Federal Communications Commission FCC 16-148
1
Before the
Federal Communications Commission
Washington, D.C. 20554
In the Matter of
Protecting the Privacy of Customers of Broadband
and Other Telecommunications Services
)
)
)
)
WC Docket No. 16-106
REPORT AND ORDER
Adopted: October 27, 2016 Released: November 2, 2016
By the Commission: Chairman Wheeler and Commissioner Rosenworcel issuing separate statements;
Commissioner Clyburn approving in part, concurring in part and issuing a statement; Commissioners Pai
and O’Rielly dissenting and issuing separate statements.
TABLE OF CONTENTS
Para.
I. INTRODUCTION.................................................................................................................................. 1
II. EXECUTIVE SUMMARY.................................................................................................................... 6
III. ESTABLISHING BASELINE PRIVACY PROTECTIONS FOR CUSTOMERS OF
TELECOMMUNICATIONS SERVICES ........................................................................................... 19
A. Background and Need for the Rules .............................................................................................. 20
B. Scope of Privacy Protections under Section 222 ........................................................................... 38
1. The Rules Apply to Telecommunications Carriers and Interconnected VoIP Providers ........ 39
2. The Rules Protect Customers’ Confidential Information........................................................ 41
3. Scope of Customer Information Covered by These Rules ...................................................... 46
4. De-identified Data ................................................................................................................. 106
C. Providing Meaningful Notice of Privacy Policies ....................................................................... 122
1. Required Privacy Disclosures................................................................................................ 126
2. Timing and Placement of Notices ......................................................................................... 137
3. Form and Format of Privacy Notices .................................................................................... 144
4. Advance Notice of Material Changes to Privacy Policies..................................................... 156
5. Harmonizing Voice Rules ..................................................................................................... 164
D. Customer Approval Requirements for the Use and Disclosure of Customer PI.......................... 166
1. Applying a Sensitivity-Based Customer Choice Framework................................................ 172
2. Congressionally-Recognized Exceptions to Customer Approval Requirements for
Use and Sharing of Customer PI ........................................................................................... 201
3. Requirements for Soliciting Customer Opt-Out and Opt-In Approval ................................. 221
4. Customers’ Mechanisms for Exercising Privacy Choices..................................................... 228
5. Eliminating Periodic Compliance Documentation................................................................ 234
E. Reasonable Data Security ............................................................................................................ 235
1. BIAS and Other Telecommunications Providers Must Take Reasonable Measures to
Secure Customer PI............................................................................................................... 238
2. Practices That Are Exemplary of Reasonable Data Security ................................................ 248
3. Extension of the Data Security Rule to Cover Voice Services.............................................. 256
F. Data Breach Notification Requirements ...................................................................................... 261
1. Harm-Based Notification Trigger.......................................................................................... 263
Federal Communications Commission FCC 16-148
2
2. Notification to the Commission and Federal Law Enforcement ........................................... 275
3. Customer Notification Requirements.................................................................................... 283
4. Record Retention................................................................................................................... 292
5. Harmonization....................................................................................................................... 293
G. Particular Practices that Raise Privacy Concerns ........................................................................ 294
1. BIAS Providers May Not Offer Service Contingent on Consumers’ Surrender of
Privacy Rights ....................................................................................................................... 295
2. Heightened Requirements for Financial Incentive Practices................................................. 298
H. Other Issues.................................................................................................................................. 304
1. Dispute Resolution ................................................................................................................ 304
2. Privacy and Data Security Exemption for Enterprise Voice Customers ............................... 306
I. Implementation ............................................................................................................................ 310
1. Effective Dates and Implementation Schedule for Privacy Rules......................................... 311
2. Uniform Timeline for BIAS and Voice Services .................................................................. 316
3. Treatment of Customer Consent Obtained Prior to the Effective and Implementation
Date of New Rule.................................................................................................................. 317
4. Limited Extension of Implementation Period for Small Carriers.......................................... 320
J. Preemption of State Law.............................................................................................................. 324
IV. LEGAL AUTHORITY....................................................................................................................... 332
A. Section 222 of the Act Provides Authority for the Rules ............................................................ 333
1. Section 222 Applies to BIAS Providers Along With Other Telecommunications
Carriers .................................................................................................................................. 334
2. Section 222(a) Provides Authority for the Rules as to Customer PI ..................................... 343
3. Section 222(c) Provides Authority for the Rules as to CPNI................................................ 364
B. Sections 201(b) and 202(a) Provide Additional Authority to Protect Against Privacy
Practices That Are “Unjust or Unreasonable” or “Unjustly or Unreasonably
Discriminatory” ........................................................................................................................... 368
C. Title III of the Communications Act Provides Independent Authority........................................ 371
D. The Rules Are Also Consistent With the Purposes of Section 706 of the 1996 Act ................... 372
E. We Have Authority to Apply the Rules to Interconnected VoIP Services .................................. 373
F. Constitutional Considerations...................................................................................................... 375
1. Our Sensitivity-Based Choice Framework Is Supported by the Constitution ....................... 375
2. Other First Amendment Arguments ...................................................................................... 388
G. Severability .................................................................................................................................. 393
V. PROCEDURAL MATTERS.............................................................................................................. 394
A. Regulatory Flexibility Analysis ................................................................................................... 394
B. Paperwork Reduction Act............................................................................................................ 395
C. Congressional Review Act........................................................................................................... 397
D. Accessible Formats ...................................................................................................................... 398
VI. ORDERING CLAUSES..................................................................................................................... 399
APPENDIX A Final Rules
APPENDIX B Final Regulatory Flexibility Analysis
I. INTRODUCTION
1. In this Report and Order (Order), we apply the privacy requirements of the
Communications Act of 1934, as amended (the Act) to the most significant communications technology
of today—broadband Internet access service (BIAS). Privacy rights are fundamental because they protect
important personal interestsfreedom from identity theft, financial loss, or other economic harms, as
well as concerns that intimate, personal details could become the grist for the mills of public
embarrassment or harassment or the basis for opaque, but harmful judgments, including discrimination.
In adopting Section 222 of the Communications Act, Congress recognized the importance of protecting
the privacy of customers using telecommunications networks. Section 222 requires telecommunications
Federal Communications Commission FCC 16-148
3
carriers to protect the confidentiality of customer proprietary information. By reclassifying BIAS as
telecommunications service, we have an obligation to make certain that BIAS providers are protecting
their customers’ privacy while encouraging the technological and business innovation that help drive the
many benefits of our increasingly Internet-based economy.
2. Internet access is a critical tool for consumersit expands our access to vast amounts of
information and countless new services. It allows us to seek jobs and expand our career horizons; find
and take advantage of educational opportunities; communicate with our health care providers; engage
with our government; create and deepen our ties with family, friends and communities; participate in
online commerce; and otherwise receive the benefits of being digital citizens. Broadband providers
provide the “on ramp” to the Internet. These providers therefore have access to vast amounts of
information about their customers including when we are online, where we are physically located when
we are online, how long we stay online, what devices we use to access the Internet, what websites we
visit, and what applications we use.
3. Without appropriate privacy protections, use or disclosure of information that our
broadband providers collect about us would be at odds with our privacy interests. Through this Order, we
therefore adopt rules that give broadband customers the tools they need to make informed choices about
the use and sharing of their confidential information by their broadband providers, and we adopt clear,
flexible, and enforceable data security and data breach notification requirements. We also revise our
existing rules to provide harmonized privacy protections for voice and broadband customersbringing
privacy protections for voice telephony and other telecommunications services into the modern
framework we adopt today.
4. In response to the NPRM, we received more than 275,000 submissions in the record of
this proceeding, including comments, reply comments, and ex parte communications from consumers;
broadband and voice providers and their associations; public interest groups; academics; federal, state,
and local governmental entities; and others. We have listened and learned from the record. In adopting
final rules, we rely on that record and in particular we look to the privacy and data security work done by
the Federal Trade Commission (FTC), as well as our own work adopting and revising rules under Section
222. We have also taken into account the concepts that animate the Administration’s Consumer Privacy
Bill of Rights (CPBR), and existing privacy and data security best practices.
5. The privacy framework we adopt today focuses on transparency, choice, and data
security, and provides heightened protection for sensitive customer information, consistent with customer
expectations. In adopting these rules we honor customer’s privacy rights and implement the statutory
requirement that carriers protect the confidentiality of customer proprietary information. These rules do
not prohibit broadband providers from using or sharing customer information, but rather are designed to
protect consumer choice while giving broadband providers the flexibility they need to continue to
innovate. By bolstering customer confidence in broadband providers’ treatment of confidential customer
information, we also promote the virtuous cycle of innovation in which new uses of the network lead to
increased end-user demand for broadband, which drives network improvements, which in turn lead to
further innovative network uses, business growth, and innovation.
II. EXECUTIVE SUMMARY
6. Today we adopt rules protecting the privacy of broadband customers. We also revise our
current rules to harmonize our rules for all telecommunications carriers. In this Order, we first offer some
background, explaining the need for these rules, and then discuss the scope of the rules we adopt. In
discussing the scope of the rules, we define “telecommunications carriers” that are subject to our rules
and the “customers” those rules are designed to protect. We also define the information protected under
Section 222 as customer proprietary information (customer PI).
1
We include within the definition of
1
See 47 U.S.C. § 222(a) (“Every telecommunications carrier has a duty to protect the confidentiality of proprietary
information of, and relating to . . . customers.”).
Federal Communications Commission FCC 16-148
4
customer PI three types of information collected by telecommunications carriers through their provision
of broadband or other telecommunications services that are not mutually exclusive: (i) individually
identifiable Customer Proprietary Network Information (CPNI) as defined in Section 222(h);
2
(ii)
personally identifiable information (PII); and (iii) content of communications. We also adopt and explain
our multi-part approach to determining whether data has been properly de-identified and is therefore not
subject to the customer choice regime we adopt for customer PI.
7. We next adopt rules protecting consumer privacy using the three foundations of
privacytransparency, choice, and security:
8. Transparency. Recognizing the fundamental importance of transparency to enable
consumers to make informed purchasing decisions, we require carriers to provide privacy notices that
clearly and accurately inform customers about what confidential information the carriers collect, how they
use it, under what circumstances they share it, and the categories of entities with which they will share it.
We also require that carriers inform their customers about customers’ rights to opt in to or opt out (as the
case may be) of the use or sharing of their confidential information. We require that carriers present their
privacy notice to customers at the point of sale, and that they make their privacy policies persistently
available and easily accessible on their websites, applications, and the functional equivalents thereof.
Finally, consistent with FTC best practices and with the requirements in the CPBR,
3
we require carriers to
give their customers advance notice of material changes to their privacy policies.
9. Choice. We find that because broadband providers are able to view vast swathes of
customer data, customers must be empowered to decide how broadband providers may use and share their
data. In this section, we adopt rules that give customers of BIAS and other telecommunications services
the tools they need to make choices about the use and sharing
4
of customer PI, and to easily adjust those
choices over the course of time. In adopting rules governing customer choice, we look to the best
practices framework recommended by the FTC in its 2012 Privacy Report
5
as well as the choice
framework in the Administration’s CPBR and adopt a framework that provides heightened protections for
sensitive customer information. For purposes of the sensitivity-based customer choice framework we
adopt today, we find that sensitive customer PI includes financial information, health information, Social
Security numbers, precise geo-location information, information pertaining to children, content of
communications, web browsing history, application usage history, and the functional equivalents of web
browsing history or application usage history. With respect to voice services, we also find that call detail
information is sensitive information. We also adopt a tiered approach to choice, by reference to consumer
expectations and context that recognizes three categories of approval with respect to use of customer PI
obtained by virtue of providing the telecommunications service:
2
Consistent with the statutory definition of CPNI, we define CPNI with respect to BIAS providers as “information
that relates to the quantity, technical configuration, type, destination, location, and amount of use of a
telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made
available to the carrier by the customer solely by virtue of the carrier-customer relationship.” See infra Part
III.B.3.a(i).
3
See Executive Office of the President, Administration Discussion Draft: Consumer Privacy Bill of Rights Act
(2015), https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/cpbr-act-of-2015-discussion-draft.pdf
(“2015 Administration CPBR Discussion Draft” or “CPBR”).
4
Section 222 addresses the conditions under which carriers may “use, disclose, or permit access to” customer
information. 47 U.S.C. § 222(c)(1), (c)(3), (d), (f). For simplicity throughout this document we sometimes use the
terms “disclose” or “share” in place of “disclose or permit access to.”
5
See generally Fed. Trade Commn, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations
for Businesses and Policymakers (2012), https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-
commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf
(2012 FTC Privacy Report).
Federal Communications Commission FCC 16-148
5
Opt-in Approval. We adopt rules requiring carriers to obtain customers’ opt-in approval for
use and sharing of sensitive customer PI (and for material retroactive changes to carriers’
privacy policies). A familiar example of opt-in practices appears when a mobile application
asks for permission to use geo-location information.
Opt-out Approval. Balancing important governmental interests in protecting consumer
privacy and the potential benefits that may result from the use of non-sensitive customer PI,
we adopt rules requiring carriers to obtain customers’ opt-out approval for the use and
sharing of non-sensitive customer PI.
Congressionally-Recognized Exceptions to Customer Approval Requirements. Consistent
with the statute, we adopt rules that always allow broadband providers to use and share
customer data in order to provide broadband services (for example to ensure that a
communication destined for a particular person reaches that destination), and for certain other
purposes.
10. Data Security and Breach Notification. At its most fundamental, the duty to protect the
confidentiality of customer PI requires telecommunications carriers to protect the customer PI they collect
and maintain. We encourage all carriers to consider data minimization strategies and to embrace the
principle of privacy by design. To the extent carriers collect and maintain customer PI, we require BIAS
providers and other telecommunications carriers to take reasonable measures to secure customer PI. To
comply with this requirement, a carrier must adopt security practices appropriately calibrated to the nature
and scope of its activities, the sensitivity of the underlying data, the size of the provider, and technical
feasibility. We decline to mandate specific activities that carriers must undertake in order to meet the
reasonable data security requirement. We do, however, offer guidance on the types of data security
practices we recommend providers strongly consider as they seek to comply with our data security
requirement, while recognizing that what constitutes “reasonable” data security evolves over time.
11. We also adopt data breach notification requirements. In order to ensure that affected
customers and the appropriate federal agencies receive notice of data breaches that could result in harm,
we adopt rules requiring BIAS providers and other telecommunications carriers to notify affected
customers, the Commission, and the FBI and Secret Service unless the carrier is able to reasonably
determine that a data breach poses no reasonable risk of harm to the affected customers. In the interest of
expedient law enforcement response, such notice must be provided to the Commission, the FBI, and
Secret Service within seven business days of when a carrier reasonably determines that a breach has
occurred if the breach impacts 5,000 or more customers; and must be provided to the applicable federal
agencies at least three days before notice to customers. For breaches affecting fewer than 5,000
customers, carriers must notify the Commission without unreasonable delay and no later than thirty (30)
calendar days following the carrier’s reasonable determination that a breach has occurred. In order to
allow carriers more time to determine the specifics of a data breach, carriers must provide notice to
affected customers without unreasonable delay, but within no more than 30 days.
12. Particular Practices that Raise Privacy Concerns. Next, we find that take-it-or-leave-it
offerings of broadband service contingent on surrendering privacy rights are contrary to the requirements
of Sections 222 and 201 of the Act, and therefore prohibit that practice. We also adopt heightened
disclosure and affirmative consent requirements for BIAS providers that offer customers financial
incentives, such as lower monthly rates, in exchange for the right to use the customers’ confidential
information. Because the record contains very little about financial incentive practices of voice providers,
this section of the Order is limited to BIAS providers.
13. Next we address several other issues raised in our rulemaking, including dispute
resolution; the request for an exemption for enterprise customers of telecommunications services other
than BIAS; federal preemption; and the timeline for implementation.
14. Dispute Resolution. We reaffirm customers’ right to use the Commission’s existing
dispute resolution procedures and commit to initiating a rulemaking on the use of mandatory arbitration
Federal Communications Commission FCC 16-148
6
requirements in consumer contracts for broadband and other communications services, acting on a notice
of proposed rulemaking in February 2017.
15. Exemption for Enterprise Customers of Telecommunications Services other than BIAS.
Recognizing that enterprise customers of telecommunications services other than BIAS have different
privacy concerns and the capacity to protect their own interests, we find that a carrier that contracts with
an enterprise customer for telecommunications services other than BIAS need not comply with the
privacy and data security rules we adopt today if the carrier’s contract with that customer specifically
addresses the issues of transparency, choice, data security, and data breach and provides a mechanism for
the customer to communicate with the carrier about privacy and data security concerns. As with the
existing, more limited business customer exemption from our existing authentication rules, carriers will
continue to be subject to the statutory requirements of Section 222 even where this exemption applies.
16. Preemption. In this section, we adopt the proposal in the NPRM and announce our intent
to continue to preempt state privacy laws, including data security and data breach laws, only to the extent
that they are inconsistent with any rules adopted by the Commission. This limited application of our
preemption authority is consistent with our precedent in this area and with our long appreciation for the
valuable role the states play in protecting consumer privacy.
17. Implementation Timeline. The Order provides a timeline for orderly transition to the new
rules with additional time given for small carriers to the extent that they may need to change their
practices.
18. Legal Authority. Finally, the Order closes by discussing our legal authority to adopt the
rules.
III. ESTABLISHING BASELINE PRIVACY PROTECTIONS FOR CUSTOMERS OF
TELECOMMUNICATIONS SERVICES
19. In this section, we adopt a set of rules designed to protect the privacy of customers of
BIAS and other telecommunications services. The rules we adopt today find broad support in the record,
and are consistent with and build on existing regulatory and stakeholder-driven frameworks, including the
Commission’s prior decisions and existing Section 222 rules, other federal privacy laws, state privacy
laws, and recognized best practices. The framework for our baseline privacy protections focuses on
providing transparency of carriers’ privacy practices; ensuring customers have meaningful choice about
the use and disclosure of their private information; and requiring carriers to adopt robust data security
practices for customer information. In this section, we explain the rules we adopt to protect the privacy of
customers of BIAS and other telecommunications services.
A. Background and Need for the Rules
20. The Commission has a long history of protecting customer privacy in the
telecommunications sector. Section 705 of the Communications Act, for example, is one of the most
fundamental and oldest sector-specific privacy requirements, and protects the privacy of information
carried by communications service providers.
6
As early as the 1960s the Commission began to wrestle
with the privacy implications of the use of communications networks to provide shared access to
computers and the sensitive, personal data they often contained.
7
Throughout the 1980s and 1990s, the
6
47 U.S.C. § 605.
7
See, e.g., Bernard Strassburg, Address to the Ass’n for Comp. Machinery, The Marriage of Computers and
Communications: Some Regulatory Implications (Oct. 20, 1966), in 9 Jurimetrics J. 12-18 (1966), available at
http://heinonline.org/HOL/Page?handle=hein.journals/juraba9&div=9&g_sent=1&collection=journals.
Federal Communications Commission FCC 16-148
7
Commission imposed limitations on incumbent telephone companies’ use and sharing of customer
information.
8
21. Then, in 1996, Congress enacted Section 222 of the Communications Act providing
statutory protections to the privacy of the data that all telecommunications carriers collect from their
customers. Congress recognized that telecommunications networks have the ability to collect information
from consumers who are merely using networks as conduits to move information from one place to
another “without change in the form or content” of the communications.
9
Specifically, Congress sought
to ensure “(1) the right of consumers to know the specific information that is being collected about them;
(2) the right of consumers to have proper notice that such information is being used for other purposes;
and (3) the right of consumers to stop the reuse or sale of that information.”
10
22. Section 222(a) imposes a duty on all telecommunications carriers to protect the
confidentiality of their customers’ “proprietary information,” or PI.
11
Section 222(c) imposes restrictions
on telecommunications carriers’ use and sharing of customer proprietary network information (CPNI)
without customer approval, subject to certain exceptions including as necessary to provide the
telecommunications service (or services necessary to or used in providing that telecommunications
service), and as otherwise provided for by law.
12
While we recognize, applaud, and encourage existing
and continued marketplace self-regulation and privacy innovations, Congress has made clear that
telecommunications carriers’ privacy practices must comply with the obligations imposed by Section 222.
We therefore reject arguments that we rely entirely on self-regulatory mechanisms.
13
23. Over the last two decades, the Commission has promulgated, revised, and enforced
privacy rules for telecommunications carriers that are focused on implementing the CPNI requirements of
Section 222. As practices have changed, the Commission has refined its Section 222 rules. For example,
after the emergence and growth of an industry made possible by “pretexting”the practice of improperly
accessing and selling details of residential telephone callsthe Commission strengthened its Section 222
rules to add customer authentication and data breach notification requirements.
14
The current Section 222
rules focus on transparency, choice, data security, and data breach notification.
8
See Amendment of Section 64.702 of the Commission’s Rules and Regulations, Final Order, 77 FCC 2d 384 (1980)
(Computer II), recon., 84 FCC 2d 50 (1980), further recon., 88 FCC 2d 512 (1981), aff’d sub nom. Computer and
Commc’n Indus. Ass’n v. FCC, 693 F.2d 198 (D.C. Cir. 1982), cert. denied, 461 U.S. 938 (1983); Amendment of
Section 64.702 of the Commission’s Rules and Regulations, Phase I, 104 FCC 2d 958 (1986); Application of Open
Network Architecture and Nondiscrimination Safeguards to GTE Corp., Report and Order, 9 FCC Rcd 4922, 4944-
45, para. 45 (1994); Application of Open Network Architecture and Nondiscrimination Safeguards to GTE Corp.,
Memorandum Opinion and Order, 11 FCC Rcd 1388, 1419-25, paras. 73-86 (1995); Furnishing of Customer
Premises Equipment by Bell Operating Telephone Companies and the Independent Telephone Companies, Report
and Order, 2 FCC Rcd 143 (1987), recon. on other grounds, 3 FCC Rcd 22 (1987); aff’d, Ill. Bell Tel. Co. v. FCC,
883 F.2d 104 (D.C. Cir. 1989).
9
See 47 U.S.C. § 153(50).
10
See Joint Explanatory Statement of the Committee of Conference, 104th Cong., 2d Sess. 204; see also H.R. Rep.
No. 204, 104th Cong., 1st Sess. 91 (1995).
11
47 U.S.C. § 222(a) (“Every telecommunications carrier has a duty to protect the confidentiality of proprietary
information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers. . . .”).
12
47 U.S.C. § 222(c)(1). Section 222(d) enumerates exceptions to this prohibition. 47 U.S.C. § 222(d).
13
See, e.g., Electronic Transaction Association (ETA) Comments at 2; AT&T Comments at 1; Multicultural Media,
Telecom and Internet Council et al. (MMTC et al.) Comments at 2; Interactive Advertising Bureau (IAB) Comments
at 5 (“IAB believes that industry self-regulation is the preferred approach to address online privacy.”).
14
See generally Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of
Customer Proprietary Network Information and Other Customer Information; IP-Enabled Services, CC Docket No.
(continued….)
Federal Communications Commission FCC 16-148
8
24. Meanwhile, as consumer use of the Internet exploded, the FTC, using its authority under
Section 5 of the FTC Act to prohibit “unfair or deceptive acts or practices in or affecting commerce,”
15
has entered into a series of precedent-setting consent orders addressing privacy practices on the Internet,
held workshops and conferences, and issued influential reports about privacy.
16
Taken together, the
FTC’s privacy work has focused on the importance of transparency; honoring consumers’ expectations
about the use of their personal information and the choices they have made about sharing that
information; and the obligation of companies that collect personal information to adopt reasonable data
security practices. Because common carriers subject to the Communications Act are exempt from the
FTC’s Section 5 authority, the responsibility falls to this Commission to oversee their privacy practices
consistent with the Communications Act.
17
25. Last year the Administration proposed a Consumer Privacy Bill of Rights. The goal of
the CPBR is to “establish baseline protections for individual privacy in the commercial arena and to foster
timely, flexible implementations of these protections through enforceable codes of conduct developed by
diverse stakeholders.”
18
It recognizes that Americans “cherish privacy as an element of their individual
freedom,” and that “[p]reserving individuals’ trust and confidence that personal data will be protected
appropriately, while supporting flexibility and the free flow of information, will promote continued
innovation and economic growth in the networked economy.”
19
26. Prior to 2015, BIAS was classified as an information service, which excluded such
services from the ambit of Title II of the Act, including Section 222, and the Commission’s CPNI rules.
20
Instead, broadband providers were subject to the FTC’s unfair and deceptive acts and practices
authority.
21
In the 2015 Open Internet Order, we reclassified BIAS as a telecommunications service
subject to Title II of the Act, an action upheld by the D.C. Circuit in United States Telecom Ass’n v.
FCC.
22
While we granted BIAS forbearance from many Title II provisions, we concluded that application
and enforcement of the privacy protections in Section 222 to BIAS is in the public interest and necessary
for the protection of consumers.
23
However, we questioned whether “the Commission’s current rules
(Continued from previous page)
96-115, WC Docket No. 04-36, Report and Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd 6927
(2007) (2007 CPNI Order).
15
15 U.S.C. § 45(a)(1).
16
See FTC Staff Comments at 4-6.
17
See 15 U.S.C. §§ 45(a)(2) (exempting “common carriers subject to the Acts to regulate commerce”), 44 (defining
“Acts to regulate commerce” as including “the Communications Act of 1934 and all Acts amendatory thereof and
supplementary thereto”); 47 U.S.C. § 153(51) (providing that “[a] telecommunications carrier shall be treated as a
common carrier under [the Communications Act] only to the extent that it is engaged in providing
telecommunications services”). See also FTC Staff Comments at 2, n.5.
18
See 2015 Administration CPBR Discussion Draft, § 4(a)(1).
19
Id.
20
See Protecting and Promoting the Open Internet, GN Docket No. 14-28, Report and Order on Remand,
Declaratory Ruling, and Order, 30 FCC Rcd 5601, 5736-42, paras. 314-27 (2015), aff’d United States Telecom Ass'n
v. F.C.C., 825 F.3d 674 (D.C. Cir. 2016) (2015 Open Internet Order) (discussing the historical classification of
broadband Internet access service).
21
See 15 U.S.C. § 45(a)(1) (prohibiting unfair or deceptive acts or practices in or affecting commerce).
22
2015 Open Internet Order, 30 FCC Rcd at 5733, para. 306; see also United States Telecom Ass'n v. F.C.C., 825
F.3d at 712.
23
2015 Open Internet Order, 30 FCC Rcd at 5821-22, paras. 463-64 (concluding that “forbearance from the
application of section 222 with respect to broadband Internet access service is not in the public interest . . . and that
section 222 remains necessary for the protection of consumers . . . .”); see also Enforcement Bureau Guidance:
Broadband Providers Should Take Reasonable, Good Faith Steps to Protect Consumer Privacy, Enforcement
(continued….)
Federal Communications Commission FCC 16-148
9
implementing section 222 necessarily would be well suited to broadband Internet access service,” and
forbore from the application of these rules to broadband service, “pending the adoption of rules to govern
broadband Internet access service in a separate rulemaking proceeding.”
24
27. In March 2016, we adopted the Broadband Privacy NPRM, which proposed a framework
for applying the longstanding privacy requirements of the Act to BIAS.
25
In the NPRM, we proposed
rules protecting customer privacy using the three foundations of privacytransparency, choice, and
securityand also sought comment on, among other things, whether we should update rules that govern
the application of Section 222 to traditional telephone service and interconnected VoIP service in order to
harmonize them with the results of this proceeding.
26
28. A number of broadband providers, their associations, as well as some other commenters
argue that because broadband providers are part of a larger online eco-system that includes edge
providers, they should not be subject to a different set of regulations.
27
These arguments ignore the
particular role of network providers and the context of the consumer/BIAS provider relationship, and the
sector specific privacy statute that governs the use and sharing of information by providers of
telecommunications services. Based on our review of the record, we reaffirm our earlier finding that a
broadband provider “sits at a privileged place in the network, the bottleneck between the customer and the
rest of the Internet”
28
a position that we have referred to as a gatekeeper.
29
As such, BIAS providers can
collect “an unprecedented breadth” of electronic personal information.
30
(Continued from previous page)
Advisory No. 2015-03, 30 FCC Rcd 4849 (Enf, Bur. 2015) (Enf. Bur. Privacy Advisory) (providing guidance “to
broadband providers about how the Enforcement Bureau intends to enforce Section 222 in connection with BIAS
during the time between the effective date of the Open Internet Order and any subsequent Commission action
providing further guidance and/or adoption of regulations applying Section 222 more specifically to BIAS”).
24
2015 Open Internet Order, 30 FCC Rcd at 5823, para. 467.
25
See generally Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC
Docket No. 16-106, Notice of Proposed Rulemaking, 31 FCC Rcd 2500 (2016) (Broadband Privacy NPRM).
26
Id. at 2510, para. 24.
27
See, e.g., NTCAThe Rural Broadband Association (NTCA) Comments at 11; see also CTIAThe Wireless
Association (CTIA) Comments at 106; Letter from Mike Montgomery, Executive Director, CALinnovates, to
Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-016, at 1-2 (filed Oct. 19, 2016).
28
See Letter from Paul Ohm, Professor, Georgetown University Law Center, to Marlene H. Dortch, Secretary, FCC,
GN Docket No. 16-106 Attach., Testimony Before the Subcommittee on Communications and Technology,
Committee on Energy and Commerce, U.S. House of Representatives at 3 (filed June 19, 2016) (Paul Ohm
Testimony).
29
See 2015 Open Internet Order, 30 FCC Rcd at 5629, para. 80 (noting that “once a consumer chooses a broadband
provider, that provider has a monopoly on access to the subscriber”).
30
Letter from Kathleen McGee, Bureau Chief, Bureau of Internet and Technology, New York State Attorney
General, to Tom Wheeler, Chairman, FCC, WC Docket No. 16-106 at 2 (filed June 30, 2016) (NY Attorney General
June 30, 2016 Ex Parte) (also claiming that BIAS providers can collect not only a consumer’s name, address and
financial information but also every website he or she visited, the links clicked on those websites, geo-location
information, and the content of electronic communications”); see also, e.g., Ghostery Apr. 29, 2016 Ex Parte
Attach. at 3-5; Consumer Action Comments at 1; Consumer Watchdog Comments at 4 (“The ISP is in a unique
position to amass deeply revealing personal profiles, share the data with third parties or use it for its own
purposes.”); Public Knowledge et al. Comments, Attach. Public Knowledge White Paper, Protecting Privacy,
Promoting Competition: A Framework for Updating the Federal Communications Commission Privacy Rules for
the Digital World at 51-52, 55-56 (Public Knowledge White Paper); American Association for Justice (AAJ)
Comments at 8 (explaining that BIAS providers are now privy to an extensive amount of personal information
about their customers”); Electronic Frontier Foundation (EFF) Comments at 1.
Federal Communications Commission FCC 16-148
10
29. We disagree with commenters that argue that BIAS providers’ insight into customer
online activity is no greater than large edge providers because customers’ Internet activity is “fractured”
between devices, multiple Wi-Fi hotspots, and different providers at home and at work.
31
As commenters
have explained, “customers who hop between ISPs on a daily basis often connect to the same networks
routinely,”
32
and as such, over time, “each ISP can see a substantial amount of that user’s Internet
traffic.”
33
30. While we recognize that there are other participants in the Internet ecosystem that can
also see and collect consumer data,
34
the record is clear that BIAS providers’ gatekeeper position allows
them to see every packet that a consumer sends and receives over the Internet while on the network,
including, absent encryption, its contents.
35
By contrast, edge providers only see a slice of any given
consumers Internet traffic. As explained in the record, edge providers’ visibility into consumers’ web
browsing activity is necessarily limited. According to the record, only three companies (Google,
Facebook, and Twitter) have third party tracking capabilities across more than 10 percent of the top one
million websites, and none of those have access to more than approximately 25 percent of web pages.
36
In contrast, a BIAS provider sees 100 percent of a customer’s unencrypted Internet traffic.
37
31. At the same time, users have much more control over tracking by web third parties than
over tracking by BIAS providers. A range of browser extensions are largely effective at blocking
31
See, e.g., Peter Swire, Associate Director, The Institute for Information Security & Privacy at Georgia Tech, et al.,
Working Paper, Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by
Others at 24-25 (filed May 27, 2016) (Peter Swire Working Paper); see also AT&T Comments at 4; CTIA
Comments at 7-8.
32
National Consumers League (NCL) Reply at 11.
33
See, e.g., Upturn Comments at 6.
34
See, e.g., Peter Swire Working Paper at 4 (stating that “non-ISPs are increasingly gathering commercially
valuable information about online user activity from multiple context”); National Black Caucus of State Legislators
(NBCSL) Comments at 1 (“Webmail, Internet videos, social media, and other firms, and even devices like open-
source smartphones, all track and use enormous volumes of sensitive data”); Advanced Communications Law &
Policy (ACLP) Comments at 13; Howard Beales Comments at 5 (“Each provider has particular insights into the
consumer’s online activities, but there is no entity in a ‘unique’ position to assemble a ‘comprehensive’ picture of
online behavior.”); Consumer Workers of America (CWA) Comments at 2-3 ; International Center for Law &
Economics (ICLE) Comments at 9 ; AT&T Comments at 3 (arguing that “ISPs have less, not more, comprehensive
visibility than many edge providers into their users’ online activities”); Verizon Comments at 18 (asserting that
“repeated and prolonged interactions provide social networking sites with access to vast amounts of commercially
valuable information about their users, including user-generated content and metadata, which they use to facilitate
targeted advertising”); CenturyLink Comments at 6 (arguing that to “the extent that user information (for example,
web browsing activity and location information) is visible to the user’s broadband provider, it also is visible to, and
collected by, various third-party entities”).
35
See, e.g., Paul Ohm Testimony at 3; EFF Comments at 1 (“No edge provider enjoys the ability to see everything a
consumer does online. The technology now available for telecommunications providers allows for the possibility
that every communications, activity, and movement can be tracked in real or near-real time.”).
36
See Dillon Reisman and Arvind Narayanan, Princeton Center for Information Technology Policy, WC Docket No.
16-106, Ex Parte Presentation at 32 (filed June 17, 2016) (Reisman and Narayanan June 17, 2016 Ex Parte)
(showing that Google and Twitter are present on approximately 20 percent of websites and Facebook is present on
approximately 25 percent of websites). By “third party tracking capability,” we mean any method by which one
party injects a tracking mechanism into a customer’s traffic in order to monitor the customer’s activity when the
customer interacts with other parties. Cookies are a common third party tracker, but there are many other methods.
See id. at 31 (explaining that “[t]hird parties on the web are any resources (images, tracking pixels, advertisements,
code, etc.) loaded on a webpage that come from domains that are not the main domain you visited”).
37
See Reisman and Narayanan June 17, 2016 Ex Parte at 32.
Federal Communications Commission FCC 16-148
11
prominent third parties, but these tools do nothing to stop data collection on the wire.”
38
Further,
Professor Nick Feamster explains that unlike other Internet participants that see Domain Name System
(DNS) lookups only to their own domains (e.g., google.com, facebook.com, netflix.com), BIAS providers
can see DNS lookups every time a customer uses the service to go to a new site.
39
32. Return Path explains additional unique data to which only BIAS providers have access:
Many BIAS customers are assigned a dynamic (‘changing’) IP address when they
connect to their provider. In these cases, each time a consumer’s computer (or router) is
rebooted, the ISP dynamically assigns a new IP address to the networking device. While
the BIAS provider will have a record of precisely which user was connected to an IP
address at a specific point in time, any third party will not, unless they subpoena the
BIAS provider for data.
40
Furthermore, as Mozilla explains, “[b]ecause these are paid services, [the broadband provider has] the
subscriber’s name, address, phone number and billing history. The combination gives ISPs a very unique,
detailed and comprehensive view of their users that can be used to profile them in ways that are
commercially lucrative.”
41
33. We agree with commenters that point out that encryption can significantly help protect
the privacy of consumer content from BIAS providers.
42
However, even with encryption, by virtue of
providing BIAS, BIAS providers maintain access to a significant amount of private information about
their customers’ online activity, including what websites a customer has visited, how long and during
what hours of the day the customer visited various websites, the customer’s location, and what mobile
device the customer used to access those websites.
43
Moreover, research shows that encrypted web traffic
38
Id. at 35.
39
See Feamster Edge Provider Comments at 2; see also Upturn Comments at 6 (“DNS queries are almost never
encrypted.”).
40
Return Path Comments at 3.
41
Mozilla Comments at 4-5.
42
See National Cable & Telecommunications Association (NCTA) Reply at 21-24; AT&T Comments at 3-4;
Howard Beales Comments at 4; CenturyLink Comments at 7; CTIA Comments at 14; Comcast Comments at 28
(explaining that if traffic is “encrypted using [Hypertext Transfer Protocol] HTTPS, the ISP only sees the top-level
domain used to deliver packets, but otherwise is prevented from seeing either the contents of packets received or
transmitted by the customer, or the full website address . . . of the websites that the customer visits); Employment
and Training Association (ETA) Comments at 6-7; Information Technology and Innovation Foundation (ITIF)
Comments at 3-5; T-Mobile Comments at 5.
43
Public Knowledge et al. Comments at 6 (“At an even more basic level, the timing of packet traffic can reveal data
about a subscriber.”); see also id. (“Traffic timing can reveal the hours when a subscriber is awake, asleep, or at
work. It can reveal a person’s religious beliefs (as with observance of the Sabbath), or unexpected changes in
lifestyle, such as holidays, new relationships, or lost jobs.”); Paul Ohm Testimony at 4 (“When you visit a website
protected by the most widespread form of encryption in use, https or http over TLS, even though your BIAS
provider cannot tell which individual page you are visiting on the website, it still can tell the domain name of the
website you are communicating with, how often you return, roughly how much data you send and receive, and for
how long each visit lasts.”); Greenlining Institute and Media Alliance (Greenlining Institute) Comments at 5-6;
Mozilla Comments at 4 (“All of a user’s network traffic goes through their ISP, which means they have unfettered
access to usage patterns and metadata. Usage patterns and metadata can be as revealing, or in some ways even more
revealing, than content. Furthermore, users typically don’t think about the potential for disclosure of private
information that can come from metadata.”); Software & Information Industry Association (SIIA) Comments at 3
(“Broadband service providers are unique in their ability to see the domains that their subscribers visit, even in cases
where a website uses encryption.”).
Federal Communications Commission FCC 16-148
12
can be used to infer the pages within an encrypted site that a customer visits, and that the amount of data
transmitted over encrypted connections can also be used to infer the pages a customer visits.
44
34. The record also indicates that truly pervasive encryption on the Internet is still a long way
off, and that many sites still do not encrypt.
45
We observe that several commenters rely on projections
that 70 percent of Internet traffic will be encrypted by the end of 2016.
46
However, a significant amount
of this encrypted data is video traffic from Netflix, which, according to commenters, accounts for 35
percent of North American Internet traffic.
47
Moreover, “raw packets make for a misleading metric.”
48
As further explained by one commenter “watching the full Ultra HD stream of The Amazing Spider-Man
could generate more than 40GB of traffic, while retrieving the WebMD page for ‘pancreatic cancer’
generates less than 2MB.”
49
What’s more, research shows that approximately 84 percent of health
websites, 86 percent of shopping websites, and 97 percent of news websites remain unencrypted.
50
These
types of websites generate less Internet traffic but contain “much more personalized data.”
51
We
encourage continued efforts to encrypt personal information both in transit and at rest. At the same time,
our policy must account for the fact that encryption is not yet ubiquitous and, in any event, does not
preclude BIAS providers from having unique access to customer data.
52
35. Thus, the record reflects that BIAS providers are not, in fact, the same as edge providers
in all relevant respects. In addition to having access to all unencrypted traffic that passes between the
user and edge services while on the network, customers’ relationships with their broadband provider is
different from those with various edge providers, and their expectations concomitantly differ. For
example, customers generally pay a fee for their broadband service, and therefore do not have reason to
44
See Narayanan and Reisman Reply at 6; see also Upturn Comments at 8 (“A growing body of computer science
research demonstrates that a network operator can learn a surprising amount about the contents of encrypted traffic
without breaking or weakening encryption. By examining the features of the traffic like the size, timing and
destination of the encrypted packets it is possible to uniquely identify certain web page visits or otherwise reveal
information about what those packets likely contain.”); Feamster ISP Data Use Comments at 4.
45
See Upturn Comments at 3-6 (explaining that the fraction of total Internet traffic that is encrypted is a poor proxy
for the privacy interests of a typical user, as 85 percent of the top 50 sites in each of health, news, and shopping
categories still fail to encrypt browsing by default); see also Letter from Arvind Narayanan, Assistant Professor of
Computer Science, Princeton University, to Chairman Tom Wheeler, FCC, WC 16-106 at 2 (filed May 27, 2016)
(Narayanan Comments) (explaining that in their research, “we find that only 14.2% of the top 55,000 websites
default to HTTPS on their home pages as of January 2016. This number falls to 8.6% on the top 1 million websites.
