16. Today the Commission issues this NPRM proposing a framework for applying the traditional privacy requirements of the Communications Act to BIAS. Throughout, we seek public comment on our proposals and pose questions on the best approach to protecting consumers’ privacy when they use broadband services. Proposals are not decisions, which is why comment from individuals, industry, interested public-interest organizations, academics, and federal and state agencies is so critical. We implement the core principles of transparency, choice, and security by proposing regulations to ensure that consumers (i) have the information needed to understand what data the BIAS provider is collecting and what it does with that information, (ii) can decide how their information is used, and (iii) are protected against the unauthorized disclosure of their information.
17. In this Notice, we first propose to define the information that would be protected under Section 222 as customer proprietary information (customer PI). We propose to include within the definition of customer PI protected by Section 222(a) both CPNI as established by Section 222(h) and personally identifiable information (PII) collected by the broadband providers through their provision of BIAS.
18. The Notice then proposes rules protecting consumer privacy using the three foundations of privacy – transparency, choice, and security:
19. Transparency. In recognition of the widespread agreement that companies should inform consumers about their privacy practices, we propose rules to enhance the ability of consumers to make informed choices through effective disclosure of broadband providers’ privacy policies that would include:
What customer information they collect and for what purposes;
What customer information they share and with what types of entities; and
How, and to what extent, customers can opt in or opt out of use and sharing of their personal information.
20. Choice. Because broadband providers are able to view vast swathes of customer data, some of it highly sensitive, including healthcare and financial information, consumers must be empowered to decide how broadband providers may use and share their data. Of course, the use of information for the delivery of broadband services is inherent in the customer-broadband provider relationship. But beyond that, important questions arise, including, for example, when customer data can be used for other purposes or when it can be shared with affiliates and third parties. Thus, the section on customer choice proposes rules aimed at empowering customers to decide the extent to which broadband providers can use and share a customer’s proprietary information, while providing guidance to broadband providers about the nature of their obligations. It looks to the framework of best practices for providing consumers with privacy choices that was recommended by the FTC in its 2012 Privacy Report and proposes a tiered approach to choice, keyed to consumer expectations and context, that recognizes three categories of approval with respect to use of customer PI obtained by virtue of providing the broadband service:
Approval that is inherent in the creation of the customer-broadband provider relationship. Consistent with the statute, the NPRM proposes rules that always allow broadband providers to use and share customer data in order to provide broadband services (for example to ensure that a communication destined for a particular person reaches that destination), and for certain other purposes that make sense within the context of the broadband providers’ relationships with their customers without additional approval from the customer.
Opt-out approval. The NPRM proposes to allow broadband providers themselves (or through their affiliates that provide communications-related services) to use customer PI to market other communications-related services subject to opt-out approval of the customer. Opt-out must be clearly disclosed, easily used, and continuously available. As proposed, communications-related services would not include edge services offered by the broadband provider.
Opt-in approval. The NPRM proposes to require broadband providers to receive opt-in approval from their customers before sharing customer information with non-communications-related affiliates or third parties or before using customer information themselves (or through their communications-related affiliates) for any purpose outside of those described above. We believe that, in an era in which broadband providers are or may be affiliated with content providers, social networks, or companies that serve online ads and forms of social media, opt-in approval is needed to protect the reasonable expectations of consumers, who may not understand that their broadband provider can sell or otherwise share their information with unrelated companies for diverse purposes (such as targeted advertising), or can repurpose customer information for such purposes. A familiar example of opt-in practices appears when a mobile application asks for permission to use geo-location information, contact lists, or photographs on a consumer’s smartphone.
21. The NPRM also seeks comment on the precise boundaries of these three categories. Should we draw a distinction between affiliates whose relationship to the broadband provider is clear to the consumer, for example, where the affiliate and the broadband provider operate under the same brand? Should a broadband provider obtain some form of consumer consent before combining data acquired from third parties with information it obtained by virtue of providing the broadband service?
