See 45 CFR § 164.404(d)(1). We believe that the HIPAA rule’s provision for substitute notice is not necessary here, where we would expect carriers to have reasonably current contact information about customers affected by a breach.
See, e.g., N.Y. Gen. Bus. Law § 899-aa(5); Arizona Rev. Stat. § 44-7501(D); Ark. Code § 4-110-105(e); Colo. Rev. Stat. § 6-1-716(1)(c). Some states, however, allow for substitute notice depending on the cost and number of affected individuals. See, e.g., Me. Stat. tit. 10 § 1347(4)(C) ($5,000 or 1,000 residents); Mich. Comp. Laws § 445.72(12)(5)(d) ($250,000 and 500,000 residents).
See, e.g., N.J. Stat. Ann. § 56:8-163(c)(1) (requiring notification of the state police); N.Y. Gen. Bus. Law § 899-aa(8)(a) (requiring notification of the state attorney general and the state police). But see, e.g., Md. Com. Law Code Ann. § 14-3504(h) (requiring notification of the state attorney general); Me. Stat. Rev. tit. 10 § 1348(5) (requiring notification to a state entity or to the attorney general).
See, e.g., Data Security and Breach Notification Act of 2015, H.R. 1770, 114th Cong. § 3(a)(5) (2015) (requiring 10,000 individuals); Data Security and Breach Notification Act of 2015, S. 177, 114th Cong. § 4 (2015) (requiring 10,000 individuals).
White House, Legislative Language for Personal Data Notification & Protection Act at 7-8 (2015), https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/data-breach-notification.pdf (last visited Mar. 23, 2016) (requiring 5,000 individuals).
See, e.g., Ga. Code Ann. § 10-1-912(d); Tex. Bus. & Com. Code Ann. § 521.053(h). We note that these agencies are different from law enforcement, but the reason to contact either type of agency with such information is to monitor and protect against harmful misuse of the information.
47 CFR § 64.2011(b).
See supra para. 245.
47 CFR § 64.2011(b). See Federal Communications Commission, CPNI Breach Reporting Facility, https://www.fcc.gov/general/cpni-breach-reporting-facility (last visited Mar. 23, 2016). The website explains that “[p]ursuant to Section 64.2011 of the Commission’s rules (47 CFR § 64.2011), a telecommunications carrier or interconnected VOIP provider that determines that a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI is required to electronically notify the United States Secret Service and the Federal Bureau of Investigation through a central reporting facility. That facility is available at https://www.cpnireporting.gov.” Id. As explained above, our new proposal would make this the reporting facility for all telecommunications carriers.
See 47 CFR § 64.2011(d).
See supra Part 235.A.
2012 FTC Privacy Report at 52.
Id.
Natasha Singer, AT&T’s Offer: Share Your Data for Personalized Ads, or Pay More, N.Y. Times (Feb. 18, 2015), http://bits.blogs.nytimes.com/2015/02/18/atts-offer-share-your-data-for-personalized-ads-or-pay-more/?_r=0.
See, e.g., Bryan Pearson, Nailing Loyalty: 62% of Retailers Boosting Loyalty Budgets, But Do They Have the Right Tools?, Forbes (Oct. 12, 2015), http://www.forbes.com/sites/bryanpearson/2015/10/12/nailing-loyalty-62-of-retailers-boosting-loyalty-budgets-but-do-they-have-the-right-tools/#61afdc565830; Martin H. Bosworth, Loyalty Cards: Reward or Threat?, Consumer Affairs (July 11, 2005), http://www.consumeraffairs.com/news04/2005/loyalty_cards.html.
See, e.g., 2014 White House Big Data Report at 50 (“Advertising and marketing effectively subsidize many free goods on the Internet, fueling an entire industry in software and consumer apps.”).