Only a further 2.9% of the top 55,000 sites even offer HTTPS as an option”).
46
See Sandvine Comments at 10 (forecasting that “by the end of 2016, global Internet traffic will be more than 70%
encrypted, with some networks surpassing the 80% threshold”); see also Peter Swire Working Paper at 7; AT&T
Reply at 19; Comcast Comments at 5; USTelecom Reply at 5.
47
See Free Press Reply at 11; Reisman and Narayanan June 17, 2016 Ex Parte, Attach., Part 2: ISPs and Privacy at
1 (“The percentage of traffic that is encrypted is not the right choice of metric since it is skewed by video statistics,
especially Netflix.”); see also NCL Reply at 9 (stating that “video streaming websites such as Netflix, which itself
accounts for roughly 35 percent of North American internet traffic, are moving towards encryption”).
48
Reisman and Narayanan June 17, 2016 Ex Parte at 13.
49
Upturn Comments at 3. Upturn also explains that devices such as “smart thermostats, home voice integration
systems, and other appliances, fail to encrypt at least some of the traffic that they send and receive.” Id. at 5.
50
Reisman and Narayanan June 17, 2016 Ex Parte at 18.
51
See NCL Reply at 9.
52
See Narayanan Comments at 2 (explaining challenges to encryption that many “third parties do not support
encryption, and that this impedes the adoption of HTTPS by websites”); see also Upturn Comments at 4 (“In order
for a site to migrate to HTTPS without triggering warnings in its users’ browsers, each one of the third-party
partners that site uses on its pages must support HTTPS.”).
Federal Communications Commission FCC 16-148
13
expect that their broadband service is being subsidized by advertising revenues as they do with other
Internet ecosystem participants.
53
In addition, consumers have a choice in deciding each time whether to
useand thus reveal informationto an edge provider, such as a social network or a search engine,
whereas that is not an option with respect to their BIAS provider when using the service.
54
36. While some customers can switch BIAS providers, others do not have the benefit of
robust competition, particularly in the fixed broadband market. Moreover, we have previously observed
that “[b]roadband providers have the ability to act as gatekeepers even in the absence of ‘the sort of
market concentration that would enable them to impose substantial price increases on end users.’”
55
Their
position is strengthened by the high switching costs customers face when seeking a new service, which
could deter customers from changing BIAS providers if they are unsatisfied the providers’ privacy
policies.
56
Moreover, even if a customer was willing to switch to a new broadband provider, the record
shows consumers often have limited options.
57
We note, as stated in the 2016 Broadband Progress
Report, approximately 51 percent of Americans still have only one option for a provider of fixed
broadband at speeds of 25 Mbps download/3 Mbps upload.
58
Given all of these factors, we conclude
53
See, e.g., OTI Comments at 7 (“The context in which broadband customers share private information with BIAS
providers is specific and accompanied by cabined expectations: the customers share the information with BIAS
providers to facilitate provision of a service for which they have contracted. The information is therefore most
appropriately thought of as a loan to, rather than transferred to, broadband providers.”); see also Consumer
Federation of California (CFC) Comments at 5 (“When engaging in a transaction, a consumer may be required to
provide personal information . . . . The consumer expectation is that the information is provided to complete the
transaction, and not for other purposes.”).
54
See, e.g., Feamster Edge Provider Comments at 3 (“For example, in many cases, a user may register with an edge
provider using a pseudonym. The user may simply elect not to provide certain personal information or data to a
social network, or even to not use the social network at all.”).
55
2015 Open Internet Order, 30 FCC Rcd at 5633, para. 84.
56
See New York State Attorney General Reply at 1-2 (“Consumers cannot avoid a BIAS provider the way
consumers can avoid (without penalty), or otherwise freely and easily choose between, search engines or other
websites, or smartphone applications.”); CFC Comments at 6-7 (explaining that if a consumer wants to switch BIAS
providers, the consumer must undertake the time-consuming, and often difficult, process of finding and establishing
broadband service with a new provider, which requires a new contract and possibly new equipment. The consumer
must also terminate service with the existing provider, which may cause the consumer to incur financial penalties.);
2015 Open Internet Order, 30 FCC Rcd at 5631, para. 81 (“Among the costs that consumers may experience are:
high upfront device installation fees; long-term contracts and early termination fees; the activation fee when
changing service providers; and compatibility costs of owned equipment not working with the new service. Bundled
pricing can also play a role, as ‘single-product subscribers are four times more likely to churn than triple-play
subscribers.’ These costs may limit consumers’ willingness and ability to switch carriers if such a choice is indeed
available.”). But see CTIA Comments at 15-16 (asserting that in the market for wireless broadband, providers are
adopting practices that drive down switching costs, e.g., “they are moving away from term-contracts with
cancellation penalties, and offering to pay switching costs for new customers”); Free State Foundation Comments at
5-6; Howard Beales Comments at 3 (claiming BIAS providers “are not protected by uniquely high costs of
switching that might justify different treatment”).
57
CFC Comments at 6 (“Even if a consumer could easily substitute a BIAS provider, consumers are usually limited
to the local dominant telephone provider and the local dominant cable television provider. Consumers do not have a
wide variety of choices in BIAS providers. They can only use the services of BIAS providers who have invested in
the infrastructure to deliver high-speed Internet in their local area.”); Paul Ohm Testimony at 3 (“It is also
appropriate for Congress to protect the privacy of information sent through a BIAS provider because of the relative
lack of choice consumers enjoy for BIAS services”).
58
See Inquiry Concerning the Deployment of Advanced Telecommunications Capability to All Americans in a
Reasonable and Timely Fashion, and Possible Steps to Accelerate Such Deployment Pursuant to Section 706 of the
Telecommunications Act of 1996, As Amended by the Broadband Data Improvement Act, 31 FCC Rcd 699, 736,
(continued….)
Federal Communications Commission FCC 16-148
14
that, contrary to assertions in the record,
59
BIAS providers hold a unique position in the Internet
ecosystem, and disagree with commenters that assert that rules to protect the privacy of broadband
customers are unnecessary.
60
37. As discussed above and throughout this Order, our sector-specific privacy rules are
necessary to address the distinct characteristics of telecommunications services. The record demonstrates
that strong customer privacy protections will encourage broadband usage and, in turn investment.
61
We
further find that when consumers are confident that their privacy is protected, they will be more likely to
adopt and use broadband services.
62
As aptly explained by Mozilla, “[t]he strength of the Web and its
economy rests on a number of core building blocks that make up its foundational DNA. When these
building blocks are threatened, the overall health and well-being of the Web are put at risk. Privacy is
one of these building blocks.”
63
The privacy framework we adopt today will bolster consumer trust in the
broadband ecosystem, which is essential for business growth and innovation.
64
B. Scope of Privacy Protections under Section 222
38. In adopting rules to protect the privacy of customers of BIAS and other
telecommunications services, we must begin by specifying the entities and information at issue. We look
to the language of the statute to determine the appropriate scope of our implementing rules. As discussed
above, Section 222(a) specifies that telecommunications carriers have a duty to protect the confidentiality
of proprietary information of and relating to their customers, while Section 222(c) provides direction
about protections to be accorded “customer proprietary network information.” We therefore first adopt
rules identifying the set of “telecommunications carriers” that are subject to our rules and define the
(Continued from previous page)
para. 86 (2016) (2016 Broadband Progress Report) (explaining further that in rural areas, only 13 percent of
Americans have more than one option for service compared to 44 percent in urban areas).
59
See, e.g., NCTA Comments at 54 (“The NPRM fails to cite any empirical evidence to support the notion that
consumers believe there should be different privacy and data protection regimes depending upon whether their data
is used by an ISP rather than by a search engine, Web site, app provider, or any of the advertising, analytics or other
third party entities working with such edge providers.”); Howard Beales Comments at 3 (claiming BIAS providers
“do not pose a unique or more comprehensive privacy risk than other participants in the Internet ecosystem”);CTIA
Comments at 7 (arguing “ISPs’ access to online consumers’ personal information in this ecosystem is neither
comprehensive nor unique”).
60
See, e.g., American Advertising Federation (AAF) et al. Comments at 2; Association of National Advertisers
(ANA) Comments at 9 (arguing the Commission, offers insufficient evidence that privacy concerns are legitimate or
that they will result in tangible harm to consumers); T-Mobile Comments at 11 (“The NPRM also fails to identify a
problem with BIAS provider practices that needs to be remedied, or to demonstrate that the existing privacy
framework or the marketplace is not protecting consumers.”); SIIA Comments at 4.
61
NCL Reply at 13 (“Despite claims that the Commission’s reclassification of BIAS as a common carrier under
Title II will discourage investment and impose costs, the telecommunications industry had a strong financial year in
2015); see also id. (explaining that “AT&T’s net income was over $13 billion, which marked a 60 percent increase
from 2014”).
62
See Public Knowledge et al. Reply at 7; OTI Comments at 10-11 (reporting that in January 2016, the City of
Portland, Oregon’s Office for Community Technology reported that in focus groups conducted by the city to
improve the city’s understanding of adoption challenges, privacy concerns were raised in every group); see also
2016 Broadband Progress Report, 31 FCC Rcd at 751-52, para. 126 (finding that consumers fearful of the loss of
privacy may be less likely to use broadband connectivity, thus decreasing the demand for broadband investment and
deployment); FTC Staff Comments at 2 (stating that “while consumers continue to increase their online presence,
privacy and security are important not just for consumers but is also a crucial component for building trust in the
online marketplace”).
63
Mozilla Comments at 1.
64
Broadband Privacy NPRM, 31 FCC Rcd at 2557, para. 167.
Federal Communications Commission FCC 16-148
15
“customers” these rules protect. Next we define “customer proprietary information” and include within
that definition “individually identifiable customer proprietary network information,” “personally
identifiable information,” and content of communications.
1. The Rules Apply to Telecommunications Carriers and Interconnected VoIP
Providers
39. For purposes of the rules we adopt today to implement Section 222, we adopt a definition
of “telecommunications carrier” that includes all telecommunications carriers providing
telecommunications services subject to Title II, including broadband Internet access service (BIAS). We
also include interconnected VoIP services, which have been covered since 2007.
65
Although not limited
to voice services, our existing rules have been focused on voice services.
66
When we reclassified BIAS as
a telecommunications service, we recognized that our existing CPNI rules were not necessarily well
suited to the broadband context, and we therefore forbore from applying the existing Section 222 rules to
BIAS.
67
As part of this rulemaking we have explored what privacy and data security rules we should
adopt for BIAS and whether we can harmonize our rules for voice and BIAS. Throughout this Order we
find that it is in the interests of consumers and providers to harmonize our voice and broadband privacy
rules. We therefore adopt a single definition of telecommunications carrier for purposes of these rules,
and except as otherwise provided, adopt harmonized rules governing the privacy and data security
practices of all such telecommunications carriers.
40. Because we adopt a single definition of telecommunications carrier we need not change
the definitions of “telecommunications carrier or carrier” currently in our rules implementing Section
222.
68
We do amend the definition of telecommunications service to conform to the definition of
telecommunications carrier. We also observe that because BIAS is now a telecommunications service,
BIAS providers are now telecommunications carriers within the meaning of those rules. To remove any
doubt as to the scope of these rules, we define BIAS for purposes of our rules pursuant to Section 222
identically to our definition in the 2015 Open Internet Order.
69
We define “broadband Internet access
service provider” or “BIAS provider” to mean a person engaged in the provision of BIAS.
70
Under the
65
See 2007 CPNI Order, 22 FCC Rcd at 6929, para. 3.
66
See generally Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of
Customer Proprietary Network Information and Other Customer Information, Declaratory Ruling, 28 FCC Rcd
9609, 9611-12, paras. 9-11 (2013) (2013 CPNI Declaratory Ruling).
67
2015 Open Internet Order, 30 FCC Rcd at 5822-23, para. 466.
68
See 47 CFR § 64.2003(o), (p) (defining “telecommunications carrier or carrier” and “telecommunications
service”). In accordance with these definitions, we continue to consider entities providing interconnected VoIP
service to be telecommunications carriers for the purposes of these rules. See infra Part IV.E. The Commission has
not classified interconnected VoIP service as telecommunications service or information service as those terms are
defined in the Act, and we need not and do not make such a determination today. See 47 U.S.C. § 153(24), (53)
(defining “information service” and “telecommunications service”); 2007 CPNI Order, 22 FCC Rcd at 6929, para. 3
(extending application of the CPNI rules to providers of interconnected VoIP service).
69
Specifically, a broadband Internet access service is “a mass-market retail service by wire or radio that provides the
capability to transmit data to and receive data from all or substantially all Internet endpoints, including any
capabilities that are incidental to and enable the operation of the communications service, but excluding dial-up
Internet access service. This term also encompasses any service that the Commission finds to be providing a
functional equivalent of the service described in the previous sentence, or that is used to evade the protections set
forth in this part.” 47 CFR § 8.2(a); 2015 Open Internet Order, 30 FCC Rcd at 5682, para. 187; see also
INCOMPAS Comments at 3 (distinction in BIAS definition between mass market and business services should
apply in Section 222 context); Information Technology Industry Council (ITIC) Comments at 6 (the definition of
BIAS should exclude Internet intermediary services and “over the top” services).
70
As used in the foregoing sentence and in the definition of “customer” below, a “person” includes any individual,
group of individuals, corporation, partnership, association, unit of government, or legal entity, however organized.
(continued….)
Federal Communications Commission FCC 16-148
16
2015 Open Internet Order’s definition of BIAS, the term BIAS provider does not include “premises
operators such as coffee shops, bookstores, airlines, private end-user networks (e.g., libraries and
universities), and other businesses that acquire broadband Internet access service from a broadband
provider to enable patrons to access the Internet from their respective establishments.”
71
Moreover,
consistent with the 2015 Open Internet Order,
72
our rules do not govern information that BIAS providers
obtain by virtue of providing other non-telecommunications services, such as edge services that the BIAS
provider may offer like email, websites, cloud storage services, social media sites, music streaming
services, and video streaming services (to name a few).
73
2. The Rules Protect Customers’ Confidential Information
41. Section 222 governs how telecommunications carriers treat the “proprietary” and
“proprietary network” information of their “customers.”
74
For purposes of the rules we adopt today
implementing Section 222, we define “customer” as (1) a current or former subscriber to a
telecommunications service; or (2) an applicant for a telecommunications service. We adopt a single
definition of customer, because we agree with those commenters that argue that harmonizing the
definition of “customer” for both BIAS and other telecommunications services will ease consumer
expectations, reduce confusion, and streamline compliance costs for BIAS providers, especially small
providers.
75
We also find that voice and BIAS customers face similar issues related to the protection of
their private information when they apply for, subscribe to, and terminate their telecommunications
services.
76
42. In adopting this definition of customer, we find that BIAS providers’ and other
telecommunications carriers’ duty to protect customer proprietary information under Section 222 begins
when a person applies for service and continues after a subscriber terminates his or her service. Our
existing rules for voice services apply only to current customers.
77
We are, however, persuaded by
commenters that argue that the existing rule’s limitation to current subscribers is too narrow.
78
As data
(Continued from previous page)
Cf. Preserving the Open Internet, Report and Order, 25 FCC Rcd 17905, 17937, para. 54 n.172 (2010) (2010 Open
Internet Order); 47 CFR § 54.8(a)(6).
71
2015 Open Internet Order, 30 FCC Rcd at 5685, para. 191.
72
See, e.g., 2015 Open Internet Order, 30 FCC Rcd at 5773, para. 377 (explaining that email and cloud-based
storage are “separable information services” from the broadband Internet access service).
73
See Letter from Loretta Polk, Vice President & Associate General Counsel, NCTA, to Marlene H. Dortch,
Secretary, FCC, WC Docket No. 16-106, at 1-2 (filed Oct. 20, 2016) (NCTA Oct. 20, 2016 Ex Parte).
74
See 47 U.S.C. § 222(a), (c).
75
See American Cable Association (ACA) Comments at 57 (supporting “a single privacy and data security
framework” and harmonization of Section 222 rules and definitions); Rural Wireless Association (RWA) Reply at 7
(“Harmonization provides several benefits, including increased provider efficiency, better customer understanding,
and higher compliance rates.”). Nex-Tech explains that “because it is already subject to the CPNI rules as a
provider of voice service, Nex-Tech has aligned its [BIAS] policies and procedures with respect to customer
information with its compliance of the Commission’s voice CPNI rules. Nex-Tech and WTA . . . generally believe
this is common across the board for RLECs.” Letter from Patricia Cave, Director, Government Affairs, WTA, to
Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 1 (filed April 25, 2016) (WTA & Nex-Tech Apr.
25, 2016 Ex Parte).
76
See, e.g., TerraCom, Inc. and YourTel America, Inc., Notice of Apparent Liability for Forfeiture, 29 FCC Rcd
13325, 13332-35 (2014) (TerraCom NAL) (voice services).
77
47 CFR § 64.2003(f).
78
See, e.g., OTI Comments at 14 (“Including only current customers would be too narrow because of the strong
incentives for BIAS providers to collect and retain data from all customers without limitation.”).
Federal Communications Commission FCC 16-148
17
storage costs decrease and computing power increases, previous barriers to data analysis based on cost,
time, or feasibility are receding.
79
BIAS providers and other telecommunications carriers have the
technical ability to retain and use applicant and customer information long after the application process or
termination of service.
80
If our rules do not protect applicants, consumers would lack basic privacy
protections when they share any confidential information in order to apply for a telecommunications
service. Similarly, current customers would be penalized for switching providers given that the “losing”
carrier would be free to stop protecting the confidentiality of any private information it retains.
81
These
outcomes would run counter to our firm commitment to promote broadband adoption, competition, and
innovation.
82
Making this change is consistent with the 2014 Notice of Apparent Liability issued in
TerraCom, in which we explained that that “the carrier/customer relationship commences when a
consumer applies for service.”
83
43. We disagree with commenters that assert that including prospective and former
customers within the definition of customer could unduly burden providers.
84
If carriers want to limit
their obligations with respect to applicants and former customers, they can and should adopt data
minimization practices and destroy applicants’ and former customers’ confidential information as soon as
practicable, in a manner consistent with any other applicable legal obligations.
44. In addition, for purposes of these rules, we find it appropriate to attribute all activity on a
subscription to the subscriber. We recognize that multiple people often use the BIAS or voice services
purchased by a single subscriber. For example, residential fixed broadband and voice services often have
a single named account holder, but all household members and their guests may use the Internet
connection and voice service purchased by that subscriber. Likewise, enterprise customers may have
many users on the same account. And, for mobile services, multiple users using separate devices may
79
See, e.g., FTC, Big Data: A Tool for Inclusion or Exclusion?, at 1 (2016), https://www.ftc.gov/reports/big-data-
tool-inclusion-or-exclusion-understanding-issues-ftc-report (2016 FTC Big Data Report) (“A common framework
for characterizing big data relies on the ‘three Vs,’ the volume, velocity, and variety of data, each of which is
growing at a rapid rate as technological advances permit the analysis and use of this data in ways that were not
possible previously.”); Executive Office of the President, Big Data: Seizing Opportunities, Preserving Values at 1
(2014), https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf (2014
Administration Big Data Report) (“The collection, storage, and analysis of data is on an upward and seemingly
unbounded trajectory, fueled by increases in processing power, the cratering costs of computation and storage, and
the growing number of sensor technologies embedded in devices of all kinds.”).
80
See, e.g., OTI Comments at 14 (“Including only current customers would be too narrow because of the strong
incentives for BIAS providers to collect and retain data from all customers without limitation.”). But see WISPA
Reply at 26-28 (stating that the rules should not protect applicants and former customers).
81
See Rafi Goldberg, NTIA, Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online
Activities (May 13, 2016), https://www.ntia.doc.gov/blog/2016/lack-trust-internet-privacy-and-security-may-deter-
economic-and-other-online-activities (discussing, inter alia, how privacy concerns can deter many Americans from
engaging in important economic and civic online activities).
82
47 U.S.C. § 1302(a); see generally 2016 Broadband Progress Report, 31 FCC Rcd 699.
83
TerraCom NAL, 29 FCC Rcd at 13333, para. 23. In TerraCom we observed, inter alia, that “consumers applying
for telecommunications services have a reasonable expectation that the carrier will protect the confidentiality of the
[proprietary information] they provide as part of that transaction” and that the carriers themselves treated applicants
as “customers” in their forms and policies. Id. at 13332-35, paras. 21-28.
84
See WISPA Comments at 23-24 (asserting that applicants should be excluded because they can review a
provider’s privacy policy before sharing personal information); CTIA Comments at 95 (asserting that inclusion
would hinder providers’ ability to solicit prospective customers); Sprint Comments at 4; T-Mobile Comments at 56;
INCOMPAS Comments at 9-10 (including former customers could hinder providers’ ability to try to win them
back); NTCA Comments at 13-17 (asserting that other industries are not required to protect applicant and former
customers beyond FTC standard; the inclusion will burden small providers).
Federal Communications Commission FCC 16-148
18
share one account.
85
However, treating each individual user as a separate customer would be burdensome
because the provider does not have a separate relationship with each of those users, outside of the
relationship with the subscriber. To minimize burdens on both providers and customers, we find it is
reasonable to define “customer” to include users of the subscription (such as household members and
their guests), but treat the subscriber as the person with authority to make privacy choices for all of the
users of the service.
86
As such, we disagree with commenters who argue that every individual using a
BIAS subscription should qualify as a distinct customer with separate privacy controls.
87
45. We recognize that some BIAS or voice subscriptions identify multiple users. For
example, some mobile BIAS providers offer group plans in which each person has their own identified
device, user ID, and/or telephone number. If a BIAS or other telecommunications provider is already
treating each user as distinct and the subscriber authorizes the other users to control their account settings,
we encourage carriers to give these users individualized privacy controls.
88
3. Scope of Customer Information Covered by These Rules
46. In this section, we define the scope of information covered by the rules implementing
Section 222. Specifically, we import the statutory definition of customer proprietary network information
(CPNI) into our implementing rules, and define customer proprietary information (customer PI) as
including individually identifiable CPNI, personally identifiable information (PII), and content of
communications. We recognize that these categories are not mutually exclusive, but taken together they
identify the types of confidential customer information BIAS providers and other telecommunications
carriers may collect or access in connection with their provision of service. Below, we provide additional
guidance on the scope of these categories of customer information in the telecommunications context.
a. Customer Proprietary Network Information
47. Consistent with the preexisting voice rules, we adopt the statutory definition of customer
proprietary network information (CPNI) for all telecommunications services, including BIAS. Since this
is our first opportunity to address this definition’s application to BIAS, to offer clarity we provide
guidance on the meaning of CPNI as it applies to BIAS. We focus on Section 222(h)(1), which defines
CPNI to mean:
(A) information that relates to the quantity, technical configuration, type,
destination, location, and amount of use of a telecommunications service
subscribed to by any customer of a telecommunications carrier, and that
is made available to the carrier by the customer solely by virtue of the
carrier-customer relationship; and (B) information contained in the bills
pertaining to telephone exchange service or telephone toll service
85
See, e.g., Paul Vixie Comments at 3-4; Center for Digital Democracy (CDD) Comments at 14 (asserting that the
rules should protect each user in a household).
86
See Common Sense Kids Action Comments at 9 (supporting a “‘customer dashboard’ in which a main subscriber
can set different privacy preferences for different devices or log-ins.”). See infra Part III.H.2.
87
See Access Now Comments at 4. But see Sprint Comments at 4-5 (including “all conceivable users of the
network would lead to unworkable obligations for providers”); Security and Software Engineering Research Center
(S
2
ERC) Comments at 5-6 (only the account holder should qualify as a customer); NTCA Comments at 17-18
(same).
88
See OTI Comments at 17-18 (“Separate accounts for other members of the household provide a straightforward
mechanism for providing notice of privacy practices and acquiring opt-in or opt-out consent for those practices.”);
CDD Comments at 14 (“[T]hose with a login (or are identified as a distinct customer by the subscriber) should be
provided with the same fair treatment for their privacy.”); Access Now Comments at 4 (supporting protections for
users other than the primary account holder); Paul Vixie Comments at 3-4 (same); Consumer Federation of
California Comments at 14 (same).
Federal Communications Commission FCC 16-148
19
received by a customer of a carrier; except that [CPNI] does not include
subscriber list information.
89
We agree with commenters that, due to its explicit focus on telephone exchange and telephone toll
service, Section 222(h)(1)(B) is not relevant to BIAS.
90
48. We interpret the phrase “made available to the carrier by the customer solely by virtue of
the carrier-customer relationship” in Section 222(h)(1)(A) to include any information falling within a
CPNI category that the BIAS provider collects or accesses in connection with the provision of BIAS.
91
This includes information that may also be available to other entities. We disagree with commenters who
propose that the phrase “made available to the carrier by the customer solely by virtue of the carrier-
customer relationship” means that only information that is uniquely available to the BIAS provider may
satisfy the definition of CPNI.
92
These commenters contend that if a customer’s information is available
to a third party, it cannot qualify as CPNI, focusing on the term “solely” in the clause. However, the term
“solely” modifies the phrase “by virtue of,” not the phrase “made available to the carrier.” We therefore
conclude that “solely by virtue of the carrier-customer relationship” means that information constitutes
CPNI under Section 222(h)(1)(A) if the provider acquires the information as a product of the relationship
and not through an independent means.
93
49. We also agree with the Center for Democracy and Technology that the fact that third-
parties might gain access to the same data when a consumer uses their services “does not negate the fact
that the BIAS provider has gained access to the data only because the customer elected to use the BIAS
provider’s telecommunications service.”
94
The statute is silent as to whether such information might be
available to other parties, which indicates that Congress did not intend for the definition of CPNI to hinge
on such information being solely available to the customers’ carrier.
95
Indeed, in the voice context, CPNI
certainly is available to other parties besides the customer’s carrier and Section 222 protects that data.
For example, when a customer calls someone else, CPNI is also made available to the recipient’s carrier
and intermediaries facilitating the completion of the call. Furthermore, we find that commenters’ narrow
definition of CPNI is inconsistent with the privacy-protective purpose of the statute.
96
We agree with
89
47 U.S.C. § 222(h)(1).
90
See 47 U.S.C. § 222(h)(1)(B); Comcast Comments at 78-79 (BIAS “does not fit the definition of either” telephone
exchange service or telephone toll service); NTCA Comments at 19 (agreeing that (h)(1)(B) is inapplicable to
BIAS); accord USTelecom Comments at 6.
91
See CDT Reply at 19; OTI Reply at 5-6.
92
See CTIA Comments at 44 (arguing that unlike voice context, many types of BIAS CPNI are available to third
parties); USTelecom Comments at 6-7 (“the same data, and even more, is available to other members of the Internet
ecosystem); Cincinnati Bell Tel. Co. (Cincinnati Bell) Comments at 6 (information “sent onto the open Internet in
order to make the service work” should not qualify as CPNI); CenturyLink Comments at 15-16 (information “easily
obtained by multiple parties . . . cannot be deemed CPNI”); NTCA Comments at 21-22 (arguing that source IP
addresses should not be protected because customers share them with third parties).
93
See, e.g., OTI Reply at 5-6 (“Whether other online entities have access to this information is irrelevant to the
statutory determination. . . . The mere fact that third parties have access to similar or even identical information does
not factor into the statute because that information was not provided to the carrier by the customer.”). We note, for
clarity, that both inbound and outbound traffic are made available to the carrier by the customer solely by virtue of
the carrier-customer relationship. The directionality of the traffic is irrelevant as to whether it satisfies the statutory
definition of CPNI.
94
CDT Reply at 19.
95
See, e.g., OTI Reply at 5-6.
96
See U.S. West, Inc. v. FCC, 182 F.3d 1224, 1236 (10th Cir. 1999) (“[T]he specific and dominant purpose of § 222
is the protection of customer privacy.”); CDT Reply at 19 (“[I]t does not follow that BIAS providers should be able
(continued….)
Federal Communications Commission FCC 16-148
20
some commenters’ assertions that when a BIAS provider acquires information wholly apart from the
carrier-customer relationship, such as purchasing public records from a third party, that information is not
CPNI.
97
50. However, consistent with the Commission’s 2013 CPNI Declaratory Ruling, we find that
information that a BIAS provider causes to be collected or stored on a customer’s device, including
customer premises equipment (CPE) and mobile stations, also meets the statutory definition of CPNI.
98
The “fact that CPNI is on a device and has not yet been transmitted to the carrier’s own servers also does
not remove the data from the definition of CPNI, if the collection has been done at the carrier’s
direction.”
99
51. BIAS providers also have the ability, by virtue of the customer-carrier relationship, to
create and append CPNI to a customer’s Internet traffic. For example, if a carrier inserts a unique
identifier header (UIDH), that UIDH is CPNI because, as we will discuss in greater detail below, it is
information in the application layer header that relates to the technical configuration, type, destination,
and amount of use of a telecommunications service.
100
52. We do not believe it is necessary to categorize all personally identifiable information
(PII) as CPNI, as suggested by Public Knowledge.
101
While we agree with Public Knowledge’s sentiment
that PII is confidential information that deserves protection under the Act, and we agree that some
information is both PII and CPNI, we find that the Act categorizes and protects all PII as proprietary
information, under Section 222(a), as discussed below.
102
(i) Guidance Regarding Information that Meets the Statutory
Definition of CPNI in the Broadband Context
53. In keeping with the Commission’s past practice,
103
we decline to set out a comprehensive
list of data elements that do or do not satisfy the statutory definition of CPNI in the broadband context.
104
We agree with commenters that “no definition of CPNI should purport or aim to be comprehensive and
exhaustive, as technology changes quickly and business models continually seek new ways to monetize
(Continued from previous page)
to freely share sensitive information simply because some other actors are already privy to it. That the data exists in
the hands of certain other entities does not mean that further dissemination by the BIAS provider no longer
implicates consumer privacy.”).
97
See CTIA Comments at 49 (“Data acquired from third parties falls wholly outside of this definition.”); accord
Comcast Comments at 75-76.
98
See 2013 CPNI Declaratory Ruling, 28 FCC Rcd at 9618, para. 27. CPE is “equipment employed on the premises
of a person (other than a carrier) to originate, route, or terminate telecommunications.” 47 U.S.C. § 153(16); see
also 47 CFR § 64.2003(h). A mobile station is “a radio-communication station capable of being moved and which
ordinarily does move.” 47 U.S.C. § 153(34). See infra para. 80.
99
2013 CPNI Declaratory Ruling, 28 FCC Rcd at 9618, para. 27.
100
See infra para. 76; See Cellco P’ship, d/b/a Verizon Wireless, Order, 31 FCC Rcd 1843 (Enf. Bur. 2016) (Verizon
UIDH Consent Decree).
101
See Public Knowledge Comments at 27-28; Public Knowledge White Paper at 60-61. See also infra Part
III.B.3.c.
102
See infra Part III.B.3.b.
103
See 2013 CPNI Declaratory Ruling, 28 FCC Rcd at 9617, para. 24 n.54.
104
See Broadband Privacy NPRM, 31 FCC Rcd at 2514, para. 40; 2013 CPNI Declaratory Ruling, 28 FCC Rcd at
9617, para. 24 n.54.
Federal Communications Commission FCC 16-148
21
and market user data.”
105
In the past, the Commission has enumerated certain data elements that it
considers to be voice CPNIincluding call detail records (including caller and recipient phone numbers,
and the frequency, duration, and timing of calls) and any services purchased by the customer, such as call
waiting; these data continue to be voice CPNI going forward.
106
Similarly, we follow past practice and
identify a non-exhaustive list of the types of information that we consider to constitute CPNI in the BIAS
context. We find that such guidance will help provide direction regarding the scope of providers’
obligations and help to increase customers’ confidence in the security of their confidential information as
technology continues to advance.
107
We find that the following types of information relate to the quantity,
technical configuration, type, destination, location, and amount of use of a telecommunications service
subscribed to by any customer of a telecommunications carrier, and as such constitute CPNI when a BIAS
provider acquires or accesses them in connection with its provision of service:
Broadband Service Plans
Geo-location
MAC Addresses and Other Device Identifiers
IP Addresses and Domain Name Information
Traffic Statistics
Port Information
Application Header
Application Usage
Application Payload
Customer Premises Equipment and Device Information
54. We will first give a brief overview of the structure of Internet communications, to help
put these terms in context, and then discuss why each of these types of information, and other related
components of Internet Protocol packets, qualify as CPNI.
(a) Background Components of an Internet Protocol
Packet
55. The layered architecture of Internet communications informs our analysis of CPNI in the
broadband context. While the concept of layering is not unique to the Internet, layering plays a uniquely
prominent role for Internet-based communications and devices. For that reason, we begin with a brief
technical overview of the layered structure of Internet communications.
56. Multiple layersoften represented as a vertical stackcomprise every Internet
communication. Each layer in the stack serves a particular logical function and uses a network protocol
that standardizes communication between systems,
108
enabling rapid innovation in Internet-based
105
Access Now Comments at 4. Accord Electronic Frontier Foundation (EFF) Comments at 3 (supporting
illustrative examples instead of a comprehensive list).
106
2007 CPNI Order, 22 FCC Rcd at 6931; see also 47 CFR § 64.2003(d); 47 CFR § 64.5103(c).
107
See EFF Comments at 3 (“Illustrative examples . . . will provide useful guidance for providers and reduce
compliance costs without risking obsolescence.”); Jon Peha Reply at 6 (broad definition of CPNI necessary given
BIAS providers’ gatekeeping role).
108
See James F. Kurose & Keith W. Ross, Computer Networking: A Top-Down Approach 47-50 (6th ed. 2013)
(Kurose & Ross).
Federal Communications Commission FCC 16-148
22
protocols and applications.
109
Within one device, information is typically transmitted vertically through
the various layers.
110
When an application sends data over the Internet, the process begins with
application data moving downwards through the layers. Each layer adds additional networking
information and functionality, wrapping the output of the layers above it with a “header.” The
communication sent out over the Internetconsisting of the application data wrapped in headers from
each layeris called a “packet.”
111
When a device receives data over the Internet, the reverse process
occurs. Data moves upwards through the layers; each layer unwraps its associated information and passes
the output upward, until the application on the recipient’s device recovers the original application data.
112
As a component of their provision of service, BIAS providers may analyze each of these layers for
reasonable network management.
113
57. Common representations of the Internet’s architecture range from four to seven layers.
114
To highlight design properties relevant to the broadband CPNI analysis, we describe a five-layer model in
this explanation. From top to bottom, the layers are: application payload, application header, transport,
network, and link. We will briefly describe each of the five layers, from top to bottom:
58. Application Payload. The information transmitted to and from each application a
customer runs is commonly referred to as the application layer payload.
115
The application payload is the
substance of the communication between the customer and the entity with which she is communicating.
Examples of application payloads include the body of a webpage, the text of an email or instant message,
the video served by a streaming service, the audiovisual stream in a video chat, or the maps served by a
turn-by-turn navigation app.
59. Application Header. The application will usually append one or more headers to the
payload; these headers contain information about the application payload that the application is sending
or requesting. For example, in web browsing, the Uniform Resource Locator (URL) of a webpage
constitutes application header information. In a conversation via email, instant message, or video chat, an
application header may disclose the parties to the conversation.
116
60. Transport Layer. Below the application header layer is the transport layer, which
forwards data to the intended application on each device and can manage the flow of communications
from one device to another device.
117
Port numbers are an example of data within the transport layer
header; a port number specifies which application on a device should handle a network communication.
109
See, e.g., David D. Clark et al., Tussle in Cyberspace: Defining Tomorrow's Internet, 13 IEEE/ACM
Transactions on Networking 462-475 (2005); Kurose & Ross at 49-53.
110
Across all devices, equivalent layers perform the equivalent functions. This compatibility and interoperability is
typically represented as horizontal relationships. Kurose & Ross at 53-55.
111
See Internet Engineering Task Force, Requirements for Internet Hosts Communications Layers, RFC 1122
(Oct. 1989), https://tools.ietf.org/html/rfc1122.
112
See Kurose & Ross at 53-55.
113
See id. at 756-60.
114
See id. at 47-55; Internet Engineering Task Force, Requirements for Internet Hosts Communications Layers,
RFC 1122 (Oct. 1989), https://tools.ietf.org/html/rfc1122.
115
See, e.g., Kurose & Ross at 55.
116
See id., Chapter 2.
117
See id., Chapter 3. Two transport protocols are widely deployed on the Internet: the Transmission Control
Protocol (TCP), which ensures that data arrives intact, and the User Datagram Protocol (UDP), which provides
fewer guarantees about data integrity. Id.
Federal Communications Commission FCC 16-148
23
61. Network Layer. The network layer is below the transport layer, and contains information
used to route packets across the Internet from one device to another device. Almost all Internet traffic
uses the Internet Protocol (IP) at the network layer.
118
IP addresses are the most common example of data
at the network layer; an IP address in a network header indicates the sender or recipient of an Internet
packet.
119
62. Link Layer. The final layer is the link layer, which is below the network layer. Link
layer protocols route data between devices on the same local network. For example, devices on the same
wired or wireless network can usually communicate directly with each other at the link layer.
120
MAC
addresses are an example of data at the link layer, and a wide range of link technologies (Ethernet,
DOCSIS, Wi-Fi, and Bluetooth, among others) use them. A MAC address functions as a globally unique
device identifier, ensuring that every device on a local network has a distinct address for sending and
receiving data.
121
(b) Specific Examples of CPNI in the BIAS Context
63. With this understanding of the architecture of Internet communications, we can now
examine how the components of an IP data packet map to the statutory definition of CPNI.
122
Below, we
provide guidance addressing how various data elements constitute CPNI under Section 222.
64. Broadband Service Plans. We find that broadband service plans meet the statutory
definition of CPNI in the broadband context because they relate to the quantity, type, amount of use,
location, and technical configuration of a telecommunications service.
123
We agree with NTCA that
“information related to a customer’s broadband service plan can be viewed as analogous to voice
telephony service plans,”
124
which the Commission has long considered to be CPNI in the voice
context.
125
These plans detail subscription information, including the type of service (e.g., fixed or
mobile; cable or fiber; prepaid or term contract), speed, pricing, and capacity (e.g., data caps). These data
relate to the “type” of telecommunications service to which the customer subscribes, as well as how the
BIAS provider will adjust the “technical configuration” of their network to serve that customer.
Information pertaining to subscribed capacity and speed relate to the “quantity” of services the customer
purchases, as well as the “amount” of services the customer consumes. Service plans often include the
118
See id., Chapter 4.
119
See id.
120
See id., Chapter 5.
121
See id.
122
In this section, we provide guidance on what data elements constitute CPNI; this is distinct from the question of
whether a data element constitutes individually identifiable CPNI and is thus “customer proprietary information.”
See infra Appx. A, § 64.2002(f).
123
See 47 U.S.C. § 222(h)(1)(A).
124
NTCA Comments at 20.
125
See 2007 CPNI Order, 22 FCC Rcd at 6931, para. 5; see also Implementation of the Telecommunications Act of
1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer
Information; Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act
of 1934, As Amended; 2000 Biennial Regulatory ReviewReview of Policies and Rules Concerning Unauthorized
Changes of Consumers’ Long Distance Carriers, Third Report and Order and Third Further Notice of Proposed
Rulemaking, 17 FCC Rcd 14860, 14864, para. 7 (2002) (2002 CPNI Order). In 2011, the Sixth Circuit agreed with
AT&T’s argument that information in a service plan “clearly constitutes CPNI” in the voice context. CMC
Telecomm, Inc. v. Mich. Bell Tel. Co., 637 F.3d 626, 630 (6th Cir. 2011).
Federal Communications Commission FCC 16-148
24
customer’s address (for billing purposes or to identify the address of service), which relates to the location
of use of the service.
65. Geo-location. Geo-location is information related to the physical or geographical
location of a customer or the customer’s device(s), regardless of the particular technological method used
to obtain this information. Providers often need to know where their customers are so that they can route
communications to the proper network endpoints. The Commission has already held that geo-location is
CPNI,
126
and Congress emphasized the importance of geo-location data by adding Section 222(f).
127
66. We disagree with commenters who ask us to draw technology-based distinctions for what
types of location information are sufficiently precise to qualify as geo-location CPNI.
128
BIAS providers
can use many types of dataeither individually or in combinationto locate a customer, including but
not limited to GPS, address of service, nearby Wi-Fi networks, nearby cell towers, and radio-frequency
beacons.
129
We caution that these and other forms of location information in place now or developed in
the future constitute geo-location CPNI when made available to the BIAS provider solely by virtue of the
carrier-customer relationship.
