On October 27, 2016, the Federal Communications Commission (FCC) adopted an Order requiring broadband Internet service providers and all other telecommunications carriers providing telecommunications services to take greater steps to protect the privacy of their customers, including current and former subscribers and new applicants. Specifically, the new rules create three categories for the use and sharing of customer information based on sensitivity: opt-in, opt-out, and exceptions to the consent requirements. Acting pursuant to its authority under Section 222 of the Communications Act, which governs the protection of telecommunications service customers’ proprietary information (defined as (i) individually identifiable Customer Proprietary Network Information (CPNI); (ii) personally identifiable information (PII); and (iii) content of communications), the FCC clarified that the new rules are designed to ensure that customers are in control regarding use of their information.

The Order was issued on November 2, 2016 and is available here. Here’s a summary of the key obligations imposed on carriers:

Clear Notice

Carriers must clearly and conspicuously notify customers (in their selected language of communication) about what types of information they collect, how and for what purposes the information is used and shared, and the different categories of entities with which the carrier shares the information. Carriers must also inform customers about their rights to opt in to or out of the use or sharing of their confidential information, and the exercise of these options should be simple and easy to use. Customers should be notified that denying the provider the ability to use or share their proprietary information will not affect their ability to receive the service, and that their privacy choices will remain in effect until the customers change them, which they may do at any time. This notice must be provided at the point of sale and be persistently available on the carrier’s website or mobile app. Sufficient advance notice must be provided to existing customers if the carrier’s privacy policy is significantly changed, indicating what changes are being made and the customers’ rights with respect to the material change as it relates to their proprietary information. However, carriers are no longer obligated to provide periodic notice on an annual or bi-annual basis.

The Order does not mandate a particular form of notice, but the FCC has directed the Consumer Advisory Committee to formulate a proposed standardization notice format by no later than June 1, 2017, which could be used as a voluntary safe harbor to prove compliance with the requirements that a notice is clear, conspicuous, comprehensible and not misleading.

Use of Proprietary Information

Opt-in  — Except as otherwise required by law, carriers will have to obtain affirmative consent from customers to use and share “sensitive” proprietary information, which includes at minimum the following: precise geo-location, health information, financial information, social security numbers, children’s information, web browsing history, app usage history, and the content of communication. Carriers must also obtain opt-in approval for material retroactive changes to their privacy policies if these changes entail use or sharing of sensitive customer proprietary information.

Opt-out — All other proprietary customer information, i.e. information that is not classified as sensitive, such as email addresses or service tier information, can be subject to opt-out consent. Opt-out consent should be obtained for material retroactive changes to privacy policies that entail the use and sharing of non-sensitive customer proprietary information.

Exceptions to consent requirements — Consent is inferred for certain purposes, including the provision of the broadband service, billing and collection, and protection from fraudulent use of the carrier’s network. Carriers may also use and share non-sensitive information to provide and market services and equipment typically marketed with the service, as well as for research and certain specified emergency situations, provided the carrier takes reasonable steps to minimize disclosure and any privacy risks.

Carriers must give effect to a customer’s grant, denial or withdrawal of approval promptly. Broadband internet service providers may “grandfather” any consumer consent that was obtained prior to the effective date of the Order that is consistent with the new requirements.

In addition, carriers may use and share de-identified information without acquiring consent, provided the following conditions are met: the information cannot be reasonably linked to a specific individual or device, the carrier publicly commits to maintain and use the information in an unidentifiable format, and it contractually prohibits any entity to which it discloses the information from attempting to re-identify the shared information.

Protection of Customer Information

Carriers must take reasonable measures to protect customer data from breaches and other vulnerabilities. While there are no enumerated requirements for complying with this rule, the FCC has provided guidelines to advise carriers on steps they should consider taking, such as: implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with the Federal Trade Commission (FTC) best practices. Generally, the security practices must be appropriately calibrated to the nature and scope of the carrier’s activities, the sensitivity of the underlying data, the size of the provider and technical feasibility.

Common-Sense Data Breach Notification

If the carrier determines that an unauthorized access, use or disclosure of a customer’s proprietary information has occurred, unless the carrier reasonably concludes that no harm is reasonably likely to occur, it must notify affected customers as soon as possible, but no later than 30 days after reasonable determination of such breach (and without unreasonable delay for any affected customers identified thereafter). A breach involving sensitive customer proprietary information presumptively poses a reasonable likelihood of customer harm. The FCC must be notified within the same time period for breaches affecting fewer than 5,000 customers. If 5,000 or more customers are affected by a breach, the carrier must notify the FCC, the FBI and the U.S. Secret Service no later than seven business days after reasonable determination of such breach; such notice must be provided to the applicable federal agencies at least three days before notice to customers to give the agencies time to evaluate the threat.

Notice about the breach should include the following basic facts: the date or estimated date of breach, a description of the customer proprietary information that was affected, information about how to contact the carrier or applicable government agencies, and if the breach creates a risk of financial harm, information about national credit-reporting agencies and steps customers can take to guard against identity theft.

Carriers must keep record of the dates on which the reportable breaches are determined to have occurred, the dates when customers were notified, and written copies of all customer notifications, for at least two years from the reasonably determined date of breach.

Additional Provisions

In addition to the above obligations, the Order prohibits take-it-or-leave it offers, heightens disclosures and affirmative consent requirements for financial incentives offered in exchange for the right to use customer proprietary information, and reaffirms the right of customers to use the FCC’s informal dispute resolution process. The FCC has additionally committed to initiating a rulemaking on the use of mandatory arbitration requirements in consumer contracts for broadband and other communications services.

The Order also applies to voice services in an effort to harmonize the rules. The FCC further clarified that the Order preempts state privacy laws only to the extent that the laws are inconsistent with any rules adopted by the FCC — in all other cases, organizations must comply with both federal and state privacy laws.

Scope of Impact

The Order does not apply to companies over which the FCC does not have authority. Those companies are regulated, for the most part, by the FTC, which has its own set of guidelines and rules. The Order similarly does not regulate the privacy practices of websites, apps and other “edge services” over which the FTC has authority, and does not address issues of government surveillance, encryption or law enforcement.

However, companies not bound by the Order should still take note of the Order as it tracks the European standard of requiring opt-in consent for the collection of sensitive data.  As discussed in some of our other Alerts, the FTC has recently increased enforcement action against companies for privacy and data security violations under Section 5 of the FTC Act, and the FCC’s Order may signal a shift in how U.S. regulatory bodies (such as the FTC) address privacy and data security issues moving forward.

Implementation Timelines

The data security requirements will go into effect 90 days after publication of the summary of the Order in the Federal Register. The data breach notification requirements will become effective the later of (a) approval from the Office of Management and Budget pursuant to the Paperwork Reduction Act (PRA) or (b) six months after publication of the summary of the Order in the Federal Register. The notice and choice requirements will become effective the later of (a) PRA approval or (b) 12 months after publication of the summary of the Order in the Federal Register. The prohibition on conditioning broadband service on waiving privacy rights, and all other privacy rules adopted in the Order, will become effective 30 days after publication of the summary of the Order in the Federal Register. Small providers (i.e. broadband internet service providers with 100,000 or fewer broadband connections, aggregated over all the providers’ affiliates) will have an additional 12 months to comply with the new rules.