On October 27, 2016, just days before a presidential election, the Federal Communications Commission (FCC) passed new broadband consumer privacy rules. The new rules were passed with a 3-2 vote—straight on party lines, with all the Democrats voting for the rules and the two Republicans voting against. Now, however, the Republican commissioners have a majority and the new privacy rules could very well be overturned. The new rules require internet service providers to obtain permission from consumers before sharing their data with third parties. Of particular significance is the sharing of web browsing data with third party advertisers, who use the information to customize brand experience to particular consumers.
For over 80 years, the FCC has exercised the power granted by the Communications Act of 1934 to regulate telecommunications and broadcasting. From regulating monopoly telephone services to protecting net neutrality, the FCC has confronted some of the most complicated and quickly-changing legal issues. Today, personal information data breaches are now one of the most divisive and important issues that consumers, providers, and regulators face—and the new privacy rules attempt to address these issues by placing some of the control in how and when personal information is used back into the hands of consumers. Data breaches are all too common. In fact, there is “widespread evidence of data breaches and vulnerabilities related to consumer information.” Further, there is an increased risk in data breaches when companies share sensitive or confidential information with third party vendors. The new FCC privacy provisions will affect how and when consumer data can be gathered by internet service providers before sharing that sensitive data with third parties.
Section 222 of Title II of the Communications Act provides that every telecommunications carrier “has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufactures, and customers.” Further, all telecommunications carriers are limited in their ability to share such information with third parties. Prior to the new privacy provisions, internet service providers were not restricted by this statute to share information with third party marketing groups. Instead, broadband internet service providers were classified as “information services.” The new privacy provisions reclassify internet service providers as telecommunication services—imposing the statutory duty of Section 222.
Now, opt-in consent is required before the exchange of broadband consumer information to third parties. This opt-in consent requirement means that internet service providers must obtain consumer permission over categorically sensitive information, including precise geo-location, children’s information, health information, financial information, Social Security numbers, web browsing history, app usage history, and the content of communication. This significant change to Section 222 for broadband internet service providers creates a higher obligation to protect consumer privacy when exchanging information to third parties, which could limit the number of personal information breaches. In fact, the “strong security protections are crucial to protecting consumers’ data from breaches and other vulnerabilities that undermine consumer trust.”
The FCC outlines that the new privacy rules will strengthen the protection of customer information by requiring internet service providers to implement industry best practices and data breach notification requirements. By allowing customers to opt-in to the sharing of personal information, consumers themselves can limit their own personal risk of a data breach. While these rules could change the game in the number and type of data breaches, their effect may not be felt by consumers. The data breach notification requirements will not become effective until 6 months after the publication of the rules in the Order in the Federal Register, which took place in January. Now with a new head of the FCC and a Republican majority, the new requirements may never reach implementation—and the future of consumer privacy on the internet remains a complicated issue with no clear answer.
Wire or Radio Communication, 47 U.S.C. § 151-62 (2012).
FTC Privacy Report, Protecting Consumer Privacy in an Era of Rapid Change 12 (2012).
Ponemon Institute LLC, Data Risk in the Third-Party Ecosystem, Ponemon Research Blog (April 2016), https://www.ponemon.org/local/upload/file/Data%20Risk%20in%20the%20Third%20Party%20Ecosystem_BuckleySandler%20LLP%20and%20Treliant%20Risk%20Advisors%20LLC%20Ponemon%20Research%202016%20-%20FINAL2.pdf.
 Privacy of Customer Information, 47 U.S.C. § 222 (2012).
 Federal Communication Commission, Fact Sheet: FCC Adopts Order to Give Broadband Consumers Increased Choice Over Their Personal Information, (2016) http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db1027/DOC-341938A1.pdf.