FCC Publishes New Privacy Rules for ISPs

FCC Publishes New Privacy Rules for ISPs

Effective January 3, 2017, the FCC’s new rule, “Protecting the Privacy of Consumers of Broadband and Other Telecommunications Services,” establishes streamlined privacy guidelines applicable to Broadband Internet Access Service (“BIAS”) and all telecommunication carriers.  Prior to this rule, BIAS providers were not subjected to the same privacy standards as telecommunication carriers.  The new rule focuses on creating transparency, choice, and data security to provide “heightened protection for sensitive consumer information, consistent with consumer expectation.”

To promote transparency, the rule requires that carriers “provide privacy notices that clearly and accurately inform customers about what confidential information the carriers collect, how they use it, under what circumstances they share it, and the categories of entities with which they will share it.”  To promote choice, the rule allows customers to opt-in or opt-out of approval for the sharing of sensitive customer personal information.  To promote data security, carriers must “adopt security practices appropriately calibrated to the nature and scope of its activities, the sensitivity of the underlying data, the size of the provider, and technical feasibility.”

Another important aspect of the rule is the adoption of data breach notification requirements, which is particularly relevant considering recent data breaches of large United States companies such as Target and Yahoo!.  Information regarding data breaches must be reported to the FCC, FBI, and Secret Service “within seven business days of when the carrier reasonably determines that a breach has occurred if the breach impacts 5,000 or more customers.”  Carriers are now required to notify affected customers without “unreasonable delay, but within no more than 30 days.”

While these rules are set to take effect January 3, 2017, its fate remains unclear with the Trump Administration taking control and Court challenges accepted until January 31.   However, the implementation of the rule should help protect consumers’ personally identifiable information and allow them to be more informed with what is collected and who it is shared with.