternatives and provide practical examples of adverse business implications should the commission’s definitions be adopted.
Major Proposals
Customer Consent
The NPRM asserts that the commission’s proposals are based on the principles of transparency, choice and security, and are intended to ensure that consumers have a clear understanding of what data is being collected, choice as to how their data is used, and assurances that their data is secure. Of particular significance, the FCC has proposed that customers have the ability to opt-out from broadband providers (or their affiliates) using customer PI to market “communications-related services” (a term that the FCC also seeks comment on) that are unrelated to services they have purchased, and that broadband providers obtain affirmative, opt-in consent from customers before using customer PI for any other purposes. Thus, opt-in consent would be required before a broadband provider can share any customer PI with noncommunications-related affiliates or with unaffiliated third parties, such as content providers, social networks and companies that serve online ads.
The broad list of elements proposed to be defined as customer PI goes well beyond existing laws and guidelines, which reserve heightened forms of consent for the most sensitive types of information (e.g., health, children’s or geolocation information). The NPRM proposes that privacy notices and mechanisms like dashboards to exercise choice must be “persistently available,” creating questions of whether this will disrupt the user experience and how “persistently available” will be defined. The commission’s proposals would subject broadband providers to more stringent obligations than those imposed on other companies in the internet ecosystem over whom the FTC maintains jurisdiction, and adversely impact their affiliates, business partners and vendors.
Data Security
The NPRM proposes data security requirements to protect customer PI against breaches and other vulnerabilities, as well as data breach notification requirements. The FCC is advocating for “security practices calibrated to the nature and scope of the BIAS provider’s activities, the sensitivity of the underlying data, and technical feasibility.” Specifically, the FCC has proposed that broadband providers, at a minimum, adopt risk management practices, institute training for employees and agents, adopt customer authentication requirements, identify a senior manager responsible for data security, and assume accountability for the use and protection of customer PI by third parties. The impact will depend in large part on how broadly the FCC defines customer PI that is subject to this enhanced protection, but treating traffic data, IP addresses and Social Security numbers identically seems like an ill-conceived approach to managing data security.
Data Breach Notification
In the event of a breach affecting customer PI, the NPRM proposes that ISPs must notify affected customers within 10 days after discovering the breach, notify the FCC within seven days after discovering the breach, and notify the Federal Bureau of Investigation and U.S. Secret Service of breaches affecting more than 5,000 customers within seven days after discovering the breach. These time frames are much shorter than those under existing federal and state laws, and more agencies must be notified. The FCC acknowledged the inherent harms in over-notification, and therefore indicated that the NPRM provides a “trigger” as to when notice of a breach is required. The trigger is when any person, “without authorization or exceeding authorization, has gained access to, used or disclosed [customer PI]” (emphasis added).
The proposed trigger is set at a lower threshold than many existing data breach notification laws, in part because it does not provide for a risk of harm analysis or any other exceptions or mitigating factors. In addition, the proposal does not include a threshold number of individuals who must be affected before a breach must be reported to the FCC. Contrary to the commission’s assertion, this proposed threshold might not help alleviate overnotification to the extent that it is tied to an extremely broad definition of customer PI, as the unauthorized access to, or use or disclosure of, any one of the elements that the FCC has identified as CPNI or PII would trigger the breach notification requirements. In addition, the overnotification problem is inherent in the FCC’s proposed “access”-based approach absent an exemption for instances where “access” does not result in “use” or “disclosure.”
Problematic Practices
The FCC requests comment on specific practices relating to the marketing of BIAS that it believes raise significant privacy concerns, inquiring whether such practices should be prohibited or subject to heightened notice and choice requirements. Those practices include making service availability contingent on customers’ waiving their privacy rights, and offering discounts on monthly service charges if customers grant their providers the right to use browsing information to tailor ads and offers. While the NPRM cites opposition by public interest groups to this practice, it is grounded in the principle of customer choice and enables broadband providers to generate advertising revenues similar to search engines.
The NPRM takes a skeptical view of deep packet inspection (analyzing internet traffic beyond basic header information necessary to route a data packet over the internet) and persistent tracking technologies, principally unique identifier headers (UIDH) (commonly referred to as “supercookies” because they cannot be deleted). Expressing concern that these practices enable broadband providers to develop detailed profiles about their customers, the NPRM asks whether they should be prohibited, subject to opt-in or opt-out requirements, or subject to enhanced approval requirements. The FCC’s Enforcement Bureau entered into a consent decree with Verizon Wireless earlier this year relating to the company’s use of UIDH for targeted advertising purposes, and the commission is now seeking to adopt universal restrictions through the NPRM.
Limits on Arbitration
Another far-reaching proposal in the NPRM is to prohibit broadband providers from compelling arbitration, noting that it can “create an asymmetrical relationship” between broadband providers and consumers, placing consumers at a significant disadvantage. The NPRM offers this proposal despite at least one recent U.S. Supreme Court decision (AT&T Mobility LLC v. Concepcion) affirming the enforceability of mandatory arbitration provisions in wireless services agreements that prohibit class-wide arbitration. Arguably, the FCC has authority under Section 201(b) of the Communications Act to limit the use of mandatory arbitration provisions by telecommunications carriers, but the large number of entities considered to fall in this category has significant implications.
What's Next
Comments on the NPRM are due by May 27, 2016, and reply comments are due by June 27, 2016. Several parties requested extensions of the comment filing deadlines given the short time frame and breadth of the commission’s proposals, which the FCC summarily denied. We expect that a variety of companies, industry associations, and privacy and consumer advocates will weigh in, and several parties have already met with commission staff to express their positions.
Since the FCC’s legal basis for this proceeding is largely dependent on its 2015 open internet order, the D.C. Circuit’s decision on appeal will necessarily affect the outcome of this NPRM. Indeed, some parties have objected to the timing of the NPRM as premature for that reason. If the D.C. Circuit affirms the open internet order, in particular its reclassification of broadband as a “telecommunications service,” this proceeding could move quickly, as it appears to be a priority for FCC Chairman Tom Wheeler. If it does not, or if it upholds only parts of the open internet order, the implications remain uncertain.
It remains to be seen whether and to what extent the commission will streamline its initial proposals based on comments and advocacy efforts by affected parties or the D.C. Circuit’s decision, but this proceeding is clearly on a fast track. While the contours and timing of a final rule remain uncertain, a legal challenge — whatever the outcome — is virtually guaranteed. All entities concerned with privacy and data security will want to closely follow this proceeding and its impact on the evolving landscape, and consider the larger policy and practical implications of this proposal.
—By C. Douglas Jarrett and Tracy P. Marshall, Keller and Heckman LLP
Douglas Jarrett is a partner in Keller and Heckman's Washington, D.C., office. He specializes in telecommunications law, policy and procurement matters.
Tracy Marshall is a partner in Keller and Heckman's Washington, D.C., office. She assists clients with a range of business and regulatory matters, including privacy and data security matters.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.