See InfoSecurity Magazine, Loyalty cards: The Security Risks and the Rewards (Sept. 3, 2009), http://www.infosecurity-magazine.com/magazine-features/loyalty-cards-the-security-risks-and-the-rewards/; Katherine Albrecht, Supermarket Cards: The Tip of the Retail Surveillance Iceberg, 79 Denv. U. L. Rev. 534, 536 (2002). Further, consumers who are aware that their information is exchanged in these transactions may not be comfortable with these arrangements. See 2016 Pew Report at 2 (finding that 47 percent of Americans “say the basic bargain offered by retail loyalty cards—namely, that stores track their purchases in exchange for occasional discounts—is acceptable to them,” while 32 percent find the exchange unacceptable). Additionally, consumers may not fully understand how their information will be used, or the consequences of this information exchange. See Charles Duhigg, How Companies Learn Your Secrets, N.Y. Times Magazine (Feb. 16, 2012), http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?pagewanted=9&_r=1&hp.
See 2016 FTC Big Data Report at 2, 9-11 (discussing how Big Data practices could exacerbate or perpetuate existing disparities); cf. 2014 White House Big Data Report at 50-51 (observing that there are both “enormous benefits associated with the rise of profiling and targeted advertising” and risks that such data could negatively affect “decisions about a consumer’s eligibility for—or the conditions for the provision of—employment, housing, health care, credit, or education”). See also Joseph W. Jerome, Buying and Selling Privacy: Big Data’s Different Burdens and Benefits, 66 Stan. L. Rev. Online 47 (2013) (“Ever-increasing data collection and analysis have the potential to exacerbate class disparities.”).
Public Knowledge White Paper at 64 (arguing that such “pay for privacy” arrangements require careful scrutiny).
See Michael Fertik, Big Data, Privacy and the Huge Opportunity in the Monetization of Trust, World Economic Forum: Davos Daily (Jan. 25, 2012), https://www.weforum.org/agenda/2012/01/davos-daily-big-data-privacy-and-the-huge-opportunity-in-the-monetization-of-trust (arguing that “[ISPs and telecommunications companies] can unlock huge value in collaboration with their end users” by working together to “monetize the latent value of [consumer] data”).
See Remarks of FTC Commissioner Maureen K. Ohlhausen, 33rd Annual Institute on Telecommunications Policy & Regulation, December 4, 2015 (arguing that consumers often benefit from the exchange of personal information and that “[a]s long as ISPs, just like others in the internet ecosystem, tell the truth about how they collect and use consumer data, companies should be free to offer different business models and consumers should be free to choose based on their privacy and other preferences”).
See Sandvine, Deep Packet Inspection (DPI), https://www.sandvine.com/technology/deep-packet-inspection.html (last visited Mar. 24, 2016); Cisco, Using the Service Control Engine and Deep Packet Inspection in the Data Center, http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/SCE_DPI.html (last visited Mar. 24, 2016).
See infra note 419.
See, e.g., Kirch v. Embarq et al., 702 F.3d 1245 (10th Cir. 2012).
In 2007, Comcast drew significant public ire when the Associated Press and the Electronic Frontier Foundation discovered that the network provider was using DPI technology to identify packets originating from peer-to-peer applications and then secretly blocking those packets while allowing other packets to pass through unimpeded. In November 2007, Free Press and other public interest organizations filed a petition with the Commission to demand that Comcast’s activities be stopped, and the Commission subsequently ruled against Comcast and ordered a halt to the company’s blocking practices. Following the Commission’s order, Comcast instituted a new network management system that does not discriminate against or in favor of any Internet applications. See M. Chris Riley & Ben Scott, Free Press, Deep Packet Inspection: The End of The Internet as We Know It? at 4 (2009), http://www.wired.com/images_blogs/threatlevel/files/dpi.pdf.
2012 FTC Privacy Report at 55-56.
Id.
Id. at 56.
Id. The Commission itself has also raised concerns about DPI, noting that it may be used in a manner that may harm the open Internet, such as by limiting access to certain Internet applications, engaging in paid prioritization, and even blocking certain content. See 2015 Open Internet Order, 30 FCC Rcd at 5634, para. 85.
