On Thursday, October 27, the FCC passed its long-awaited data security and privacy rules for broadband internet access service (BIAS) providers on a 3-2 party line vote. While we won’t have the final language of the rules for several more weeks, Chairman Wheeler released a fact sheet earlier this month outlining what we should expect from the upcoming order. Unfortunately, albeit not surprisingly, the Commission has decided to move forward with its ex ante prescriptive approach and will not follow the FTC’s case-by-case framework.
However, based on the fact sheet and today’s discussion, the Commission has made significant positive changes to at least two sections of the rules about which CompTIA expressed concerns in our comments earlier this year. Both the data breach notification rules and the consumer consent requirements are in a better place than they were in the initial proposed rules, but new concerns have arisen as well.
From what we can glean so far, the changes to the data breach notification rules are some of the most notable of any changes the FCC has made since receiving feedback on its proposed rules. The Commission appears to have removed simple “access” to customer information from its definition of “breach,” as we had requested. It also has included a harm trigger, allowing ISPs to establish “that no harm is reasonably likely to occur” before notification is required. Finally, the Commission dispensed with its proposed 10-day breach notification window and instead extended it to a more reasonable 30 days. These changes comport with the data breach notification standards currently imposed by the states, will help prevent consumer over-notification, and will allow ISPs adequate time to conduct risk assessments.
The FCC has also shifted its model of consumer consent to more closely mirror the FTC’s approach. In its proposed rules last spring the Commission laid out a specific list of data uses for which opt-out consent was appropriate, which meant all other uses required opt-in consent. Fearing this approach could harm innovation, stakeholders across the spectrum, including CompTIA and the FTC itself, suggested that the FCC shift to a model in which opt-in consent is only required for use of sensitive data, and the FCC has obliged . . . sort of.
The FCC has implemented a sensitivity-based approach for when opt-in consent is necessary, but it has also expanded the definition of “sensitive information” far beyond anything the FTC has ever used. In particular, it has included web browsing and app usage history in its definition. This now creates an incongruous standard for when opt-in consent is necessary depending on who is collecting the data, with ISPs on one side and everyone else on the other.
We will have to wait several more weeks before we have the rules in full and can see if the Commission adopted some of the other changes we requested in our comments. Based on what we know, however, the FCC got part of the way towards getting these rules right, but ultimately came up short.