A.Steps Take to Minimize the Significant Economic Impact on Small Entities and Significant Alternatives Considered

A.Steps Take to Minimize the Significant Economic Impact on Small Entities and Significant Alternatives Considered

379.The Commission expects to consider the economic impact on small providers, as identified in comments filed in response to the Notice and this IRFA, in reaching its final conclusions and taking action in this proceeding. Moreover, in formulating these rules, we seek to provide flexibility for small providers whenever possible, by setting out standards and goals for the providers to reach in whichever way is most efficient for them. ^{NOTEREF _Ref445303279}

380.Definitions. As discussed above, in proposing definitions to accompany these proposed rules we seek comment on alternative formulations, including alternatives that could reduce burdens on small providers. ^{NOTEREF _Ref445303279} We seek comment on alternative definitions of the terms affiliate; ^{NOTEREF _Ref445303279} customer; ^{NOTEREF _Ref445303279} CPNI; ^{NOTEREF _Ref445303279} customer PI; ^{NOTEREF _Ref445303279} opt-out and opt-in approval; ^{NOTEREF _Ref445303279} communications-related services; ^{NOTEREF _Ref445303279} breach; ^{NOTEREF _Ref445303279} and other terms ^{NOTEREF _Ref445303279} and ask how such alternatives could affect the benefits and burdens to small providers. ^{NOTEREF _Ref445303279} In addition to these requests for comment, we seek comment generally on alternative definitions that would reduce burdens on small providers.

381.Providing Meaningful Notice of Privacy Policies. As discussed above, we seek comment on alternative approaches to our proposed privacy notice rules that would alleviate burdens on small providers. ^{NOTEREF _Ref445303279} In particular, we seek comment on notice practices currently in use and industry best practices, in order to develop efficient and effective options. ^{NOTEREF _Ref445303279} We seek comment on the compliance burden associated with our proposed rules and alternatives that would alleviate the burden on small providers in particular. ^{NOTEREF _Ref445303279} We seek comment on whether a privacy policy safe harbor rule would ease the regulatory burden on small providers. ^{NOTEREF _Ref445303279} We also seek comment on other alternatives for simplifying and standardizing privacy notices and whether these approaches, such as the creation of a privacy dashboard, could alleviate burdens on small providers. ^{NOTEREF _Ref445303279} For notices of material changes to privacy policies, we specifically seek comment on burdens, compliance costs, and alternatives for small providers. ^{NOTEREF _Ref445303279}

382.Customer Approval Requirements for the Use and Disclosure of Customer PI. As discussed above, we seek comment on alternative customer approval rules that could alleviate burdens on small providers while preserving the ability of all BIAS customers to have meaningful choices in the use and disclosure of their personal information. ^{NOTEREF _Ref445303279} Choice is a critical component of protecting the confidentiality of customer proprietary information. We seek comment on ways to minimize the burden of our proposed customer choice framework on small BIAS providers. ^{NOTEREF _Ref445303279} In particular, we seek comment on whether there are any small-provider-specific exemptions that we might build into our proposed approval framework. For example, should we allow small providers who have already obtained customer approval to use their customers’ proprietary information to grandfather in those approvals? Should this be allowed for third parties? Should we exempt providers that collect data from fewer than 5,000 customers a year, provided they do not share customer data with third parties? ^{NOTEREF _Ref445303279} Are there other such policies that would minimize the burden of our proposed rules on small providers? If so, would the benefits to small providers of any suggested exemptions outweigh the potential negative impact of such an exemption on the privacy interests of the customers of small BIAS providers? Further, were we to adopt an exemption, how would we define what constitutes a “small provider” for purposes of that exemption?

383.Use and Disclosure of Aggregate Customer PI. As discussed above, we seek comment on alternative approaches to the use and disclosure of aggregate customer PI that could alleviate burdens on small BIAS providers. ^{NOTEREF _Ref445303279} In particular, we seek comment on an approach to aggregate customer PI that is similar to that used by HIPAA, and whether such an approach would be less burdensome to small BIAS providers. ^{NOTEREF _Ref445303279} We also ask that as commenters consider whether we should adopt each of the prongs of our proposed rule, and any proposed alternatives, that they also consider how we could limit any burdens associated with compliance, particularly for small providers. ^{NOTEREF _Ref445303279}

384.Securing Customer Proprietary Information. As discussed above, we seek comment on alternative approaches to secure customer proprietary information that could alleviate burdens on small BIAS providers. ^{NOTEREF _Ref445303279} We propose that any specific security measures employed by a BIAS provider take into consideration the nature and scope of the BIAS provider’s activities, because we believe that this sliding scale approach will afford sufficient flexibility for small providers while still protecting their customers. ^{NOTEREF _Ref445303279} The Commission has previously explained that “privacy is a concern which applies regardless of carrier size or market share.” ^{NOTEREF _Ref445303279} However, we recognize that the same data security protections may not be necessary in all cases. For example, a small provider with only a few customers may not store, use, or disclose customer PI in the same manner as a large provider. In such a case, what constitutes “reasonable” safeguards might be different. We seek comment on current data security practices in the industry and alternative structures that can build on current best practices to alleviate burdens. ^{NOTEREF _Ref445303279} We seek comment on alternatives to our proposed rule on account change notifications that could reduce burdens on small providers. ^{NOTEREF _Ref445303279} When discussing whether to require multi-factor authentication or contractual data security commitments from third party recipients of customer PI, we seek comment on the burdens such proposals could place on small providers and alternatives that could reduce such burdens. ^{NOTEREF _Ref445303279} We also ask that comments and proposals regarding data destruction discuss potential burdens for small providers. ^{NOTEREF _Ref445303279}

385.Data Breach Notification Requirements. As discussed above, we seek comment on alternative approaches to data breach notifications that could alleviate burdens on small providers. ^{NOTEREF _Ref445303279} In particular we propose a threshold of 5,000 affected customers for breach notification of the Federal Bureau of Investigation and U.S. Secret Service, and seek comment on how such a threshold could benefit or burden small providers. ^{NOTEREF _Ref445303279} We also seek comment on record retention rules and alternatives that could reduce compliance burdens. ^{NOTEREF _Ref445303279}

386.Other Practices Implicating Privacy. As discussed above, in seeking comment on whether to prohibit specific practices implicating privacy, we also seek comment on how proposals and alternatives can alleviate burdens on small providers. ^{NOTEREF _Ref445303279} In particular, when seeking comment on whether heightened notice and choice requirements are necessary for some practices, we specifically ask commenters to address the burdens of their proposals on small providers, and alternatives to reduce such burdens. ^{NOTEREF _Ref445303279}

387.Dispute Resolution. As discussed above, in seeking comment on potential approaches to dispute resolution, we also seek comment on how proposals and alternatives can benefit or burden small providers. ^{NOTEREF _Ref445303279}