See 2015 Open Internet Order, 30 FCC Rcd at 5634, para. 85 (discussing how DPI can be used for both reasonable network management and to monitor or constrain user activity).
See, e.g., Access, The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy (2015), https://www.accessnow.org/cms/assets/uploads/archive/AIBT-Report.pdf.
Id. at 5.
Verizon UIDH Consent Decree at 2-6, paras. 3-12.
Id. at 7, 9, paras. 18, 23.
47 U.S.C. § 222(b).
See 1999 CPNI Reconsideration Order, 14 FCC Rcd at 14449-50, paras. 77-78 (finding that Section 222(b) restricts carriers’ use of the proprietary information of other carriers, including resellers); see also Implementation of the Subscriber Carrier Selection Changes Provision of the Telecommunications Act of 1996, Policies and Rules Concerning Unauthorized Changes of Consumers’ Long Distance Carriers, Second Report and Order and Further Notice of Proposed Rulemaking, CC Docket No. 94-129, 14 FCC Rcd 1508 (1998) (concluding that section 222(b) prohibits executing carriers from using carrier change information to verify a subscriber’s decision to change carriers after such change has been verified by the submitted carrier).
See 47 U.S.C. § 208; 47 CFR §§ 1.716-1.719; FCC, Consumer Help Center, https://consumercomplaints.fcc.gov/hc/en-us (last visited Feb. 2, 2016).
See, e.g., National Consumer Disputes Advisory Committee, Am. Arbitration Ass’n, Consumer Due Process Protocol Statement of Principles (1998), https://www.adr.org/cs/idcplg?IdcService=GET_FILE&dDocName=ADRSTG_005014&RevisionSelectionMethod=LatestReleased. See also 2015 Open Internet Order, 30 FCC Rcd at 5718, paras. 266-67.
See generally The White House, Nat’l Strategy for Trusted Identities in Cyberspace at 30, 45 (2011), http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf (discussing redress mechanisms and accountability in the context of implementing the FIPPs).
See, e.g., Jessica Silver-Greenberg & Robert Gebeloff, Arbitration Everywhere, Stacking the Deck of Justice, N.Y. Times (Oct. 31, 2015), http://www.nytimes.com/2015/11/01/business/dealbook/arbitration-everywhere-stacking-the-deck-of-justice.html?_r=1 (reporting that AT&T, Verizon, Sprint, and many other large companies have arbitration clauses in their customer contracts, and that, “[o]ver the last few years, it has become increasingly difficult to apply for a credit card, use a cellphone, get cable or Internet service, or shop online without agreeing to private arbitration”); Jessica Silver-Greenberg & Michael Corkery, In Arbitration, a ‘Privatization of the Justice System’, N.Y. Times (Nov. 1, 2015), http://www.nytimes.com/2015/11/02/business/dealbook/in-arbitration-a-privatization-of-the-justice-system.html (reporting that arbitration proceedings lack transparency, are often biased against consumers, and do not abide by traditional due process procedures).
2015 Open Internet Order, 30 FCC Rcd at 5718, para. 267.
In the 2015 Open Internet Order, we agreed with commenters who stated that, “[i]n most cases, consumers must pay filing fees and the arbitrator’s costs, which can amount to thousands of dollars.” These commenters also pointed out that the BIAS provider can select the arbitration location, making the process even costlier, and that arbitrated decisions are not reviewable and often not public, precluding consumers from uncovering potential biases in the process. 2015 Open Internet Order, 30 FCC Rcd at 5718, para. 267 n.689; see also Jessica Silver-Greenberg & Robert Gebeloff, Arbitration Everywhere, Stacking the Deck of Justice, N.Y. Times (Oct. 31, 2015), http://www.nytimes.com/2015/11/01/business/dealbook/arbitration-everywhere-stacking-the-deck-of-justice.html?_r=1; Jessica Silver-Greenberg & Michael Corkery, In Arbitration, a ‘Privatization of the Justice System’, N.Y. Times (Nov. 1, 2015), http://www.nytimes.com/2015/11/02/business/dealbook/in-arbitration-a-privatization-of-the-justice-system.html.