67. Media Access Control (MAC) Addresses and Other Device Identifiers. We conclude that
device identifiers, such as MAC addresses, are CPNI in the broadband context because they relate to the
technical configuration and destination of use of a telecommunications service.
130
Link layer protocol
headers convey MAC addresses, along with other link layer protocol information.
131
A MAC address
uniquely identifies the network interface on a device, and thus uniquely identifies the device itself
(including the device manufacturer and often the model).
132
MAC addresses relate to the technical
configuration and destination of communications because BIAS providers use them to manage their
networks and route data packets to the appropriate network device.
133
For the same reasons, we conclude
that other device identifiers and other information in link layer protocol headers are CPNI in the
126
See 2013 CPNI Declaratory Ruling, 28 FCC Rcd at 9616, para. 22 (“The location of a customer’s use of a
telecommunications service also clearly qualifies as CPNI.”); 47 U.S.C. § 222(h)(1)(A).
127
Wireless Communications and Public Safety Act of 1999, Pub. L. No. 106-81, § 5, 113 Stat. 1285, 1289 (1999)
(codified at 47 U.S.C. § 222(f) (“Authority to use location information”)).
128
See, e.g., CTIA Comments at 135 (urging rules to “cover only precise GPS location information”); Future of
Privacy Forum Reply at 6-7; NCTA Comments at 61.
129
See, e.g., Future of Privacy Forum Comments at 20-25; S
2
ERC Comments at 6; Farsight Security Comments at 5.
130
See 47 U.S.C. § 222(h)(1)(A). See also CDT Reply at 18-19; Letter from Laura Moy, Institute for Public
Representation, Counsel, New America’s Open Technology Institute, to Marlene H. Dortch, Secretary, FCC, WC
Docket No. 16-106, at 4-6 (filed Oct. 13, 2016) (OTI Oct. 13, 2016 Ex Parte).
131
See supra Part III.B.3.a(i)(a).
132
See, e.g., Kurose & Ross at 463-65. Cf. NTCA Comments at 21 (“a MAC address is associated to a device”).
See also CDT Reply at 19 (“It is believed that some future forms of BIAS network architectures may remove the
need for a network modem, making available a MAC address farther up into the BIAS provider’s network outside of
the home network.”); EFF Comments at 3-4 (device identifiers implicate customers’ privacy interests and should be
protected). The Commission has previously recognized that unique device identifiers such as an “electronic serial
number” are “call data information” in the TRS CPNI context. 47 CFR § 64.5103(c).
133
See Kurose & Ross at 463-65; Front Porch Comments at 2 (“ISPs use this address for internal network
management purposes, including access permissions, data consumption, and service tier monitoring.”); CDT
Comments at 13-14 (“MAC addresses and other device identifiers relate to the destination of a telecommunications
service because they are used to route packets to individual devices connected to a network.”); NCTA Comments at
62-63 (“device identifiers or other data elements . . . may be used by broadband providers to facilitate email traffic
routing”). We disagree with Sandvine, which argues that link layer information such as MAC addresses do not
relate to the technical configuration of network traffic or the destination of packets. See Sandvine Comments at 22-
23.
Federal Communications Commission FCC 16-148
25
broadband context because they relate to the technical configuration and destination of use of a
telecommunications service.
134
68. Internet Protocol (IP) Addresses and Domain Name Information. We conclude that
source and destination IP addresses constitute CPNI in the broadband context because they relate to the
destination, technical configuration, and/or location of a telecommunications service.
135
An IP address is
a routable address for each device on an IP network,
136
and BIAS providers use the end user’s and edge
provider’s IP addresses to route data traffic between them.
137
As such, source and destination IP
addresses are roughly analogous to telephone numbers in the voice telephony context.
138
69. We agree with those commenters that argue that the IP addresses a customer uses and
those with which she exchanges packets constitute CPNI because both source and destination IP
addresses relate to the destination of use of a telecommunications service; one links to the destination for
inbound traffic while the other links to the destination for outbound traffic.
139
IP addresses are also
frequently used in geo-location.
140
As Public Knowledge explains, “IP addresses can easily be mapped to
geographic locations, meaning that both the subscriber and the service can be located.”
141
IP addresses
relate to technical configuration because BIAS providers configure their systems to use IP addresses in
the network layer to communicate data packets between senders and receivers.
142
70. We disagree with commenters who argue that a customer’s IP address is not CPNI.
Some commenters argue that a customer’s IP address is not CPNI because the BIAS provider assigns the
134
For a brief overview of Internet architecture and layering, see supra Part III.B.3.a(i)(a).
135
See 47 U.S.C. § 222(h)(1)(A).
136
See Internet Engineering Task Force, The Internet Numbers Registry System, RFC 7020 (2013),
https://tools.ietf.org/html/rfc7020 (discussing non-reserved globally unique unicast IP addresses assigned through
the Internet Numbers Registry System).
137
See, e.g., Kurose & Ross at 130, 331-63.
138
The Commission has previously held telephone numbers dialed to be CPNI. See 2007 CPNI Order, 22 FCC Rcd
at 6931, para. 5. Further, our CPNI rules for TRS providers recognize IP addresses as call data information. 47
CFR § 64.5103(c). By this analogy, we mean only that both are “roughly similar numerical identifiers” used to
route telecommunications. See Internet Society June 6, 2016 Ex Parte at 2. We do not intend to imply that IP
addresses are or should be administered in the same manner as telephone numbers. See id. at 1-2 (discussing the
differences in each identifier’s governance). This definitional change to our regulations in no way asserts
Commission jurisdiction over the assignment or management of IP addressing.
139
See Comcast Comments at 78 (“IP addresses identify the ‘logical’ location of a device for purposes of routing
Internet traffic” (footnote omitted)); CDT Comments at 14 (citations omitted); Sandvine Comments at 22-23 (IP
addresses relate to destination); NCTA Comments at 62 (“IP addresses . . . may be used by broadband providers to
facilitate email traffic routing” (citation omitted)); CDT Comments at 14 (“IP addresses are the destinations to
which BIAS providers deliver packets and also may be associated with physical locations.”); S
2
ERC Comments at
6-7.
140
See, e.g., CDD Comments at 15; CDT Comments at 14. A BIAS provider is uniquely capable of geo-locating an
IP address. Most notably, in the case of mobile broadband Internet access service, the provider knows the geo-
location of the cell towers to which the customer’s device connects and can use this to determine the customer’s
device location.
141
Harold Feld, et al., Public Knowledge, Protecting Privacy, Promoting Competition: A Framework for Updating
the Federal Communications Commission Privacy Rules for the Digital World 47 (2016) (Public Knowledge White
Paper) (citing Dan Jerker B. Svantenson, Geo-Location Technologies and Other Means of Placing Borders on the
“Borderless” Internet”, 23 J. Marshall J. Computer & Info. L. 101, 10911 (2004)).
142
See supra Part III.B.3.a(i)(a); Sandvine Comments at 22-23 (arguing that IP addresses relate to technical
configuration).
Federal Communications Commission FCC 16-148
26
IP address to the customer,
143
and thus it is not “made available to the carrier by the customer solely by
virtue of the carrier-customer relationship.”
144
This reading of the text undermines the privacy-protective
purpose of the statute. First, as the Commission has previously held, information that the provider causes
to be generated by a customer’s device or appended to a customer’s traffic, in order to allow the provider
to collect, access, or use that information, can qualify as CPNI if it falls within one of the statutory
categories.
145
Second, while the provider generates and assigns the number that will become the
customer’s IP address, that number is ultimately just a proxy for the customer, translated into a language
that Internet Protocol understands. But for the carrier-customer relationship, the customer would not have
an IP address. Other commenters argue that IP addresses should not qualify as CPNI because “this
information is necessarily sent onto the open Internet in order to make the service work.”
146
However, as
discussed above, whether information is available to third parties does not affect whether it meets the
statutory definition of CPNI.
147
71. We also disagree with commenters who assert that dynamic IP addresses
148
do not meet
the statutory definition of CPNI. As Return Path explains, “[w]hile the BIAS provider will have a record
of precisely which user was connected to [a dynamic] IP address at a specific point in time, any third
party will not.”
149
A dynamic IP address may be used for a shorter period of time than a static IP
address.
150
But a dynamic IP address still meets the statutory definition of CPNI because it relates to the
technical configuration, type, destination, and/or location of use of a telecommunications service, for the
reasons discussed above.
72. We also conclude that information about the domain names visited by a customer
constitute CPNI in the broadband context. Domain names (e.g., “fcc.gov”) are common monikers that the
143
See, e.g., Comcast Comments at 77; NCTA Comments at 21.
144
47 U.S.C. § 222(h)(1)(A).
145
See 2013 CPNI Declaratory Ruling, 28 FCC Rcd at 9618, para. 27; Verizon UIDH Consent Decree, 31 FCC Rcd
at 1843-44, paras. 2-5.
146
Cincinnati Bell Comments at 6; accord Comcast Comments at 81; William Rinehart Comments at 3 (Rinehart);
see also S
2
ERC Comments at 6-7 (arguing that IP addresses are widely accessible, but also can be “sensitive
information”); Peter Swire & Justin Hemmings (Swire & Hemmings) Reply at 7-8 (arguing that IP addresses are
available to intermediaries between the customer and the content provider).
147
See supra para. 49.
148
A dynamic IP address is one that the BIAS provider can change. See generally Network Working Group,
Internet Eng’g Task Force, RFC 2131: Dynamic Host Configuration Protocol (1997),
https://tools.ietf.org/html/rfc2131; Network Working Group, Internet Eng’g Task Force, RFC 3315: Dynamic Host
Configuration Protocol for IPv6 (DHCPv6) (2003), https://tools.ietf.org/html/rfc3315.
149
Return Path Comments at 3. See also, e.g., Comcast, Comcast Legal Response Ctr., Law Enforcement Handbook
(Rev. May 1, 2015) at 10 (2015),
https://www.comcast.com/~/Media/403EEED5AE6F46118DDBC5F8BC436030.ashx (noting that Comcast retains
dynamic IP address log files for 180 days).
150
We note that these potential privacy benefits of dynamic IP addresses depend upon the specific network
configuration and practices of the BIAS provider. For example, a provider may assign a dynamic IP address to a
customer for a long period of time, such that it is effectively equivalent to a static IP address. In certain
configurations (e.g., IPv6 without privacy extensions), a dynamic IP address can be more revealing than a static IP
address, because it includes other network identifiers (such as a MAC address). See, e.g., Network Working Group,
Internet Eng’g Task Force, RFC 3041: Privacy Extensions for Stateless Address Autoconfiguration in IPv6 at 3
(2001), https://tools.ietf.org/html/rfc3041; Comcast, Comcast Legal Response Ctr., Law Enforcement Handbook
(Rev. May 1, 2015) at 10, https://www.comcast.com/~/Media/403EEED5AE6F46118DDBC5F8BC436030.ashx
(noting that Comcast retains dynamic IP address log files for 180 days).
Federal Communications Commission FCC 16-148
27
customer uses to identify the end point to which they seek to connect.
151
Domain names also translate
directly into IP addresses. Because of this easy translation, domain names relate to the destination and
technical configuration of a telecommunications service.
73. As discussed above, Internet traffic is communicated through a layered architecture,
including a network layer that uses protocol headers containing IP addresses to route communications to
the intended devices.
152
Similar to IP addresses, other information in the network layer protocol headers
is CPNI in the broadband context. BIAS providers configure their networks to use this information for
routing, network management, and security purposes. These headers will also indicate the total size of
the packet.
153
As such, other information in the network layer protocol headers relates to the technical
configuration and amount of use of a telecommunications service.
154
74. Traffic Statistics. We conclude that traffic statistics meet the statutory definition of CPNI
in the broadband context because they relate to the amount of use, destination, and type of a
telecommunications service.
155
We use the technology-neutral term “traffic statistics” to encompass any
quantification of the communications traffic, including short-term measurements (e.g., packet sizes and
spacing) and long-term measurements (e.g., monthly data consumption, average speed, or frequency of
contact with particular domains and IP addresses).
156
We believe that traffic statistics are analogous to
call detail information regarding the “duration[] and timing of [phone] calls” and aggregate minutes used
in the voice telephony context, both of which are CPNI.
157
BIAS providers use traffic statistics to
optimize the efficiency of their networks and protect against cyber threats, but can also use this data to
draw inferences that implicate the amount of use, destination, and type of a telecommunications service.
For example, BIAS providers can use traffic statistics to determine the amount of use (e.g., date, time, and
duration), and to identify patterns such as when the customer is at home, at work, or elsewhere, or reveal
other highly personal information. Traffic statistics related to browsing history and other usage can reveal
the “destination” of customer communications. Further, a BIAS provider could deduce the “type” of
application (e.g., VoIP or web browsing) that a customer is using based on traffic patterns, and thus the
purpose of the communication.
75. Port Information. We conclude that port information is CPNI in the broadband context
because it relates to the destination, type, and technical configuration, of a telecommunications service.
158
A port is a logical endpoint of communication with the sender or receiver’s application, and consequently
151
See Feamster ISP Data Use Comments at 5. Whether or not the customer uses the BIAS provider’s in-house
DNS lookup service is irrelevant to whether domain names satisfy the statutory definition of CPNI. See Farsight
Security Comments at 7.
152
See supra Part III.B.3.a(i)(a).
153
CDT Comments at 14 (citing Internet Eng’g Task Force, RFC 791: Internet Protocol - DARPA Internet Program
Protocol Specification 12 (1981), https://tools.ietf.org/html/rfc791).
154
See CDT Comments at 13-14; EFF Comments at 3-4.
155
See 47 U.S.C. § 222(h)(1)(A); see also EFF Comments at 4.
156
There are many common forms of traffic statistics, such as IPFIX, and we believe it is important to focus on how
BIAS providers use these data, rather than single out particular technologies. See Feamster ISP Data Use Comments
at 2-7.
157
2007 CPNI Order, 22 FCC Rcd at 6930-31, para. 5; see also 47 CFR § 64.5103(c); 2013 CPNI Declaratory
Ruling, 28 FCC Rcd at 9617, para. 25; 2007 CPNI Order, 22 FCC Rcd at 6936, para. 13 n.45.
158
See 47 U.S.C. § 222(h)(1)(A); OTI Comments at 20-21; CDT Comments at 14-15 (“Essentially, ports are a more
granular form of destination information than IP and MAC addresses, indicating [to] which applications particular
packets may be destined.”); Public Knowledge White Paper at 47-48.
Federal Communications Commission FCC 16-148
28
relates to the “destination” of a communication.
159
The transport layer protocol header of a data packet
contains the destination port number, which determines which application receives the communication.
160
Port numbers identify or at least provide a strong indication of the type of application used, and thus the
purpose of the communication, such as email, web browsing, or other activities.
161
BIAS providers
configure their networks using port information for network management purposes, such as to block
certain ports to ensure network security. As such, these practices relate to the “technical configuration” of
the telecommunications service. We agree with commenters that other transport layer protocol header
information is CPNI in the broadband context because it relates to the technical configuration and amount
of use of a telecommunications service.
162
BIAS providers use other header information in this layer to
configure their networks and monitor for security threats. For example, because UDP headers indicate
packet size, they can reveal the amount of data the customer is consuming, and because TCP headers
include sequence numbers, they can reveal information about a customer’s device configuration.
163
76. Application Header. We conclude that application header information is CPNI in the
broadband context because it relates to the destination, type, technical configuration, and amount of use of
a telecommunications service.
164
As discussed above, the top-most layer of network architecture is the
application layer; IP data packets contain application headers to instruct the recipient application on how
to process the communication.
165
Application headers contain data for application-specific protocols to
help request and convey application-specific content.
166
The application header communicates
159
See CDT Comments at 14 (“Network ports are subaddresses within the internet protocol and are used by
operating systems to sort and deliver packets to individual applications.”).
160
See Network Working Group, Internet Eng’g Task Force, RFC 1180: A TCP/IP Tutorial 23, 24 (1991),
https://tools.ietf.org/html/rfc1180 (“Well-defined port numbers are dedicated to specific applications.” Id. at 24).
Port destinations are analogous to telephone extensions in the voice context.
161
See NTCA Comments at 22 (port information “can be used to discern whether a person was using email or
browsing the Internet”); CDT Comments at 14-15 (“For instance, ports 109 and 110 indicate the use of the Post
Office Protocol (POP), marking the packet as an email transmission, while port 1214 indicates the use of the Kazaa
peer-to-peer file sharing protocol.”); OTI Comments at 20-21 (“For instance, port 80 is used for HTTP traffic and
port 443 is used for HTTPS traffic. Some ports are very specific, and information about traveling to those ports may
reveal even more detailed information about a BIAS customer’s use of the service. For example, port 194 is used for
Internet Relay Chat and port 666 for the 1993 video game Doom.”). Though sometimes port numbers may not
reveal anything of significance, see, e.g., Farsight Security Comments at 8 (“One result of the widespread use of
perimeter firewalls is that ‘everything’ seems to tunnel its traffic over port 80. Port numbers have largely gone from
reliable clues to the type of application generating traffic seen on the wire to either: [e]verything over port 80, or
[e]verything over a random dynamic port.”), they often do, and therefore we conclude that they relate to the
destination, type, or technical configuration of the service. See, e.g., Internet Assigned Numbers Authority, Service
Name and Transport Protocol Number Registry (Oct. 17, 2016), http://www.iana.org/assignments/service-names-
port-numbers/service-names-port-numbers.xhtml; see generally Internet Eng’g Task Force, RFC 6335: Internet
Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol
Port Number Registry (2011), https://tools.ietf.org/html/rfc6335.
162
See CDT Comments at 14-15 (“At the transport layer, the two most common protocols, Transmission Control
Protocol (TCP) and User Datagram Protocol (UDP) include header fields specifying source and destination ports as
well as packet size.”).
163
Id.
164
See 47 U.S.C. § 222(h)(1)(A); CDT Comments at 15 (discussing the uses of application headers).
165
See supra Part III.B.3.a(i)(a).
166
See Ctr. for Democracy & Tech., Applying Communications Act Consumer Privacy Protections to Broadband
Providers (2016), https://cdt.org/files/2016/01/2016-01-20-Packets_Layers_fnl.pdf (CDT White Paper).
Application headers are analogous in the voice telephony context to a customer’s choices within telephone menus
used to route calls within an organization (e.g., “Push 1 for sales. Push 2 for billing.”). See Broadband Privacy
NPRM, 31 FCC Rcd at 2517, para. 50.
Federal Communications Commission FCC 16-148
29
information between the application on the end user’s device and the corresponding application at the
other endpoint of the communication.
167
For example, application headers for web browsing typically use
the Hypertext Transfer Protocol (HTTP) and contain the Uniform Record Locator (URL), operating
system, and web browser; application headers for email typically contain the source and destination email
addresses.
168
The type of applications used, the URLs requested, and the email destination all convey
information intended for use by the edge provider to render its service. Application headers can also
reveal information about the amount of data being conveyed in the packet.
169
BIAS providers may
configure their networks using application headers for network management or security purposes.
77. Consistent with our decision in the 2013 CPNI Declaratory Ruling, we agree with
commenters
170
that any information that the BIAS provider injects into the application header, such as a
unique identifier header (UIDH), is also CPNI in the broadband context.
171
BIAS providers sometimes
append information to application headers, in particular HTTP headers, in order to uniquely tag
communications with a specific subscriber account.
172
Like other application header information, these
data relate to the technical configuration, type, destination, and amount of use of a telecommunications
service.
78. Application Usage. We conclude that information detailing the customer’s use of
applications is CPNI in the broadband context because it relates to the type and destination of a
telecommunications service.
173
Unlike an application payload, which contains the substance of a
communication in an IP packet, application usage information is data that reveals the customer’s use of an
application more generally. A BIAS provider often collects application usage information through its
provision of service.
174
Sometimes application usage information is quantifiedsimilar to traffic
statisticsinto short-term or long-term measurements. Such information can reveal the type of
applications the customer uses and with whom she communicates. As such, to the extent that the BIAS
167
See Kurose & Ross at 51; CDT Comments at 15; CDT White Paper.
168
See CDT Comments at 15. Application headers may also include information relating to persistent identifiers,
use of encryption, and virtual private networks (VPNs). Email headers may also include the subject line.
169
For example, HTTP has a field called “Content-Length.” See Network Working Group, Internet Engg Task
Force, RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1 at 119 (1999), https://www.ietf.org/rfc/rfc2616.txt.
170
See CDT Comments at 15 (“These identifiers also encompass each element of CPNI, relating [to] the quantity,
technical configuration, type, destination, location, and amount of use of a telecommunications service to an
individual subscriber.”).
171
See 2013 CPNI Declaratory Ruling, 28 FCC Rcd at 9618, para. 27; Verizon UIDH Consent Decree, 31 FCC Rcd
at 1843-44, paras. 1-5.
172
See CDT Comments at 15 (“In the practice known as ‘HTTP header injection,’ BIAS providers add a new HTTP
header line after the message leaves the customer’s browser. This header serves as a unique marker identifying all
HTTP messages sent from a single subscriber account.”).
173
See 47 U.S.C. § 222(h)(1)(A).
174
See T-Mobile, T-Mobile Privacy Policy (Nov. 25, 2015), http://www.t-
mobile.com/company/website/privacypolicy.aspx#fullpolicy (“We may also collect information about applications
on your device, the fact that an application has been added, when an application is launched or fails to launch, and
length of time an application has been running.”); AT&T, AT&T Privacy Policy (July 24, 2015),
https://www.att.com/gen/privacy-policy?pid=2506#print (AT&T collects “how often you open an application, how
long you spend using the app and other similar information.”); Sprint, Sprint Corporation Privacy Policy (July 22,
2016), https://www.sprint.com/legal/privacy.html (Sprint collects information about “applications purchased,
applications downloaded or used, and other similar information.”); Verizon, Verizon Full Privacy Policy,
http://www.verizon.com/about/privacy/full-privacy-policy (last visited Oct. 5, 2016) (Verizon collects “application
and feature usage”).
Federal Communications Commission FCC 16-148
30
provider directs the collection or storage of such information, we conclude that it is CPNI.
175
For the
reasons discussed above, we disagree with commenters who contend that we should not consider such
information to be CPNI because it is also available to other parties.
176
79. Application Payload. We conclude that the application payload, which is the part of the
IP packet containing the substance of the communication between the customer and entity with which the
customer is communicating, can be considered CPNI.
177
Examples of application payloads include the
body of a webpage, the text of an email or instant message, the video shared by a streaming service, the
audiovisual stream in a video chat, or the maps served by a ride-sharing app. It is available to the carrier
only because of the customer-carrier relationship and can relate to technical configuration, type,
destination and amount of the use of the telecommunications service. BIAS providers are technically
capable of configuring their networks to scan all parts of the data packet, including the payload, to detect
security threats and block malicious packets.
178
The application payload can help identify the parties to
the communication (e.g., the online streaming video distributor of a streaming video, or the homepage of
a news website), and thus the communication’s destination. The payload’s size and substance can also
indicate the amount of data the customer is using, the type of communication, and the duration of the use
of the service. Another way to think of the application payload is as the “content of the communication.”
Because of the importance given to protecting content of communications in our legal system, we also
discuss content separately as its own element of customer proprietary information.
179
80. Customer Premises Equipment (CPE) and other Customer Device Information.
Information pertaining to customer premises equipment (CPE) and other customer device information,
such as that relating to mobile stations, is CPNI in the broadband context because it relates to the
technical configuration, type, and destination of a telecommunications service.
180
The Act defines CPE as
“equipment employed on the premises of a person (other than a carrier) to originate, route, or terminate
telecommunications.”
181
The Commission has long-understood CPE to include customers’ mobile
devices, such as cell phones.
182
Given this precedent, we believe that other consumer devices capable of
being connected to broadband services, such as smartphones and tablets, also fall under the rubric of CPE,
along with more traditional CPE such as a customer’s computer, modem, router, videophone, or IP
caption phone. However, we also observe that such devices would be considered “mobile stations,”
which the Act defines as “a radio-communication station capable of being moved and which ordinarily
does move.”
183
We disagree with commenters that argue that only devices furnished by the BIAS
provider can qualify as CPE;
184
there is no such limitation in the statutory language.
81. We find that the traits of CPE and other customer devices (e.g., model, operating system,
software, and/or settings) a customer uses relates to the technical configuration and communications
175
See 2013 CPNI Declaratory Ruling, 28 FCC Rcd at 9615-16, para. 21-23.
176
See NTCA Comments at 22-23; see supra para. 48.
177
See supra Part III.B.3.a(i)(a); see also Public Knowledge White Paper at 48; CDT Comments at 17.
178
See Sandvine Comments at 2-3; CDT Reply at 14 (BIAS providers scan payloads to “searc[h] for protocol non-
compliance . . . viruses and spam, interference, and for collecting network statistics.”). BIAS providers also use
various network management techniques to minimize network congestion while transmitting application payloads.
179
See infra Part III.B.3.d.
180
See 47 U.S.C. § 222(h)(1)(A).
181
47 U.S.C. § 153(16); 47 CFR § 64.2003(h).
182
See generally Bundling of Cellular Customer Premises Equipment and Cellular Service, Report and Order, 7
FCC Rcd 4028 (1992).
183
47 U.S.C. § 153(34).
184
See NTCA Comments at 25.
Federal Communications Commission FCC 16-148
31
protocols the BIAS provider uses to interface that device with its network, as well as the type of service to
which the customer subscribes (e.g., fixed or mobile, cable or fiber). CPE and mobile station information
relates to the destination of the use of BIAS because it can identify the endpoint for inbound
communications.
82. We disagree with commenters who argue that we should not consider CPE and by
extension other customer device information to be CPNI because CPE and other customer devices are
also used for purposes other than BIAS, or because such information may be available to other parties.
185
As discussed above,
186
what matters is the nature of the information made available to the BIAS provider
through its provision of service.
83. We disagree with NTCA, which misinterprets the Bureau-level 1998 CPNI Clarification
Order to argue that the Commission has previously found that CPE is not covered by Section 222.
187
In
the 1998 CPNI Clarification Order, the Bureau addressed the issue of “customer information
independently derived from the carrier’s prior sale of CPE to the customer or the customer’s subscription
to a particular information service offered by the carrier in its marketing of new CPE[.]”
188
By contrast,
here we are addressing information about the CPE itself that is made available to the carrier by the
customer solely by virtue of the carrier-customer relationship, i.e., information derived in the course of
providing BIAS or another telecommunications service.
84. Other Types of CPNI. We reiterate that the examples of CPNI discussed above are
illustrative, not exhaustive. To the extent that other types of information satisfy the statutory definition of
CPNI, those data may also be CPNI, either in the BIAS context or in the context of other
telecommunications services.
b. Customer Proprietary Information (Customer PI)
85. Section 222(a) imposes a general duty on all telecommunications carriers “to protect the
confidentiality of proprietary information of, and relating to, . . . customers.”
189
“[P]roprietary
information of, and relating to, . . . customers” is information that BIAS providers and other
telecommunications carriers acquire in connection with their provision of service, which customers have
an interest in protecting from disclosure.
190
We call this information “customer proprietary information”
or “customer PI.” Customer PI consists of three non-mutually-exclusive categories: (1) individually
identifiable customer proprietary network information (CPNI), (2) personally identifiable information
(PII), and (3) content of communications.
191
This interpretation of Section 222(a) is consistent with other
provisions of the Communications Act that use the term “proprietary information,”
192
and with the
185
See id. at 23-25.
186
See supra para. 49
187
See NTCA Comments at 25; Implementation of the Telecommunications Act of 1996: Telecommunications
Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, Order, 13 FCC Rcd
12390, 12392-93, paras. 2-4 (CC Bur. 1998) (1998 CPNI Clarification Order).
188
1998 CPNI Clarification Order, 13 FCC Rcd at 12393, para. 4.
189
47 U.S.C. § 222(a).
190
See TerraCom NAL, 29 FCC Rcd at 13330-32, paras. 14-20 (defining the scope of the term “proprietary
information”).
191
See infra Parts III.B.3.c, III.B.3.d.
192
See TerraCom NAL, 29 FCC Rcd at 13330-31, para. 15 (“In the context of public broadcasting, for example, the
Corporation for Public Broadcasting (CPB) must maintain for public inspection certain financial information about
programming grants. But Congress also recognized that ‘proprietary, confidential, or privileged information’ should
not be made public, and Congress thus expressly excluded such information from public disclosure. Similarly, . . .
[r]ecognizing that [entities that review interoperability of telephone equipment] necessarily gain access to extremely
(continued….)
Federal Communications Commission FCC 16-148
32
Commission’s use of that term before enactment of Section 222.
193
As we discuss in more detail below,
protecting PII and content is at the heart of most privacy regimes
194
and we recognized in TerraCom that
the Communications Act protects them as customer PI because it “clearly encompasses private
information that customers have an interest in protecting from public exposure.”
195
86. As we previously explained, “[i]n the context of Section 222, it is clear that Congress
used the term ‘proprietary information’ broadly to encompass all types of information that should not be
exposed widely to the public, whether because that information is sensitive for economic reasons or for
reasons of personal privacy.
196
We reaffirm our conclusion that ‘proprietary information’ in Section
222(a), as applied to customers . . . clearly encompass[es] private information that customers have an
interest in protecting from public exposure.”
197
As such, we disagree with commenters that argue that the
word “proprietary” in Section 222(a) means the statute only protects information the customer keeps
secret from any other party.
198
If only secret information qualified as private information, then not even
Social Security numbers would be “proprietary” and subject to the protections of Section 222 and our
implementing rules.
199
People regularly give their Social Security numbers to banks, doctors, utility
companies, telecommunications carriers, employers, schools, and other parties in order to obtain various
services but this does not mean the information is not “proprietary” to them. To define “proprietary” as
these commenters propose would render Section 222(a) at worst meaningless and at best leaving a gap
whereby sensitive proprietary information like a Social Security number would be unprotected.
200
87. We disagree with commenters that assert that defining the category of customer PI in
this way would dramatically expand the scope of providers’ duties to protect private customer
(Continued from previous page)
valuable trade secrets, Congress explicitly prohibited those review entities from ‘releasing or otherwise using any
proprietary information’ belonging to the manufacturer without written authorization.”); see also CDT Comments at
12.
193
See Furnishing of Customer Premises Equipment and Enhanced Services by American Telephone & Telegraph
Co., Order, 102 F.C.C.2d 655, 692-93, para. 64 (1985) (discussing 47 C.F.R. § 64.702 (1984) and noting that
“customer proprietary information … belongs to the customers, and many may not want it to be made public”).
194
See infra Part III.B.3.c. See, e.g., 18 U.S.C. § 2710 (Video Privacy Protection Act); 18 U.S.C. §§ 2721-2725
(Driver’s Privacy Protection Act); 45 CFR pt. 164 (HIPAA rules); 16 CFR pt. 313 (Gramm-Leach-Bliley Act rules);
16 CFR pt. 682 (Fair Credit Reporting Act rules); 12 CFR pt. 1022 (Fair and Accurate Credit Transaction Act
disposal rule); 45 CFR pt. 5b (Privacy Act rules); 34 CFR pt. 99 (FERPA rules); 16 CFR pt. 312 (COPPA rules);
2015 Administration CPBR Discussion Draft § 4(a)(1). See also CDT Comments at 8-9; Electronic Privacy
Information Center (EPIC) Comments at 14-15.
195
TerraCom NAL, 29 FCC Rcd at 13330-31, paras. 14, 17.
196
Id., para. 14.
197
Id.
198
See CTIA Comment at 33-34 (arguing that information cannot be proprietary if it is available to others); NTCA
Comments at 28-29 (many types of PII are publicly available). But see Free Press Reply at 8-10 (“That edge
providers may have access to certain kinds of ‘Proprietary Information’ is immaterial to whether the FCC can
protect the use of that information by broadband ISPs.”).
199
See Daniel J. Solove, Nothing to Hide 178 (2011) (“The problem with the secrecy paradigm is that we do expect
some degree of privacy in public. We don’t expect total secrecy, but we also don’t expect somebody to be recording
everything we do.”) (emphasis in original). A panopticon limited to the public sphere can still infringe the dignity of
the private individual. See United States v. Jones, 132 S.Ct. 945, 955 (2012) (Sotomayor, J., concurring) (“GPS
monitoring generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail
about her familial, political, professional, religious, and sexual associations.”).
200
See Corley v. United States, 556 U.S. 303, 314 (2009) (“a statute should be construed so that effect is given to all
its provisions, so that no part will be inoperative or superfluous, void or insignificant”) (internal quotation marks,
alterations, and citation omitted).
Federal Communications Commission FCC 16-148
33
information.
201
Based on the record before us, we find that BIAS providerslike other
telecommunications carriersare already on notice that they have a duty to keep such information secure
and confidential based on, among other things, FTC guidance that applied to them prior to the
reclassification of broadband in the 2015 Open Internet Order.
202
According to FTC staff, “[t]o date, the
FTC has brought over 500 cases protecting the privacy and security of consumer information.”
203
We
have held providers responsible for protecting these private data under Section 222(a).
204
In TerraCom,
we also found that the failure to protect customer’s private information was an unjust and unreasonable
practice under Section 201(b).
205
Likewise, providers have been required to protect the content of
communications for decades.
206
Moreover, customers reasonably expect and want their providers to keep
these data secure and confidential.
207
Surveys reflect that 74 percent of Americans believe it is “very
important” to be in control over their own information; as a Pew study found, “[i]f the traditional
American view of privacy is the ‘right to be left alone,’ the 21st-century refinement of that idea is the
right to control their identity and information.”
208
We agree with the Center for Democracy &
Technology that “[e]xcluding PII from the proposed rules would be contrary to decades of U.S. privacy
regulation and public policy.”
209
We also observe that omitting PII from the scope of these rules would
201
See Competitive Carriers Association (CCA) Comments at 4 (proposal is a “significant expansion” of coverage);
CenturyLink Comments at 35-36 (“broad scope” of coverage could increase compliance costs); INCOMPAS
Comments at 8 (“sweeping alterations to the current framework”); Internet Commerce Coalition (ICC) Comments at
13 (broader coverage than previous rules); USTelecom Comments at 7 (“massive expansion” of coverage under
Section 222); WISPA Comments at 12-13 (“vast expansion of the universe of information that would be subject to
protection”).
202
See 2012 FTC Privacy Report at v, vii-ix, 15-22; see also ACLU Comments at 2-3 (“The nation’s mail,
telephone, and telegraph infrastructures have long been subject to rules protecting [Americans’] privacy.”).
203
FTC Staff Comments at 4. See, e.g., FTC v. E.M.A. Nationwide, Inc., 767 F.3d 611 (6th Cir. 2014); FTC v.
Accusearch, Inc., 570 F.3d 1187 (10th Cir. 2009); FTC v. INC21.com Corp., 688 F.Supp.2d 927 (N.D. Cal. 2010),
aff’d, 475 Fed. Appx. 106 (9th Cir. 2012); Snapchat, Inc., Decision & Order, FTC Docket No. C-4501 (Dec. 23,
2014), https://www.ftc.gov/enforcement/cases-proceedings/132-3078/snapchat-inc-matter; Accretive Health, Inc.,
Decision & Order, FTC Docket No. C-4432 (Feb. 5, 2014), https://www.ftc.gov/enforcement/cases-
proceedings/122-3077/accretive-health-inc-matter; Compete, Inc., Decision & Order, FTC Docket No. C-4384 (Feb.
20, 2013), https://www.ftc.gov/enforcement/cases-proceedings/102-3116/compete-inc.
204
See, e.g., TerraCom NAL, 29 FCC Rcd at 13325, para. 2; Cox Commc’n Inc., Order, 30 FCC Rcd 12302, 12303,
para. 4. (Enf. Bur. 2015) (Cox Consent Decree); Verizon UIDH Consent Decree, 31 FCC Rcd at 1843, para. 2.
205
See TerraCom NAL, 29 FCC Rcd at 13325, para. 2.
206
See 47 U.S.C. § 605; 18 U.S.C. § 2511 (ECPA); see also infra Part III.B.3.d.
207
See Lee Rainie, The State of Privacy in post-Snowden America, Pew Research Center (Sept. 21, 2016),
http://www.pewresearch.org/fact-tank/2016/09/21/the-state-of-privacy-in-america/ (91 percent of Americans agree
that consumers have lost control of how personal information is collected and used by companies and 68 percent
support more protective privacy and data retention laws); Rafi Goldberg, NTIA, Lack of Trust in Internet Privacy
and Security May Deter Economic and Other Online Activities (May 13, 2016),
https://www.ntia.doc.gov/print/blog/2016/lack-trust-internet-privacy-and-security-may-deter-economic-and-other-
online-activities (consumers change their online behavior if they believe their privacy is compromised); Morrison &
Foerster, Consumer Outlooks on Privacy, 7 (2016),
www.mofo.com/~/media/Files/Resources/2016/MoFoInsightsConsumerOutlooksPrivacy.pdf (describing consumer
privacy expectations).
208
Lee Rainie, The State of Privacy in post-Snowden America, Pew Research Center (Sept. 21, 2016),
http://www.pewresearch.org/fact-tank/2016/09/21/the-state-of-privacy-in-america/.
209
CDT Comments at 8-9 (citing regulations issued under Health Insurance Portability and Accountability Act
(HIPAA), Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Fair and Accurate Credit
(continued….)
Federal Communications Commission FCC 16-148
34
result in a gap in protection for PII under the Act’s primary privacy regime for telecommunications
services.
210
Thus, were PII not included within the scope of customer PI, sensitive PII like Social Security
numbers or private medical records would receive fewer protections than a broadband plan’s monthly
data allowance, a result we do not think intended by Congress. We discuss and define PII below.
c. Personally Identifiable Information (PII)
88. Protecting personally identifiable information is at the heart of most privacy regimes.
211
Historically, legal definitions of PII have varied. Some incorporated checklists of specific types of
information; others deferred to auditing controls. Privacy protections must evolve and improve as
technologyand our understanding of its potentialevolves and improves.
212
Our definition
incorporates this modern understanding of data privacy and tracks the FTC, the Administration’s
proposed CPBR, and National Institute of Standards and Technology (NIST) guidelines on PII.
213
89. We define personally identifiable information, or PII, as any information that is linked or
reasonably linkable to an individual or device.
214
Information is linked or reasonably linkable to an
individual or device if it can reasonably be used on its own, in context, or in combination to identify an
individual or device, or to logically associate with other information about a specific individual or
device.
215
The “linked or reasonably linkable” standard for determining the metes and bounds of
personally identifiable information is well established and finds strong support in the record.
216
In
addition to NIST, CPBR, and the FTC, the Department of Education, the Securities and Exchange
(Continued from previous page)
Transactions Act (FACTA), Privacy Act, Family Educational Rights and Privacy Act (FERPA), the
Communications Act, Telephone Consumer Protection Act (TCPA), Children’s Online Privacy Protection Act
(COPPA), and CAN-SPAM Act of 2003).
210
The Act also protects the PII of cable and satellite subscribers. See 47 U.S.C. § 338(i); 47 U.S.C. § 551
(collectively, “Satellite and Cable Privacy Acts”).
211
See, e.g., Satellite and Cable Privacy Acts; 18 U.S.C. § 2710 (Video Privacy Protection Act (VPPA)); 18 U.S.C.
§§ 2721-2725 (Driver’s Privacy Protection Act (DPPA)); 45 CFR pt. 164 (HIPAA rules); 16 CFR pt. 313 (GLBA
rules); 16 CFR pt. 682 (FCRA rules); 12 CFR pt. 1022 (FACTA disposal rule); 45 CFR pt. 5b (Privacy Act rules);
34 CFR pt. 99 (FERPA rules); 16 CFR pt. 312 (COPPA rules); 2015 Administration CPBR Discussion Draft §
4(a)(1). See also CDT Comments at 8-9; EPIC Comments at 14-15.
212
Compare Olmstead v. United States, 277 U.S. 438, 474 (1928) (Brandeis, J., dissenting) (“[O]ur contemplation
cannot be only of what has been, but of what may be. The progress of science in furnishing the government with
means of espionage is not likely to stop with wire tapping. Ways may some day be developed by which the
government, without removing papers from secret drawers, can reproduce them in court, and by which it will be
enabled to expose to a jury the most intimate occurrences of the home.”), with Riley v. California, 134 S.Ct. 2473,
2490 (2014) (“Today, by contrast, it is no exaggeration to say that many of the more than 90% of American adults
who own a cell phone keep on their person a digital record of nearly every aspect of their livesfrom the mundane
to the intimate.”).
