On October 27, 2016, the FCC adopted rules requiring broadband Internet Service Providers (ISPs) to protect the privacy of their customers. As predicted (see JSI’s October 7e-Lert), the rules implement privacy requirements that have been enforced under Section 222 of the Communications Act, and establish requirements for providing customers with transparency, choice and security of customers’ personal information.

New Requirements
While the text of the adopted Order is not yet publicly available, the FCC’s News Release and related Fact Sheet indicate that ISPs will be required to use affirmative opt-in consent from consumers to use and share sensitive information, such as precise geo-locations, financial information, health information, children’s information, social security numbers, web browsing history, app usage history, and the content of communications. Opt-out consent may be used by ISPs for all other individually identifiable customer information, such as email addresses or service tier information. Customer consent to the use and sharing of customer information is inferred for the provision and billing of broadband services when the customer is already a broadband subscriber.

In addition, the new rules require ISPs to:

  • Provide customers with clear, conspicuous and persistent notice about the information being collected, how it may be used, and with whom it may be shared, as well as how the customer can change their privacy preferences;
  • Engage in reasonable data security practices, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and properly disposing of data consistent with Federal Trade Commission best practices and the Consumer Privacy Bill of Rights; and
  • Notify appropriate law enforcement and customers of failures to protect confidential customer data.

Implementation Timeline
Per the FCC’s Fact Sheet, the Order adopts the following implementation timeline:

  • The data security requirements will go into effect 90 days after publication of the summary of the Order in the Federal Register.
  • The data breach notification requirements will become effective approximately six months after publication of the summary of the Order in the Federal Register.
  • The Notice and Choice requirements will become effective approximately 12 months after publication of the summary of the Order in the Federal Register. Small providers will have an additional 12 months to comply.

JSI remains committed to assisting interested clients with compliance activities associated with the new rules. After the text of the Order is released, JSI will hold a webinar to cover all of the details and offer helpful tools for companies to use in training their employees. Additionally, our broadband privacy team will be available to answer any questions and assist in drafting the required customer notices, privacy policies and data security practices. Please contact John Kuykendall or Terri Parrilla in JSI’s Maryland office at 301-459-7590, Dee Dee Longenecker in JSI’s Texas office at 512-338-0473, or Lans Chase in JSI’s Georgia office at 770-569-2105 for more information.

Source: JSI e-Lert