See 2007 CPNI Order, 22 FCC Rcd at 6958, para. 60; 2002 CPNI Order, 17 FCC Rcd at 14890-93, paras. 69-74.
See, e.g., California Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code § 22577(a); California Consumer Protection Against Computer Spyware Act, Cal. Bus. & Prof. Code § 22947.1(k); Cal. Civ. Code § 1798.82(h); Conn. Gen. Stat. Ann. § 36a-701b(a); N.Y. Gen. Bus. Law §§ 899-aa(1)(a), (b); La. Stat. Ann. § 51:3073(4); Fla. Stat. § 501.171(1)(g).
However, this approach does not preclude carriers from establishing that compliance with multiple different CPNI regulatory regimes is unworkable. See 2002 CPNI Order, 17 FCC Rcd at 14891-93 (recognizing the potential burdens associated with different regulatory requirements).
See 2002 CPNI Order, 17 FCC Rcd at 14891, para. 71 (observing that “our state counterparts . . . bring particular expertise to the table regarding competitive conditions and consumer protection issues in their jurisdictions, and privacy regulation, as part of general consumer protection, is not a uniquely federal matter”); 2007 CPNI Order, 22 FCC Rcd at 6958, para. 60.
See 2002 CPNI Order, 17 FCC Rcd at 14891-93 (declining to apply any presumption that more restrictive CPNI requirements would be vulnerable to preemption); 2007 CPNI Order, 22 FCC Rcd at 6958, para. 60.
See Letter from Matthew M. Polka, President & CEO, Am. Cable Ass’n, et al., to The Honorable Tom Wheeler, Chairman, FCC (March 1, 2016) (on file with WCB); New America Open Technology Institute, The FCC’s Role in Protecting Online Privacy (2016), https://static.newamerica.org/attachments/12325-the-fccs-role-in-protecting-online-privacy/CPNI__web.d4fbdb12e83f4adc89f37ebffa3e6075.pdf; Public Knowledge White Paper at 58-69; Letter from Marc Rotenberg, Executive Director, EPIC, et al., to Tom Wheeler, Chairman, FCC (Jan. 20, 2016). Letters from industry associations and public interest groups have also made general recommendations for privacy frameworks and guiding principles. See Letter from Am. Cable Ass’n, et al., to Tom Wheeler, Chairman, FCC (Feb. 11, 2016); Letter from 59 Public Interest Groups to Tom Wheeler, Chairman, FCC (Jan. 20, 2016); Doug Brake, Daniel Castro, & Alan McQuinn, Information Technology and Innovation Foundation, Broadband Privacy: The Folly of Sector-Specific Regulation (2016), http://www2.itif.org/2016-broadband-privacy-folly.pdf; Letter from Jason Kint, CEO, Digital Content Next, to Tom Wheeler, Chairman, FCC (Feb. 26, 2016), https://digitalcontentnext.org/wp-content/uploads/2016/02/DCN-Comments-to-FCC-re-Sec-222-final.pdf.
FTC, Policy Statement on Unfairness, 104 F.T.C. 949, 1070 (Dec. 17, 1980), available at https://www.ftc.gov/public-statements/1980/12/ftc-policy-statement-unfairness; FTC, Policy Statement on Deception, 103 F.T.C. 110, 174 (Oct. 14, 1983), available at https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf.
Marc Rotenberg, Code of Fair Information Practices for the National Information Infrastructure (NII), in Ethics of Computing: Codes, Spaces for Discussion and Law 200 (Jacques Berleur and Klaus Brunnstein eds. 1996).
Doug Brake, Daniel Castro, & Alan McQuinn, Information Technology and Innovation Foundation, Broadband Privacy: The Folly of Sector-Specific Regulation (2016), http://www2.itif.org/2016-broadband-privacy-folly.pdf.
NTIA, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework at vii (2010), https://www.ntia.doc.gov/files/ntia/publications/iptf_privacy_greenpaper_12162010.pdf.