213
In the TerraCom NAL, we found NIST guidelines to be “informative” for determining the scope of PII; similarly
we use those guidelines to inform our rule here. See TerraCom NAL, 29 FCC Rcd at 13331, para. 17; NIST, Guide
to Protecting the Confidentiality of Personally Identifiable Information (PII) at § 2.1 (2010),
http://www.nist.gov/manuscript-publication-search.cfm?pub_id=904990 (NIST PII Guide); 2012 FTC Privacy
Report at 18-22; 2015 Administration CPBR Discussion Draft at § 4(a)(1). See also Cox Consent Decree, 30 FCC
Rcd at 12306-07, paras. 2(s), 4.
214
See infra Appx. A, at § 64.2002.
215
See NIST PII Guide § 2.1 (defining linked and linkable); CDT Comments at 9 (“‘Identifiable’ information is
increasingly contextual; while one or two data points alone may not identify an individual, these data could be
linked to that person if combined with other data.”).
216
See, e.g., Access Now Comments at 5; CDT Comments at 9-10; EFF Comments at 5; EPIC Comments at 18-19;
Front Porch Comments at 2; FTC Staff Comments at 9; Public Knowledge Comments at 28.
Federal Communications Commission FCC 16-148
35
Commission, the Department of Defense, the Department of Homeland Security, the Department of
Health and Human Services, and the Office of Management and Budget all use a version of this standard
in their regulations and policies.
217
90. We agree with the FTC staff that “[w]hile almost any piece of data could be linked to a
consumer, it is appropriate to consider whether such a link is practical or likely in light of current
technology.”
218
While we recognize that “‘[i]dentifiable’ information is increasingly contextual”
219
especially when a provider can cross-reference multiple types and sources of informationanchoring the
standard to a mere “possibility of logical association”
220
could result in “an overly-expansive
definition.”
221
Thus, we adopt the recommendation of the FTC staff and others to add the term
“reasonably” to our proposed “linked or linkable” definition of PII.
222
This conclusion has broad support
in the record.
223
91. We also adopt the FTC staff recommendation that PII should include information that is
linked or reasonably linkable to a customer device.
224
We agree with the FTC staff that “[a]s consumer
devices become more personal and associated with individual users, the distinction between a device and
its user continues to blur.”
225
The Digital Advertising Alliance likewise recognizes the connection
between individuals and devices, stating in its guidance that information “connected to or associated with
a particular computer or device” is identifiable.
226
While some commenters argue that we should not
include information linkable to a device in the definition of PII,
227
we find that such identifiers are often
and easily linkable to an individual, as we discussed above.
228
217
See NIST PII Guide §§ 2.1-2.2; 2012 FTC Privacy Report at 18-22; 2015 Administration CPBR Discussion Draft
at § 4(a)(1); 34 CFR §§ 99.3, 303.29; 17 CFR § 227.305(b); 32 CFR §§ 310.4, 311.3(g), 329.3; 6 CFR § 37.3; 45
CFR § 75.2; 2 CFR § 200.79. See also Clay Johnson III, Deputy Director for Management, Office of Management
and Budget, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, at 1 n.1
(2007), https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf.
218
FTC Staff Comments at 9 (emphasis in original).
219
CDT Comments at 10.
220
NIST PII Guide § 2.1.
221
Software & Information Industry Association (SIIA) Comments at 11-12.
222
FTC Staff Comments at 9.
223
See AT&T Reply at 39-40 (supporting reasonableness qualifier); T-Mobile Comments at 20 (linkability standard
overbroad without a reasonableness qualifier like the FTC); CompTIA Comments at 2-3 (same); CTIA Comments at
38 (same); NCTA Reply at 40 (same); SIIA Reply at 3 (same); WISPA Reply at 16-17; Cincinnati Bell Comments
at 5 (“[T]he Commission’s PII regime should mirror the existing FTC definitions.”).
224
FTC Staff Comments at 10. As discussed above, devices in the BIAS context include a customer’s smartphone,
tablet, computer, modem, router, videophone, IP caption phone, and other consumer devices capable of connecting
to broadband services. See supra para. 80.
225
FTC Staff Comments at 10. Accord EPIC Comments at 18 (discussing how persistent identifiers like device
information can be used to map out an individual’s interactions); SIIA Comments at 12 (supporting the FTC’s test
for linkability to a “consumer, computer, or device”).
226
Digital Advertising Alliance, Application of Self-Regulatory Principles to the Mobile Environment, 6 (July
2013), http://www.aboutads.info/DAA_Mobile_Guidance.pdf (DAA Mobile Guidance) (defining “De-Identification
Process”).
227
See Audience Partners Comments at 9-17; Future of Privacy Forum Comments at 5.
228
See supra paras. 67-71.
Federal Communications Commission FCC 16-148
36
92. We disagree with commenters that argue that PII should only include information that is
sensitive or capable of causing harm if disclosed.
229
The ability of information to identify an individual
defines the scope of PII. Whether or not any particular PII is sensitive or capable of causing harm if
disclosed is a separate question from the definitional question of identifiability.
230
We address the
treatment of sensitive versus non-sensitive information below.
231
93. We agree with commenters that we should offer illustrative, non-exhaustive examples of
PII.
232
We have analyzed descriptions of PII in the record, our prior orders,
233
NIST,
234
the FTC,
235
the
Administration’s proposed CPBR,
236
and other federal and state statutes and regulations.
237
We find that
examples of PII include, but are not limited to: name; Social Security number; date of birth; mother’s
maiden name; government-issued identifiers (e.g., driver’s license number); physical address; email
address or other online contact information;
238
phone numbers; MAC addresses or other unique device
identifiers; IP addresses; and persistent online or unique advertising identifiers. Several of these data
elements may also be CPNI.
94. We disagree with commenters that argue that we should not consider MAC addresses, IP
addresses, or device identifiers to be PII.
239
First, as discussed above,
240
a customer’s IP address and
229
See CenturyLink Comments at 16; Cincinnati Bell Comments at 7.
230
“I find little comfort in the Court’s notion that no invasion of privacy occurs until a listener obtains some
significant information by use of the device. . . . A bathtub is a less private area when the plumber is present even if
his back is turned.” Kyllo v. United States, 533 U.S. 27, 39 (2001) (quoting U.S. v. Karo, 468 U.S. 705, 735 (1984)
(Stevens, J., concurring in part and dissenting in part)). See also EPIC Comments at 18.
231
See infra Part III.D.1.
232
See, e.g., Access Now Comments at 5; CDT Comments at 8-10; Consumer Watchdog Comments at 5; EFF
Comments at 5; EPIC Comments at 18-19; OTI Comments at 22; Return Path Comments at 5.
233
See, e.g., TerraCom NAL, 29 FCC Rcd at 13331-32, paras. 17-18; see also AT&T Services, Inc., Order and
Consent Decree, 30 FCC Rcd 2808, 2811, para. 2(s) (Enf. Bur. 2015) (AT&T Consent Decree).
234
See NIST PII Guide §§ 2.1-2.2.
235
See, e.g., FTC v. Accusearch, Inc., 570 F.3d 1187 (10th Cir. 2009); Snapchat, Inc., Decision and Order, F.T.C.
Docket No. C-4501 (Dec. 23, 2014), https://www.ftc.gov/enforcement/cases-proceedings/132-3078/snapchat-inc-
matter; Accretive Health, Inc., Decision and Order, F.T.C. Docket No. C-4432 (Feb. 5, 2014),
https://www.ftc.gov/enforcement/cases-proceedings/122-3077/accretive-health-inc-matter; Compete, Inc., Decision
and Order, F.T.C. Docket No. C-4384 (Feb. 20, 2013), https://www.ftc.gov/enforcement/cases-proceedings/102-
3116/compete-inc; Craig Brittain, Decision and Order, F.T.C. Docket No. C-4564 (Dec. 28, 2015),
https://www.ftc.gov/enforcement/cases-proceedings/132-3120/craig-brittain-matter.
236
2015 Administration CPBR Discussion Draft § 4(a)(1).
237
See, e.g., DPPA, 18 U.S.C. § 2725(3)-(4); COPPA, 15 U.S.C. § 6501(8); COPPA Rule, 16 CFR § 312.2; GLBA,
15 U.S.C. § 6809(4); 12 CFR § 1022.3(g) (FCRA regulations); California Online Privacy Protection Act of 2003,
Cal. Bus. & Prof. Code § 22577(a); California Consumer Protection Against Computer Spyware Act, Cal. Bus. &
Prof. Code § 22947.1(k); Cal. Civ. Code § 1798.82(h); Conn. Gen. Stat. Ann. § 36a-701b(a); N.Y. Gen. Bus. Law
§§ 899-aa(1)(a), (b); La. Stat. Ann. § 51:3073(4); Fla. Stat. § 501.171(1)(g).
238
OTI asks us to clarify the meaning of “other online contact information.” OTI Comments at 22. The term is
meant to be technology neutral and encompass other methods of BIAS-enabled direct messaging. See also 16 CFR
§ 312.2 (defining “online contact information” for the COPPA Rule).
239
See Audience Partners Comment at 11-13 (“IP addresses are incapable of identifying an individual without being
linked to additional information”); Direct Marketing Association (DMA) Comments at 17 (information “that does
not, on its own, identify a specific individual” should not qualify as PII); IAB Comments at 10 (an “anonymous
identifier” should not qualify as PII); NCTA Comments at 22 (MAC addresses and IP addresses cannot identify an
individual on their own); Front Porch Comments at 2-3 (IP addresses should not qualify as PII because while they
(continued….)
Federal Communications Commission FCC 16-148
37
MAC address each identify a discrete customer and/or customer device by routing communications to a
specific endpoint linked to the customer. Information does not need to reveal an individual’s name to be
linked or reasonably linkable to that person. A unique number designating a discrete individualsuch as
a Social Security number or persistent identifieris at least as specific as a name.
241
Second, MAC
addresses, IP addresses, and other examples of PII do not need to be able to identify an individual in a
vacuum to be linked or reasonably linkable. BIAS providers can combine this information with other
information to identify an individual (e.g., the BIAS provider’s records of which IP addresses were
assigned to which customers, or traffic statistics linking MAC addresses with other data).
242
As the
Supreme Court has observed, “[w]hat may seem trivial to the uninformed, may appear of great moment to
one who has a broad view of the scene and may put the questioned item of information in its proper
context.”
243
95. Customer Contact Information Names, Addresses, and Phone Numbers of Individuals.
Names, addresses, telephone numbers, and other information that is used to contact an individual are
classic PII because they are linked or reasonably linkable to an individual or device.
244
Some commenters
argue that contact information is not protected under Section 222 because “Subscriber list information” is
exempt from the choice requirements for CPNI under Section 222(e). However, subscriber list
information, a relatively small subset of customer contact information, was subject to other considerations
at the time of enactment.
96. Subscriber list information is defined in the statute as “any information (A) identifying
the listed names of subscribers of a carrier and such subscribers’ telephone numbers, addresses, or
primary advertising classifications (as such classifications are assigned at the time of the establishment of
such service), or any combination of such listed names, numbers, addresses, or classifications; and (B)
that the carrier or an affiliate has published, caused to be published, or accepted for publication in any
directory format.”
245
Through this definition, Congress recognized that a dispositive factor is whether the
information has been published or accepted for publication in a directory format.
(Continued from previous page)
“might be issued to a subscriber for a period of time, a personal IP address can also change at any time, and
therefore, is not reliable.”).
240
See supra paras. 67-71.
241
In many cases, a unique numerical identifier will be more specific than the person’s actual name. See, e.g., Mona
Chalabi and Andrew Flowers, Dear Mona, What’s the Most Common Name in America?, FiveThirtyEight (Nov. 20,
2014), http://fivethirtyeight.com/features/whats-the-most-common-name-in-america/ (discussing the large number
of people with common names such as James Smith or Maria Garcia).
242
See CDT Comments at 13-14, 16 (discussing how MAC addresses and IP addresses in protocol headers, as well
as other traffic statistics, can be shared with BIAS providers, allowing the provider to link them to the subscriber);
Feamster Edge Provider Comments at 2 (BIAS providers can “link information about IP addresses seen in network
traffic traces to CPNI from its subscribers”). In situations where the BIAS provider sold or leased a device to a
customersuch as a smartphone, modem, or routerthe provider could associate device identifiers with the
customer from its records. See Sandvine Comments at 22 (“In some domains a device is fairly synonymous with a
person (e.g., mobile phone).”).
243
CIA v. Sims, 471 U.S. 159, 178 (1985) (internal quotation marks, alterations, and citation omitted); see also U.S.
v. Maynard, 615 F.3d 544, 561-63 (D.C. Cir. 2010), aff’d on other grounds sub nom., United States v. Jones, 132
S.Ct. 945 (2012) (“Prolonged surveillance reveals types of information not revealed by short-term surveillance, such
as what person does repeatedly, what he does not do, and what he does ensemble.”); 2016 FTC Big Data Report at
3-5 (discussing the “Life Cycle of Big Data”). See also Access Now Comments at 5 (“[S]eemingly anonymous
information can often—and easilybe re-associated with identified individuals.”).
244
FTC Staff Comments at 11.
245
47 U.S.C. § 222(h)(3).
Federal Communications Commission FCC 16-148
38
97. The legislative history shows that Congress created a narrow carve out from the
definition of CPNI for subscriber list information in order to protect the longstanding practice of
publishing telephone books and to promote competition in telephone book publishing.
246
The legislative
history is clear that Congress did not intend for subscriber list information “to include any information
identifying subscribers that is prepared or distributed within a company or between affiliates or that is
provided to any person in a non-public manner.”
247
Instead, Congress intended subscriber list information
to be “data that local exchange carriers traditionally and routinely make public. Subscribers have little
expectation of privacy in this information because, by agreeing to be listed, they have declined the
opportunity to limit its disclosure.”
248
Based on this legislative history, we find that the phrase
“published, caused to be published, or accepted for publication in any directory format” is best read as
limited to publicly available telephone books of the type that were published when Congress enacted the
statute, or their direct equivalent in another medium, such as a website republishing the contents of a
publicly available telephone book.
98. Unlike landline voice carriers, neither mobile voice carriers nor broadband providers
publish publicly-available directories of customer information.
249
Nor does the record reflect more than
speculation about any future interest in publishing directories.
250
Because publishing of broadband
customer directories is neither a common nor a long-standing practice, we find that broadband customers
have no expectation that that they are consenting to the public release of their name, postal address, or
telephone number when they subscribe to BIAS.
251
We therefore conclude that a directory of BIAS
customers’ names, addresses, and phone numbers would not constitute information published in a
“directory format” within the meaning of the statute, and therefore there is no “subscriber list
information” in the broadband context.
252
As such, we disagree with commenters who ask us to ignore
246
S. CONF. REP. NO. 104-230 at 205 (1996) (“The subscriber list information provision guarantees independent
publishers access to subscriber list information at reasonable and nondiscriminatory rates, terms and conditions from
any provider of local telephone service.”). In an earlier report, the Senate stated, “This provision is intended to
assure that persons who utilize subscriber information, including publishers of telephone directories unaffiliated
with local exchange carriers, are able to purchase published or to-be-published subscriber listings and updates from
carriers on reasonable terms and conditions.” S. REP. NO. 103-367 at 97 (1994). See also 47 U.S.C. § 222(e)
(requiring carriers providing telephone exchange service to make subscriber list information available to directory
publishers on nondiscriminatory and reasonable terms).
247
H.R. REP. NO. 104-204 at 91 (1995).
248
S. REP. NO. 103-367 at 97 (1994).
249
See T-Mobile Comments at 21-22 (“[B]roadband providers do not publish directories of customer information
today.”). Section 222(e) likewise recognizes that subscriber list information is the publication of directories in the
context of telephone exchange service. See 47 U.S.C. § 222(e) (“Notwithstanding subsections (b), (c), and (d) of
this section, a telecommunications carrier that provides telephone exchange service shall provide subscriber list
information gathered in its capacity as a provider of such service on a timely and unbundled basis, under
nondiscriminatory and reasonable rates, terms, and conditions, to any person upon request for the purpose of
publishing directories in any format.”).
250
See, e.g., T-Mobile Comments at 22 (stating that providers “may” publish directories in the future, but not
identifying any concrete plans to do so).
251
Cf. S. REP. NO. 103-367 at 97 (1994) (when subscribers “declin[e] the opportunity to limit [subscriber list
information’s] disclosure” they “have little expectation of privacy” in it). See also Greenlining Institute Comments
at 50 (“the ‘subscriber list’ exception to CPNI applies narrowly, relates only to listing information exchanged
between those actually in the business of publishing directories and actually used for that purpose”).
252
See, e.g., Greenlining Institute Comments at 45-46 (supporting this conclusion); S
2
ERC Comments at 8 (same).
Federal Communications Commission FCC 16-148
39
the publication requirement in order to exempt names, addresses, telephone numbers, and IP addresses
from these rules.
253
99. We recognize that the Commission has previously found that names, addresses, and
telephone numbers are not CPNI, even when not published as subscriber list information.
254
However, the
Commission has not analyzed whether such customer contact information is PII, and therefore subject to
protections under Section 222(a). As discussed above, we make clear today that it is PII.
255
100. Harmonization. We agree with the American Cable Association and various small
providers who urge us to harmonize our BIAS and voice definitions under Section 222.
256
Having one
uniform set of definitions will simplify compliance and reduce consumer confusion. This is especially
true for small providers who collect less customer information, use it for narrower purposes, and do not
have the resources to maintain a bifurcated system. Consequently, we extend this definition of PII to all
Section 222 contexts.
d. Content of Communications
101. We find that the Act protects the content of communications as customer PI. Content is
a quintessential example of a type of “information that should not be exposed widely to the public . . .
[and] that customers expect their carriers to keep private.”
257
Content is highly individualistic, private,
and sensitive.
258
Except in limited circumstances where savvy customers deploy protective tools, BIAS
providers often have access to at least some, if not most, content through their provision of service.
259
We
agree with FTC staff that “[c]ontent data can be highly personalized and granular, allowing analyses that
253
See T-Mobile Comments at 21-22; ICC Comments at 13-14 (arguing that IP addresses are analogous to
subscriber list information and that names and addresses are “widely available”); DMA Comments at 13-14 (seeking
“exemptions based on comparisons of” subscriber list information and certain types of information in the BIAS
context); NTCA Comments at 29-30 (arguing that customer names, addresses, and telephone numbers should not be
protected by these rules).
254
See Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer
Proprietary Network Information and Other Customer Information; Implementation of the Non-Accounting
Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, Order on Reconsideration and
Petitions for Forbearance, 14 FCC Rcd 14409, 14487, para. 146-47 (1999) (1999 CPNI Reconsideration Order)
(adopting the conclusions of the Common Carrier Bureau in the 1998 CPNI Clarification Order); 1998 CPNI
Clarification Order, 13 FCC Rcd at 12395-96, paras. 8-9 (finding that names, addresses, and telephone numbers are
not CPNI).
255
As PII, this information is subject to our customer choice rules, discussed in detail below. See infra Part III.D.
Our customer choice rules will continue to allow this information to be used to publish publicly available telephone
directories, consistent with the current practice of allowing customers to keep their information unlisted.
256
See ACA Comments at 57-58; WTA & Nex-Tech Apr. 25 Ex Parte at 1 (urging Commission to “harmonize
definitions, procedures and requirements in order to reduce the complexity of regulation of privacy and minimize the
burdens on small providers”).
257
TerraCom NAL, 29 FCC Rcd at 13330-31, paras. 14, 16.
258
See 2012 FTC Privacy Report at 55-56 (expressing concern regarding the potential for ISPs to use content for
purposes other than providing service); FTC Staff Comments at 20-21 (supporting privacy protection for content);
accord ACLU Comments at 7-8; AAJ Comments at 9; EFF Comments at 5; EPIC Comments at 26; OTI Comments
at 23; Public Knowledge White Paper at 59. See also infra Part III.D.1.a.(i).
259
See Public Knowledge White Paper at 48 (arguing that BIAS providers can view unencrypted payloads); CDT
Comments at 17 (“BIAS subscribers sending and receiving unencrypted transmissions are no less deserving of
privacy protections than subscribers who only visit sites supporting HTTPS or who employ proxy or VPN
services.”). BIAS providers’ inability to access encrypted content is irrelevant; what matters is the information the
BIAS providers can access. Moreover, even when traffic is encrypted, some content may remain visible or inferable
to the provider. See infra para. 180.
Federal Communications Commission FCC 16-148
40
would not be possible with less rich data sets.”
260
In recognition of its importance, Congress has
repeatedly and emphatically protected the privacy of communications content in various legal contexts,
expressly prohibiting service providers from disclosing the contents of communications they carry,
subject to statutorily enumerated exceptions, since at least 1912.
261
We agree with commenters that
“Americans do not expect their broadband providers to be reading their electronic communications any
more than they expect them to be keeping a list of their correspondents.”
262
The same rationale that
supports the treatment of the content of BIAS communications as customer PI supports the treatment of
the content carried through other telecommunications services as customer PI.
102. Definition of Content. At the outset, we define content as any part of the substance,
purport, or meaning of a communication or any other part of a communication that is highly suggestive of
the substance, purpose, or meaning of a communication. We sought comment on how to define content in
the NPRM, but received no substantive recommendations; consequently we base our definition on the
long-established terminology of ECPA and Section 705.
263
We recognize that sophisticated monitoring
techniques have blurred the line between content and metadata, with metadata increasingly being used to
make valuable determinations about users previously only possible with content.
264
This has complicated
traditional notions of how to define and treat content. We intend our definition to be flexible enough to
encompass any element of the BIAS communication that conveys or implies any part of its substance,
purport, or meaning. As a definitional matter, content in an inbound communication is no different from
content in an outbound communication. As discussed above, because the categories of customer PI are
not mutually exclusive, some content may also satisfy the definitions of CPNI and/or PII.
265
103. Multiple components of an IP data packet may constitute or contain BIAS content.
266
First and foremost, we agree with commenters that the application payload is always content.
267
As
260
FTC Staff Comments at 20.
261
See, e.g., An Act to Regulate Radio Communications, ch. 287, § 4, Reg. 19, 37 Stat. 302, 307 (1912); Radio Act
of 1927, ch. 169, § 27, 44 Stat. 1162, 1172; Communications Act of 1934, ch. 652, § 605, 48 Stat. 1064, 1103-04;
47 U.S.C. § 605; 18 U.S.C. §§ 2510-2522; 18 U.S.C. §§ 2701-2712; 18 U.S.C. §§ 3121-3127.
262
ACLU Comments at 7; see also OTI Comments at 23 (“Recognizing packet contents as communications
contents, and establishing an opt-in standard for content, would honor BIAS customers’ reasonable expectation that
their provider is not inspecting their traffic for purposes other than to provide service.”).
263
See 18 U.S.C. § 2510(8) (“‘[C]ontents’, when used with respect to any wire, oral, or electronic communication,
includes any information concerning the substance, purport, or meaning of that communication.”); 47 U.S.C. §
605(a) (restricting the disclosure of “the existence, contents, substance, purport, effect, or meaning” of a
communication by wire or radio). See also OTI Comments at 23 (quoting Section 705 and supporting content
protections).
264
See Mozilla Comments at 4 (“Usage patterns and metadata can be as revealing, or in some ways even more
revealing, than content.”); CDT Comments at 16 (“Such detailed information about a customer’s communications
may reveal more than just patterns of broadband usage; but also clues as to the content of those communications and
the behaviors and interests of that customer.”). See also, e.g., Riley v. California, 134 S.Ct. 2473, 2490 (2014) (Cell
phones carry “a digital record of nearly every aspect of [people’s] livesfrom the mundane to the intimate.”);
United States v. Maynard, 615 F.3d 544, 561-63 (D.C. Cir. 2010), aff’d on other grounds sub nom., United States v.
Jones, 132 S.Ct. 945 (2012) (“Prolonged surveillance reveals types of information not revealed by short-term
surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble.”).
265
See supra Part III.B.3.b. Because we conclude that Section 222(a) protects content as its own category of
customer PI, we need not determine which types of content are also CPNI or PII.
266
See supra Part III.B.3.a(i)(a).
267
See EPIC Comments at 26 (quoting Tim Berners-Lee) (“The access by an ISP of information within an internet
packet, other than that information used for routing, is equivalent to wiretapping a phone or opening sealed postal
mail.”); OTI Comments at 23 (“Recognizing packet contents as communications contents, and establishing an opt-in
(continued….)
Federal Communications Commission FCC 16-148
41
discussed above,
268
the application payload is the part of the IP packet containing the substance of the
communication between the customer and the entity with which she is communicating.
269
Examples of
application payloads include the body of a webpage, the text of an email or instant message, the video
served by a streaming service, the audiovisual stream in a video chat, or the maps served by a ride-sharing
app.
270
However, other portions of the packet also may contain content.
271
For example, as discussed
above, the application header may reveal aspects of the application payload from which the content may
be easily inferredsuch as source and destination email addresses or website URLs.
272
Application usage
information may also reveal content by disclosing the applications customers use or the substance of how
they use them.
273
We agree with FTC Staff that BIAS content includes, but is not limited to, the “contents
of emails; communications on social media; search terms; web site comments; items in shopping carts;
inputs on web-based forms; and consumers’ documents, photos, videos, books read, [and] movies
watched[.]”
274
We emphasize that our examples of BIAS content are not exhaustive and others may
manifest over time as analytical techniques improve.
104. We reject arguments that protecting BIAS content under Section 222 is unnecessary or
unlawful because Section 705 of the Act,
275
and the Electronic Communications Privacy Act (ECPA)
276
or
the Communications Assistance for Law Enforcement Act (CALEA),
277
already protect content.
278
Commenters do not claim that these various other laws are mutually exclusive with each other, belying
the notion that the existence of multiple sources of authority in this area is inherently a problem. Instead,
we find that Section 222 complements these other laws in establishing a framework for protecting the
(Continued from previous page)
standard for content, would honor BIAS customers’ reasonable expectation that their provider is not inspecting their
traffic for purposes other than to provide service.”).
268
See supra Part III.B.3.a(i)(a).
269
See Public Knowledge White Paper at 48 (“As revealing as the packet headers may be, the payloads potentially
reveal far more information.”).
270
BIAS providers’ use of application payloads for network management is also one reason why BIAS content is not
wholly equivalent to telephone conversations. Voice carriers do not scan a phone conversation to secure the
network or reduce congestion. Application payloads in the broadband Internet context are far more sophisticated
and complex than mere audio transmissions over a telephone line. See Public Knowledge White Paper at 59.
271
See Free Press Reply at 12 (arguing that BIAS providers can infer a significant amount about content by
examining other elements of the packet).
272
See supra para. 76; see also EPIC Comments at 26 (quoting Tim Berners-Lee) (“The URLs which people use
reveal a huge amount about their lives, loves, hates, and fears. This is extremely sensitive material.”); Andrew G.
West & Adam J. Aviv, On the Privacy Concerns of URL Query Strings, 2014 Proc. of the 8th Workshop on Web
2.0 Sec. and Privacy, available at http://w2spconf.com/2014/papers/privacy_query_strings.pdf; (Reisman and
Narayanan June 17, 2016 Ex Parte at 22-24 (observing that customer names and other PII are included in some
URLs).
273
See supra para. 78; Riley v. California, 134 S.Ct. at 2490 (The applications a person uses “can form a revealing
montage of the user’s life.”).
274
FTC Staff Comments at 20. See also Riley v. California, 134 S.Ct. at 2490 (“An Internet search and browsing
history . . . could reveal an individual’s private interests or concernsperhaps a search for certain symptoms of
disease, coupled with frequent visits to WebMD.”).
275
47 U.S.C. § 605(a).
276
18 U.S.C. §§ 2510-2522.
277
47 U.S.C. §§ 1001-1010.
278
See, e.g., Electronic Transactions Association Comments at 11; USTelecom Comments at 34; NCTA Comments
at 96.
Federal Communications Commission FCC 16-148
42
content carried by telecommunications carriers.
279
Given the importance of protecting content, it is
reasonable to interpret Section 222 as creating additional, complementary protection.
280
105. We also disagree with the argument that because the data protected by Section 705 “bear
scant resemblance” to content or other forms of customer PI, our interpretation of Section 222 is
erroneous.
281
Congress can enact two statutory provisions that contain different scopes, and it is a
cardinal principle of statutory construction that we should attempt to give meaning to both. Any
incongruity between the scope of Sections 222 and 705 only demonstrates that the statutes are
complementary and part of Congress’s broad scheme to protect customer privacy. Sections 222 and 705
independently require telecommunications carriers to protect communications content.
4. De-identified Data
106. In this section we describe a corollary regarding the circumstances in which information
that constituted customer PI (i.e., PII, content, or individually identifiable CPNI) can comfortably be said
to have been de-identified. As discussed below, based on the record we are concerned that carriers not be
allowed to skirt the protections of our rules by making unsupported assertions that customer PI has been
“de-identified” and thus is not subject to our consent regime, when in fact the information remains
reasonably linkable to an individual or device. As 38 public interest organizations pointed out in a joint
letter, “[i]t is often trivial to re-identify data that has supposedly been de-identified.
282
We accordingly
adopt a strong, multi-part approach regarding the circumstances under which carriers can properly
consider data to be de-identified, using the three part test for de-identification articulated by the FTC in
2012.
283
The Administration’s CPBR also uses this standard.
284
Specifically, we find that customer
proprietary information is de-identified if the carrier (1) determines that the information is not reasonably
linkable to an individual or device; (2) publicly commits to maintain and use the data in a non-
individually identifiable fashion and to not attempt to re-identify the data; and (3) contractually prohibits
any entity to which it discloses or permits access to the de-identified data from attempting to re-identify
the data.
285
We apply these requirements to both BIAS and other telecommunications services.
286
279
See ACLU Comments at 7-8 (“All of the reasons why Congress charged the Commission with protecting
customer information ‘that relates to the quantity . . . type, destination, location, and amount of use of a
telecommunications service’ without doubt apply to content as well. The Commission should make this clear
despite existing laws that have some bearing on the legality of content monitoring by BIAS providers.”); see also
EFF Comments at 2-3.
280
Similarly, for example, both the Children’s Online Privacy Protection Act and the Video Privacy Protection Act
may protect videos that young children watch online. See 18 U.S.C. § 2710; 15 U.S.C. § 6502.
281
CTIA Comments at 64 (“Additionally, the data types protected by Section 705the ‘existence, contents,
substance, purport, effect, or meaning’ of a communicationbear scant resemblance to many of the elements of
‘customer proprietary information’ that the Proposed Rules seek to covere.g., device identifiers, IP addresses, and
so forth. These incongruities demonstrate that Section 705 does not provide authority for the Proposed Rules.”)
(emphasis in original).
282
Letter from 38 Public Interest Organizations to the Honorable Tom Wheeler, Chairman, FCC at 2 (Sept. 7, 2016)
(https://www.fcc.gov/ecfs/filing/10907040663545). See also CDD Comments at 17; EPIC Comments at 21-23; OTI
Comments at 21-22; Privacy Rights Clearinghouse Comments at 5.
283
The FTC approach has broad support in the record. See, e.g., AT&T Reply at 36; Access Now Comments at 11;
Audience Partners Comments at 17; CTIA Comments at 38; Email Sender & Provider Coalition Comments at 7-8;
ICC Comments at 12; ITIF Comments at 19; Sprint Reply at 3-4; T-Mobile Comments at 35.
284
2015 Administration CPBR Discussion Draft at § 4(a)(2)(A).
285
As discussed in greater detail below, this third part of the test applies to entities with which the provider contracts
to share de-identified customer information. It does not apply to the general disclosure or publication of highly
aggregated summary statistics that cannot be disaggregatedfor example, the use of statistics in advertisements
(continued….)
Federal Communications Commission FCC 16-148
43
a. Adoption of the FTC’s Multi-Part Test
107. The record reflects that advances in technology and data analytics make it increasingly
difficult to de-identify information such that it is not re-identifiable.
287
The Administration’s 2014 Big
Data Report observed that “[m]any technologists are of the view that de-identification of data as a means
of protecting individual privacy is, at best, a limited proposition.”
288
As the Electronic Privacy
Information Center notes, “[w]idely-publicized anonymization failures have shown that even relatively
sophisticated techniques have still permitted researchers to identify particular individuals in large data
sets.”
289
We also agree with the FTC’s conclusion in its 2012 Privacy Report that “not only is it possible
to re-identify non-PII data through various means, businesses have strong incentives to actually do so.”
290
108. For these reasons, our approach to de-identification establishes a strong, technology-
neutral standard as well as safeguards to mitigate the incentives to re-identify customers’ proprietary
information. Furthermore, because companies, including BIAS providers, have incentives to re-identify
customer information so that it can be further monetized,
291
we agree with Privacy Rights Clearinghouse
that the burden of proving that individual customer identities and characteristics have been removed from
the data must rest with the provider.
292
Taking this burden assignment into account, we find that our
multi-part approach, grounded in FTC guidance, will ensure that as technology changes, customer
information is protected, while at the same time minimizing burdens and maintaining the utility of de-
identified customer information.
(Continued from previous page)
(e.g., “We offer great coverage in rural areas, because that is where 70% of our customers live.”); see also AT&T
Comments at 70-71. See infra Part III.B.4.a(iii).
286
The record does not demonstrate a need to treat de-identified information differently in the voice context versus
the BIAS context. We agree with the Greenlining Institute and other commenters that a uniform regime, “is easier
for the carriers, easier [for] enforcement, and easier for customers to understand[.]” Greenlining Institute Comments
at 16. See also ACA Comments at 57-58 (supporting harmonization of Section 222 rules).
287
See Privacy Rights Clearinghouse Comments at 5; OTI Comments at 6, 21-22 (stating that a recent study found
that supposedly de-identified datasets from medical records, search queries, social network data, genetic
information, geo-location data, and taxi-cab history could all be used to specifically identify individuals); accord
CDD Comments at 17; EFF Comments 14; EPIC Comments at 22; OTI Reply at 12-13; Public Knowledge White
Paper at 49-50. See also, e.g., Paul Ohm, Broken Promises of Privacy: Responding to the Surprising Failure of
Anonymization, 57 UCLA L. Rev. 1701 (2010); U.S. Public Policy Council of the Association for Computing
Machinery, Response to Request for Information, Big Data Review, 79 FR 12251 at 2,
https://usacm.acm.org/images/documents/BigDataOSTPfinal.pdf. In 2000, Latanya Sweeney, now the Director of
the Data Privacy Lab in the Institute for Quantitative Social Science at Harvard University, demonstrated that 87
percent of the population in the United States had reported characteristics that likely made them unique based only
on 5-digit ZIP, gender, and date of birth. Latanya Sweeney, Abstract, Uniqueness of Simple Demographics in the
U.S. Population (Carnegie Mellon Univ., Lab. For Int’l Data Privacy 2000),
https://dataprivacylab.org/projects/identifiability/index.html. In 2008, researchers at the University of Texas at
Austin succeeded in using publicly available information to identify Netflix subscribers in a dataset of movie ratings
from which personal identifiers had been removed, explaining that “[r]emoving identifying information is not
sufficient for anonymity.” Arvind Narayanan & Vitaly Shmatikov, Robust De-anonymization of Large Sparse
Datasets, in Proceedings of the 2008 IEEE Symposium on Security and Privacy, 111, 118 (2008),
https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf.
288
2014 Administration Big Data Report at 8.
289
EPIC Comments at 22.
290
2012 FTC Privacy Report at 20.
291
See id.; CDD Comments at 20; EPIC Comments at 22-23.
292
See Privacy Rights Clearinghouse Comments at 5.
Federal Communications Commission FCC 16-148
44
109. As such, we disagree with those commenters who urge us to use a different de-
identification framework, such as that used in the HIPAA safe harbor context.
293
We find that the
framework we adopt enables flexibility to accommodate evolving technology and statistical methods. In
contrast, we find that developing a list of identifiers that must be removed from data to render such data
de-identified is not feasible given the breadth of data to which BIAS providers have access, and would
also rapidly become obsolete in the evolving broadband context.
110. The three-part test we adopt today for de-identification also contemplates the statutory
exception for “aggregate customer information,” as it defines the circumstances in which the Commission
will find that “individual customer identities and characteristics have been removed” from collective
data.
294
Likewise, our approach addresses arguments in the record that the Commission must give
meaning to the fact that the customer approval requirement of Section 222(c)(1) applies to “individually
identifiable” CPNI,
295
as our test for de-identification addresses whether an individual’s CPNI or PII will
not be deemed to be individually identifiable in practice due to steps taken by the carrier prior to using or
sharing the data.
(i) Part One Not Reasonably Linkable
111. First, for information to be de-identified under our rules, we require providers to
determine that the information is not linked or reasonably linkable to an individual or device.
296
Because
we are describing the scope of what is identifiable, we think it is appropriate to use the same standard that
we use to define personally identifiable information (PII).
297
Above we define PII as information that is
linked or reasonably linkable to an individual or device, and conversely we find it appropriate to limit de-
identified information to information that is not linked or reasonably linkable to an individual or device.
As we discussed above in our definition of PII, we agree with commenters that the “linked or reasonably
linkable” standardused by the FTC in its Privacy Reportprovides useful guidance on what it means
for information to be individually identifiable without being either overly rigid or vague.
298
As we
discussed above, information is linked or reasonably linkable to an individual or device if it can
reasonably be used on its own, in context, or in combination (1) to identify an individual or device, or (2)
to logically associate with other information about a specific individual or device.
299
New methods are
increasingly capable of re-identifying information previously thought to be sufficiently anonymized.
300
For these reasons, we will not specify an exhaustive list of identifiers, nor will we declare certain
293
See, e.g., IMS Health Comments at 15.
294
47 U.S.C. § 222(h)(2) (“The term ‘aggregate customer information’ means collective data that relates to a group
or category of services or customers, from which individual customer identities and characteristics have been
removed.”).
295
See, e.g., AT&T Reply at 36-39; CTIA Comments at 36-37; CenturyLink Comments at 17; Comcast Reply at 47-
48; Sprint Reply at 3-4; T-Mobile Comments at 34-35; Verizon Comments at 44.
296
See 2012 FTC Privacy Report at 21; see also 2015 Administration CPBR Discussion Draft at Sec. 4(a)(2)(A);
Access Now Comments at 11; CDT Comments at 9-10; EFF Comments at 14; EPIC Comments at 21-23; FTC Staff
Comments at 9; Public Knowledge Comments at 28.
297
See supra Part III.B.3.c.
298
See 2012 FTC Privacy Report at 21-22; NTCA Comments at 57; see also supra note 283. See also 2015
Administration CPBR Discussion Draft at Sec. (4)(a)(2)(A) (defining “de-identified data” and requiring that it be
“alter[ed] such that there is a reasonable basis for expecting that the data could not be linked as a practical matter to
a specific individual or device”). See also supra para. 89.
299
See supra Part III.B.3.c.
300
See supra note 287.
Federal Communications Commission FCC 16-148
45
techniques to be per se sufficient or insufficient to achieve de-identification.
301
The test instead focuses
on the outcome required, that is, that to be de-identified, the data must no longer be linked or reasonably
linkable to an individual or device. We also agree with AT&T that we should not “dictate specific
approaches to de-identifying data” because “[a]ny Commission-mandated approach would quickly
become obsolete as new de-identification techniques are developed.”
302
112. We make clear that reasonableness depends on ease of re-identification, not the cost of
de-identification.
303
As discussed above, customers’ privacy interests include many noncommercial
values, such as avoidance of embarrassment, concern for one’s reputation, and control over the context of
disclosure of one’s information.
304
The decisive question here is not how difficult it is to de-identify the
information, but rather the ease with which the information could be re-identified.
305
The FTC’s
linkability standard aligns with our approach: “[W]hat qualifies as a reasonable level of [de-identification]
depends upon the particular circumstances, including the available methods and technologies. In
addition, the nature of the data at issue and the purposes for which it will be used are also relevant.”
306
113. Consistent with the FTC’s guidance and the carrier’s burden to prove that information is
in fact de-identified, if carriers choose to maintain customer PI in both identifiable and de-identified
formats, they must silo the data so that one dataset is not reasonably linkable to the other.
307
Cross-
referencing the datasets links the de-identified information with an identified customer, thus rendering the
de-identified information linked or reasonably linkable.
308
We agree with Verizon that “providers should
not be allowed to use de-identification and re-identification to circumvent consumers’ privacy choices.”
309
114. We disagree with commenters who argue that the linkability standard should apply only
to individuals and should not extend to devices.
310
As explained above, we agree with the FTC staff that
“[a]s consumer devices become more personal and associated with individual users, the distinction
between a device and its user continues to blur.”
311
This is not an uncommon conclusion in the Internet
301
See, e.g., AT&T Reply at 38 n.102; EFF Comments at 14 (“the field of reidentification is constantly advancing,
and any [pre-set list of identifiers] would quickly become obsolete”); NTCA Comments at 57; S
2
ERC Comments at
14 (agreeing that “the categories of what can potentially be reasonably linkable information will continue to
evolve”).
302
AT&T Reply at 38.