22. Content. The NPRM recognizes that the sensitivity and confidentiality of personal communications is one of the oldest and most established cornerstones of privacy law. We recognize that other federal laws, including Section 705 of the Communications Act and the Electronic Communications Privacy Act (including those provisions known as the Wiretap Act), already protect content carried over broadband networks. Is more protection needed? We seek comment on whether, and how, Section 222 should be applied to provide additional protection to some or all forms of content or to otherwise complement the effectiveness of existing federal laws.
23. Heightened Protection for Certain Types of Information. The NPRM also seeks comment on whether there are particular types of information, for example, Social Security numbers, financial account information, or geo-location information, that, although included within the definition of customer PI, are so sensitive that they deserve special treatment. If so, should the Commission create a separate category of highly sensitive information, what should be included, how should such information be treated, and how would such a regime be administered in practice?
24. Data Security and Breach Notification. Threats to data security are now the stuff of the daily news – an everyday concern. The starting point for the Commission’s analysis is this: privacy and security are inextricably linked. Indeed, the unauthorized breach of personal data is a pernicious ingredient in identity theft. The Commission recognizes – and applauds – the efforts that America’s broadband providers take to protect the data that they carry from unauthorized access or disclosure. Drawing on FTC guidance, the NPRM proposes that consumers should be able to rely on their broadband provider to take reasonable steps to safeguard customer information from unauthorized use, disclosure, or access. It also seeks comment on whether there are other data security requirements that the Commission should adopt, such as data minimization requirements.
25. The NPRM also considers how and when consumers should be notified about data breaches, so that they can take steps to protect themselves. We acknowledge the myriad state laws requiring data breach notification, which inform our proposal. Recognizing the harms inherent in over-notification (or “notice fatigue”), the NPRM proposes to adopt a trigger as to when notice is needed, and seeks comment on under what circumstances BIAS providers should be required to notify customers of a breach of their PI. The NPRM proposes to require broadband providers to notify affected customers within 10 days of the discovery of a breach that triggers customer notification requirements, proposes to define a “breach,” and seeks comment on whether, in addition, broadband providers should notify customers after discovery of conduct that could reasonably be tied to a breach. It proposes to require that the Commission be notified of all data breaches, and that other federal law enforcement be notified of breaches that impact more than 5,000 customers. It also proposes to require notification to federal law enforcement within seven days of discovery of such a breach, and three days before notification to the customer. It allows law enforcement to seek delay of customer notification.
26. In addition, the NPRM asks for public comment on a series of closely related questions including, for example, whether we should update rules that govern the application of Section 222 to traditional telephone service and interconnected VoIP service in order to harmonize them with the results of this proceeding. Likewise, we seek comment on adopting rules that harmonize the privacy requirements for cable and satellite providers under Sections 631 and 338(i) of the Communications Act with the rules for telecommunications providers. More generally, the NPRM inquires whether there are any uses of data collected by virtue of providing the broadband service that should be prohibited altogether or otherwise subject to particular requirements, for example, the practice of conditioning price discounts on a consumer’s willingness to waive certain privacy interests. Recognizing the importance of giving customers control over their data, the Notice also asks what barriers may exist to the ability of consumers to resolve disputes, and it recognizes the right of customers to access and correct the customer information their broadband provider maintains about them.
27. The Notice also seeks comment on a variety of other proposed frameworks for protecting the privacy of broadband customers, and it seeks comment on using multi-stakeholder processes to further the privacy principles we espouse in this NPRM.
28. The NPRM closes by discussing and inviting comment on our legal authority to adopt these proposed rules. As noted above, the Notice relies on Section 222. The Notice asks for comment on whether there are additional sources of statutory authority for any of the issues identified as a proposal or for which comment is sought. For example, the 2015 Open Internet Order explained how Sections 201 and 202 protect customer information for purposes of the application of its General Conduct rule. Similarly, the Commission has recognized that consumers fearful of the loss of privacy may be less likely to use broadband connectivity, thus decreasing the demand for broadband investment and deployment. In addition, Section 705 of the Communications Act provides protection for the content of communications.