Internet service providers (ISPs) are being pressured by the Federal Communications Commission (FCC) to enhance their privacy practices. Commissioner Wheeler’s proposal, issued March 11th, seeks to regulate ISPs and their handling of consumer information in order to heighten consumer privacy protection. The FCC issued its draft Notice of Proposed Rulemaking (NPRM) focusing on ISPs and not on websites, with its comment cycle commencing after its March 31st adoption.
The FCC clarifies that the Federal Trade Commission (FTC) has authority over websites and internet applications, but the point of the rulemaking is to enhance consumer notification and the opportunity to consent, so that consumers can make informed decisions about how their information is managed and shared. The Commissioner’s proposal hinges on the data security responsibility and data security reporting that will be newly expected of ISPs.
While the FTC has authority in many respects over how entities handle privacy and data integrity, the FCC sees the FTC's best practices as a guideline for ISPs to follow. The risk management practices imposed and expected by the FTC will now be expected of ISPs. The measures include implementing customer authentication steps, personnel training, and due diligence efforts to secure the confidentiality of customer information. In addition, ISPs will be expected to report data breaches to the Commission and law enforcement within seven days and to affected customers within ten days. The requirement to report to law enforcement, however, for some peculiar reason, applies only when more than 5000 customers are affected.
The FCC intends to trifurcate the levels of sharing of customer information. The three categories, if you will, are opt-in consent, opt-out consent, and consent that is deemed approved upon ISP service subscription. The last category, which assumes consent, rests on administrative function: an ISP would be allowed to share consumer information so long as it is pertinent to the ISP's ability to provide its service and administer the account in question. ISP functions involving account billing, usage monitoring and reporting, account reconciliation, and account collections would be considered consented to by customers without the need for their explicit consent.
The opt-out and opt-in categories address the ISPs’ permissible use of customer data in marketing activities with third-party vendors and services. Such use would require the ISP to give customers a way to designate their opt-out option. The determination of what constitutes “other communications-related services” remains pending. Other uses of customer data and personal information by ISPs will require the ISP to obtain opt-in consent from the customer. The overall sense of the NPRM is to enhance the privacy of consumer data, strengthen the ISPs' role and responsibility in securing consumer information, and eventually hold them accountable for breaches. The ISPs are seen as gatekeepers of what the FCC terms Customer Proprietary Network Information (CPNI).