Extends CPNI Section 222 to Broadband
The Open Internet Order does not forbear from applying Section 222 of the Act to broadband Internet access service providers. It does, however, forbear from applying its existing customer proprietary network information (“CPNI”) rules, in recognition that those rules deal with the privacy of customer information connected with their use of the traditional telephone network, and thus do not readily apply in the broadband context. The question of applying Section 222 to broadband is likely to be both complex and contentious as the Commission proceeds in this area.
Section 222 and the CPNI Rules
Section 222 governs the protection and use of certain customer information by telecommunications carriers. The FCC found that forbearance from Section 222 was not in the public interest because “[b]roadband providers . . . are in a position to obtain vast amounts of personal and proprietary information about their customers.” Consequently, without regulatory privacy protections, “use or disclosure of that information” could be at odds with consumer interests. In justifying this conclusion, the Commission also returned to its “virtuous cycle” theory: failing to apply privacy protections for broadband Internet customers could “lower the likelihood of broadband adoption and [lead to] decreasing consumer demand.”
The Commission concluded, however, that forbearance is appropriate with respect to the existing CPNI rules because those rules are not necessarily “well-suited” to broadband service. For example, the Commission noted that the current rules focus on information related to voice services, such as “call detail” records, but do not readily apply to many of the types of information that a broadband Internet provider would have access to, such as a customer’s web browsing history. The Commission indicated that this forbearance was only temporary, pending the adoption of Internet-specific rules pursuant to a separate rulemaking.
We anticipate that the rulemaking will commence over the summer, and will likely probe providers’ current operations and practices, including their handling of customers’ Internet and data usage information. The Order suggests that the Commission may consider whether providers’ use of broadband customer information for purposes beyond traffic routing should be proscribed under new regulations. The Commission may also adopt a wide range of use limitations (including marketing restrictions), opt-out/-in consents, notice, authentication, disclosure and breach reporting rules (consistent with the framework of existing rules for voice customer information).
Interaction with Other Laws
By not forbearing from Section 222, the Commission has expanded the scope of privacy obligations under that provision, but the Commission confirmed that nothing in the Order supersedes or limits providers’ existing duties to comply with law enforcement, national security, emergency communications and public safety mandates under other security and privacy statutes like CALEA, FISA, and ECPA. Notably absent from the Order was any reference to interaction with Section 631 of the Act, which governs the collection, use, and disclosure of subscriber “personally identifiable information” by a cable operator when providing a cable service or “other service.” The Commission’s rulemaking to establish the new Section 222 rules may address and clarify the interaction between these two statutes.
The Commission did not alter the current requirement to disclose privacy policies as part of its “enhancements” to the transparency rule, which requires providers to make certain disclosures regarding its network management practices, performance characteristics and commercial terms (including consumer privacy issues such as the collection, inspection, storage, disclosure and use of network traffic).
Notably, the Order refers to the use of packet inspection technologies by broadband Internet providers to monitor traffic for network management purposes and determine the lawfulness of certain sites and content, which has often been the subject of criticism by consumer privacy advocates. The Commission determined, however, that the rules adopted in the Order, accompanied by the privacy tools available to consumers, adequately addressed the privacy concerns.
The Order indicates that the FCC’s Consumer Advisory Committee will develop a format for network management disclosures that will offer a safe harbor to those that utilize it, so broadband Internet providers should review that format when it is approved. To the extent providers do not include this information directly in their published privacy policies, they should consider including a referral link to their existing network management disclosures.
Enforcement & Jurisdictional Challenges
The Order also presents a heightened risk of potential privacy enforcement actions. The agency has recently initiated enforcement actions based on claimed data breaches (not addressed by existing regulations under Section 222), alleging that such breaches violate a carrier’s duties under both Section 222(a) and Section 201(b). Although viability of such actions remains questionable, this Order reaffirms the Commission’s intent to broadly construe the scope of providers’ extensive (and presently undefined) privacy duties under those statutes.
In the absence of applicable CPNI rules, the Commission is likely to use this broad authority to police and enforce providers’ compliance with statements and practices they set forth in their privacy policies, akin to the privacy and information security enforcement activities of the Federal Trade Commission. The FTC, in turn, has publicly criticized the FCC’s assumption of a new enforcement role, asserting that the enlarged scope of activities for “common carriers” will lead to enforcement challenges between the agencies. Before reclassification, the FTC could ostensibly use its Section 5 enforcement authority to enforce the privacy promises and security practices of broadband Internet providers. After reclassification, the FTC’s role could be significantly reduced pursuant to the FTC Act’s common carrier exemption. In a pending enforcement action, however, the FTC has taken the position that the common carrier exemption is a narrow “activity-based” exception that only applies to the degree the entity is engaged in “common carrier activities.” Until the courts or Congress determine how jurisdiction should be allocated between the agencies, providers could be subject to both FTC and FCC enforcement actions (and jurisdictional battles).