303
Cf. id. at 36 (claiming that the FTC framework adopted a commercial reasonableness standard); CTIA Comments
at 43 (CPNI is de-identified if the provider uses “commercially reasonable techniques”).
304
See supra para. 1.
305
See EPIC Comments at 21-22 (“Because not all de-identification techniques adequately anonymize data, it is
important that the process employed is robust, scalable, transparent, and shown to provably prevent the
identification of consumer information.”); see also supra note 287.
306
2012 FTC Privacy Report at 21.
307
See 2012 FTC Privacy Report at 22 n.113. See, e.g., WTA & Nex-Tech Apr. 25, 2016 Ex Parte at 1-2 (data
retention mandates are burdensome for small providers).
308
See Verizon Reply at 23-24 (“[P]roviders should be allowed to use and disclose de-identified data as long as the
providerand anyone it shares the data withhonors a consumer’s choices prior to using that data in a way that
would target the customer.”).
309
Verizon Comments at 44; see also id. at 44-45.
310
See AT&T Comments at 69; Audience Partners Comments at 10-11, 14-17; NCTA Comments at 67; NTCA
Comments at 56.
311
FTC Staff Comments at 10. Accord EFF Comments at 5; EPIC Comments at 18-19 (discussing how persistent
identifiers like device information can be used to map out an individual’s interactions); Software & Info. Indus.
Ass’n Comments at 12 (supporting the FTC’s test for linkability to a “consumer, computer, or device”).
Federal Communications Commission FCC 16-148
46
ecosystem; the Digital Advertising Alliance also recognizes the connection between individuals and
devices in its definition of de-identification, stating that “[d]ata has been De-Identified when . . . the data
cannot reasonably . . . be connected to or associated with a particular computer or device.”
312
115. Similarly, for the reasons discussed above,
313
we disagree with commenters who argue
that IP addresses and MAC addresses should not be considered reasonably linkable to an individual or
device on the theory that “[t]hey only identify Internet endpoints, each of which, in turn, may reach
multiple people or devices.”
314
The question in this test is whether the information in question is
reasonably linkable to an individual or device. Consider, for example, a typical fixed residential
customer. The BIAS provider assigns that customer an IP address, and associates that customer with that
IP address in its records. It is difficult to portray that scenario as not involving PII. On the other hand, if
the BIAS provider shares the IP address with a third party without other identifying information, it may
well be the case that the provider has not shared information that is “reasonably linkable” to an individual
or device. Again, when confronted with the question, the Commission will look at all facts available and
make a pragmatic determination of whether the information in question is “reasonably linkable” to an
individual or device.
315
(ii) Part Two Public Commitments
116. Second, for information to meet our definition of de-identified, carriers must publicly
commit to maintain and use de-identified information in a de-identified fashion and to not attempt to re-
identify the data. Such public commitments inform customers of their legal rights and the provider’s
practices, and “promot[e] accountability.”
316
As we discussed above, this level of transparency is a
cornerstone of privacy best practices generally and these rules specifically.
317
As such, we disagree with
commenters who argue that such public commitments are unnecessary.
318
This part of the test is
consistent with FTC guidance
319
which has broad support in the record
320
and the CPBR.
321
We agree
312
Digital Advertising Alliance, Application of Self-Regulatory Principles to the Mobile Environment at 6 (July
2013), http://www.aboutads.info/DAA_Mobile_Guidance.pdf (defining “De-Identification Process”).
313
See supra paras. 67-71.
314
See NCTA Oct. 20, 2016 Ex Parte at 12.
315
NCTA expresses concern that finding that IP addresses can constitute PII will undermine judicial precedent under
the Video Privacy Protection Act. NCTA Oct. 20, 2016 Ex Parte at 11. As noted, we are not making categorical
findings, but rather are looking to the “reasonably linkable” standard in finding whether information constitutes PII.
We also observe that we are confronted with interpreting Section 222 of the Communications Act and its
requirements concerning the protection of “proprietary information of, and relating to,. . . customers.” This is
distinct from the language of the VPPA, which more specifically defines PII as “information which identifies a
person as having requested or obtained specific video materials or services from a video tape service provider.” 18
U.S.C. § 2710(a)(3). Accordingly, a Commission finding that certain information is or is not PII for purposes of
Section 222 of the Communications Act does not answer the question of whether or not a court should consider that
information to be PII under the VPPA or any other statutory provision.
316
2012 FTC Privacy Report at 22.
317
See supra para. 8; infra Part III.C.
318
See NTCA Comments at 57; IMS Health Comments at 16; S
2
ERC Comments at 13-14; Paul Vixie Comments at
21 (“Public commitments are mere theater. Commission investigations with sanctions against violators would speak
far more loudly and far more credibly than the most earnest of BIAS provider ‘pinkie promises’ to be good.”).
319
See 2012 FTC Privacy Report at 21-22.
320
See supra note 283.
321
See 2015 Administration CPBR Discussion Draft at Sec. 4(a)(2)(A)(ii). See also 2014 Administration Big Data
Report at 8 (“In practice, data collected and de-identified is protected in this form by companies’ commitments to
not re-identify the data[.]”).
Federal Communications Commission FCC 16-148
47
that “[c]ompanies that can demonstrate that they live up to their privacy commitments have powerful
means of maintaining and strengthening consumer trust.”
322
Further, we find that this requirement will
impose a minimal burden on providers, as a carrier can satisfy this requirement with a statement in its
privacy policy.
323
(iii) Part Three Contractual Limits on Other Entities
117. Third, for information to meet our definition of de-identified, we require
telecommunications carriers to contractually prohibit recipients of de-identified information from
attempting to re-identify it. This requirement is consistent with the FTC’s de-identification guidelines
and the Administration’s CPBR, as well as industry best practices.
324
118. Businesses are often in the best position to control each other’s practices. For example,
AT&T’s Privacy FAQ explains, “When we provide individual anonymous information to businesses, we
require that they only use it to compile aggregate reports, and for no other purpose. We also require
businesses to agree they will not attempt to identify any person using this information . . . .”
325
The record
demonstrates that such contractual prohibitions are an important part of protecting consumer privacy
because re-identification science is rapidly evolving.
326
We agree with Verizon and other commenters
that “anyone with whom the provider shares such de-identified data should be prohibited from trying to
re-identify it.”
327
It is our expectation that carriers will need to monitor their contracts to maintain the
carriers’ continued adherence to these requirements.
328
Consequently, we need not adopt a separate part
of the test to delineate monitoring requirements.
329
Further, we observe that third parties will have every
incentive to comply with their contractual obligations to avoid both civil liability and enforcement actions
by the FTC or the Commission (depending on the agency with authority over the third party). If
322
Executive Office of the President, Consumer Data Privacy in a Networked World: A Framework for Protecting
Privacy and Promoting Innovation in the Global Digital Economy at 22 (2012) (2012 White House Privacy
Blueprint), https://www.whitehouse.gov/sites/default/files/privacy-final.pdf.
323
See Audience Partners Comments at 17-18 (arguing that providers should be able to satisfy this part of the test
with a statement in their privacy policies); WTA Comments at 24-25 (supporting a privacy policy statement and
observing that such a requirement would align with the FTC’s unfair and deceptive practices guidance).
324
Digital Advertising Alliance, Application of Self-Regulatory Principles to the Mobile Environment at 6 (July
2013), http://www.aboutads.info/DAA_Mobile_Guidance.pdf (“An entity should take reasonable steps to protect the
non-identifiable nature of data if it is distributed to non-Affiliates and obtain satisfactory written assurance that such
entities will not attempt to reconstruct the data in a way such that an individual may be re-identified and will use or
disclose the de-identified data only for uses as specified by the entity.”). The DAA guidance also requires that these
commitments from recipients of the data be passed along to any further downstream recipients as well, which we
support. Id.
325
AT&T, Privacy FAQ, http://about.att.com/sites/privacy_policy/terms#aggregate (last visited Oct. 5, 2016) (under
the heading “Do you provide companies with individual anonymous data as part of your External Marketing &
Analytics Program?”).
326
See supra note 287; see also FTC Staff Comments at 9.
327
Verizon Reply at 23-24. See also Audience Partners Comments at 18-19; IMS Health Comments at 16; NTCA
Comments at 57.
328
Verizon Comments at 44 (“Providers should exercise reasonable monitoring to ensure these contracts are not
violated.”); see also Sprint Reply at 4 (carriers should take “appropriate safeguards [to] mitigate privacy risks”
associated with de-identified data); AT&T Reply at 38 (“ISPs should of course take reasonable safeguards to keep
de-identified data from re-identification.”).
329
See Broadband Privacy NPRM, 31 FCC Rcd at 2556, para. 162. See also NTCA Comments at 57 (fourth prong
is unnecessary); accord Audience Partners Comments at 18-19; IMS Health Comments at 17; Cincinnati Bell
Comments at 14-15.
Federal Communications Commission FCC 16-148
48
violations occur, we expect carriers to take steps to protect the confidentiality of customer’s proprietary
information.
330
119. We agree with commenters who recommend a narrow clarification to the third part of the
de-identification framework in situations involving disclosure of highly abstract statistical information.
These situations include, for example, mass market advertisements or annual reports that reference the
total number of subscribers or the percentage of customers at certain speed thresholds.
331
AT&T explains
that these scenarios can involve customer information that is so “highly abstract[ed]” that it is, “in many
circumstances, simply impossible” to re-identify the data.
332
Professor Narayanan concurs, noting that
when statistical data is highly abstract, there is minimal risk of re-identification.
333
We agree.
Consequently, we will not require contractual commitments when the de-identified customer information
is so highly abstracted that a reasonable data science expert would not consider it possible to re-identify it.
120. A number of commenters also ask for a narrow exception to this part of the de-
identification test for the purposes of various types of cybersecurity or de-identification research.
334
As
explained below, we find that certain uses and disclosures of customer PI for the purpose of conducting
research to improve and protect
335
networks and/or services are part of the telecommunications service or
“necessary to, or used in” the provision of the telecommunications service for the purposes of these
rules.
336
(iv) Case-by-case application
121. In adopting a technology-neutral standard to determine whether otherwise personally
identifiable customer PI has been de-identified, we have eschewed an approach that finds particular
techniques to be per se acceptable or unacceptable.
337
That said, by adopting the three-part test, we have
made clear that a carrier cannot “make an end-run around privacy rules simply by removing certain
identifiers from data, while leaving vast swaths of customer details largely intact.”
338
As Professor Ohm
330
See 2012 FTC Privacy Report at 21 (arguing that companies sharing customer information should “exercise
reasonable oversight to monitor compliance with these contractual provisions and take appropriate steps to address
contractual violations”); Lehr et al. Comments at 6; CDT Reply at 13-14. See also 47 U.S.C. § 217 (“In construing
and enforcing the provisions of this chapter, the act, omission, or failure of any officer, agent, or other person acting
for or employed by any common carrier or user, acting within the scope of employment, shall in every case be also
deemed to be the act, omission, or failure of such carrier or user as well as that person.”).
331
AT&T Comments at 70-71.
332
Id. at 70; see also IMS Health Comments at 16-17.
333
Reisman and Narayanan June 17, 2016 Ex Parte at 48,
https://www.fcc.gov/ecfs/filing/60002158273/document/60002354966
334
See EFF Comments at 15-16; Messaging Malware Mobile Anti-Abuse Working Group (M
3
AAWG) Comments
at 5; Feamster July 13, 2016 Ex Parte.
335
Since telecommunications carriers must be able to provide secure networks to their customers, we include
security research within the scope of research allowed under this limitation. Security research also falls under the
exception covered in Part III.D.2.b, infra, regarding uses of customer PI to protect the rights and property of a
carrier, or to protect users from fraud, abuse, or unlawful use of the networks.
336
See infra Part III.D.2.a.
337
We accordingly need not resolve the longstanding debate in the broader privacy literature concerning the
circumstances under which data may be said to be reasonably de-identified, including the specific debate in the
record concerning the appropriate role of aggregation. See generally, e.g., Paul Ohm, Broken Promises of Privacy:
Responding to the Surprising Failure of Anonymization, 57 UCLA L. Rev. 1701 (2010); Future of Privacy Forum
Comments.
338
Letter from 38 Public Interest Organizations to the Honorable Tom Wheeler, Chairman, FCC at 1 (Sept. 7, 2016)
(https://www.fcc.gov/ecfs/filing/10907040663545).
Federal Communications Commission FCC 16-148
49
has stated, the FTC guidance on which we pattern our standard is “a very aggressive and appropriately
strong form of de-identification”
339
and it is one that requires strong technological protections as well as
business processes in its implementation. The Commission will carefully monitor carriers’ practices in
this area. We emphasize that carriers relying on de-identification for use and sharing of customer
proprietary information should employ well-accepted, technological best practices in order to meet the
three-part test described above and employ practices that keep pace with evolving technology and
privacy science.
340
C. Providing Meaningful Notice of Privacy Policies
122. In this section, we adopt privacy policy notice requirements for providers of broadband
Internet access services and other telecommunications services. There is broad recognition of the
importance of transparency as one of the core fair information practice principles (FIPPs),
341
and it is an
essential component of many privacy laws and regulations, including the Satellite and Cable Privacy
Acts.
342
Customer notification is also among the least intrusive and most effective measures at our
disposal for giving consumers tools to make informed privacy decisions.
343
In fact, it is only possible for
customers to give informed consent to the use of their confidential information if telecommunications
carriers give their customers easy access to clear and conspicuous, comprehensible, and not misleading
information about what customer data the carriers collect; how they use it; who it is shared with and for
what purposes; and how customers can exercise their privacy choices.
344
Therefore, we adopt rules to
ensure that BIAS providers’ and other telecommunications carriers’ privacy notices meet these essential
criteria, which provide transparency and enable the exercise of choice.
123. In adopting these transparency requirements, we build on and harmonize our existing
Section 222 rules for voice providers
345
with BIAS providers’ existing requirement to disclose their
339
Letter from Paul Ohm, Professor of Law, Georgetown University Law Center, to Marlene H. Dortch, Secretary,
FCC, WC Docket No. 16-106, at 3 (filed July 28, 2016) (Paul Ohm July 28, 2016 Ex Parte).
340
Latanya Sweeney, Only You, Your Doctor, and Many Others May Know, JOTS Technology Science (Sept. 29,
2015), http://techscience.org/a/2015092903/ (“Policy should adopt best practices, which improve over time as
privacy technology and the science of data privacy advances. Society can learn from cycles of published re-
identifications, because the knowledge of vulnerabilities will rapidly lead to improved techno-policy protections. It
is an evolutionary cycle. First, a re-identification vulnerability becomes known, which leads to improved practices
and technical solutions, which in turn leads to other re-identifications, and so on, until eventually we achieve robust
technical, policy, or administrative solutions.”).
341
See Broadband Privacy NPRM, 31 FCC Rcd at 2527, para. 82; see also 2012 FTC Privacy Report at 61-64;
Letter from Matthew M. Polka, President & CEO, American Cable Association, et al., to the Honorable Tom
Wheeler, Chairman, FCC (March 1, 2016) (on file with WCB) (Industry Framework); New America’s Open
Technology Institute, The FCC’s Role in Protecting Online Privacy 7 (2016) (OTI White Paper); Letter from Marc
Rotenberg, Executive Director, EPIC, et al., to Tom Wheeler, Chairman, FCC, at 3 (Jan. 20, 2016); Letter from
Jason Kint, Digital Content Next, to Tom Wheeler, Chairman, FCC, at 3-4 (Feb. 26, 2016).
342
See 47 U.S.C. §§ 551(a), 338(i)(1) (directing cable providers and satellite carriers, respectively, to “clearly and
conspicuously” notify their subscribers of data collection and disclosure practices).
343
See 2015 Open Internet Order, 30 FCC Rcd at 5669, para. 154 (citing Howard Beales, Richard Craswell &
Steven C. Salop, The Efficient Regulation of Consumer Information, 24 J. L. & Econ. 491 at 513 (1981); Howard
Beales, Richard Craswell & Steven C. Salop, Information Remedies for Consumer Protection, 71 Am. Econ. Rev.
410 at 411 (Papers & Proceedings, May 1981); Alissa Cooper, How Regulation and Competition Influence
Discrimination in Broadband Traffic Management: A Comparative Study of Net Neutrality in the United States and
United Kingdom, at Section 2.4.3 (Sept. 2013)).
344
See infra note 354.
345
47 CFR §§ 64.2001-64.2011.
Federal Communications Commission FCC 16-148
50
privacy policy under the 2010 and 2015 Open Internet Orders.
346
For today’s rules, we look to the record
in this proceeding, which includes submissions from providers, consumer advocates, other government
agencies,
347
and others about what does and does not work with respect to privacy policies.
348
Based on
that record, we adopt rules that require providers to disclose their privacy practices, but decline to be
prescriptive about either the format or specific content of privacy policy notices in order to provide
flexibility to providers and to minimize the burden of compliance levied by this requirement.
349
In the
interest of further minimizing the burden of transparency, particularly for small providers, we also direct
the Consumer Advisory Committee to convene a multi-stakeholder process to develop a model privacy
policy notice that will serve as a safe harbor for our notice requirements.
124. We recognize that some commenters have criticized privacy notice requirements as
providing incomplete protections for consumers. Notices by themselves do not give consumers the power
to control their information; notices are not always read or understood, and newer developments in
tracking and analytics can reveal more about consumers than most people realize.
350
However, none of
these criticisms eliminates the fundamental need for and benefit of privacy notices.
351
If consumers do
not have access to the information they need to understand what personal data is being collected and how
their data is being used and shared, they cannot make choices about those practices. The fact that poorly
written or poorly distributed notices can confound consumer understanding does not make well-formed
notices useless, and while one consumer may ignore a notice, another who has a compelling desire to
protect her privacy will benefit substantially from it. Notice also remains an essential part of today’s
privacy frameworks, even as big data analysis creates new privacy challenges. As the recent
346
See 2010 Open Internet Order, 25 FCC Rcd at 17939, para. 56; 2015 Open Internet Order, 30 FCC Rcd at 5673,
para. 164.
347
We observe in particular that notice is fundamental to the FTC’s privacy regime, acting as a basis for its
implementation of FIPPs and forming required components of their enforcement proceedings. See 2012 FTC
Privacy Report; Facebook, Inc., Decision and Order, F.T.C. File No. 092-3184 (2012),
https://www.ftc.gov/enforcement/cases-proceedings/092-3184/facebook-inc (Facebook Consent Order); Google,
Inc., Decision and Order, F.T.C. File No. 102-3136 (2011), https://www.ftc.gov/enforcement/cases-
proceedings/102-3136/google-inc-matter (Google Consent Order).
348
See, e.g., Comcast Comments at 16-17, 22 (“[C]ompanies must provide consumers with understandable privacy
notices . . . [and] should make an effort to educate consumers about their data privacy practices.”); CTIA Comments
at 103; Hughes Network Systems (Hughes) Comments at 3; Industry Framework at 5 (arguing that carriers should
provide notices “describing the CPNI that it collects, how it will use the CPNI, and whether and for what purposes it
may share that CPNI with third parties”); INCOMPAS Comments at 9 (supporting FIPPs of transparency, choice,
and security); Consumer Action Comments at 2 (“Consumers deserve to know what information is being collected
about them, how it’s being used and why it will be shared with other entities.”); EPIC Reply at 3 (asserting that FCC
should ensure fair information practices); CDT Comments at 6-7; Mozilla Comments at 6 (Our users and our
community have told us through surveys, comments and emails that transparency and control matter to them.
They want to know what is happening with their data; they want to control what data is shared, understand how their
data is used and what they get for that exchange.”); Aleecia M. McDonald (McDonald) Reply at 1 (“Even the most
minimal set of FIPPs include notice, choice, access, integrity, and enforcement.”).
349
Moreover, the record reflects that many BIAS providers and other telecommunications carriers already provide
thorough notice of their privacy practices. See infra note 360.
350
See EPIC Comments at 6; CDD Comments at 17; Behavioral Economics Consulting Group Comments at 3 (“In
many cases, disclosure has no effect on behavior. . . Research has shown that transparency is only effective in
preventing deception when the information shared is meaningful and comprehensible to the recipient.”).
351
2014 Administration Big Data Report at 55 (“For the vast majority of today’s ordinary interactions between
consumers and first parties, the notice and consent framework adequately safeguards privacy protections.”); id. at 61
(“While notice and consent remains fundamental in many contexts, it is now necessary to examine whether a greater
focus on how data is used and reused would be a more productive basis for managing privacy rights in a big data
environment.”).
Federal Communications Commission FCC 16-148
51
Administration Big Data Report explains, notice and choice structures may not be sufficient to account
for all privacy effects of “big data,”
352
but such frameworks are necessary to protect consumers from a
range of active privacy threats.
125. Below we lay out the specific transparency requirements we adopt today. First, we
require that those privacy notices inform customers about what confidential information the providers
collect, how they use it, and under what circumstances they share it. We also require that providers
inform their customers about customers’ rights to opt in to or out of (as the case may be) the use or
sharing of their confidential information. This information must be presented in a way that is clear and
conspicuous, in language that is comprehensible and not misleading.
353
Second, we require that providers
present their privacy notice to customers at the point of sale prior to the purchase of service, and that they
make their privacy policies persistently available and easily accessible on their websites, apps, and the
functional equivalents thereof. Finally, we require providers to give their customers advance notice of
material changes to their privacy policies. In adopting these transparency rules, we are implementing, in
part, Sections 222(a) and 222(c)(1), under which we find that supplying customers with the information
they need to make informed decisions about the use and sharing of their personal information is an
element of “informed” approval within the meaning of Section 222, as well as necessary to protecting the
confidentiality of customer proprietary information.
354
1. Required Privacy Disclosures
126. Customers must have access to information about the personal data that a BIAS provider
or other telecommunications carrier collects, uses, and shares, in order to make decisions about whether to
do business with that provider, and in order to exercise their own privacy decisions. Absent such notice,
the broad range of data that a provider is capable of gathering by virtue of providing service could leave
customers with only a vague concept of how their privacy is affected by their service provider.
355
We also
agree with the FTC that disclosing this information “provides an important accountability function,”
356
as
disclosure of this information “constitute[s] public commitments regarding companies’ data practices.”
357
352
2014 Administration Big Data Report at 54 (“[F]ocusing on controlling the collection and retention of personal
data, while important, may no longer be sufficient to protect personal privacy.”); see also Technology Policy
Institute (TPI) Comments, Attach., Thomas Lenard and Scott Wallsten White Paper, An Economic Analysis of the
FCC’s Privacy Notice of Proposed Rulemaking at 24 (Lenard and Wallsten White Paper) (citing 2014
Administration Big Data report in criticizing notice and consent); SIIA Comments at 8-9 (same).
353
We will consider information to be misleading if it includes material misrepresentations or omissions.
354
See Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer
Proprietary Network Information and Other Customer Information; Implementation of the Non-Accounting
Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, Second Report and Order and
Further Notice of Proposed Rulemaking, 13 FCC Rcd 8061, 8117-18, para. 73 (1998) (1998 CPNI Order); see also,
e.g., ViaSat Comments at 3 (stating that “transparency is critical for ‘consumers to make informed choices’
regarding the collection and use of customer information”); California Attorney Gen. (California AG) Reply at 4
(“Consumers can only exercise privacy choices when they are aware of them and understand their implications.”);
U.S. Dep’t of Health, Educ. And Welfare, Sec’y’s Advisory Comm. on Automated Data Systems., Records,
Computers, and the Rights of Citizens 41 (1973) (HEW Report) (“There must be a way for an individual, to find out
what information about him is in a record and how it is used.”); FTC, Privacy Online: A Report to Congress (1998)
(“[D]ata collectors must disclose their information practices before collecting personal information from
consumers”).
355
See, e.g., Privacy Rights Clearinghouse Comments at 3 (“BIAS providers’ data practices are largely invisible to
customers and data is becoming increasingly valuable and easy to collect, store, and share. This highlights the need
for clear, conspicuous, and easy-to-understand privacy notices.”).
356
FTC Staff Comments at 12.
357
Id. (explaining that privacy advocates, regulators, the press, consumers, and others will have access to
information about how companies collect, use, and share data).
Federal Communications Commission FCC 16-148
52
To enable customers to exercise informed choice, and to reduce the potential for confusion,
misunderstanding, and carrier abuse,
358
we find that a carrier’s privacy notices must accurately describe
the carrier’s privacy policies with regard to its collection, use, and sharing of its customers’ data.
Therefore, we adopt rules that require each telecommunications carrier’s notice of privacy policies to
accurately specify and describe:
The types of customer PI that the carrier collects by virtue of its provision of service, and how the
carrier uses that information;
Under what circumstances a carrier discloses or permits access to each type of customer PI that it
collects, including the categories of entities to which the carrier discloses or permits access to
customer PI and the purposes for which the customer PI will be used by each category of entities;
and
How customers can exercise their privacy choices.
We address each of these requirements in turn.
127. Types of Customer PI Collected, and How It Is Used. In order to make informed
decisions about their privacy, customers must first know what types of their information their provider
collects through the customers’ use of the service. Therefore, we require BIAS providers and other
telecommunications carriers to specify the types of customer PI that they collect by virtue of provision of
the telecommunications service, and how they use that information.
359
Pursuant to the voice rules and the
2010 Open Internet Order, all BIAS providers already provide customers with information about their
privacy policies.
360
As such, we find that this requirement will not impose a significant burden on
providers, and in some cases will decrease existing burdens.
361
128. Likewise, customers have a right to know how their information is being used and under
what circumstances it is being disclosed in order to make informed privacy choices.
362
Notices that omit
these explanations fail to provide the context that customers need to exercise their choices. We
emphasize that the notice must be sufficiently detailed to enable a reasonable consumer to make an
informed choice
129. We do not require providers to divulge the inner workings of their data use programs.
Instead, we find that to the extent that the notice requires providers to divulge the existence of such
programs, the benefits to the market of more complete information, as well as the benefits to customers in
knowing how their information is used, outweighs any individual advantage gained by any one
competitor in keeping the existence of the programs secret. We therefore disagree with commenters that
358
See 1998 CPNI Order, 13 FCC Rcd at 8161, para. 135.
359
Comcast Comments at 22 (“Each ISP should provide notice to its customers that describes the CPNI that it
collects.”); EPIC Comments at 9-10 (asserting that notices “must include . . . the type of data collected about
consumers”).
360
See CTIA Comments at 98 (“ISPs already publish privacy policies, providing their customers with significant
information about their data practices, including a description of the type of information they collect, how they use
it, with whom (and under what circumstances) they share it, and so forth.”); T-Mobile Comments at 39; Hughes
Comments at 3; AT&T Comments at 48-49 (“ISP privacy policies clearly set forth what information ISPs collect
and how it is used.”); Verizon Comments at 6 (“Verizon informs customers about what information it collects and
gives consumers choices about how their data may be used.”).
361
In particular, we eliminate a number of specific requirements for voice providers’ notices regarding customers’
CPNI. See infra Part III.C.5.
362
See CDD Comments at 20; OTI Comments at 33; T-Mobile Comments at 39; CTIA Comments at 98; AT&T
Comments at 48-49; Verizon Comments at 6.
Federal Communications Commission FCC 16-148
53
argue that these descriptions of how consumers’ information will be used unduly jeopardize their
competitive efforts.
363
130. Sharing of Customer PI with Affiliates and Third Parties. We also require that providers’
privacy policies notify customers about the types of affiliates and third parties with which they share
customer information, and the purposes for which the affiliates and third parties will use that information.
A critical part of deciding whether to approve of the sharing of information is knowing who is receiving
that information and for what purposes.
364
This information will allow customers to gauge their comfort
with the privacy practices and incentives of those other entities, whether they are affiliates or third parties.
It will also promote customer confidence in their telecommunications service by providing concrete
information and reducing uncertainty as to how their information is being used by the various parties in
the data-sharing and marketing ecosystems. While our existing CPNI rules are more specific in requiring
that individual entities be disclosed,
365
we seek to minimize customer confusion and provider burden by
adopting an approach used by the FTC by allowing disclosure of categories of entities. We also
encourage carriers to make these categories of entities as useful and understandable to customers as
possible. By way of example, the FTC’s regulations implementing the GLBA privacy rules will find a
covered institution in compliance with its rules if it lists particular categories of third party entities that it
shares information with, distinguishing, for instance, between financial services providers, other
companies, and other entities.
366
The FTC’s rules further specify that institutions should provide
examples of businesses in those categories.
367
In the context of communications customers’ information,
relevant categories might include providers of communications and communications-related services,
customer-facing sellers of other goods and services, marketing and advertising companies, research and
development, and nonprofit organizations.
131. We find that requiring providers to disclose categories of entities with which they share
customer information and the purposes for which the customer PI will be used by each category of
entities balances customers’ rights to meaningful transparency with the reality of changing circumstances
and the need to avoid overlong or over-frequent notifications.
368
We therefore reject calls to mandate
disclosure of a list of the specific entities that receive customer PI.
369
While some customers may benefit
from receiving such detailed information, we are persuaded by commenters who assert that requiring such
granularity would be unduly burdensome on carriers and induce notice fatigue in many customers. For
instance, carriers would be faced with the near-continuous need to provide new notices every time
contracts with particular vendors change or if third parties alter their corporate structureand customers,
363
See CTIA Comments at 105-06.
364
See EFF Comments at 12-13; EPIC Comments at 9-10; OTI Comments at 33; CTIA Comments at 98.
365
47 CFR § 64.2008(c)(2) (requiring telecommunications carriers to describe the “specific entities” to which CPNI
will be disclosed).
366
16 CFR § 313.6(c)(3).
367
Id. (listing “illustrative examples” of financial service providers as “mortgage bankers, securities broker-dealers,
and insurance agents” and “non-financial companies” as “retailers, magazine publishers, airlines, and direct
marketer.”).
368
See, e.g., FTC Staff Comments at 11-12 (supporting disclosure of categories of entities); CTIA Comments at 103
(“ISPs should be able to report general categories of data-sharing partners, rather than listing each and every
affiliate, vendor, or contractor with whom the ISP works.”). Because we harmonize these rules across BIAS and
other telecommunications services, we eliminate the requirement that telecommunications services specify the
“specific entities” that receive customer information in their notices of privacy policies accompanying solicitations
for customer approval. 47 CFR § 64.2008(c)(2) (“the notification must specify the. . . specific entities that will
receive the CPNI. . .”).
369
See, e.g., OTI Comments at 33; EFF Comments at 12-13; EPIC Comments at 9-10.
Federal Communications Commission FCC 16-148
54
in turn, would be inconvenienced with an overabundance of notices.
370
Furthermore, a list of specific
entities may not in itself aid the average consumer in making a privacy decision more than the
requirement that we adopt, which ensures that consumers understand what third parties that receive their
information do as a general matter. We therefore adopt the requirement that carriers need only provide
categories of entities with whom customer PI is shared, minimizing the burden on telecommunications
carriers. If a provider finds that providing notice of the specific entities with which it shares customer PI
would increase customer confidence, nothing prevents a provider from doing so, and we would encourage
notices to include as much useful information to customers as possible, while maintaining their clarity,
concision, and comprehensibility, as discussed in Part III.C.3, below.
371
Doing so does not require
bombarding customers with pages of dense legal language; providers may make use of layered privacy
notices or other techniques to ease comprehension and readability as necessary.
372
132. Customers’ Rights with Respect to Their PI. We also adopt our NPRM proposal to
require BIAS provider and other telecommunications carrier privacy notices to provide certain minimum
information. Carriers need not, however, repeat any of these “rights” statements verbatim, and we
encourage carriers to adapt these statements in manners that will be most effective based on their
extensive experience with their customer base. Specifically, carriers’ privacy notices must:
Specify and describe customers’ opt-in and opt-out rights with respect to their own PI. This
includes explaining that:
o a denial of approval to use, disclose, or permit access to customer PI for purposes
other than providing telecommunications service will not affect the provision of the
telecommunications services of which they are a customer.
o any approval, denial, or withdrawal of approval for use of the customer PI for any
purposes other than providing telecommunications service is valid until the customer
affirmatively revokes such approval or denial, and that the customer has the right to
deny or withdraw access to such PI at any time. However, the notice should also
explain that the carrier may be compelled, or permitted, to disclose a customer’s PI
when such disclosure is provided for by other laws.
Provide access to a simple, easy-to-use mechanism for customers to provide or withdraw
their consent to use, disclose, or permit access to customer PI as required by these rules.
373
133. These notice requirements are intended to ensure that providers inform their customers
that they have the right to opt into or out of the use and sharing of their information, as well as how to
make those choices known to the provider. We discuss the choice mechanism itself in Part III.D.4, infra.
Requiring providers to describe in a single place how information is collected, used, and shared, as well
as what the consumers’ rights are to control that collection, use, and sharing, enhances the opportunity for
370
See CTIA Comments at 105 (“ISPs may enter into agreements with third-party agents, independent contractors,
and other entities for a variety of different purposes, ranging from one-off transactions to repeat interactions.”);
NTCA Comments at 39-40 (“[T]his would create an administrative nightmare and hamstring a provider’s ability to
create arrangements in real market timewith third parties. . . Moreover, this requirement could be triggered if a
third party undergoes an internal corporate restructuring, and then foists upon the provider a liability whose cause of
action rests solely within the domain of the restructured third-party.”).
371
See EFF Comments at 12-13 (disclosure of specific entities can encourage customers to opt in to sharing when
they trust particular third parties); see also CDD Comments at 17 (stating that providers “should be able to be both
candid and succinct” and should be able to “test layout and design factors to ensure their privacy policies are
actually in view (as the industry is able to do with ‘viewability’ of digital ads”).
372
See CDD Comments at 19; T-Mobile Comments at 39 (describing existing layered approach to privacy notices);
WISPA Comments at 16 (asserting that “a layered privacy policy notice . . . should be considered” as a voluntary
safe harbor).
373
This mechanism is described below in Part III.D.4.
Federal Communications Commission FCC 16-148
55
customers to make informed decisions.
374
Likewise, requiring the notice to provide access to the choice
mechanism ensures that the mechanism is easily available and accessible as soon as the customer receives
the necessary privacy information. This is important, since studies have shown that “adding just a 15-
second delay between the notice and the loading of [a] webpage where subjects choose whether to reveal
their information eliminates the privacy-protective effect of the notice.”
375
As discussed further below,
376
we decline to specify particular formats for carriers to provide access to their choice mechanisms,
recognizing that different forms of access to the choice mechanism (e.g., a link to a website, a mobile
dashboard, or a toll-free number) may be more appropriate depending on the context in which the notice
may be given (e.g., on a provider’s website, in a provider’s app, or in a paper disclosure presented in a
provider’s store).
377
134. Studies have shown that customers are often resigned to an inability to control their
information, and may be under a mistaken impression that exercising their rights may result in degraded
service.
378
Thus, we require providers’ notice of privacy policies to also inform customers that denying a
provider the ability to use or share customer PI will not affect their ability to receive service.
379
This
parallels the existing Section 222 rules, which require carriers to “clearly state that a denial of approval
will not affect the provision of any services to which the customer subscribes.”
380
Since providers
drafting their notices have clear incentives to encourage customers to permit the use and sharing of
customer PI, it can be easy for customers to misconstrue exactly what is conditioned upon their
permission.
381
These provisions are intended to make customers aware that the offer of choice is not
merely pro forma.
135. We permit providers to make clear and neutral statements about potential consequences
when customers decline to allow the use or sharing of their personal information. We require that any
such statements be clear and neutral in order to prevent them from obscuring the basic fact of the
customer’s right to prevent the use of her information without loss of service. Allowing difficult-to-read
or biased statements would run counter to our goal of ensuring that notices overall are clear and
conspicuous, comprehensible, and not misleading.
382
NTCA recommends that we remove or modify from
the NPRM’s proposal the requirement that the explanation be brief.
383
In the interest of allowing more
374
See, e.g., OTI Comments at 33-34, 36; Online Trust Alliance Comments at 2.
375
See Lauren Willis (Willis) Reply at 7 (citing Idris Adjerid, et al., Sleights of Privacy: Framing, Disclosures, and
the Limits of Transparency, Symposium on Usable Privacy & Security (2013)).
376
See infra Part III.D.4.
377
See, e.g., NTCA Comments at 36-38; CTIA Comments at 104-05.
378
See, e.g., Lee Rainie and Maeve Duggan, Privacy and Information Sharing, Pew Research Center, December
2015, http://www.pewinternet.org/files/2016/01/PI_2016.01.14_Privacy-and-Info-Sharing_FINAL.pdf; Joseph
Turow, et al., The Tradeoff Fallacy: How Marketers are Misrepresenting American Consumers and Opening Them
Up to Exploitation, Univ. of Penn. Annenberg School of Comm’n (June 2015), available at
https://www.asc.upenn.edu/sites/default/files/TradeoffFallacy_1.pdf; Joseph Turow, et al., Americans Reject
Tailored Advertising and Three Activities that Enable it (September 29, 2009); available at SSRN:
http://ssrn.com/abstract=1478214; see also CDD Comments at 5 (citing consumer belief that they lack control over
their data); Free Press Reply at 25-26; CDD Reply at 2.
379
See infra Part III.G.1. As noted below, this provision does not mean that carriers categorically cannot engage in
financial incentive practices. See infra Part III.G.2.
380
47 CFR § 64.2008(c)(3).
381
See, e.g., California AG Reply at 3 (asserting “the choices offered to individuals [are often] illusory, frequently
amounting to ‘take it or leave it’ or ‘all or nothing’”).
382
See infra Part III.C.3.
383
NTCA Comments at 37-38 (footnote omitted).
Federal Communications Commission FCC 16-148
56
flexibility, we remove this requirement, with the understanding that brevity is often, but not always, a
component of clarity.
136. We require providers to inform customers that their privacy choices will remain in effect
until the customers change them, and that customers have the right to change them at any time. We
acknowledge that “[c]ustomers may make hasty decisions in the moment simply to obtain Internet access
. . . [and] therefore appreciate the reminder that they have the opportunity to change their mind.”
384
We
expect carriers’ privacy promises to customers and the privacy choices customers make to be honored,
including, for example, in connection with a carrier’s bankruptcy.
385
2. Timing and Placement of Notices
137. There is broad agreement that, in order to be useful, privacy policy notices must be
clearly, conspicuously, and persistently available, and not overly burdensome to the carrier or fatiguing to
the customer.
386
We therefore require telecommunications carriers to provide notices of privacy policies
at the point of sale prior to the purchase of service, and also to make them clearly, conspicuously, and
persistently available on carriers’ websites and via carriers’ apps that are used to manage service, if any.
We also eliminate periodic notice requirements from the voice CPNI rules.
138. Point of Sale. We agree with commenters that requiring notices at the point of sale
ensures that notices are relevant in the context in which they are given,
387
since this is a time when a
customer can still decide whether or not to acquire or commit to paying for service, and it also allows
customers to exercise their privacy choices when the carrier begins to collect information from them. In
this, we agree with the FTC, which finds that the most relevant time is when consumers sign up for
service.
388
The proximity in time between sale and use of information means that a point-of-sale notice,
in many if not most instances, serves the same function as a just-in-time noticethat of providing
information at the most relevant point in time. Consumer groups such as the Center for Digital
Democracy and providers such as Sprint also appear to agree on this point.
389
The point-of-sale
requirement is also consistent with the transparency requirements of the 2010 Open Internet Order, which
384
OTI Comments at 40.
385
As the FTC has done in its groundbreaking work in this area, the FCC will be vocal in support of customer
privacy interests that a carrier’s bankruptcy may raise. See, e.g., Letter from Jessica L. Rich, Director, FTC’s
Bureau of Consumer Protection to Elise Frejka, Esq. (May 16, 2015), available at https://www.ftc.gov/public-
statements/2015/05/letter-jessica-rich-director-bureau-consumer-protection-bankruptcy-court (letter to bankruptcy
court-appointed Consumer Privacy Ombudsperson expressing concern about possible sale of certain PII and
suggesting conditions to protect customer privacy); FTC v. Toysmart, No. 00-11341-RGS (D. Mass. 2000),
available at https://www.ftc.gov/enforcement/cases-proceedings/x000075/toysmartcom-llc-toysmartcom-inc
(consent order relating to sale in bankruptcy of children’s information, including shopping preferences).
386
See Comcast Comments at 44 (noting potential fatigue with repeated notices); CTIA Comments at 101-102
(recommending against periodic notices); NCTA Reply at 53 (arguing the most relevant time for notice is at point of
sale).
