A.Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities

A.Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities

371.Meaningful Notice of Privacy Policies. As discussed above, this Notice proposes to require BIAS providers to provide meaningful notice of privacy policies. ^{NOTEREF _Ref445303279} The Notice proposes rules and/or seeks comment on the content, location, timing, and formatting of different types of privacy notices. In order to promote transparency and inform all BIAS customers of their privacy choices and security, these proposed rules will apply to small providers as well as large providers. The Notice seeks comment on alternative ways of achieving these goals. The Notice seeks comment on the compliance costs of these proposals for small providers. ^{NOTEREF _Ref445303279} The Notice also seeks comment on whether to harmonize these proposals with existing regulations regarding voice CPNI, and whether such harmonization can reduce compliance burdens. ^{NOTEREF _Ref445303279}

372.Customer Approval Requirements. As discussed above, this Notice proposes to require BIAS providers to obtain customer approval in order to use, access, or disclose customer proprietary information. ^{NOTEREF _Ref445303279} This Notice proposes and/or seeks comment on (1) the contexts in which BIAS providers need to seek opt-out and opt-in consent for uses of customer information; ^{NOTEREF _Ref445303279} (2) the requirements BIAS providers must meet to ensure that customers can easily learn about and effectively express their choices; ^{NOTEREF _Ref445303279} (3) the ways in which BIAS providers should document their compliance with customers’ choices. ^{NOTEREF _Ref445303279} In order to protect the privacy choices of all BIAS customers, these proposals will apply to small providers as well as large providers. The Notice seeks comment on the effects of these proposals on small providers, ^{NOTEREF _Ref445303279} as well as whether and how to harmonize these proposals with existing regulations regarding voice CPNI. ^{NOTEREF _Ref445303279}

373.Use and Disclosure of Aggregate Customer PI. As discussed above, this Notice proposes rules and seeks comment on BIAS provider use, access, and disclosure of aggregate customer PI. ^{NOTEREF _Ref445303279} Our proposed rules would allow BIAS providers, including small providers, to use, access, and disclose aggregate customer PI if the provider (1) determines that the aggregated customer PI is not reasonably linkable to a specific individual or device; (2) publicly commits to maintain and use the aggregate data in a non-individually identifiable fashion and to not attempt to re-identify the data; (3) contractually prohibits any entity to which it discloses or permits access to the aggregate data from attempting to re-identify the data; and (4) exercises reasonable monitoring to ensure that those contracts are not violated. ^{NOTEREF _Ref445303279} In order to promote all customers’ privacy interests in the transparency, choice, and security of how their data is used, these proposals will apply to small providers as well as large providers. We also seek comment on alternative approaches to handling aggregate customer PI, as well as the burdens our proposed rules would place on small providers. ^{NOTEREF _Ref445303279}

374.Securing Customer Proprietary Information. As discussed above, this Notice proposes rules and seeks comment on requiring BIAS providers to protect the security and confidentiality of customer PI by adopting security practices calibrated to the nature and scope of the BIAS provider’s activities, the sensitivity of the underlying data, and technical feasibility. ^{NOTEREF _Ref445303279} These proposals include requiring BIAS providers to protect against unauthorized use or disclosure of customer PI by (1) conducting risk management assessments; ^{NOTEREF _Ref445303279} (2) training employees to protect against reasonably anticipated unauthorized use or disclosure of customer PI; ^{NOTEREF _Ref445303279} (3) ensuring reasonable due diligence and corporate accountability; ^{NOTEREF _Ref445303279} and (4) requiring customer authentication for access to customer proprietary information. ^{NOTEREF _Ref445303279} We seek comment on how to hold BIAS providers accountable for third party misuse of customer PI ^{NOTEREF _Ref445303279} and whether we should impose reasonable data collection, retention, and disposal rules. ^{NOTEREF _Ref445303279} In order to protect the security of all BIAS customers’ private information, these proposals will apply to small providers as well as large providers. We also seek comment on alternative approaches to securing customer PI, the burdens the proposed rules would place on small providers, and whether to harmonize our security proposals with existing regulations for voice CPNI. ^{NOTEREF _Ref445303279}

375.Data Breach Notification Requirements. As discussed above, the Notice proposes rules and seeks comment on requiring telecommunications providers to give customers, the Commission, and other law enforcement notice when a breach of customer PI has occurred. ^{NOTEREF _Ref445303279} In addition, the Notice proposes to harmonize the existing voice CPNI data breach rules with these proposed rules for BIAS provider data breaches. These proposals include (1) requiring telecommunications providers to notify customers within ten days after the discovery of a data breach, subject to law enforcement needs, under circumstances enumerated by the Commission; ^{NOTEREF _Ref445303279} (2) the necessary content of a customer data breach notification; ^{NOTEREF _Ref445303279} (3) requiring telecommunications providers to notify the Commission within seven days, and to notify the Federal Bureau of Investigation and the U.S. Secret Service, in the event of a data breach affecting more than 5,000 customers, within seven days; ^{NOTEREF _Ref445303279} (4) two-year record retention rules for data breaches; ^{NOTEREF _Ref445303279} and (5) seeking comment on how to address third party data breaches. ^{NOTEREF _Ref445303279} In order to promote transparency and security for all telecommunications customers, these proposed rules will apply to small providers as well as large providers. The Notice also seeks comment on alternative data breach notification approaches as well as the burdens that our proposals will have on small providers. ^{NOTEREF _Ref445303279}

376.Other Practices Implicating Privacy. As discussed above, the Notice seeks comment on whether there are certain BIAS provider practices implicating privacy that our rules should prohibit, or to which we should apply heightened notice and choice requirements. ^{NOTEREF _Ref445303279} In particular, the Notice proposes to prohibit service offers conditioned on the waiver of privacy rights. ^{NOTEREF _Ref445303279} The Notice also seeks comment on how to address (1) financial inducement practices; ^{NOTEREF _Ref445303279} (2) deep packet inspection for purposes other than network management; ^{NOTEREF _Ref445303279} and (3) persistent tracking technologies. ^{NOTEREF _Ref445303279} In order to protect the privacy of all BIAS customers, any such rules may be applied to small providers as well as large providers. In the course of seeking comment on these subjects, the Notice seeks comment on alternative approaches and burdens to small providers. ^{NOTEREF _Ref445303279}

377.Dispute Resolution. As discussed above, the Notice seeks comment on whether the Commission’s current informal complaint resolution process is sufficient or if BIAS providers should offer additional dispute resolution mechanisms for broadband privacy disputes. ^{NOTEREF _Ref445303279} In order to promote all customers’ privacy interests in the transparency, choice, and security of how their data is used, any such resulting rules may apply to small providers as well as large providers. The Notice seeks comment as well on alternative approaches as well as the burdens any approaches would have on small providers. ^{NOTEREF _Ref445303279}