Date: May 10, 2016
Law360, New York (May 10, 2016, 12:16 PM ET) --
As widely reported, the Federal Communications Commission adopted a notice of proposed rulemaking on March 31, 2016, requesting comment on a comprehensive set of proposed rules intended to protect the confidentiality and security of customer proprietary network information (CPNI) and personally identifiable information (PII) (collectively referred to as “customer proprietary information” or “customer PI”) that broadband internet access service (BIAS) providers acquire by virtue of their business relationship with customers. The NPRM is broad in scope and addresses a range of privacy and security issues, but reflects uncertainty as to how to best protect customer PI, effectively asking the public to weigh in on a host of proposals involving hundreds of discrete questions.
One justification for the commission’s sweeping proposals is that BIAS customers cannot readily switch from one broadband provider to another, whereas consumers can readily change browsers and search engines. Fundamentally, the NPRM seeks to grant BIAS customers greater control over the extent to which broadband providers use customer PI and share it with affiliates and unaffiliated third parties, but adoption of the major proposals would impact other parties in the ecosystem with whom broadband providers interact and share data. In addition, the NPRM repeatedly asks whether the FCC should seek to “harmonize” existing rules applicable to voice, cable and satellite providers with those adopted in this proceeding. While the NPRM applies to a limited set of services (and the NPRM proposes that “communications-related services” not include edge services offered by broadband providers), the proposed definitions and principles could have a significant ripple effect on the entire digital ecosystem.
The NPRM tracks the approach staked out in the commission’s 2015 open internet order, which reversed the long-standing position that high speed internet access service is a lightly regulated “information service,” and reclassified BIAS as a more highly regulated “telecommunications service.” The intended effect of “reclassification” is that the FCC positioned itself to exercise its extensive statutory authority under Title II of the Communications Act over cable companies, wireline telecom carriers, fixed wireless (for-profit Wi-Fi service providers) and mobile wireless carriers offering BIAS. In particular, Section 222 of Title II imposes certain privacy and confidentiality obligations on “telecommunications carriers” that receive or obtain CPNI by virtue of providing a telecommunications service. In the 2015 open internet order, which is on appeal before the D.C. Circuit, the FCC expressly deferred the question of how Section 222 of the Communications Act should be applied to BIAS. The order also expressly excluded high speed internet access service provided to “enterprise customers” from the definition of BIAS, and this distinction is carried forward in the NPRM.
The NPRM adds further complexity to the evolving U.S. privacy and data security landscape. Unlike other countries that have overarching privacy laws, the U.S. landscape is comprised of a host of sector-specific federal laws (e.g., laws governing health, financial and children’s information), state consumer protection, data breach notification and data security laws, industry guidelines, and self-regulatory frameworks. A broad set of actors has enforcement authority under these laws. At the federal level, the most prominent is the Federal Trade Commission through its authority over unfair or deceptive acts or practices under Section 5 of the Federal Trade Commission Act, but the FCC has taken a heightened interest in online privacy matters over the last few years.
The reclassification of BIAS as a “telecommunications service” in the 2015 open internet order affected the FTC’s long-standing authority over the privacy practices of broadband providers under Section 5 of the FTC Act, as telecommunications carriers are not subject to the FTC’s jurisdiction when engaging in telecommunications carrier activities. Through a memorandum of understanding issued in November of last year, the FCC and FTC confirmed their ongoing cooperation on consumer protection matters and complementary authority with regard to practices by telecommunications carriers. In separate dissenting statements to the NPRM, however, FCC Commissioners Michael O’Rielly and Ajit Pai questioned the FCC’s authority and expertise to regulate privacy and data security, and opined that those matters would be better addressed by agencies with more experience enforcing privacy and data security laws in a technology-neutral manner, such as the FTC.
The new definitions proposed in the NPRM are essential to the scope and potential impact of the proposed rules on broadband providers and other participants in the internet ecosystem.
CPNI in the Broadband Context
The NPRM seeks to expand the existing definition of CPNI in Section 222(h) of the Communications Act and apply it to the broadband context. As currently defined, CPNI includes principally “information that relates to the quantity, technical configuration, type, destination, location and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.”
While the NPRM invites parties to identify any data elements that should be deemed CPNI in the broadband context, the FCC proposes, at a minimum, the following categories: (1) service plan information (including transmission technology), speed, pricing and data cap information; (2) geo-location; (3) media access control (MAC) addresses and other device identifiers; (4) IP addresses and domain name information; and (5) traffic statistics. In addition, the FCC seeks comment on whether port information, application headers, application usage and information regarding customer premises equipment should be considered CPNI.
Personally Identifiable Information
The NPRM breathes life into the undefined and largely ignored statutory term “customer proprietary information” in Section 222(a). This is accomplished through an expansive definition of PII that includes “any information that is linked or linkable to an individual.” The FCC proposed an extensive list of information that could constitute PII, which the NPRM refers to as “illustrative” and “nonexhaustive.” It largely encompasses the proposed definition of CPNI and includes the following:
□ Social Security number
□ Date and place of birth
□ Mother’s maiden name
□ Driver’s license, passport, and other government identification numbers
□ Physical address
□ Email address or other online contact information
□ Phone numbers
□ MAC address or other unique device identifiers
□ IP addresses
□ Persistent online identifiers
□ Eponymous and noneponymous online identities
□ Account numbers and information (including account login information)
□ Internet browsing history
□ Traffic statistics
□ Application usage data
□ Current or historical geolocation
□ Financial information
□ Shopping records
□ Medical and health information
□ The fact of a disability and information relating to a disability
□ Biometric information
□ Education information
□ Employment information
□ Information relating to family members
□ Sexual identity or orientation
□ Other demographic information
□ Information identifying personally owned property (e.g., license plates and device serial numbers)
The NPRM also inquires whether the content of customer communications should fall within the definition of PII or CPNI, recognizing that the Electronic Communications Privacy Act, Communications Assistance for Law Enforcement Act, and Section 705 of the Communications Act protect such content. Given the breadth of the defined terms CPNI and PII and the important role they play in the commission’s proposals, affected parties should consider proposing more honed, realistic alternatives and provide practical examples of adverse business implications should the commission’s definitions be adopted.
Tracy Marshall is a partner in Keller and Heckman's Washington, D.C., office. She assists clients with a range of business and regulatory matters, including privacy and data security matters.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.