387
See, e.g., FTC Staff Comments at 24-25 (stating that customers should receive choice solicitations at “most
relevant time,” which is when they “sign up for service”); CDD Comments at 20 (“[P]rivacy decisions should be at
or near the point of sale.”); Sprint Comments at 12 (stating that notices may be most effective at the outset of the
provider-customer relationship); Comcast Reply at 12 (citing FTC Staff Comments at 24); cf., e.g., Privacy Rights
Clearinghouse Comments at 4 (citing Consumer Fin. Prot. Bureau, CFPB Finalizes Rule to Promote More Effective
Privacy Disclosures, October 20, 2014, http://www.consumerfinance.gov/about-us/newsroom/cfpb-finalizes-rule-to-
promote-more-effective-privacy-disclosures/) (stating that frequency of notice presentation irrelevant as long as
other standards are met); USTelecom Comments at 12 (citations omitted) (approving of a single initial notice).
388
FTC Staff Comments at 24-25.
389
CDD Comments at 20; Sprint Comments at 12.
Federal Communications Commission FCC 16-148
57
requires disclosure of privacy policies at the point of sale.
390
As such, we find that this requirement will
impose a minimal incremental burden on BIAS providers. The record further indicates that providing
notice at the point of sale can be less burdensome for a carrier, in part because it allows the provider to
walk a customer through the terms of the agreement.
391
Providing notice at the point of sale, and not after
a customer has committed to a subscription, can also allow carriers to compete on privacy.
392
139. We clarify that a “point of sale” need not be a physical location. Where the point of sale
is over voice communications, we require providers to give customers a means to access the notice, either
by directing them to an easily-findable website, or, if the customer lacks Internet access, providing the
text of the notice of privacy policies in print or some other way agreed upon by the customer. We find
that this requirement adequately addresses record concerns about the burdens associated with
communicating polices orally to customers.
393
140. Clear, Conspicuous, and Persistent Notice. We also require telecommunications carriers
to make their notices persistently available through a clear and conspicuous link on the carrier’s
homepage, through the provider’s application (if it provides one for account management purposes), and
any functional equivalents of the homepage or application.
394
This requirement also reflects the
transparency requirements in the 2010 Open Internet Order, which mandate “at a minimum, the
prominent display of disclosures on a publicly available . . . website,”
395
and as such, should add a
minimal burden for BIAS providers. Persistent and visible availability is critical; customers must be able
to review the notice and understand the carrier’s privacy practices at any time since they may wish to
reevaluate their privacy choices as their use of services change, as their personal circumstances change, or
as they evaluate and learn about the programs offered by the provider.
396
Persistent access to the notice of
privacy policies also ensures that customers need not rely upon their memory of the notice that they
viewed at the point of sale; so long as they have access to the provider’s website, app, or equivalent, they
can review the notice. As such, we require providers to at least provide a link to the web-hosted notice in
390
See 2010 Open Internet Order, 25 FCC Rcd at 17939-40, paras. 56-57; see also FCC Enforcement Bureau and
Office of General Counsel Advisory Guidance for Compliance with Open Internet Transparency Rule, Public
Notice, 26 FCC Rcd 9411, 9413-14 (2011) (2011 Open Internet Transparency Guidance).
391
CTIA Comments at 143; see also NTCA Comments at 52-53.
392
See Cincinnati Bell Comments at 12-13; Lenard and Wallsten White Paper at 18; FTC Staff Comments at 13
(citing 2012 FTC Privacy Report at 61); see also INCOMPAS Comments at 6; NTCA Comments at 7 (citation
omitted).
393
ITTA Comments at 21 (noting potential difficulty in providing notice if point of sale is over the telephone);
ViaSat Comments at 3-4 (asserting that “the Commission should permit BIAS providers at the point of sale to direct
consumers to such online disclosures orally or in writingrather than, for example, requiring BIAS providers to
have employees read privacy notices aloud to potential customers when signing them up for service over the
phone”).
394
See, e.g., Hughes Comments at 3 (“Hughes provides all consumers with 24 hour access to our plain language
privacy policy on our website . . . Accordingly, Hughes, an early adopter of consumer privacy protections, fully
supports the FCC requiring all broadband providers to provide clear, transparent privacy disclosures on their website
to prospective customers and current subscribers.”); OTI Comments at 40 (supporting proposal); NTCA Comments
at 36-38 (supports homepages links as persistent access to notice); ViaSat Comments at 3 (“[P]rivacy disclosures
should be readily available to customers through the provider’s website.”).
395
2010 Open Internet Order, 25 FCC Rcd at 17939-40, para. 57.
396
OTI Comments at 40 (“[C]onsumers generally cannot adequately account for privacy harms that result from
information disclosure far in the future . . . circumstances may have changed, particularly if customers can access
the information BIAS providers have collected about them . . . . Customers may make hasty decisions in the moment
simply to obtain Internet access [and] therefore appreciate the reminder that they have the opportunity to change
their mind.”); Hughes Comments at 5 (stating that persistent notice and choice mechanisms allow customers to re-
evaluate their choices); Mozilla Comments at 7 (stating that customers should be able to easily change their minds).
Federal Communications Commission FCC 16-148
58
a clear and conspicuous location on its homepage, to ensure that customers who visit the homepage may
easily find it.
397
141. We require the notice of privacy policies to be clearly and conspicuously present not only
on the provider’s website, but to be accessible via any application (“app”) supplied to customers by the
provider that serves as a means of managing their subscription to the telecommunications service. As
more consumers rely upon mobile devices to access online information, a provider’s website may become
less of a central resource for information about the provider’s policies and practices. Certain mobile apps
serve much the same function as a mobile website interface, giving customers tools to manage their
accounts with their providers.
398
As a significant point of contact with the customer, such apps are an
ideal place for customers to be able to find the notice of privacy policies.
399
We do not, however, expect
that every app supplied by a provider must carry the notice of privacy policies for the entire servicefor
instance, a mobile broadband provider that bundles a sports news app or a mobile game with its phones
and services would not need to provide the privacy notice we require here with those apps.
400
Nor do we
require providers who lack an app to develop one.
401
However, we require carriers that provide apps that
manage a customer’s billing or data usage, or otherwise serve as a functional equivalent to a provider’s
website, to ensure that those apps provide at least a link to a viewable notice of privacy policies.
402
142. Providing the notice both via the app and on the provider’s website increases customers’
ability to access and find the policy regardless of their primary point of contact with the provider. We do,
however, wish to ensure that customers can still reach notices even as providers may develop other
channels of contact with their customers, and thus require that the notice be made available on any
functional equivalents of the website or app that may be developed. While we anticipate that all BIAS
providers and most other telecommunications providers have a website, those that do not may provide
their notices to customers in paper form or some other format agreed upon by the customer.
143. No Periodic Notice Requirement. We decline to require periodic notice on an annual or
bi-annual basis. While periodic notices might serve to remind customers of their ability to exercise
privacy choices,
403
we remain mindful of the potential for notice fatigue and find that notices at the point
of sale, supplemented by persistently available notices on providers’ websites, and notices of material
change to privacy policies,
404
is sufficient to keep customers informed.
405
Additionally, we believe that
periodic notices might distract from notices of material changes, reducing the amount of customer
397
NTCA Comments at 35-38; ViaSat Comments at 3-4 (“[T]he Commission should permit BIAS providers at the
point of sale to direct consumers to such online disclosures orally or in writingrather than, for example, requiring
BIAS providers to have employees read privacy notices aloud to potential customers when signing them up for
service over the phone.”).
398
See NTCA Comments at 36 (noting the existence of mobile apps that track data usage and consumption, or
enable bill payment).
399
See NTCA Comments at 35-36; Privacy Rights Clearinghouse Comments at 4. The notice may be provided
either within the application itself or through a link in the application to a different location hosting the notice.
400
See, e.g., NTCA Comments at 35-36; S
2
ERC Comments at 11.
401
See S
2
ERC Comments at 11.
402
See NTCA Comments at 35-36 (approving of links to privacy policies on apps that serve as mobile web
interfaces).
403
See CDD Comments at 19 (suggesting marketing techniques can prevent customers from being overwhelmed by
regular notices); OTI Comments at 34-35 (recommending annual reminders of choice options).
404
See infra Part III.C.4.
405
See Privacy Rights Clearinghouse Comments at 4; WTA Comments at 15; XO Comments at 15; Rural Wireless
Association Comments at 7.
Federal Communications Commission FCC 16-148
59
attention to such changes.
406
We find that annual or periodic notices are unnecessary or even
counterproductive in this context, and we reduce burdens on all telecommunications carriersincluding
smaller carriersby eliminating the pre-existing every-two-year notice requirement from our Section 222
rules.
407
3. Form and Format of Privacy Notices
144. Recognizing the importance of flexibility in finding successful ways to communicate
privacy policies to consumers, we decline to adopt any specific form or format for privacy notices. We
agree with commenters that, in addition to running the risk of providing insufficient flexibility, mandated
standardized requirements may unnecessarily increase burdens on providers, and prevent consumers from
benefitting from notices tailored to a specific provider’s practices. For example, the record reflects
concerns that mandated standardized requirements can increase burdens on providers, and can also create
a number of problems, including a lack of flexibility to account for the fact that different carriers may
have different needs, such as creating comprehensive policies across different services.
408
This concern is
especially prevalent for smaller carriers.
409
At the same time, we agree with commenters that whatever
form of privacy notices a provider adopts, in order to adequately inform customers of their privacy rights,
such privacy notices must clearly and conspicuously provide information in language that is
comprehensible and not misleading, and be provided in the language used by the carrier to transact
business with its customer.
410
We therefore require providers to implement these general principles in
formatting their privacy policy notices.
145. These basic requirements for the form and format of privacy policies build on existing
Commission precedent regarding notice requirements for voice providers and open Internet transparency
requirements for BIAS providers, and incorporate FTC guidance on customer notice standards.
411
These
basic principles are well suited to accommodating providers’ and customers’ changing needs as new
business models develop or as providers develop and refine new ways to convey complex information to
customers.
412
Within these basic guidelines, providers may use any format that conveys the required
information, including layering and adopting alternative methods of structuring the notice or highlighting
its provisions.
413
We encourage innovative approaches to educating customers about privacy practices
and choices.
146. While we decline to mandate a standardized notice at this time, the record demonstrates
that voluntary standardization can benefit both customers and providers.
414
As such, as described below,
406
See supra note 403.
407
See NTCA Comments at 41; WTA Reply at 7; see also infra Part III.C.5.
408
See, e.g., CTIA Comments at 102-03; Mobile Future Comments at 4 (citing 2012 FTC Privacy Report at 27);
NCTA Comments at 85; WTA Comments at 14; ACA Reply at 14-15.
409
See, e.g., Rural Wireless Association Comments at 6-7 (expressing concern “about the financial burdens that the
proposed privacy notice framework will impose on small providers”); NTCA Comments at 41-42; WTA Comments
at 10.
410
See FTC Staff Comments at 14 (citing 16 CFR § 437.3(a) (“business opportunity rule”); 16 CFR § 14.9
(“requirements concerning clear and conspicuous disclosures in foreign language advertising and sales materials”)).
411
See 47 CFR §§ 64.2001-2011; 2010 Open Internet Order, 25 FCC Rcd at 17939, para. 56; 2015 Open Internet
Order, 30 FCC Rcd at 5673, para. 164; FTC Staff Comments at 11-15; 2012 FTC Privacy Report at 60-64.
412
See, e.g., T-Mobile Comments at 41-42; Future of Privacy Forum Reply at 6.
413
T-Mobile Comments at 39 (noting T-Mobile’s existing layered privacy notices); WISPA Comments at 16
(suggesting voluntary layered notices). We note that as standard business practices for conveying complex
information improve, we expect notices of providers’ privacy policies to keep pace.
414
See infra note 427.
Federal Communications Commission FCC 16-148
60
we adopt a voluntary safe harbor for a disclosure format that carriers may use in meeting the rules’
standards for being clear and conspicuous, comprehensible, and not misleading.
147. Clear, Conspicuous, Comprehensible and Not Misleading. Consistent with existing best
practices, we require providers’ privacy notices to be readily available and written and formatted in ways
that ensure the material information in them is comprehensible and easily understood. The record reflects
broad agreement that providers’ privacy practices “should be easily available [and] written in a clear
way.”
415
A number of commenters noted that certain practices frustrate the ability of customers to find
and identify the important parts of privacy notices, observing, for example, that notices could be
presented among or alongside distracting material, use unclear or obscure language, presented with
significant delays in ability for consumers to act, or be placed only at the bottom of “endless scrolling”
pages.
416
By mandating that notices be clear, conspicuous, comprehensible, and not misleading, we
prohibit such practices and others that render notices unclear, illegible, inaccessible, or needlessly
obtuse.
417
148. The NPRM framed these requirements in several ways, including that notices be “clear
and conspicuous,” as well as “clearly legible, use sufficiently large type, and be displayed in an area so as
to be readily apparent to the consumer.”
418
In adopting these rules, we streamline these requirements by
interpreting “conspicuous” to include requirements for prominent display, and eliminate the requirement
for “sufficiently large type,” based upon the understanding that insufficiently large type would not be
“comprehensible” or “clear and conspicuous.” Removing this specific requirement also preserves the
ability for providers who may be able to convey the necessary information through images or other non-
textual means.
419
149. We agree with the FTC’s observation that existing notices of privacy policies are
frequently too long and unclear;
420
overlong notices are often inherently less comprehensible.
421
As T-
Mobile states, “today’s busy consumers often have limited ability to fully review the hundreds of privacy
415
Consumer Action Comments at 2 (“The provider’s privacy practices should be easily available, written in a clear
way and linked to a user-friendly opt-out and preference page.”); Comcast Comments at 42-43 (“Two of the key
tenets of the FTC’s regime and Administration’s Consumer Privacy Bill of Rights are transparency and choice,
including making privacy practices as simple and clear as possible so that consumers can make informed
decisions.”); FTC Staff Comments at 11 (“FTC staff supports the proposed requirement to clearly and conspicuously
disclose privacy policies.”); Privacy Rights Clearinghouse Comments at 3 (“BIAS providers’ data practices are
largely invisible to customers. . . . This highlights the need for clear, conspicuous, and easy-to-understand privacy
notices.”); EPIC Comments at 9-10 (“Internet-based services must provide individuals in concise and easily
understandable language, accurate, clear, timely, and conspicuous information about the covered entity’s privacy
and security practices.”); CCA Reply at 34 (asserting that policies should be easily findable by customers).
416
Free Press Comments at 15 (criticizing notices presented among distractions); Greenlining Comments at 34-40
(noting examples of confusing or obscure language); Willis Reply at 7-8 (noting that firms can “sabotage”
disclosures through, inter alia, distractions, delays between notice and ability to act, and placing disclosures at the
end of lengthy processes to exhaust consumers); Willis Reply at 11-12 (detailing techniques that discourage
customer action on privacy notices); OTI Comments at 34 (criticizing “endless scrolling” pages obscuring privacy
notices).
417
See Greenlining Institute Comments at 33 (“It is unlikely that a customer reads and digests any of this
information.”); CDD Comments at 4 n.6 (arguing that “oblique and disingenuous” policies provider little consumer
notice but shield providers from liability); OTI Comments at 34 (calling for enforcement against inadequately
readable notices).
418
Broadband Privacy NPRM, 31 FCC Rcd at 2527-29, paras. 82, 83.
419
See Willis Reply at 5.
420
FTC Staff Comments at 12.
421
FTC Staff Comments at 12-13; New York Attorney General Reply at 2.
Federal Communications Commission FCC 16-148
61
policies that apply to the apps, websites, and services they use, and prefer simpler notices that provide
meaningful information.”
422
We recognize that providers must balance conveying the required
information in a comprehensive and comprehensible manner,
423
and therefore encourage, but do not
require, providers to make their notices as concise as possible while conveying the necessary information.
Layered notices, lauded by a few commenters, may be one of several ways to achieve these parallel
objectives.
424
150. The record also reflects that transparency is only effective in preventing deception when
the information shared is meaningful to the recipient.
425
We agree with the California Attorney General
that companies should “alert consumers to potentially unexpected data practices,” and as such require that
providers’ notices not be misleading in addition to being comprehensible.
426
This requirement is also
consistent with FTC precedent.
427
151. Other Languages. We agree with the FTC that providers should convey notices to their
customers in a language that the customers can understand.
428
We therefore require providers to convey
their entire notices of privacy policies to customers in another language, if the telecommunications carrier
transacts business with the customer in that other language.
429
This requirement ensures that customers
who are advertised to in a particular language may also understand their privacy rights in that same
language.
430
We conclude that this obligation appropriately balances accommodating customers who
primarily use languages other than English and reducing the burden on providers, especially small
providers, to translate notices into languages that are unused by their particular customers.
431
152. Mobile-Specific Considerations. We decline to mandate any additional requirements for
notices displayed on mobile devices. The record indicates that providers desire flexibility to adapt notices
to be usable in the mobile environment for their customers, while consumer advocates stress that the
requirements for usability must be met in some way, regardless of the specific formatting.
432
So long as
422
T-Mobile Comments at 39.
423
ADTRAN Comments at 10-11.
424
See, e.g., T-Mobile Comments at 39; WISPA Comments at 16; Ghostery Apr. 29, 2016 Ex Parte at 18.
425
Behavioral Economics Consulting Group Comments at 3; see also McDonald Reply at 3 (noting misleading
characterizations of targeted advertising).
426
California Attorney General Reply at 4-5; see also 2014 Administration Big Data Report at 56 (advocating a “no
surprises” rule based upon respecting the context of a consumer’s expectations of contextual use); INCOMPAS
Comments at 12 (noting heightened privacy implications for provisions that would surprise customers); T-Mobile
Comments at 29 (same); Mozilla Comments at 6 (advocating “no surprises” as a data principle).
427
See, e.g., Snapchat Consent Decree at 3 (prohibiting Snapchat from misrepresenting the extent which Snapchat or
its products or services maintain and protect the privacy, security, or confidentiality of any covered information,
including but not limited to: “(1) the extent to which a message is deleted after being viewed by the recipient; (2) the
extent to which respondent or its products or services are capable of detecting or notifying the sender when a
recipient has captured a screenshot of, or otherwise saved, a message; (3) the categories of covered information
collected; or (4) the steps taken to protect against misuse or unauthorized disclosure of covered information”).
428
FTC Staff Comments at 14; Asian American and Pacific Islander Technology & Telecommunications Table
(AAPI) Comments at 1.
429
Cf. Requirements concerning clear and conspicuous disclosures in foreign language advertising and sales
materials, 16 CFR § 14.9; Business Opportunity Rules, 16 CFR § 437.3(a).
430
FTC Staff Comments at 14. We note that for the purposes of this rule, “language” also includes American Sign
Language, meaning that if the customer transacts business with the carrier in American Sign Language, the notice
would need to be made available in that language.
431
AAPI Comments at 1.
432
See CTIA Comments at 103-04; EFF Comments at 14; Lehr et al. Comments at 4.
Federal Communications Commission FCC 16-148
62
notices on mobile devices meet the above guidelines and convey the necessary information, they will
comply with the rules. Providers are free to experiment within those broad guidelines and the capabilities
of mobile display technology to find the best solution for their customers.
153. Safe Harbor for Standardized Privacy Notices. To encourage adoption of standardized
privacy notices without mandating a particular form, we direct the Consumer Advisory Committee, which
is composed of both industry and consumer interests,
433
to formulate a proposed standardized notice
format, based on input from a broad range of stakeholders, within six months of the time that its new
membership is reconstituted, but, in any event, no later than June 1, 2017. There is strong support in the
record for creation of standardized notice, and for use of multi-stakeholder processes.
434
Standardized
notices can assist consumers in interpreting privacy policies, and allow them to better compare the
privacy policies of different providers, allowing increased competition in privacy protections.
435
Standardized notices can also reduce compliance costs for providers, especially small providers, by
ensuring they can easily adopt a compliant form and format for their notices.
436
154. The CAC has significant expertise in developing standard broadband disclosures and
other consumer disclosure issues.
437
We find that the Committee’s experience makes it an ideal body to
recommend a notice format that will be sufficiently clear and easy to read to allow consumers to easily
understand and compare the privacy practices of different providers. To ensure that the notice will be
clear and easy to read for all customers, it must also be accessible to persons with disabilities. We
delegate authority to the Wireline Competition Bureau, Wireless Telecommunications Bureau, and
Consumer & Governmental Affairs Bureau to work with the CAC on the draft standardized notice. If the
CAC recommends a form or format that do not meet the Bureaus expectations, the Bureaus may ask the
CAC to consider changes and submit a revised proposal for the Bureausreview within 90 days of the
Bureausrequest. The Bureaus may also seek public comment, as they deem appropriate, on any
standardized notice the CAC recommends. We also delegate authority to the Bureaus to issue a Public
Notice announcing any proposed format or formats that they conclude meet our expectations for the safe
harbor for making consumer-facing disclosures.
438
433
FTC Staff Comments at 13-14; Hughes Comments at 3-4 (noting the CAC has a precedent for developing
standard notices); WISPA Comments at 16 (approving of CAC process as a model for standardized notices);
WISPA Reply at 31 (specifically recommending the CAC develop standardized privacy notices). The Committee’s
purpose is to make recommendations to the Commission regarding consumer issues within the Commission’s
jurisdiction and to facilitate the participation of consumers in proceedings before the Commission.
434
ACA Reply at 14-15; NTCA Comments at 41-42 (supporting standardized safe harbor notice, but no mandated
standard); Privacy Rights Clearinghouse Comments at 3 (recommending standardized notice); Rural Wireless
Association Comments at 7; ViaSat Comments at 4; WISPA Comments at 16 (recommending standardized safe
harbor if notice is required); WISPA Reply at 31; Letter from Jodi Goldberg, Associate Corporate Counsel, Hughes
Network Systems, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, Attach. at 1 (filed Oct. 14, 2016)
(Hughes Oct. 14, 2016 Ex Parte) (supporting standardized notices as a safe harbor). We note that the record is
largely lacking on specific models for or details about how to format such notices.
435
FTC Staff Comments at 13; Greenlining Institute Comments at 41-42; EFF Comments at 13-14; ViaSat
Comments at 2 (“[P]rivacy practices often can be a point of competitive differentiation between service providers.”).
436
See, e.g., ACA Comments at 49-51; CTIA Comments at 104; EFF Comments at 13-14.
437
The Committee previously developed the Open Internet broadband consumer labels, as well as developed
guidelines on consumer disclosures via its Consumer Information Disclosure Task Force. Consumer and
Governmental Affairs, Wireline Competition, and Wireless Telecommunication Bureaus Approve Open Internet
Broadband Consumer Labels, GN Docket No. 14-28, Public Notice, 31 FCC Rcd 3358; FCC Consumer Advisory
Committee, Recommendations Regarding Pre-Sale Consumer Disclosures (Aug. 4, 2010), at
https://apps.fcc.gov/edocs_public/attachmatch/DOC-300826A1.pdf.
438
47 CFR §§ 0.291, 0.331, 0.361.
Federal Communications Commission FCC 16-148
63
155. Providers that voluntarily adopt a privacy notice format developed by the CAC and
approved by the Bureaus will be deemed to be in compliance with the rules’ requirements that notices be
clear, conspicuous, comprehensible, and not misleading. As with the Open Internet BIAS transparency
rules, use of the safe harbor notice is a safe harbor with respect to the format of the required disclosure to
consumers. A provider meeting the safe harbor could still be found to be in violation of the rules, for
example, if the content of that notice is misleading, otherwise inaccurate, or fails to include all mandated
information.
4. Advance Notice of Material Changes to Privacy Policies
156. We require telecommunications carriers to provide advance notice of material changes to
their privacy policies to their existing customers, via email or other means of active communication
agreed upon by the customer.
439
As with a provider’s privacy policy notice, any advance notice of
material changes to a privacy policy must be clear, conspicuous, comprehensible, and not misleading.
The notice also must be completely translated into a language other than English if the
telecommunications carrier transacts business with the customer in that language. This notice must
inform customers of both (1) the changes being made; and (2) customers’ rights with respect to the
material change as it relates to their customer PI.
440
In doing so, we follow our own precedent and that of
the FTC in recognizing the need for consumers to have up-to-date and relevant information upon which to
base their choices.
441
This requirement to notify customers of material change finds strong support in the
record.
442
157. The record reflects strong justifications for requiring providers to give customers advance
notice of material changes to their privacy policies.
443
In order to ensure that customer approval to use or
share customer PI is “informed” consent, customers must have accurate and up-to-date information of
what they are agreeing to in privacy policies.
444
The notice of material change requirement that we adopt
is consistent with the transparency requirements of the 2015 Open Internet Order, which require
providers to disclose material changes in, among other things, “commercial terms,”
445
which includes
privacy policies.
446
Notices of material change are essential to respecting customers’ informed privacy
choices; if a provider substantially changes its privacy practices after a customer has agreed to a different
set of practices, the customer cannot be said to have given informed consent, consistent with Section 222.
This is particularly important when providers are seeking a customer’s opt-out consent, since the
customer’s privacy rights could change whether or not they had actual knowledge of the change in policy.
We therefore disagree that such a requirement is outweighed by the risk of notice fatigue;
447
to the extent
439
See Broadband Privacy NPRM, 31 FCC Rcd at 2533-34, para. 96. As with our requirements for the notice of
privacy policy, if a carrier does not have a website, it may provide notices of material change notices to customers in
paper form or some other format agreed upon by the customer.
440
See id.
441
See 2015 Open Internet Order, 30 FCC Rcd at 5671-73, paras. 161-164; Facebook Consent Order; Google
Consent Order.
442
See, e.g., FTC Staff Comments at 14-15; EFF Comments at 13; Comcast Comments at 49; CTIA Comments at
122-23; T-Mobile Comments at 41; WISPA Comments at 14.
443
See FTC Staff Comments at 14-15; EFF Comments at 13; Comcast Comments at 49; CTIA Comments at 122-23;
T-Mobile Comments at 41; WISPA Comments at 14.
444
See, e.g., Online Trust Alliance Comments at 3; McDonald Reply at 3 (“Many ISPs provided limited information
to users, at best informing users that terms and conditions had changed without explaining the scale and scope of
privacy change. Some ISPs reportedly did not notify users at all.”).
445
2015 Open Internet Order, 30 FCC Rcd at 5671-72, para. 161.
446
Id. at 5672-73, para. 164.
447
See CTA Comments at 11 (arguing that material change notices will result in notice fatigue).
Federal Communications Commission FCC 16-148
64
that providers are frequently changing their policies materially, they should alert their customers to that
fact, or risk rendering their earlier efforts at transparency fruitless.
158. For the purposes of this rule, we consider a “material change” to be any change that a
reasonable customer would consider important to her decisions on her privacy. This parallels the
consumer interest-focused definition of “material change” used in the 2015 Open Internet Order.
448
Such
changes would primarily include any changes to the types of customer PI at issue, how each type of
customer PI is used or shared and for what purpose, or the categories of entities with which the customer
PI is shared. To provide guidance on the standard above, at minimum, if any of the required information
in the initial privacy notification changes, then the carrier must provide the required update notice. We
adopt this guidance because the initial notice contains the information on which customers are making
their privacy decisions, and changes to that information may alter how consumers grant permissions to
their carriers. We also limit carriers’ requirements under this section to existing customers, since only
existing customers (and not new applicants) would have a current privacy policy that could be materially
changed.
159. Delivering Notices of Material Changes. For consumers to understand carriers’ privacy
practices, carriers must keep them up to date and persistently available, but must also ensure that
customers’ knowledge of them is up to date. It is not reasonable, for instance, to expect consumers to
visit carriers’ privacy policies on a daily basis to see if anything has changed. Therefore, we require
telecommunications carriers to notify an affected customer of material changes to their privacy policies
by contacting the customer with an email or some other form of active communication agreed upon by the
customer.
160. We require active forms of communication with the customer because merely altering the
text of a privacy policy on the carrier’s website alone is insufficient. There is little chance that, absent
some form of affirmative contact, a customer would periodically visit and review a provider’s notices of
privacy policies for any changes.
449
We also recommend, but do not require, providers to solicit
customers’ contact preferences to enable customers to choose their preferred method of active contact
(such as email, text messaging, or some other form of alert), as not all customers have the same contact
preferences. This is particularly true for voice services, where it may be less likely that customers will
visit a provider’s website, and providers may not have a customer’s email address.
450
While this does
require each provider to have some means of contacting the customer, it does not require gathering more
customer information, since, by virtue of providing service, a provider will necessarily be able to contact
a customer, whether by email, text message, voice message, or postal mail.
451
Some commenters have
expressed concern that requiring carriers to send multiple notices in different formats for each material
change would present “significant logistical challenges.
452
The rules do not require multiple formats for
448
The definition differs from that in the 2015 Open Internet Order in two respects: the customer’s interest is
defined by the customer’s decisions on privacy, and not choice of provider, service, or application; and the reference
to edge providers, which are not relevant to the material changes at issue, has been removed. See WISPA
Comments at 14.
449
Cf. NTCA Reply at 42-43 (submitting that push notices and billing statements, supplemented by a notice on the
website, are sufficient); contra CenturyLink Comments at 21-22 (arguing that initial notice of privacy policies and
disclosure on a website is sufficient).
450
See NCTA Comments at 85 (suggesting text messages as one form of notice and solicitation).
451
But cf. CenturyLink Comments at 21-22 (arguing that actively contacting customer required further data
collection).
452
See, e.g., Letter from Rebecca Murphy Thompson, EVP & General Counsel, Competitive Carriers Association, to
Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 3 (filed Oct. 13, 2016) (CCA Oct. 13, 2016 Ex
Parte).
Federal Communications Commission FCC 16-148
65
each notice of material change, but allow carriers to use one method, whether that is email or some other
active method agreed upon by the customer.
161. The active notice requirements reflect the rationale behind the transparency requirements
of the 2015 Open Internet Order, which require directly notifying end users if the provider is about to
engage in a network practice that will significantly affect a user’s use of the service.
453
As explained in
that Order, the purpose is to “provide the affected [] users with sufficient information. . . ” to make
choices that will affect their usage of the service.
454
Given these existing obligations, we disagree with
commenters who suggest that providing more than one notice is overly burdensome.
455
162. In addition to the active notice required above, we encourage providers to include notices
of changes in customers’ billing statements, whether a customer has selected electronic billing, paper
bills, or some other billing format.
456
Providing notice via bills can help ensure that customers will
receive the notice, and makes it more likely that they will correctly attribute the notice as coming from
their provider.
457
163. Contents of Advance Notice of Material Changes. As proposed in the NPRM, the
advance notice of material change must specify and describe the changes made to the provider’s privacy
policies, including any changes to what customer PI the provider collects; how it uses, discloses, or
permits access to such information; and the categories of entities with which it shares that information.
458
This explanation should also include whether any changes are retroactive (i.e., they will involve the use or
sharing of past customer PI that the provider can access).
459
The entire notice must be clear and
conspicuous, comprehensible, and not misleading. The notice of material change need not contain the
entirety of the provider’s privacy policies, so long as it accurately conveys the relevant changes and
provides easy access to the full policies. Moreover, the notice of material change must not simply
provide fully updated privacy policies without specifically identifying the changesas stated above, the
changes must be identified clearly, conspicuously, comprehensibly, and in a manner that is not
misleading. For the same reasons that we impose this requirement with respect to the notice of privacy
policies, we also require that the notice of material change be translated into a language other than
English if the telecommunications carrier transacts business with the customer in that language. As with
the initial notice of privacy policies, the notice of material change must also explain the customer’s rights
with regard to this information. We do not, however, require that carriers use any particular language in
these explanations, and encourage carriers to adapt their notices in ways that best suit their customers.
We decline to specify how much advance notification providers must give their customers before making
material changes to their privacy policies, recognizing that the appropriate amount of time will vary, inter
453
2015 Open Internet Order, 30 FCC Rcd at 5677, para. 171.
454
Id.
455
See, e.g., CenturyLink Comments at 21-22.
456
See generally NTCA Comments at 40-41 (noting that many customers do not receive printed billing statements).
457
Cf. McDonald Reply at 3-4 (noting 11 percent of consumers in one survey who believed an opt-out notice was a
scam).
458
See Broadband Privacy NPRM, 31 FCC Rcd at 2533-35, paras. 96, 100; 31 FCC Rcd at 2605, Appendix A
(proposed §64.7001(c)(1)).
459
See FTC Staff Comments at 14-15; see also 2012 FTC Privacy Report at 57-58.; EFF Comments at 13; Comcast
Comments at 49; CTIA Comments at 122-23; T-Mobile Comments at 41; WISPA Comments at 14. The
Administration CPBR similarly notes that “previously collected personal data” calls for increased privacy controls
over ongoing collection. 2015 Administration CPBR Discussion Draft, § 102(e)(2). As discussed in Part
III.D.1.a(ii) below, if the material change affects previously collected information, then, consistent with FTC
precedent and recommendations, the carrier must obtain opt-in consent for that new use of previously collected
information.
Federal Communications Commission FCC 16-148
66
alia, based on the scope of the change or the sensitivity of the information at issue. However, BIAS
providers and other telecommunications carriers must give customers sufficient advance notice to allow
the customers to exercise meaningful choice with respect to those changed policies.
5. Harmonizing Voice Rules
164. As noted above, we apply these rules to all providers of telecommunications services.
Harmonizing the rules for broadband and other telecommunications services will allow providers that
offer multiple (and frequently bundled)
460
services within this category to operate under a more uniform
set of privacy rules, reducing potential compliance costs.
461
For example, our rules will enable providers
to provide the necessary notices for both voice and broadband services at the point of sale, allowing the
information to be conveyed in one interaction for customers purchasing bundles, minimizing burdens on
providers and customers alike.
462
Furthermore, this consistency also enhances the ability of customers
purchasing BIAS and other telecommunications services from a single provider to make informed choices
regarding the handling of their information.
165. In harmonizing our notice rules across BIAS and other telecommunications services, we
are able to reduce burdens on providers by eliminating certain existing requirements that we find are no
longer necessary. For instance, because we require that notice of privacy practices be readily available on
providers’ websites, an already common practice,
463
we eliminate the requirement that notices of privacy
practices be re-sent to customers every 2 years.
464
Further, because the record evinces the growing need
for flexibility in applying the principles of transparency, we eliminate requirements that notices provide
that “the customer has a right, and the carrier has a duty, under federal law, to protect the confidentiality
of CPNI”
465
a requirement that has apparently been interpreted as requiring that language to appear
verbatim in privacy policies.
466
Similarly, we eliminate requirements that emails containing notices of
material changes contain specific subject lines, leaving to providers the means by which they can meet the
general requirements that any communication must be clear and conspicuous, comprehensible, and not
misleading. We find that in lieu of these more prescriptive requirements, the common-sense rules we
adopt above better ensure that customers receive truly informative notices without unnecessary notice
fatigue or unnecessary regulatory burdens on carriers.
D. Customer Approval Requirements for the Use and Disclosure of Customer PI
166. In this section, we adopt rules that give customers of BIAS and other telecommunications
services the tools they need to make choices about the use and sharing
467
of their personal information,
and to easily adjust those choices over the course of time. Respecting the choice of the individual is
460
See Charter Reply at 13-14; NTCA Comments at 47; INCOMPAS Comments at 4-5; WTA Comments at 12.
461
See, e.g., NTCA Comments at 38-39; RWA Comments at 6-7; WTA Comments at 9; Letter from Catherine M.
Hilke, Assistant General Counsel, Verizon, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106 (filed
Aug. 17, 2016).
462
See Letter from Catherine M. Hilke, Assistant General Counsel, Verizon, to Marlene H. Dortch, Secretary, FCC,
WC Docket No. 16-106 at 1 (filed Oct. 13, 2016) (Verizon Oct. 13, 2016 Ex Parte).
463
See supra note 360.
464
See Privacy Rights Clearinghouse Comments at 4; WTA Comments at 15; XO Comments at 15.
465
See 47 CFR § 64.2008(c)(1).
466
See Letter from William H. Johnson, Senior Vice President, Federal Regulatory & Legal Affairs, Verizon, to
Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106 (filed June 23, 2016).
467
Section 222 addresses the conditions under which carriers may “use, disclose, or provide access to” customer
information. 47 U.S.C. § 222(c)(1), (c)(3), (d), (f). For simplicity throughout this document we sometimes use the
terms “disclose” or “share” in place of “disclose or provide access to.”
Federal Communications Commission FCC 16-148
67
central to any privacy regime,
468
and a fundamental component of FIPPs.
469
In adopting Section 222,
Congress imposed a duty on telecommunications carriers to protect the confidentiality of their customers’
information, and specifically required that carriers obtain customer approval for use and sharing of
individually identifiable customer information. In adopting rules to implement these statutory
requirements, we look to the record, which includes substantial discussion about customers’ expectations
in the context of the broader Internet ecosystem, as well as existing regulatory, enforcement, and best
practices guidance. We are persuaded that sensitivity-based choice rules are the best way to implement
the mandates of Section 222, honor customer expectations, and provide carriers the ability to engage their
customers.
167. We therefore adopt rules that require express informed consent (opt-in approval) from the
customer for the use and sharing of sensitive customer PI. As described in greater detail below, our rules
treat the following information as sensitive: precise geo-location, health, financial, and children’s
information; Social Security numbers; content; and web browsing and application usage histories and
their functional equivalents. For voice providers, our rules also treat call detail information as sensitive.
With respect to non-sensitive customer PI, carriers must, at a minimum, provide their customers the
ability to opt out of the carrier’s use or sharing of that non-sensitive customer information. Carriers must
also provide their customers with an easy-to-use, persistent mechanism to adjust their choice options.
470
168. The sensitivity-based choice approach we adopt is not monolithic. We recognize certain
congressionally-directed exceptions to customer approval rights. Most obviously, carriers can, and
indeed must, use and share customer PI in order to provide the underlying telecommunications service, to
bill and collect payment for that service, and for certain other limited purposes by virtue of delivering the
service. Congress also recognized that there are other laws and regulations that allow or require carriers
to use and share customer PI without consent. Therefore, we adopt exceptions to our choice framework
that allow carriers to use and share information for the congressionally directed purposes outlined in the
Communications Act, and as otherwise required or authorized by law.
169. In the first part of this section, we discuss our application of a sensitivity-based
framework to the use and sharing of customer PI. We explain what we consider to be sensitive customer
PI, and how our rules apply the sensitivity-based framework. In the second part of this section, we
explain and implement the limitations and exceptions to that choice framework.
170. In the next parts of this section, we discuss the mechanisms for customer approval
provided for in our rules. We explain how and when carriers must solicit and obtain customer approval to
use and share the customer’s PI under the framework we adopt today, and require carriers to provide
customers with easy access to a choice mechanism that is simple, easy-to-use, clearly and conspicuously
disclosed, persistently available, and made available at no additional cost to the customer. Finally, we
eliminate the requirements that telecommunications providers keep particular records of their use of
customer PI and periodically report compliance to the Commission.
171. These rules apply both to BIAS and other telecommunications services. The record
reflects strong support for consistency between privacy regimes for all telecommunications services, both
to reduce possible consumer confusion,
471
and to decrease compliance burdens for all affected
468
See, e.g., 47 U.S.C. §§ 551(c), 338(i)(4) (imposing on cable operators and satellite carriers, respectively,
requirements to obtain subscriber consent prior to disclosing personally identifiable information).
469
See supra note 341.
470
As discussed below, we do not consider a carrier’s sharing of customer PI with the carrier’s own agents to
constitute sharing with third parties that requires either opt-in or opt-out consent. See infra note 623.
471
See, e.g., Verizon Comments at 9 (“[H]aving to deal with different and even inconsistent privacy frameworks
will inevitably lead to consumer confusion and frustration.”); CTIA Comments at 96 (“The Commission likewise
should use data sensitivity and flexibility as its touchstones so that its rules. . . will meet consumer expectations,
avoid consumer confusion, and minimize other harms associated with disparate privacy regulation across the
(continued….)
Federal Communications Commission FCC 16-148
68
telecommunications carriers, particularly small providers.
472
Therefore, within the scope of our authority
over telecommunications carriers, we apply these rules to all BIAS providers and other
telecommunications carriers.
1. Applying a Sensitivity-Based Customer Choice Framework
172. Except as otherwise provided by law and subject to the congressionally-directed
exceptions discussed below, we adopt a customer choice framework that distinguishes between sensitive
and non-sensitive customer information. We adopt rules that require BIAS providers and other
telecommunications carriers to obtain a customer’s opt-in consent before using or sharing sensitive
customer PI.
473
We also adopt rules requiring carriers to, at a minimum, offer their customers the ability
to opt out of the use and sharing of non-sensitive customer information. Carriers may also choose to
obtain opt-in approval from their customers to use or share non-sensitive customer PI. To ensure that
consumers have effective privacy choices, we require carriers to provide their customers with a persistent,
easy-to-access mechanism to opt in to or opt out of their carriers’ use or sharing of customer PI.
173. In adopting a sensitivity-based framework, we move away from the purpose-based
frameworkin which the purpose for which the information will be used or shared determines the type of
customer approval requiredin the current rules and in the rules we proposed in the NPRM.
