The FCC will vote later this month on a proposal from FCC Chairman Tom Wheeler spelling out rules for broadband providers to follow with regard to customer privacy. The Wheeler broadband privacy proposal currently circulating within the commission would require providers to obtain “opt-in” consent before using or sharing sensitive personal information, including a customer’s location obtained through a mobile device.
Broadband providers also would be required to notify customers about how their personal information is used and alert customers of any data breaches. The providers would be allowed to use de-identified customer data only if they meet Federal Trade Commission guidelines for ensuring consumer information is not re-identified.
According to an FCC fact sheet, personal data is defined to include:
- Children’s information
- Health information
- Financial information
- Social Security numbers
- Web browsing history
- App usage history
- The content of communications
Wheeler Broadband Privacy Proposal
The Wheeler broadband privacy proposal builds on a notice of proposed rulemaking that the commission adopted earlier this year. As outlined in the NPRM, the rules would allow broadband providers to use customer data for purposes such as billing and collection without obtaining opt-in consent.
Also as originally outlined, broadband providers would be subject to new data security requirements aimed at protecting customer information. According to an FCC fact sheet issued today, “reasonable security practices” would include implementing industry best practices, providing appropriate accountability and oversight, implementing robust customer authentication tools and properly disposing of data in keeping with FTC best practices.
Some areas that the NPRM left open for further discussion are more tightly defined in the latest Wheeler broadband privacy proposal. For example, the NPRM left open the issue of whether broadband providers would be allowed to offer lower prices on services for customers who agree to share personal information. The latest proposal now fills in those details and would require “heightened disclosure” for such offerings. The fact sheet also notes that the commission would “determine on a case-by-case basis the legitimacy of programs that relate service price to privacy protections.”
Another area where more detail has now been filled in pertains to de-identified information. Under the current proposal, broadband providers would be able to use data that has been altered so that it is no longer associated with specific customers “outside the consent regime required for other consumer data.” However, if broadband providers want to exercise that option, they must:
- Alter the customer information so it can’t be linked to a specific individual or device
- Publicly commit to maintain and use information in an unidentifiable format and to not attempt to re-identify the data
- Contractually prohibit the re-identification of shared information
One area where the newly proposed guidelines are less strict than what was originally proposed relates to notification of data breaches. The initial proposal called for notifying customers of breaches within seven days, but the new guidelines extend that to 30 days.
In a blog post, Wheeler likened the new guidelines to those that have long been in place for voice services. “[C]onsumers who use the network of the 21st century deserve similar protections,” he said.
Some service providers have criticized Wheeler’s plans for broadband privacy rules, arguing that the rules unfairly single out the broadband industry. But because Wheeler and two other Democratic commissioners have the majority on the five-member commission, there is a strong likelihood that the proposal will be adopted.