474
Having
sought comment on a sensitivity-based framework in the NPRM,
475
and having received substantial
support for it in the record, we find that incorporating a sensitivity element into our framework allows our
rules to be more properly calibrated to customer and business expectations. This approach is also
consistent with the framework recommended by the FTC in its comments and its 2012 staff report, and
(Continued from previous page)
ecosystem.”); CTIA Comments at 117 (agreeing “in principle that there may be significant advantages to
harmonizing regulations to create the right regulatory framework for voice, broadband, and cable services
including both the delivery of an improved and simplified customer experience, and the realization of saved
administrative costs.”); LGBT Technology Partnership Comments at 4 (“In this regard, we encourage the
Commission to adopt the FTC guidelines that protect date for all consumers and treats all companies equally thus
avoiding consumer confusion and conflicting regulations.”); Greenlining Institute Comments at 18 (“Commenters
believe that a uniform regime is not only easier for the carriers, easier of enforcement, and easier for customers to
understand, it is also consistent with the Open Internet Order in terms of law and policy.”); WISPA Comments at 16
(“A combined privacy policy would provide more clarity and less confusion to customers.”).
472
WTA & Nex-Tech Apr. 25, 2016 Ex Parte at 1 (urging the Commission to “harmonize definitions, procedures
and requirements in order to reduce the complexity of regulation of privacy and minimize the burdens on small
providers); Rural Wireless Association Comments at 7 (“RWA recommends that the Commission harmonize its
proposals with existing regulations regarding CPNI.”); WISPA Comments at 16-17 (“A combined privacy policy. . .
would reduce the administrative burdens and costs of developing and maintaining separate policies, especially for
small carriers that do not have sufficient resources.”); WTA Comments at 3 (“[T]he Commission should make
certain that its new broadband CPNI customer approval, security and notification rules correspond as much as
practicable to its existing rules for voice and cable television service.”); WTA Comments at 10 (“The Commission
should also harmonize customer solicitation and approval requirements for voice and broadband services.”).
473
We also require carriers to obtain customer opt-in consent for material retroactive uses of customer PI, as
discussed below. See infra para. 195.
474
Broadband Privacy NPRM, 31 FCC Rcd at 2543-46, paras. 122-30 (proposing to require opt-out consent for uses
of customer PI that were for the purpose of marketing communications-related services to customers, or for sharing
information with affiliates offering communications-related services for the purpose of marketing those
communications-related services to customers; and to require opt-in consent for all other purposes that require
consent).
475
Broadband Privacy NPRM, 31 FCC Rcd at 2548-49, para. 136 (seeking comment on a sensitivity-based
framework); see infra note 477.
Federal Communications Commission FCC 16-148
69
used by the FTC in its settlements.
476
We make this transition for both BIAS and other
telecommunications services because the record demonstrates that a sensitivity-based framework better
reflects customer expectations regarding how their privacy is handled by their communications carriers.
477
174. Some commenters argue that all customer information is sensitive, and that subjecting
only certain information to opt-in approval imposes an unnecessary burden on consumers who want to
protect the privacy of their information to opt-out.
478
While we appreciate that consumers are not
monolithic in their preferences, as discussed below, we think the rule we adopt today strikes the right
balance and gives consumers control over the use and sharing of their information. We decline to
conclude that all customer PI is sensitive by default, and instead identify specific types of sensitive
information, consistent with the FTC.
479
Other commenters express concern that drawing a distinction
between sensitive and non-sensitive information requires a broadband provider to analyze a customer’s
web browsing history and content to identify sensitive information, rendering the point of the distinction
moot.
480
Some commenters argue that carriers can use a system of whitelists to determine sensitive versus
non-sensitive web sites.
481
This argument mistakenly presumes that the sensitivity of a customer’s traffic
relies upon the type or contents of the sites visited, and not simply the fact of the customer having visited
them. However, this dispute and the concerns underlying it are themselves mooted by our decision to
treat content, browsing history, and application usage history as sensitive and subject to opt-in consent.
Thus, recognizing customer expectations and the comments reflecting them in the record, we adopt rules
that base the level of approval carriers must obtain from customers upon the sensitivity of the customer PI
at issue.
175. Adopting this choice framework implements the requirement in Section 222(c)(1) that
carriers, subject to certain exceptions, must obtain customer approval before using, sharing, or permitting
access to individually identifiable CPNI. Further, we find that except where a limitation or exception
discussed below applies, obtaining consent prior to using or sharing customer PI is a necessary
component of protecting the confidentiality of customer PI pursuant to Section 222(a). We also observe
that drawing distinctions that allow opt-out or opt-in approval is well-grounded in our Section 222
476
See FTC Staff Comments at 21-22 (citing 2012 FTC Privacy Report at 40, n.189). The Administration’s CPBR
similarly proposes that individuals’ control over the processing of their data be “in proportion to the privacy risk to
the individual and consistent with context.” 2015 Administration CPBR Discussion Draft §102(a).
477
See FTC Staff Comments at 21-22; Future of Privacy Forum Comments at 26 (citing the NAI and DAA
frameworks as drawing the sensitive/non-sensitive distinction); Future of Privacy Forum Reply at 8; Richard
Bennett Comments at 5; ICLE Comments at 18; CompTIA Comments at 7; Internet Commerce Coalition Comments
at 3; ACA Comments at 51-52; State Privacy & Security Coalition Comments at 5; CenturyLink Comments at 16,
28; Comcast Comments at 13; NCTA Comments at 3; WISPA Comments at 23; INCOMPAS Comments at 12; T-
Mobile Comments at 8, 29; AT&T Comments at 1, 96-97; ANA Comments at 18; FTC Commissioner Maureen
Ohlhausen (Ohlhausen) Comments at 1-2.
478
See National Consumers League Comments at 7 (“NCL views all information held by BIAS providers to be
sensitive and thus require the same, strict data security protections.”); Letter from Dallas Harris, Policy Fellow,
Public Knowledge, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 2 (filed May 9, 2016) (Public
Knowledge May 9, 2016 Ex Parte) (“[O]nly by treating all information as the most sensitive can the Commission
ensure that highly sensitive information will not be compromised.”).
479
See, e.g., OTI Oct. 13, 2016 Ex Parte at 3; Letter from Dallas Harris, Policy Fellow, Public Knowledge, to
Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 1 (filed Oct. 18, 2016).
480
See, e.g., Public Knowledge Comments at 24-26; Letter from Dallas Harris, Policy Fellow, Public Knowledge, to
Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 3 (filed July 26, 2016) (Public Knowledge July 26,
2016 Ex Parte); Paul Ohm Reply at 10-12; National Consumers League Comments at 2.
481
See, e.g., Future of Privacy Forum Reply at 8; see also Letter from Austin C. Schlick, Director, Communications
Law, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 1 (filed Oct. 3, 2016) (Google Oct. 3, 2016
Ex Parte).
Federal Communications Commission FCC 16-148
70
precedent and numerous other privacy statutes and regimes.
482
The Commission has long held that
allowing a customer to grant partial use of CPNI is consistent with one of the underlying principles of
Section 222: to ensure that customers maintain control over their own information.
483
176. Below, we explain the framework and its application. First, we define the scope of
sensitive customer PI and explain our reasons for requiring opt-in consent to use or share sensitive
customer PI. Consistent with FTC enforcement work and best practices guidance, we also require
telecommunications carriers that seek to make retroactive material changes to their privacy policies to
obtain opt-in consent from customers. Next, we discuss our reasons for allowing carriers to use and share
non-sensitive customer PI subject to opt-out approval.
a. Approval Requirements for the Use and Sharing of Sensitive
Customer PI
(i) Defining Sensitive Customer PI
177. For purposes of the sensitivity-based customer choice framework we adopt today, we
find that sensitive customer PI includes, at a minimum, financial information; health information; Social
Security numbers; precise geo-location information; information pertaining to children; content of
communications; call detail information; and a customer’s web browsing history, application usage
history, and their functional equivalents. Although a carrier can be in compliance with our rules by
providing customers with the opportunity to opt in to the use and sharing of these specifically identified
categories of information, we encourage each carrier to consider whether it collects, uses, and shares other
types of information that would be considered sensitive by some or all of its customers, and subject the
use or sharing of that information to opt-in consent.
178. In identifying these categories as sensitive and subject to opt-in approval, we draw on the
record and consider the context, which is the customer’s relationship with his broadband or other
telecommunications provider. The record demonstrates strong support for designating these specific
categories of information as sensitive: health information,
484
financial information,
485
precise geo-location
information,
486
children’s information,
487
and Social Security numbers. The FTC explicitly regards these
482
See, e.g., NCTA v. FCC, 555 F.3d 996 (D.C. Cir. 2009) (upholding the Commission’s CPNI framework which
required opt-in approval for certain uses and opt-out for others); 45 CFR §§ 164.508, 164.510 (HIPAA rule)
(requiring opt-in approval for certain uses, and allowing opt-out approval (i.e., “opportunity for the individual to
agree or to object”) for others); COPPA, 15 U.S.C. § 6502 (requiring opt-in consent for most uses of children’s
information, but permitting certain uses with disclosures).
483
See 1998 CPNI Order, 13 FCC Rcd at 8152, para. 118 (observing that “Section 222(c)(1) is silent on the issue of
whether a customer may grant a carrier partial use or access to CPNI outside the scope of Section 222(c)(1)” and
concluding that “[a] customer could grant approval for partial use, for example, by limiting the uses made of CPNI,
the time period within which approval remains valid, and the types of information that may be used”) (emphasis
added).
484
See, e.g., Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936
(1996) (HIPAA); see also FTC Staff Comments at 21.
485
See, e.g., Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999) (GLBA); see also FTC Staff
Comments at 21. See also infra note 791.
486
See, e.g., FTC Staff Comments at 21.
487
See, e.g., Children’s Online Privacy Protection Act, Pub. L. No. 105-277, 112 Stat. 2681-728 (1998) (COPPA);
Common Sense Kids Action Comments at 2-3; Letter from Ariel Fox Johnson, Senior Policy Counsel, Privacy and
Consumer Affairs, Common Sense Kids Action, to Tom Wheeler, Chairman, FCC, WC Docket No. 16-106, at 2
(filed Oct. 5, 2016) (Common Sense Kids Action Oct. 5, 2016 Ex Parte) (“Children’s information, all of it, is
sensitive. This is why the FTC’s COPPA Rule protects a wide swathe of children’s informationnot just their
social security numbers.”); FTC Staff Comments at 21.
Federal Communications Commission FCC 16-148
71
categories of information as sensitive, as well.
488
Despite some commenters’ assertions to the contrary,
489
the FTC does not claim to define the outer bounds of sensitive information with this list.
490
For example,
in its 2009 Staff Report on online behavioral advertising and in its comments to this proceeding, the FTC
clearly indicated that its list was non-exhaustive.
491
Furthermore, Commission precedent and consumer
expectations demonstrate strong support for certain additional categories of sensitive information. For
instance, the Commission has also afforded enhanced protection to call detail information for voice
services.
492
Consumer research also supports identifying several types of information as sensitive: the
2016 Pew study, noted by a number of commenters in the record, found that large majorities of
Americans considered Social Security numbers, health information, communications content (including
phone conversations, email, and texts), physical locations over time, phone numbers called or texted, and
web history to be sensitive.
493
Each of these categories has a clear and well attested case in the record and
in federal law for being considered sensitive.
494
179. Consistent with the FTC and the record, we conclude that precise geo-location
information is sensitive customer PI.
495
Congress specifically amended Section 222 to protect the privacy
488
FTC Staff Comments at 19-20.
489
See, e.g., Letter from Michelle R. Rosenthal, Senior Corporate Counsel, T-Mobile, to Marlene H. Dortch,
Secretary, FCC, WC Docket No. 16-106, at 1-2 (filed Oct. 14, 2016) (T-Mobile Oct. 14, 2016 Ex Parte) (asking the
Commission to “consider narrowing the scope of sensitive CPNI to the five FTC categories”); Letter from James
J.R. Talbot, Executive Director Senior Legal Counsel, AT&T, to Marlene H. Dortch, Secretary, FCC, WC Docket
No. 16-106, at 3 (filed Oct. 17, 2016) (AT&T Oct. 17, 2016 Ex Parte) (claiming that the FTC considers information
sensitive only if it is content or “falls within the traditional categories of sensitive data”); Advertisers Oct 10, 2016
Ex Parte at 3-4 (suggesting that FTC has “long held that ‘sensitive data’ encompasses a limited set of data types”);
Letter from Sydney M. White, Counsel to Internet Commerce Coalition, to Marlene H. Dortch, Secretary, FCC, WC
Docket No. 16-106, at 2 (filed Oct. 18, 2016) (ICC Oct. 18, 2016 Ex Parte).
490
FTC 2012 Privacy Report at 58-60 (observing general consensus that five categories were sensitive).
491
See FTC, Self-Regulatory Principles for Online Behavioral Advertising: Behavioral Advertising Tracking,
Targeting, & Technology (2009) 12 (setting out the principle that “companies should obtain affirmative express
consent before they use sensitive datafor example, data about children, health, or financesfor behavioral
advertising” (emphasis added)); FTC Staff Comments at 19-20 (supporting opt-in “for sensitive information that
could be collected by BIAS providers, including: (1) content of communications and (2) Social Security numbers or
health, financial, children’s or precise geolocation data” (emphasis added)).
492
See 2007 CPNI Order, 22 FCC Rcd at 6936, para. 13 (finding that “the release of call detail over the telephone
presents an immediate risk to privacy” and imposing restrictions on its release); id. at 6936, n.45 (explaining that
“‘call detail’ or ‘call records’ includes any information that pertain to the transmission of specific telephone calls
including, for outbound calls, the number called, and the time, location, or duration of any call and, for in inbound
calls, the number from which the call was placed, and the time, location, or duration of any call”; and finding that “a
narrower definition that included only inbound or outbound telephone numbers would make it too easy for
unauthorized persons with partial information to confirm and expand on that information”).
493
See Consumer Watchdog Comments at 2-3; Lee Rainie, The State of Privacy in post-Snowden America, Pew
Research Center (Sept. 21, 2016) at http://www.pewresearch.org/fact-tank/2016/01/20/the-state-of-privacy-in-
america/ft_16-01-20_ssnumbers-1/.
494
See CTIA Comments at 96-97; Comcast Comments at 18; ANA Comments at 12; Electronic Transactions
Association Comments at 13; Future of Privacy Forum Comments at 27; NCTA Comments at 44.
495
See Letter from Maria L. Kirby, AVP Regulatory Affairs & Assoc. General Counsel, CTIA, to Marlene H.
Dortch, Secretary, FCC, WC Docket No. 16-106, at 2 (filed Oct. 18, 2016); Letter from Michelle R. Rosenthal,
Senior Corporate Counsel, Government Affairs, Federal Regulatory, T-Mobile, to Marlene H. Dortch, Secretary,
FCC, WC Docket No. 16-106, at 1, n.1 (filed Oct. 19, 2016); see also, e.g., 2012 FTC Report at 58-60; FTC Staff
Comments at 19-20; CTIA Comments at 96-97; DMA Comments at 10-11; ANA Comments at 12; CCA Reply at
19-22; Verizon Reply at 21-22; Letter from Melissa Newman, Vice President-Federal Regulatory Affairs,
CenturyLink, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 5 (filed Sept. 13, 2016); Letter from
(continued….)
Federal Communications Commission FCC 16-148
72
of wireless location information as the privacy impacts of it became clear.
496
Real-time and historical
tracking of precise geo-location is both sensitive and valuable for marketing purposes due to the granular
detail it can reveal about an individual. Such data can expose “a precise, comprehensive record of a
person’s public movements that reflects a wealth of detail about her familial, political, professional,
religious, and sexual associations.”
497
In some cases, a BIAS provider can even pinpoint in which part of
a store a customer is browsing.
498
The FTC has found that precise geo-location data “includ[es] but [is]
not limited to GPS-based, WiFi-based, or cell-based location information.”
499
180. The record also reflects the historical and widely-held tenet that the content of
communications is particularly sensitive.
500
Like financial and health information, Congress recognized
communications as being so critical that their content, information about them, and even the fact that they
have occurred, are all worthy of privacy protections.
501
This finding is strongly supported by the record,
and consistent with FTC guidance.
502
As the FTC explains, “content data can be highly personalized and
granular, allowing analyses that would not be possible with less rich data sets.”
503
We therefore concur
with the large number of commenters who assert that content must be protected
504
and agree with Access
Now in finding that “the use or sharing . . . of the content of user communications is a clear violation of
the right to privacy.”
505
As such, we consider communications contents to be sensitive information.
506
181. We also add to the list of sensitive customer PI a customer’s web browsing and
application usage history, and their functional equivalents. A customer’s web browsing and application
(Continued from previous page)
Francis M. Buono, Sr. Vice President, Legal Regulatory Affairs & Sr. Dep. General Counsel, Comcast Corp., to
Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 1 (filed Aug. 2, 2016); Future of Privacy Forum
Comments at 22-23.
496
See Wireless Communications and Public Safety Act of 1999, Pub. L. No. 106-81, 113 Stat. 1286 (1999).
497
United States v. Jones, 132 S. Ct. 945, 955 (2012) (Sotomayor, J., concurring). Accord CDT Comments at 14;
EFF Comments at 3-4.
498
See Riley v. California, 134 S.Ct. 2473, 2490 (2014) (“Historic location information is a standard feature on
many smart phones and can reconstruct someone’s specific movements down to the minute, not only around town
but also within a particular building.”); CDD Comments at 14.
499
Goldenshores Technologies, LLC, Decision and Order, F.T.C. Docket No. C-4446, at 3 (March 31, 2014).
Accord Snapchat, Inc., Decision and Order, F.T.C. Docket No. C-4501, at 2 (Dec. 31, 2014); Designware, LLC,
Decision and Order, F.T.C. Docket No. C-4390, at 3 (April 11, 2013). As noted above in paragraph 66, we do not
draw distinctions between technologies used to determine precise geo-location. We make clear, however, that we do
not consider a customer’s postal or billing address to be sensitive precise geo-location information, but rather to be
non-sensitive customer PI when used in context as customer contact information.
500
AAJ Comments at 8; ACLU Comments at 7-8; EFF Comments at 5; FTC Staff Comments at 21; OTI
Comments at 23; Public Knowledge White Paper at 59; CCA Reply at 19.
501
See, e.g., 47 U.S.C. § 605; 18 U.S.C. § 2510 et seq.; 18 U.S.C. § 2701 et seq.; 18 U.S.C. § 3121 et seq.
502
FTC Staff Comments at 20-21; see also supra note 500.
503
FTC Staff Comments at 20.
504
See supra note 500.
505
Access Now Comments at 6.
506
Designating content as sensitive customer PI will not, despite NCTA’s concerns, require a carrier to obtain
additional customer approval to accept or respond to communications with its customers. See infra para. 215; see
also Letter from Loretta Polk, Vice President and Associate General Counsel, NCTA, to Marlene H. Dortch,
Secretary, FCC, WC Docket No. 16-106, at 2 (filed Oct. 18, 2016).
Federal Communications Commission FCC 16-148
73
usage history frequently reveal the contents of her communications,
507
but also constitute sensitive
information on their own
508
particularly considering the comprehensiveness of collection that a BIAS
provider can enjoy and the particular context of the BIAS provider’s relationship with the subscriber. The
Commission has long considered call detail information sensitive, regardless of whether a customer called
a restaurant, a family member, a bank, or a hospital. The confidentiality of that information, and its
sensitivity, do not rely upon what category of entity the customer is calling. The same is true of a
customer’s web browsing and application usage histories.
509
We therefore decline to define a subset of
non-sensitive web browsing and application usage history, as a number of commenters urge.
510
182. Web browsing and application usage history, and their functional equivalents are also
sensitive within the particular context of the relationship between the customer and the BIAS provider, in
which the BIAS provider is the on-ramp to the Internet for the subscriber and thus sees all domains and IP
addresses the subscriber visits or apps he or she uses while using BIAS. This is a different role than even
the large online ad networks occupythey may see many sites a subscriber visits, but rarely see all of
them.
511
The notion is that before a BIAS provider tracks the websites or other destinations its customer
visits the customer should have the right to decide upfront if he or she is comfortable with that tracking
for the purposes disclosed by the provider.
183. As EFF explains, BIAS providers can acquire a lot of information “about a customer’s
beliefs and preferencesand likely future activitiesfrom Web browsing history or Internet usage
history, especially if combined with port information, application headers, and related information about a
customer’s usage or devices.”
512
For instance, a user’s browsing history can provide a record of her
507
See, e.g., Paul Ohm Testimony at 4-5 (explaining that a list of websites visited reveals a customer’s reading
history); Upturn Comments at 3-4 (explaining that web addresses can reveal web page content); OTI White Paper at
3-5. Some commenters raise the issue of cases drawing distinctions between “content” and “metadata” in the
context of ECPA as standing for the proposition that all non-content data is non-sensitive. See, e.g., Letter from
Sydney M. White, Counsel to the Internet Commerce Coalition, to Marlene H. Dortch, Secretary, FCC, WC Docket
No. 16-106, at 2 (filed Oct. 13, 2016) (ICC Oct. 13, 2016 Ex Parte). We disagree. While the text of ECPA requires
a court to make determinations of what is and is not “content” of communications to determine that statute’s
applicability, neither the statute nor the case law interpreting it suggests that information other than content cannot
be considered sensitive under the Communications Act.
508
See, e.g., Letter from Dallas Harris, Policy Fellow, Public Knowledge to Marlene H. Dortch, Secretary, FCC,
WC Docket No. 16-106, at 1-2 (filed Oct. 21, 2016) (Public Knowledge Oct. 21, 2016 Ex Parte) (noting that the
confidentiality of communications is not limited to their content in Sections 222 and 705).
509
See, e.g., Letter from Gaurav Laroia, Policy Counsel, Free Press, to Marlene H. Dortch, Secretary, FCC, WC
Docket No. 16-106, at 3 (filed Oct. 7, 2016).
510
See, e.g., AT&T Oct. 17, 2016 Ex Parte at 3; Google Oct. 3, 2016 Ex Parte at 1.
511
See, e.g., OTI White Paper at 3-5 (explaining that “[b]ecause of their special role handling all of a user’s Internet
traffic, ISPs have a uniquely detailed and comprehensive perspective on the activities of their subscribers.”); Upturn
White Paper at 6 (explaining that, even with encryption, “ISPs can still almost always see the domain names that
their subscribers visit.”); CDT Reply at 21 (“[A] BIAS provider’s access to a consumer’s data is unique because the
BIAS provider serves as the gatekeeper between the consumer and the internet and the shepherd of the consumer’s
data across the internet . . . [A] BIAS provider [in the case of location information] will always have some form of
location data for the consumer with the phone. . .simply because the BIAS provider cannot serve a phone that it
cannot find.”); Public Knowledge White Paper at 45 (arguing that “[b]roadband providers uniquely enjoy a
confluence of both a total view into subscribers’ Internet access habits on the one hand, and knowledge of physical
information about the subscribers such as home address and financial information on the other.”); Online Trust
Alliance Comments at 1.
512
EFF Comments at 4. See also 18MillionRising.Org Petition and Comments at 1 (“The tracking and cataloguing
of consumers’ online habits are especially harmful to marginalized communities, for whom information regarding
immigration status, mental health, race, and religion can be particularly sensitive.”); Julie Brill, Comm’r, Fed. Trade
Comm’n, Net Neutrality and Privacy: Challenges and Opportunities, Keynote Address at Georgetown Institute for
(continued….)
Federal Communications Commission FCC 16-148
74
reading habitswell-established as sensitive information
513
as well as information about her video
viewing habits,
514
or who she communicates with via email, instant messaging, social media, and video
and voice tools. Furthermore, the domain names and IP addresses may contain potentially detailed
information about the type, form, and content of a communication between a user and a website. In some
cases, this can be extremely revealing: for instance, query strings within a URL may include the contents
of a user’s search query, the contents of a web form, or other information.
515
Browsing history can easily
lead to divulging other sensitive information, such as when and with what entities she maintains financial
or medical accounts, her political beliefs, or attributes like gender, age, race, income range, and
employment status.
516
More detailed analysis of browsing history can more precisely determine detailed
information, including a customer’s financial status, familial status, race, religion, political leanings, age,
and location.
517
The wealth of information revealed by a customer’s browsing history indicates that it,
even apart from communications content, deserves the fullest privacy protection.
518
184. Web browsing, however, is only one form of sensitive information about a customer’s
online activities.
519
The use of other applications besides web browsers also provides a significant amount
(Continued from previous page)
Public Representation and Center for Privacy and Technology Symposium on Privacy and Net Neutrality at 6 (Nov.
19, 2015), available at https://www.ftc.gov/publicstatements/2015/11/net-neutrality-privacy-challenges-
opportunities (“Even if an ISP just looks at the IP addresses to which you connect and the time at which connections
occur, it can get an intimate portrait of your interests, daily rhythms, habitsas well as those of all members of your
household.”).
513
See Paul Ohm Testimony at 4-5; see also Paul Ohm July 28, 2016 Ex Parte at 4-5; Future of Privacy Forum
Reply at 6-7 (explaining that “sensitive data would include the content of detailed browsing histories”); Consumer
Watchdog Comments at 2-3; Tattered Cover, Inc. v. City of Thornton, 44 P.3d 1044 (Colo. Sup. Ct. 2002) (en banc)
(protecting privacy in book purchases).
514
The cable and satellite privacy provisions of the Act were created in significant part to protect the privacy of
video viewing habits. See H.R. Rep. No. 934, 98th Cong., 2d Sess. 29 (1984) (“Subscriber records from interactive
systems can reveal details about bank transactions, shopping habits, political contributions, viewing habits and other
significant personal decisions”); 47 U.S.C. § 551; 47 U.S.C. § 338(i). Video rental records have also been
recognized by Congress as worthy of particular privacy protection. VPPA, 18 U.S.C. § 2710 et seq. As such, we
disagree with Google’s assertions that web browsing has not traditionally been considered sensitive information.
Google Oct. 3, 2016 Ex Parte at 1 (drawing a distinction between medical records and shopping habits).
515
See, e.g., Andrew G. West & Adam J. Aviv, On the Privacy Concerns of URL Query Strings, 2014 Proc. of the
8th Workshop on Wed 2.0 Sec. and Privacy, available at
http://w2spconf.com/2014/papers/privacy_query_strings.pdf; Reisman and Narayanan June 17, 2016 Ex Parte at 22-
24 (customer names and other PII included in some URLs); see also Peter Swire Working Paper at 9 (noting that
encryption can block access to detailed URLs, which “can reveal granular details of a user’s search or other online
activities”).
516
See, e.g., OTI White Paper at 5.
517
See OTI Oct. 13, 2016 Ex Parte at 7-9; Letter from Brandi Collins, Director of Campaigns: Economic,
Environmental, & Media Justice Departments, Color of Change, to Tom Wheeler, Chairman, FCC, WC Docket No.
16-106 (filed Oct. 20, 2016) (Color of Change Oct. 20, 2016 Ex Parte); Letter from Laura M. Moy & Eric. G. Null,
New America’s Open Technology Institute, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 2
(filed Sept. 12, 2016); Letter from Brandi Collins, Director of Campaigns: Economic, Environmental & Media
Justice Departments, Color of Change, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106 at 2-3 (filed
Oct. 3, 2016) (Color of Change Oct. 3, 2016 Ex Parte).
518
See, e.g., Public Knowledge White Paper at 47 (“The IP address of the service being accessed can indicate much
information about the subscriber based on the nature of the service: a household with children, for example, is likely
to visit Disney’s website; a domestic violence victim far more likely to be accessing helpline information.”).
519
See, e.g., Feamster ISP Data Use Comments at 5 (“A user’s DNS lookups can reveal activity patterns, the website
that a user is visiting, and (due to website fingerprinting attacks) possibly even the web pages that a user visits. . . .
This concern is likely to grow as consumers increasingly deploy [Internet of Things devices] in their homes, as the
(continued….)
Federal Communications Commission FCC 16-148
75
of insight into a user’s behavior. Any of the information transmitted to and from a customer via a
browser can just as easily be transmitted via a company-specific or use-specific application. Whether on
a mobile device or a desktop computer, the user’s newsreader application will give indications of what he
is reading, when, and how; an online video player’s use will transmit information about the videos he is
watching in addition to the video contents themselves; an email, video chat, or over-the-top voice
application will transmit and receive not only the messages themselves, but the names and contact
information of his various friends, family, colleagues, and others; a banking or insurance company
application will convey information about his health or finances; even the mere existence of those
applications will indicate who he does business with. A customer using ride-hailing applications, dating
applications, and even games will reveal information about his personal life merely through the fact that
he uses those apps, even before the information they contain (his location, his profile, his lifestyle) is
viewed.
520
185. Considering the particular visibility of this information to telecommunications carriers,
we therefore find that web browsing history and application usage history, and their functional
equivalents, are sensitive customer PI.
521
Web browsing history and application usage history includes
information from network traffic related to web browsing or other applications (including the application
layer of such traffic), and information from network traffic indicating the website or party with which the
consumer is communicating (e.g., their domains and IP addresses). We include their functional
equivalents to ensure that the privacy of customers’ online activities (today most frequently encompassed
by browsing and application usage history) will be protected regardless of the specific technology or
architecture used. We expect this to be particularly significant as the Internet of Things continues to
develop. While a customer may expect that the people and businesses she interacts with will know some
things about herher bookstore will know what she’s bought by virtue of having sold it to herthis is
distinct from having her voice or broadband provider extract that information from her communications
paths and therefore knowing every store she has visited and everything she has purchased.
522
Furthermore, as mentioned above, a carrier not only has the technical ability to access the information
about the customer’s calls to the bookstore or visits to its website; it could also, unlike the store, associate
that information with the customer’s other communications.
523
Edge providers, even those that operate ad
networks, simply do not have sufficient access to an individual to put together such a comprehensive view
of a consumer’s online behavior. And, to the extent a customer wants to prevent edge providers from
collecting information about her, she can adopt a number of readily available privacy-enhancing
technologies.
524
While the knowledge of any one fact from a customer’s online history (the use of an
online app) may be known to several parties (including the BIAS provider, the app itself, the server of an
in-app advertisement),
525
the BIAS provider has the technical ability to access the most complete and most
unavoidable picture of that history. We therefore disagree with commenters who believe that browsing
history or application usage are not sensitive in the context of the customer/BIAS provider relationship.
526
(Continued from previous page)
DNS and IPFIX traffic from these devices may reveal an increasing amount of information about user behavior and
activity.”) (emphasis in original).
520
See, e.g., OTI Oct. 13. 2016 Ex Parte at 8-9.
521
We do not take a position on how sensitive this information would be in other contexts, or what levels of
customer approval would be appropriate in those circumstances.
522
See, e.g., 2012 FTC Privacy Report at 56; CDT Reply at 10; OTI Comments at 3-9; McDonald Reply at 6-7.
523
See supra note 511.
524
See, e.g., Reisman and Narayanan June 17, 2016 Ex Parte at 34-35.
525
See, e.g., Comcast Comments at 26-27.
526
See, e.g., James Cooper Comments at 3 (noting that “it is clear that certain data (e.g. social security and credit
card numbers, bank account information, drivers’ license numbers, insurance information) may raise the risk of
(continued….)
Federal Communications Commission FCC 16-148
76
186. Also, contrary to some commenters’ arguments, the existence of encryption on websites
or even in apps does not remove browsing history from the scope of sensitive information. As noted
above,
527
encryption is far from fully deployed;
528
the volume of encrypted data does not represent a
meaningful measure or privacy protection;
529
and carriers have access to a large and broad amount of user
data even when traffic is encrypted, including, frequently, the domains and IP addresses that a customer
has visited.
530
Comcast argues that because BIAS providers are limited to this information, they have less
access to information overall.
531
While the record indicates that BIAS providers have a less granular view
of encrypted web traffic than unencrypted, it does not change the breadth of the carrier’s view or the fact
that it acquires this information by virtue of its privileged position as the customer’s conduit to the
internet. Nor does it change the fact that this still constitutes a record of the customer’s online behavior,
which, as noted above, can reveal details of a customer’s life even at the domain level.
187. In deciding to treat broadband customers’ web browsing history, application history, and
their functional equivalents as sensitive information, we agree with commenters, including technical
experts, who explain that attempting to neatly parse customer data flowing through a network connection
into sensitive and non-sensitive categories is a fundamentally fraught exercise.
532
As a number of
commenters have noted, a network provider is ill-situated to reliably evaluate the cause and meaning of a
customer’s network usage.
533
We therefore disagree with the suggestion made by some commenters that
web browsing is not sensitive, because providers have established methods of sorting data which do not
require them to “manually inspect” the contents of packets.
534
(Continued from previous page)
new- or existing-identity theft, and geolocation data may increase safety risks from stalking. Less clear, however, is
the theory by which data, such as browsing histories, shopping records, MAC address, and application usage
statistics, threaten privacy.”).
527
See supra para 34.
528
See, e.g., Reisman and Narayanan June 17, 2016 Ex Parte at 17-19; Upturn White Paper at 3-6; McDonald Reply
at 4-5.
529
See, e.g., Upturn White Paper at 3-5. Comcast notes that few dispute on the record that a growing volume of
traffic is encrypted. Comcast Reply at 38. However, the volume of encrypted data is not indicative of how much
customer privacy is protected. For instance, a very small amount of browsing information can reveal that a
customer is visiting a site devoted to a particular disease, while many times that data, unencrypted, would only
reveal that the user had streamed a particular video. See Reisman and Narayanan June 17, 2016 Ex Parte at 10-16.
530
Upturn White Paper at 6-9; Reisman and Narayanan June 17, 2016 Ex Parte at 26; SIIA Comments 3
(“Broadband service providers are unique in their ability to see the domains that their subscribers visit, even in cases
where a web site uses encryption. Recent technical analysis has noted that ‘[b]ecause the user’s computer is
assigned by default to use the ISP’s DNS server, the ISP is generally capable of retaining and analyzing records of
the queries, which the users themselves send to the ISP in the normal course of their browsing.’”); Consumer Action
Comments at 1; Consumer Watchdog Comments at 4; Internet Association Reply at 7.
531
Comcast Reply at 38.
532
See, e.g., Narayanan and Reisman Reply at 3-4 (explaining that it is “technically infeasible” for ISPs to determine
the sensitivity of Internet traffic); Upturn White Paper at 6-9 (describing how DNS information and encrypted
network traffic can be highly revealing); EFF Comments at 5-6 (arguing that BIAS providers should not be able to
“identify or inspect” network information “in order to determine whether it falls into a ‘sensitive’ category”); see
also Common Sense Kids Action Oct. 5, 2016 Ex Parte at 1 (observing that privacy protections for children under
COPPA extend to “how a child moves across different sites and services over time”).
533
See, e.g., Public Knowledge Comments at 24-26; Public Knowledge July 26, 2016 Ex Parte at 3; Paul Ohm
Reply at 10-12; National Consumers League Comments at 2.
534
See, e.g., Future of Privacy Forum Reply at 8 (suggesting that providers could “scan” or “categorize” network
information into sensitive and non-sensitive categories).
Federal Communications Commission FCC 16-148
77
188. This remains true even when providers do not attempt to classify customers’ browsing
and application usage as they use BIAS, but instead employ blacklists or whitelists of sensitive or non-
sensitive sites and applications.
535
Although commenters cite various industry attempts to categorize
consumer interests, and identify the sensitive categories among those, the definitions vary significantly
between them.
536
Even within one set of classifications, the lines between what is and is not considered
sensitive information can be difficult to determine. For instance, as Common Sense Kids Action points
out, determining when browsing information belongs to a child, teen, or adult customer or user would
require more than knowing the user’s online destination.
537
Further, as OTI notes, something that is non-
sensitive to a majority of people may nevertheless be sensitive to a minority, which may have the
unintended consequence of disparately impacting the privacy rights of racial and ethnic minorities and
other protected classes.
538
By treating all web browsing data as sensitive, we give broadband customers
the right to opt in to the use and sharing of that information, while relieving providers of the obligation to
evaluate the sensitivity and be the arbiter of any given piece of information.
189. We also observe that treating web browsing and application usage history as sensitive in
the context of the BIAS/customer relationship is consistent with industry norms among BIAS providers.
Until recently, for example, to participate in AT&T’s GigaPower Premium Offer (i.e., to receive the fixed
broadband service GigaPower at a lower cost), customers had to opt in to AT&T Internet Preferences.
Under AT&T’s Internet Preferences, “you agree to share with us your individual browsing, like the search
terms you enter and the webpages you visit, so we can tailor ads and offers to your interests.
539
AT&T
explained that “AT&T Internet Preferences works independently of your browser's privacy settings
regarding cookies, do-not-track and private browsing” and that “[i]f you opt-in to AT&T Internet
Preferences, AT&T will still be able to collect and use your Web browsing information independent of
those settings.
540
In short, AT&T appears to have tracked web browsing history only pursuant to
customer opt-in. Similarly, participation in Verizon’s Verizon Selects program is on an opt-in basis.
That opt-in program uses web browsing and application usage data, along with location, to develop
marketing information about its customers.
541
535
See, e.g., ICC Oct. 18. 2016 Ex Parte at 3; Letter from Christopher L. Shipley, Attorney & Policy Advisor,
INCOMPAS, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 2 (filed Oct. 18, 2016); Advertisers
Oct. 19, 2016 Ex Parte at 2.
536
See Ohm Reply at 11-12 (noting that “[a]dvertisers can definitely target ads to people suffering from a particular
disability on DAA platforms, definitely not on Facebook, and probably not on Google or NAI. Genomic
information is only prohibited within the NAI definition [of sensitive information], arguably within Googles, and
likely not Facebook’s or DAA’s. Ads targeted to symptoms might be barred by Google and maybe NAI, but
probably not by Facebook or DAA.”)
537
Common Sense Kids Action Oct. 5, 2016 Ex Parte at 2.
538
See, e.g., OTI Oct. 13, 2016 Ex Parte at 2; Letter from Laura M. Moy & Eric. G. Null, New America’s Open
Technology Institute, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 2 (filed Sept. 12, 2016);
Letter from 38 Public Interest Organizations to Chairman Tom Wheeler, Sept. 7, 2016, at 3-4; Letter from Brandi
Collins, Director of Campaigns: Economic, Environmental & Media Justice Departments, Color of Change, to
Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106 at 2-3 (filed Oct. 3, 2016) (Color of Change Oct. 3,
2016 Ex Parte).
539
AT&T, U-verse With AT&T Gigapower, https://www.att.com/esupport/article.html#!/u-verse-high-speed-
internet/KM1011211 (last visited Sept. 13, 2016).
540
Id.
541
Torod Neptune, Verizon Wireless, How Verizon Selects from Verizon Wireless Works, Dec. 3, 2012,
http://www.verizonwireless.com/news/article/2012/12/verizon-selects.html (“Verizon Selects will use location, web
browsing and mobile application usage data, as well as other information including customer demographic and
interest data, to create specific insights.”); Verizon Wireless, Verizon Selects FAQs,
http://www.verizonwireless.com/support/verizon-selects-faqs/ (last visited Oct. 5, 2016) (“Verizon Selects uses . .
(continued….)
Federal Communications Commission FCC 16-148
78
190. We disagree with the assertions made by a number of advertising trade associations that
web browsing history should not be considered sensitive customer PI because courts have “found that the
advertising use of web browsing histories tied to device information does not harm or injure
consumers.”
542
We find this to be inapposite to the task we confront in applying Section 222 of the Act.
These cases deal with a factually different, and significantly narrower, scenarios than we address through
web browsing history in this Order.
543
191. We recognize that there are other types of information that a carrier could add to the list
of sensitive information, for example information that identifies customers as belonging to one or more of
the protected classes recognized under federal civil rights laws. Commenters also describe as sensitive
other forms of governmental identification,
544
biometric identifiers,
545
and electronic signatures.
546
Other
privacy frameworks, both governmental and commercial, identify other types of information as
particularly sensitive, such as race, religion, political beliefs, criminal history, union membership, genetic
data, and sexual habits or sexual orientation.
547
Most of these categories already overlap with our
established categories, or the use or sharing of such information would be subject to opt-in requirements
pursuant to the requirement to obtain opt-in consent for the use and sharing of content and web browsing
and application usage history. Moreover, as explained above, carriers are welcome to give their
customers the opportunity to provide opt-in approval for the use and sharing of additional types of
information. However, we recognize that as technologies and business practices evolve, the nature of
what information is and is not sensitive may change,
548
and as customer expectations or the public interest
may require us to refine the categories of sensitive customer PI, we will do so.
(Continued from previous page)
.[i]nformation about your wireless device including websites you visit, apps and features you use, and device and
advertising identifiers . . .”). We provide these examples only to demonstrate that BIAS providers already treat web
browsing and application usage history as sensitive and as subject to opt-in consent, and we do not mean to suggest
that these existing or past programs are reasonable or consistent with the rules and standards we discuss in this
Order.
542
Advertisers Oct. 10, 2016 Ex Parte at 4.
543
For instance, in both cases, the courts found that plaintiffs had failed to allege that they had suffered “loss” as that
term is narrowly defined under the Computer Fraud and Abuse Act. Mount v. PulsePoint, Inc., No. 13 Civ. 6592
(S.D.N.Y. Aug. 17, 2016), 2016 WL 5080131 at *7-8; LaCourt v. Specific Media, Inc., No. SACV 10-1256 (C.D.
Cal. April 28, 2011), 2011 WL 1661532 at *6. We do not adopt the CFAA’s definitions of “damage” or “loss” for
the purposes of this Order.
544
WISPA Comments at 21; Electronic Transactions Association at 13.
545
Paul Vixie Comments at 29; CDT Comments at 8.
546
CDT Comments at 8.
547
See, e.g., EU General Data Protection Regulation, Article 9, Processing of Special Categories of Personal Data;
Google, Sensitive Categories, http://www.google.com/policies/privacy/key-terms/#toc-terms-sensitive-categories;
Google, Sensitive Personal Information, http://www.google.com/policies/privacy/key-terms/#toc-terms-sensitive-
info; Facebook, Restricted information for Lead Ads, https://www.facebook.com/policies/ads/#lead_ads.
548
For instance, some commenters have suggested that information considered non-sensitive at one point might
reveal through later analysis information about protected classes. See, e.g., Color of Change Oct. 3, 2016 Ex Parte
at 2-3 (“[I]nformation drawn from the non-sensitive data can easily become proxy for protected class and sensitive
information”).
Federal Communications Commission FCC 16-148
79
(ii) Opt-In Approval Required for Use and Sharing of Sensitive
Customer PI and Retroactive Material Changes in Use of
Customer PI
192. As the FTC recognizes, “the more sensitive the data, the more consumers expect it to be
protected and the less they expect it to be used and shared without their consent.”
549
We therefore require
BIAS providers and other telecommunications carriers to obtain a customer’s opt-in consent before using,
disclosing, or permitting access to his or her sensitive customer PI, except as otherwise required by law
and subject to the other exceptions outlined in Part III.D.2.
193. Consistent with the Commission’s existing CPNI rules and wider precedent,
550
opt-in
approval requires that the carrier obtain affirmative, express consent from the customer for the requested
use, disclosure, or access to the customer PI. Because Section 222(a) requires protection of the
confidentiality of all customer PI, we include all types of sensitive customer PI, and not just sensitive,
individually identifiable CPNI, within the definition of opt-in approval.
551
The broad support in the
record for protecting sensitive information nearly unanimously argues that use and sharing of sensitive
customer information be subject to customer opt-in approval.
552
The record demonstrates that customers
expect that their sensitive information will not be shared without their affirmative consent, and sensitive
information, being more likely to lead to more serious customer harm, requires additional protection.
553
For instance, the FTC recognizes that consumer expectations drive increased protections for sensitive
information.
554
We find that requiring opt-in approval for the use and sharing of sensitive customer PI
reasonably balances burdens between carriers and their customers. If a carrier’s uses or sharing of
customers’ sensitive personal information benefits those customers,
555
the customer has every incentive to
make that choice, and the carrier has every incentive to make the benefits of that choice clear to the
customer.
556
We anticipate that this will increase the amount of clear and informative information that
customers will have about the costs and benefits of participation in these programs. Carriers’ incentives
to encourage customer opt-in will likely be tempered by carriers’ desire to avoid alienating customers
with too-frequent solicitations to opt in.
557
194. In contrast, we find that opt-out consent would be insufficient to protect the privacy of
sensitive customer PI. Research has shown that default choices can be “sticky,” meaning that consumers
549
FTC Staff Comments at 21.
550
See 47 CFR § 64.2003(k); NAI, NAI Code of Conduct at 6, http://www.networkadvertising.org/code-
enforcement/code (last visited Oct. 13, 2016); NAI, NAI Mobile Application Code at 3,
https://www.networkadvertising.org/mobile/NAI_Mobile_Application_Code.pdf (last visited Oct. 13, 2016).
551
See Access Now Comments at 6.
552
See supra note 477.
553
See, e.g., CenturyLink Comments at 16; James Cooper Comments at 3; ANA Comments at 25-26; CTIA
Comments at 96-97; NTCA Comments at 28 (“[T]he proposition that Social Security numbers, date and place of
birth, mother’s maiden name, and unique government identification numbers . . . are guarded by customer is likely
consistent with current consumer expectations.”); CCA Reply at 19.
554
FTC Staff Comments at 19-20 (“[T]he FTC has advocated that companies provide meaningful choices to
consumers, with the level of choice being tied to consumer expectations. Under this approach, the FTC supports the
use of opt-in for sensitive information that could be collected by BIAS providers.”).
555
See Verizon Reply at 7-9; CIPL Comments at 5; CompTIA Comments at 7; Lehr et al. Comments at 2-3.
556
Willis Reply at 12-18 (noting defaults made “slippery” through marketing encouraged opting in to certain
programs).
557
See CenturyLink Comments at 27 (expressing concern that opt-in requirements may force providers to balance
informing customers of information-sharing programs against the possibility of annoying or confusing those
customers).
Federal Communications Commission FCC 16-148
80
will remain in the default position, even if they would not have actively chosen it.
558
Further, opt-in
regimes provide additional incentives for a company to invest in making notices clear, conspicuous,
comprehensible, and direct.
559
Additionally, empirical evidence shows that relatively few customers opt
out even though a larger number express a preference not to share their information, suggesting that they
did not receive notice or were otherwise frustrated in their ability to exercise choice.
560
In an opt-in
scenario, however, we anticipate that many consumers, solicited by carriers incentivized to provide and
improve access to their notice and choice mechanisms, will wish to affirmatively exercise choice options
around the use and sharing of sensitive information. Although we recognize that opt-in imposes
additional costs, based on these factors we find that opt-in is warranted to maximize opportunities for
informed choice about sensitive information.
195. Material Retroactive Changes. Notwithstanding the fact that our choice framework
generally differentiates between sensitive and non-sensitive information, we agree with the FTC and other
commenters that material retroactive changes require a customer’s opt-in consent for changes to the use
and sharing of both sensitive and non-sensitive information.
561
The record demonstrates widespread
conviction that material retroactive changes to privacy policies should require opt-in approval from
customers.
562
Retroactive changes in privacy policies particularly risk violating customers’ privacy
expectations because they result in a carrier using or sharing information already collected from a
customer for one purpose or set of purposes for a different purpose. Because of this, we require that
telecommunications carriers obtain customers’ opt-in approval before making retroactive material
changes to privacy policies. It is a “bedrock principle” of the FTC that “companies should provide
558
See Willis Reply at 8-10; Behavioral Economics Consulting Group at 2 (“Research in Behavioral Economics has
shown that most of the time, peoples’ decisions do not conform to a model in which people are information seeking
rational actors, guided by self-interest. In particular, where the decision is complex, the stakes are high and/or the
arena is unfamiliar, people are more likely to procrastinate or avoid a decision. In effect, the individual ‘chooses’
avoidance and ends up being assigned whatever the system’s designers have designated as the proxy for ‘no
answer.’ Whoever defined that proxy becomes the de facto decision maker.”).
559
Cf. Greenlining Institute Comments at 29 (noting “dense, slippery and confusing language” in privacy notices);
Access Now Comments at 10 (“Opt-out mechanisms typically suffer from cumbersome processes, offer little notice
or explanation on the nature of the use, and often even deliberately obfuscate the methods and purposes of corporate
programs that track users. Moreover, opt-out is useless in situations where customers have no context to understand
the program or service at issue, how it impacts their privacy, or that it even exists in the first place.”); Consumer
Action Comments at 2; Consumer Watchdog Comments at 6; Privacy Rights Clearinghouse Comments at 4 (“It is
tenuous at best to assume that a customer has approved use or sharing merely because she has not opted out of a
practice. This is especially true if an opt-out choice is buried deep in a privacy notice, and is in no way in line with
customers’ expectations.”); CDD Comments at 17.
560
See, e.g., Willis Reply at 11-12, n.31 (citing reports that only 0.5 percent of consumers opted out of a financial
privacy default, when a far larger number of consumers expressed preferences against tracking); McDonald Reply at
3 (noting that in response to NebuAd tracking, “The total percentage of users to opt out was about 1%. . . . [T]his is
dramatically lower than the percentage of users who prefer not to have data collected and used for targeted
advertising. A majority of users who wanted to opt out did not, and their privacy preferences were violated by their
ISPs.”); Paul Ohm Reply at 7-10.
561
FTC Staff Comments at 14-15 (recommending “affirmative express consent before making changes that apply to
previously collected consumer information”); 2012 FTC Privacy Report at 57-58 (rejecting arguments from AT&T
and Phorm that opt-out approval was sufficient, or that approval should be scaled to sensitivity or identifiability of
data); EFF Comments at 13; WISPA Comments at 14; CTIA Comments at 122-23.
562
See, e.g., FTC Staff Comments at 14-15 (recommending “affirmative express consent before making changes that
apply to previously collected consumer information”); 2012 FTC Privacy Report at 57-58; Charter Reply at 7; CTIA
Comments at 123; Internet Commerce Coalition Reply at 1-2; see also NTCA Comments at 6 (noting that
retroactive material changes can violate consumer expectations of privacy). The CPBR also highlights the need for
advance notice of material changes to policies, and the need for additional protections such as express affirmative
consent where such changes are retroactive. 2015 Administration CPBR Discussion Draft §102(e).
Federal Communications Commission FCC 16-148
81
prominent disclosures and obtain affirmative express consent before using data in a manner materially
different than claimed at the time of collection.”
563
This means that, whether customer PI is sensitive or
non-sensitive, a telecommunications carrier must obtain opt-in permission if it wants to use or share data
that it collected before the time that the change was made. For instance, if a carrier wanted to change its
policy to share a customer’s past monthly data volumes with third party marketers, it would need to
obtain the customer’s opt-in permission. In contrast, if the carrier changes its policy to share the
customer’s future monthly data volumes with those same marketers, it would only need the customer’s
opt-out consent.
b. Approval Requirements for the Use and Sharing of Non-Sensitive
Customer PI
196. We recognize that customer concerns about the use and sharing of their non-sensitive
customer PI will be less acute than sharing of sensitive PI, and that there are significant benefits to
customers and to businesses from some use and sharing of non-sensitive customer PI. However, we reject
suggestions that consumers should be denied choice about the use and sharing of any of their non-
sensitive information.
564
Empowering consumers by providing choice is a standard component of privacy
frameworks.
565
Further, ensuring choice is necessary as a part of effectuating the duty to protect the
confidentiality of customer PI under Section 222(a) and the duty to obtain the approval of the customer
before using, disclosing, or permitting access to individually identifiable CPNI under Section 222(c)(1).
Therefore, consistent with the FTC privacy framework, we require BIAS providers and other
telecommunications carriers to obtain the customer’s opt-out approval to use, disclose, or permit access to
non-sensitive customer PI.
566
197. We define opt-out approval as a means for obtaining customer consent to use, disclose, or
permit access to the customer’s proprietary information under which a customer is deemed to have
consented to the use, disclosure, or access to the customer’s covered information if the customer has
failed to object thereto after the carrier’s request for consent.
567
This definition, based on the existing
CPNI voice rules, applies to all non-sensitive customer PI for all covered telecommunications carriers.
The current CPNI rules define opt-out approval to require a thirty-day waiting period before a carrier can
consider a customer’s opt-out approval effective. We eliminate this requirement, and similarly decline to
apply it to BIAS providers or other telecommunications carriers. As borne out in the record, we find that
requiring carriers to enable customers to opt out at any time and with minimal effort will reduce the
likelihood that customers’ privacy choices would not be respected. As such, we believe that the 30-day
waiting period is no longer necessary and provide additional regulatory flexibility by eliminating it.
568
We make clear, however, that while we do not adopt a specific timeframe for effectuating customers’ opt-
out approval choices, we do not expect carriers to assume that a customer has granted opt-out consent
563
2012 FTC Privacy Report at 57.
564
See, e.g., Free State Foundation Comments at 9 (“By requiring ISPs create an ‘opt out’ policy regarding the
collection of ‘any information that is linked or linkable to an individual,’ the Commission risks discouraging ISPs
from offering consumers targeted marketing deals or selling advertisements to personally design consumer
experiences.”).
565
See supra para. 166.
566
We note that our requirements for customer opt-out approval serve as a floor, not a ceiling, to the level of
customer approval to be provided. Thus, a carrier may set up its programs to solicit and receive customer opt-in
approval if it so chooses.
567
See Broadband Privacy NPRM, 31 FCC Rcd at 2523, para. 68.
568
See, e.g., Access Now Comments at 6; Consumer Federation of California Comments at 14. But see EFF
Comments at 6 (opposing removing the 30-day timeframe); OTI Comments at 24 (suggesting in the alternative a 7-
day period).
Federal Communications Commission FCC 16-148
82
when a reasonable customer would not have had an opportunity to view the solicitation. We conclude
that this flexible standard will appropriately account for the faster pace of electronic transactions, while
preventing carriers from using customer PI before customers have had the opportunity to opt out.
198. We agree with commenters who assert that non-sensitive information naturally generates
fewer privacy concerns for customers, and as such does not require the same level of customer approval
as for sensitive customer PI.
569
From this, we conclude that an opt-out approval regime for use and
sharing of non-sensitive customer PI would likely meet customers’ privacy expectations. We agree with
ANA that “[a]n opt-out framework for uses of non-sensitive information also matches consumers’
expectations regarding treatment of their data,”
570
and CTIA that “[b]y tying its rules to the sensitivity of
the data, the Commission will ensure that they align with consumer expectations and what consumers
know to be fair.”
571
While an opt-out regime places a greater burden than an opt-in regime upon
customers who do not wish for their carrier to use or share their non-sensitive information, research
suggests that those same customers will likely be more motivated to actively exercise their opt-out
choices.
572
Further, we conclude that permitting carriers to use and share non-sensitive data with
customers’ opt-out approvalrather than opt-in approvalgrants carriers flexibility to make
improvements and innovations based on customer PI.
573
For example, ACA notes that an opt-out
framework can allow “providers, including small providers, to explore, market, and deploy innovative,
value-added services to their consumers, including home security and home automation services that will
drive the ‘Internet of Things.’”
574
Thus, we reject arguments that “opt-out is not an appropriate
mechanism to obtain user approval” in any circumstances.
575
199. We disagree with commenters who assert that customer approval to use and share
customer PI for the purposes of all first party marketing is generally implied in Section 222.
576
We find
that allowing carriers to use or share customer PI for all first party marketing does not comport with
Section 222’s customer approval and data protection requirements. Section 222(c)(1) explicitly requires
customer approval to use and share CPNI for purposes other than providing the telecommunications
569
See, e.g., FTC Staff Comments at 22-23 (arguing that a privacy framework should “reflect the different
expectations and concerns that consumers have for sensitive and non-sensitive data”).
570
ANA Comments at 27.
571
CTIA Comments at 97.
572
See Letter from Scott Bergmann, Vice President, Reg. Affairs, CTIA, to Marlene H. Dortch, Secretary, FCC, WC
Docket No. 16-106 (filed Aug. 18, 2016) (CTIA Aug. 18, 2016 Ex Parte), Attach., ITIF White Paper, Why
Broadband Discounts for Data are Pro-Consumer at 4-5 (ITIF White Paper) (describing Alan Westin’s groupings of
consumers by privacy preference, including “Privacy Fundamentalists” likely to value privacy highly). But see
Consumer Watchdog Comments at 6 (citing Hoofnagle et al.’s criticisms of Westin’s categorizations and Turow,
Tradeoff Fallacy, which suggests consumer disclosure of data is due to resignation rather than actively trading on
their personal information).
573
ITIC Comments at 14-15; FTC Staff Comments at 22-23.
574
ACA Comments at 31; see also SIIA Comments at 10; Letter from Joshua Seidemann, Vice President of Policy,
NTCA, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 2 (filed Oct. 14, 2016) (NTCA Oct. 14,
2016 Ex Parte) (arguing that the rules should not require opt-in approval for marketing services such as
hardware/software systems and alarm/security services).
575
Access Now Comments at 10; see also, e.g., Consumer Action Comments at 2; Consumer Watchdog Comments
at 6 (“Opt-out consent is insufficient. In fact, it is not really consent.”).
576
See, e.g., Letter from Francis M. Buono, Senior Vice President, Legal Regulatory Affairs, to Marlene H. Dortch,
Secretary, FCC, WC Docket No. 16-106, at 2 (filed Sept. 22, 2016) (Comcast Sept. 22, 2016 Ex Parte); Letter from
Michelle R. Rosenthal, Senior Corporate Counsel, T-Mobile USA, Inc., to Marlene H. Dortch, Secretary, FCC, WC
Docket No. 16-106 at 3 (filed Sept. 13, 2016) (T-Mobile Sept. 13, 2016 Ex Parte); NCTA Reply at 42-43; ICC
Comments at 4; CTA Comments at 8.
Federal Communications Commission FCC 16-148
83
service, and subject to certain other limited exceptions. Likewise, Section 222(a) imposes a duty on
carriers to protect the confidentiality of customer PI. We conclude that permitting carriers to use and
share customer PI to market all carrier and affiliate services based on inferred customer approval is
inconsistent with these statutory obligations.
577
Our conclusion is also consistent with Commission
precedent and FTC Staff comments.
578
While some comments assert that customers expect some degree
of targeted marketing absent explicit customer approval,
579
the record also indicates that customers expect
choice with regard to the privacy of their online communications.
580
Inferring consent for all first-party
marketing would leave consumers without the right to opt out of receiving any manner of marketing from
their telecommunications carrierviolating that basic precept recognized by Justice Louis Brandeis of the
“right of the individual to be let alone.”
581
We accordingly adopt an opt-out regime for first-party
marketing that relies on non-sensitive customer PI to fulfill Section 222 and provide customers with the
choice that they desire without unduly hindering the marketing of innovative services.
200. Giving consumers control of the use and disclosure of their information, even for first-
party marketing, is consistent with other consumer protection laws and regulations adopted by the both
the FTC and FCC. For instance, the popular and familiar National Do Not Call registry, created by the
FTC, the FCC, and the states empowers consumers to opt out of most telemarketing calls.
582
Consumers
have registered over 222 million phone numbers with the Do Not Call Registry in order to stop unwanted
marketing calls.
583
Also, pursuant to rules adopted by both the FTC and the FCC, consumers to have the
right to opt out of receiving calls even from companies with which they have a prior business relationship,
577
See, e.g., EFF Comments at 8 (arguing that implied consent in general “eliminate[s] all customer control over PII
for a large range of activities, including marketing,” and that this is inconsistent with the statute); EPIC Comments
at 20 (claiming that “allow[ing] the use of personal information to market additional service offerings without any
customer consent conflicts with Section 222(c) of the Communications Act,” since it does not obtain the required
customer approval); OTI Comments at 37-38 (arguing that there is no implied approval for marketing, and that
marketing is not “necessary to, or used in” provision of service); Public Knowledge May 9, 2016 Ex Parte at 1
(“While there is precedent establishing that an opt-out system is sufficient to show customer approval, there is no
authority for the proposition that a customer impliedlyapproves of a carrier using his or her information for the
purposes of Section 222(c).”); Letter from Dallas Harris, Policy Fellow, Public Knowledge, to Marlene H. Dortch,
Secretary, FCC, WC Docket no. 16-106, at 1 (filed May 27, 2016); Paul Vixie Comments at 13 (arguing that
implied consent for marketing “denies consumer any choice or control”).
578
FTC Staff Comments at 16. This same rationale applies to other telecommunications carriers. We note that, as
discussed below, limited types of first-party marketing (of categories of service to which a customer subscribes, and
services necessary to, or used in, those services) do not require customer approval.
579
See, e.g., Comcast Comments at 49-50; see also AT&T Reply at 9 (“Until now, all online companies have been
free to use nonsensitive customer-specific information to engage in first-party marketing without any consent
mechanism.”); Verizon Comments at 24, 31 (asserting that for decades, businesses have “sen[t] ads or promotions to
customers for the provider’s and its affiliates’ products or services”); NTCA Comments at 45-46 (suggesting that
“[c]ustomers largely expect firms that have access to their data to use their data” and that “consumers expect
providers to identify the services and uses that best meet their needs”); T-Mobile Comments at 8-9 (arguing that
customers expect their information to be used for different purposes, including marketing, as adjusted to the
sensitivity of the information); ACA Comments at 31.
580
See supra note 208; see also ACLU Comments at 8-9; Access Now Comments at 9; CDT Reply at 6; Public
Knowledge Comments at 29-30.
581
Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 195 (1890).
582
See 47 CFR § 64.1200; 16 CFR Part 310; see also, e.g., Mich. Comp. Laws § 445.111a (2016); N.D. Cent. Code
§ 51-28-09 (2016).
583
Federal Trade Commission, Biennial Report to Congress Under the Do Not Call Registry Fee Extension Act of
2007, FY 2014 and 2015 at 1 (2015), https://www.ftc.gov/reports/biennial-report-congress-under-do-not-call-
registry-fee-extension-act-2007-fy-2014-2015.
Federal Communications Commission FCC 16-148
84
with businesses required to place the consumer on a do-not-call list upon the consumer’s request.
584
The
CAN SPAM Act of 2003,
585
and the rules the FTC adopted under CAN SPAM, also give consumers the
right to opt out of the receipt of future commercial email from and require senders of commercial email to
provide a working mechanism in their email to facilitate those opt-outs.
586
Our rules follow these many
models.
2. Congressionally-Recognized Exceptions to Customer Approval
Requirements for Use and Sharing of Customer PI
201. In this section, we detail the scope of limitations and exceptions to the customer approval
framework discussed above. In the first part of this section, based on our review of the record and our
analysis of the best way to implement Section 222, we find that no additional customer consent is needed
in order for a BIAS provider or other telecommunications carrier to use and share customer PI in order to
provide the telecommunications service from which such information is derived or provide services
necessary to, or used in, the provision of such telecommunications service. These limitations on customer
approval requirements allow a variety of necessary activities beyond the bare provision of services,
including research to improve or protect the network or telecommunications, and limited first-party
marketing of services that are part of, necessary to, or used in the provision of the telecommunications
service. In the second part of this section, we apply the statutory exceptions detailed in Section 222(d) to
all customer PI, allowing telecommunications carriers to use and share customer PI to: (1) initiate, render,
bill, and collect for telecommunications services; (2) protect the rights or property of the carrier, or to
protect users and other carriers from fraudulent, abusive, or unlawful use of, or subscription to,
telecommunications services; (3) provide any inbound telemarketing, referral, or administrative services
to the customer for the duration of a call; and (4) provide customer location information and non-sensitive
customer PI in certain specified emergency situations.
587
We also take this opportunity to clarify that our
rules do not prevent use and sharing of customer PI to the extent such use or sharing is allowed or
required by other law.
202. The statutory mandate of confidentiality is not an edict of absolute secrecy. The need to
use and share customer information to provide telecommunications services, to initiate or render a bill, to
protect the network, and to engage in the other practices identified above are inherent in a customer’s
subscription. While Congress specified this in the context of its more detailed provisions on customer
approval for CPNI in Sections 222(c)-(d), it left to the Commission the details of determining the scope of
the duty of confidentiality. We therefore exercise our authority to adopt implementing rules in order to
harmonize the application in our rules of Section 222(a) as to customer PI with the limitations and
exceptions of Sections 222(c)-(d). Doing so ensures that carriers are not burdened with disparate or
duplicative approval requirements based upon whether a particular piece of information is classified as
CPNI, PII, or both.
588
We disagree with commenters who argue that extending these limitations and
exceptions to approval requirements unduly risk customers’ privacy.
589
We make clear that carriers using
584
See 47 CFR § 64.1200(d)(3); 16 CFR § 310.4(b)(1)(iii).
585
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, Pub. L. No. 108-187, 117
Stat. 2699 (2003) (“CAN SPAM Act”).
586
16 CFR §§ 316.1-316.6.
587
47 U.S.C. § 222(d).
588
See supra Part III.B.3 (noting that the categories of CPNI and PII are not mutually exclusive).
589
See, e.g., EFF Comments at 8 (arguing that access to all customer PI includes access to communications content,
contrary to Stored Communications Act); OTI Comments at 38-39 (sensitive information not useful for exceptions
and exposes customers to greater risk of harm); Access Now Comments at 9 (“The proposal as written does not
provide meaningful limits on sharing CPNI, which can include sensitive user information, such as location and
browsing habits. Instead, the proposal should only permit the sharing of CPNI to the extent that any PII or other
private data is scrubbed and only ‘whenever reasonably necessary to prevent future cyber security threats or risk of
(continued….)
Federal Communications Commission FCC 16-148
85
or sharing customer PI should remain particularly cognizant of their obligation to comply with the data
security standards in Part III.E, below. We also emphasize that carriers should be particularly cautious
about using sensitive customer PI, especially the content of communications, and carriers should carefully
consider whether its use is necessary before making use of it subject to these limitations and exceptions.
Furthermore, we observe that BIAS providers and other telecommunications carriers remain subject to all
other applicable laws and regulations that affect their collection, use, or disclosure of communications,
including but not limited to, the Electronic Communications Privacy Act (ECPA), the Communications
Assistance for Law Enforcement Act (CALEA), Section 705 of the Communications Act, and the
Cybersecurity Information Sharing Act (CISA).
590
a. Provision of Service and Services Necessary to, or Used in, Provision
of Service
203. Section 222 makes clear that no additional customer consent is needed to use customer PI
to provide the telecommunications service from which it was derived, and services necessary to, or used
in the telecommunications service.
591
Consent to use customer PI for the provision of service is implied in
the service relationship.
592
Customers expect their information to be used in the provision of service
after all, customers fully intend for their communications to be transmitted to and from recipientsand
they necessarily give their information to the carrier for that purpose.
593
For instance, a number of
commenters objected to our inclusion of IP addresses as forms of customer PI, because they are necessary
to route customers’ communications, or otherwise provide telecommunications service.
594
This concern is
misplaced; while a BIAS provider needs to share its customer’s IP address to provide the broadband
service, there is no basis to share that information for other non-exempt purposes absent customer
consent. Indeed, because of the explicit limitation described by Section 222(c)(1)(A) and implemented
here, we do not need to exclude IP addresses or other forms of information from the scope of customer PI
in order to allow the provision of telecommunications service, or services necessary to or used in
providing telecommunications service. Thus, we import these statutory mandates into our rules and apply
them to all customer PI.
204. We continue to find, as did previous Commissions, that telecommunications customers
expect their carriers to market them improved service offerings within the scope of service to which they
already subscribe, and as such, conclude that such limited first-party marketing is part of the provision of
the telecommunications service within the meaning of Section 222(c)(1)(A).
595
As with earlier CPNI
orders, we decline to enumerate a definitive list of “services necessary to, or used in, the provision of . . .
telecommunications service” within the meaning of Section 222(c)(1).
596
However, we provide guidance
(Continued from previous page)
vulnerabilities.’ Further, the language should only permit the sharing of information for cybersecurity attacks or risk
of vulnerabilities only to the extent it does not risk user privacy or security.”).
590
18 U.S.C. § 2510-2522 (ECPA); 47 U.S.C. § 1001 et seq. (CALEA); 47 U.S.C. § 605 (Section 705); 6 U.S.C. §
1503(c)(1) (CISA).
591
See 47 U.S.C. § 222(c)(1).
592
We note that the need for providers to transmit and disclose certain types of customer PI (including IP addresses
and the contents of communications) in the course of providing service in no way obviates customers’ privacy
interests in this information.
593
See 2015 Open Internet Order, 30 FCC Rcd at 5748, para. 339 (“[A] broadband Internet access service
provider’s representation to its end-user customer that it will transport and deliver traffic to and from all or
substantially all Internet endpoints necessarily includes the promise to transmit traffic to and from those Internet end
points back to the user.”).
594
See Cincinnati Bell Comments at 6; Audience Partners Comments at 11; NCTA Comments at 74-75.
595
1998 CPNI Order, 13 FCC Rcd at 8083, para. 30.
596
1998 CPNI Order, 13 FCC Rcd 8061; 1999 CPNI Reconsideration Order, 14 FCC Rcd 14409.
Federal Communications Commission FCC 16-148
86
with respect to certain services raised in the record, and specifically find that this exception includes the
provision and marketing of communications services commonly bundled together with the subscriber’s
telecommunications service, customer premises equipment, and services formerly known as “adjunct-to-
basic services.” We further find that the provision of inside wiring and technical support; reasonable
network management; and research to improve and protect the network or the telecommunications either
fall within this category or constitute part of the provision of telecommunications service.
597
205. Services that are Part of, Necessary to, or Used in the Provision of Telecommunications
Service. The Commission has historically recognized that, as a part of providing service, carriers may,
without customer approval, use and share CPNI to market service offerings among the categories of
service to which the customer already subscribes.
598
We therefore adopt a variation of our proposal,
which mirrored the existing rule, and permit telecommunications carriers to infer approval to use and
share non-sensitive customer PI to market other communications services commonly marketed with the
telecommunications service to which the customer already subscribes. For example, the carrier could
infer consent to market voice (whether fixed and/or mobile) and video service to a customer of its
broadband Internet access service.
599
We limit this exception to the use and sharing of non-sensitive
information, because we agree with a number of commenters that this type of marketing remains part of
what customers expect from their telecommunications carrier when subscribing to a service.
600
For
example, under our rules, a BIAS provider can offer customers new or different pricing or plans for the
customers’ existing subscriptions (e.g., a carrier may, without the customer’s approval, use the fact that
the customer regularly reaches a monthly usage cap to market a higher tier of service to the customer).
This exception also allows carriers to conduct internal analyses of non-sensitive customer PI to develop
and improve their products and services and to develop or improve their offerings or marketing
campaigns generally, apart from using the customer PI to target specific customers.
601
206. The Commission also has historically recognized certain functions offered by
telecommunications carriers as inherently part of, or necessary to, or used in, the provision of
telecommunications service. Consistent with Commission precedent, we reaffirm that services formerly
known as “adjunct-to-basic,” including, but not limited to, speed dialing, computer-provided directory
assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call
waiting, caller ID, call forwarding, and certain centrex features, are either part of the provision of
telecommunications service or are “necessary to, or used in” the provision of that telecommunications
service.
602
Similarly, the Commission has, in prior orders, recognized that the provision and marketing of
certain other services as being “necessary to, or used in” the provision of service, such as call answering,
voice mail or messaging, voice storage and retrieval services, fax storage and retrieval services, and
597
The current voice rules also permit the use and sharing of CPNI without additional customer approval for certain
first-party marketing purposes.
598
47 CFR § 64.2005(a).
599
See, e.g., NTCA Comments at 47 (“[C]ustomers generally expect that their broadband providers may use or share
the customers’ proprietary information with affiliates to market voice, video, or any types of communications-
related services tailored to their needs and preferences”); AT&T Oct. 4, 2016 Ex Parte at 2-3 (noting that wireline
carriers routinely offer, and consumers expect, “double- or triple-play options and other service packages that
combine home broadband Internet with voice and video services.”); WTA Comments at 8 (assuming that existing
rules include MVPD service with fixed and mobile voice services as “communications-related” services).
600
See, e.g., Comcast Sept 22, 2016 Ex Parte at 2; T-Mobile Sept. 13, 2016 Ex Parte at 3; but see OTI Comments at
37-38; Public Knowledge Comments at 30-31.
601
See Verizon Sept. 29, 2016 Ex Parte.
602
See 1998 CPNI Order, 13 FCC Rcd at 8097-98, para. 48; 47 CFR § 64.2005(c)(3).
Federal Communications Commission FCC 16-148
87
protocol conversion , and we continue to do so today.
603
Likewise, we continue to find that CPE, as well
as other customer devices, inside wiring installation, maintenance, and repair, as well as technical
support, serve as illustrative examples of services that are either part of the telecommunications service or
are “necessary to, or used in” the provision of the underlying telecommunications service for the purposes
of these rules.
604
Customers require working inside wiring to receive service, and often depend upon
technical support to fully utilize their services.
605
As such, carriers may use and share non-sensitive
customer PI, without additional customer approval, to provide and market such services.
606
207. In importing these historical findings into the rules we adopt today and applying them to
the current telecommunications environment, we make clear that our rules no longer permit CMRS
providers to use or share customer PI to market all information services without customer approval.
607
In
first making these findings, the Commission noted the potential to revisit this decision if it became
apparent that customer expectations, and the public interest, changed.
608
The 1999 CPNI Reconsideration
Order interpreted Section 222(c)(1) as permitting CMRS providers to market information services in
general to their customers without customer approval, but limited the information services for which
wireline carriers could infer approval.
609
That decision was made when the mobile information services
market was in its infancy. As the third party mobile application market has developed, we can no longer
find that such an exception is consistent with giving consumers meaningful choice over the use and
sharing of their information. Moreover, we have a strong interest in our rules being technologically
neutral.
208. Reasonable Network Management. We agree with commenters asserting that BIAS
providers need to use customer PI to engage in reasonable network management.
610
We have previously
explained that a network practice is “reasonable if it primarily used for and tailored to achieving a
legitimate network management purpose, taking into account the particular network architecture and
technology of the broadband service.”
611
We recognize that reasonable network management plays an
603
1999 CPNI Reconsideration Order, 14 FCC Rcd at 14434, para. 45; 47 CFR § 64.2005(b)(1). Such adjunct-to-
basic functions fall within the telecommunications systems management exception to the definition of “information
services” in the Act. See 47 U.S.C. § 153(24) (“the term ‘information service’ . . . does not include any use of any
such capability for the management, control, or operation of a telecommunications system or the management of a
telecommunications service”); 2015 Open Internet Order, 30 FCC Rcd at 5766, para. 367 n.1029. In the 2015 Open
Internet Order, we concluded that DNS, caching, and network-oriented, security-related blocking functions
including parental controls and firewalls fall within the telecommunications systems management exception and are
akin to adjunct-to-basic services. See 2015 Open Internet Order, 30 FCC Rcd at 5766-72, paras. 367-73.
604
In each case here and below, whether the particular function is a part of the telecommunications service or a
separate service “necessary to, or used in” the telecommunications service may depend on the particular
circumstances of the underlying telecommunications service and the customer, and we need not address this
distinction to determine that the statutory limitation applies.
605
See NTCA Comments at 45-47; WTA Comments at 10; Letter from Loretta Polk, Vice President & Associate
General Counsel, NCTA, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 2 (filed Oct. 14, 2016)
(NCTA Oct. 14, 2016 Ex Parte); WTA Reply at 11.
606
See, e.g., ACA Oct. 18, 2016 Ex Parte at 4.
607
1999 CPNI Reconsideration Order, 14 FCC Rcd at 14433, para. 43.
608
1998 CPNI Order, 13 FCC Rcd at 8080, n.98; 14 FCC Rcd at 14434-35, n.132.
609
1999 CPNI Reconsideration Order, 14 FCC Rcd at 14433-34, paras. 44-46.
610
See Sandvine Comments at 17; Cincinnati Bell Comments at 9; ACA Comments at 40; WTA Comments at 23-
24; Lehr et al. Comments at 3; Feamster ISP Data Use Comments at 7-8.
611
2015 Open Internet Order, 30 FCC Rcd at 5700, para. 215; 47 CFR § 8.2(f). As we further elaborated in the
2015 Open Internet Order, reasonable network management includes, but is not limited to network management
practices that are primarily used for, and tailored to, ensuring network security and integrity, including by addressing
(continued….)
Federal Communications Commission FCC 16-148
88
important role in providing BIAS, and consider reasonable network management to be part of the
telecommunications service or “necessary to, or used in” the provision of the telecommunications
service.
612
As such, we clarify that BIAS providers may infer customer approval to use, disclose, and
permit access to customer PI to the extent necessary for reasonable network management, as we defined
that term in the 2015 Open Internet Order.
209. Research to Improve and Protect Networks or Telecommunications. We also find that
certain uses and disclosures of customer PI for the purpose of conducting research to improve and
protect
613
networks or telecommunications are part of the telecommunications service or “necessary to, or
used in” the provision of the telecommunications service for the purposes of these rules.
614
For instance,
Professor Feamster explains that “network research fundamentally depends on cooperative data sharing
agreements with ISPs,” and that, lack of access to certain types of customer PI, “will severely limit
vendors’ and developers’ ability to build and deploy network technology that functions correctly, safely,
and securely.”
615
Comcast also emphasizes the need to share customer PI with “trusted vendors,
researchers, and academics . . . under strict confidentiality agreements . . . to improve both the integrity
and reliability of the service.”
616
NCTA also argues that carriers must be able to use customer data for
internal operational purposes such as improving network performance.
617
Some commenters, such as
CDT, caution that a research exemption, read too broadly, might permit privacy violations.
618
We share
these concerns, and emphasize that in the interest of protecting the confidentiality of customer PI, carriers
should seek to minimize privacy risks that may stem from using and disclosing customer PI for the
purpose of research, and should ensure that the entities to which they disclose customer PI will likewise
safeguard customer privacy.
619
Telecommunications carriers and researchers should design research
projects that incorporate principles of privacy-by-design,
620
and agree not to publish or otherwise publicly
(Continued from previous page)
traffic that is harmful to the network; network management practices that are primarily used for, and tailored to,
addressing traffic that is unwanted by end users; and network practices that alleviate congestion without regard to
the source, destination, content, application, or service. 2015 Open Internet Order, 30 FCC Rcd at 5701-02, para.
220.
612
See NCTA Oct. 14, 2016 Ex Parte at 1 (expressing the need for carriers to use customer PI for internal purposes
such as improving network performance, quality of service, and customer satisfaction).
613
Since telecommunications carriers must be able to provide secure networks to their customers, we include
security research within the scope of research allowed under this limitation. Security research also falls under the
exception covered in Part III.D.2.b, infra, regarding uses of customer PI to protect the rights and property of a
carrier, or to protect users from fraud, abuse, or unlawful use of the networks.
614
See, e.g., Antonakakis et al. Comments.
615
Feamster ISP Data Use Comments at 7-8.
616
Comcast Comments at 60; see also Letter from Nick Feamster et al., to Tom Wheeler, Chairman, FCC, WC
Docket No. 16-106 (filed Aug. 6, 2016) (Security Researchers Aug. 6, 2016 Ex Parte); Future of Privacy Forum
Comments at 12; Feamster ISP Data Use Comments at 3-4, 7-8; Lehr et al. Comments at 2-3, 8; NCTA Comments
at 76-77; Nominum Comments at 5-6.
617
NCTA Oct. 14, 2016 Ex Parte at 1.
618
See, e.g., CDT Reply at 12 (“For example, marketing and social science research are very much attenuated from
the direct interests of BIAS customers, and allowing those forms of research may lead to abuses of purported
research data that subvert the intent of the NPRM to protect consumer privacy from such uses in the first place.”).
619
Security Researchers Aug. 6, 2016 Ex Parte; M3AAWG Comments at 5 (explaining that “researchers attempt to
use anonymous data to identify signs of a security problem, either on the host ISP network or pointing at signs on
another network”); CDT Reply at 12 (stating that “the FCC must develop generic protections that bind security
researchers as a condition of receiving BIAS data”).
620
This would include, for instance, practicing data minimization and not using more identifiable information than
necessary for the research task.
Federal Communications Commission FCC 16-148
89
share individually identifiable data without customer consent. In addition, the existing rules permit
CMRS providers to infer customer approval to use and share CPNI for the purpose of conducting research
on the health effects of CMRS.
621
We retain this limited provision, extending it to all customer PI. We
reiterate that that carriers should endeavor to minimize privacy risks to customers.
b. Specific Exceptions
210. In addition to the activities included in the provision of service and services necessary to,
or used in, provision of service, carriers do not need to seek customer approval to engage in certain
specific activities that represent important policy goals detailed in Section 222(d). We apply those
exceptions to the customer approval framework to all customer PI.
211. Initiate, Render, Bill, and Collect for Service. We import into our rules and apply to all
customer PI the statutory exception permitting carriers to use, disclose, and permit access to CPNI “to
initiate, render, bill, and collect for telecommunications services” without obtaining additional customer
consent. As the Rural Wireless Association explains, carriers frequently need to share “certain customer
information” “with billing system vendors, workforce management system vendors, consultants that assist
with certain projects, help desk providers, and system monitoring solutions providers.”
622
212. Protection of Rights and Property. We also import into our rules and apply to all
customer PI the statutory provision permitting carriers to use, disclose, and permit access to CPNI “to
protect the rights or property of the carrier, or to protect users of those services and other carriers from
fraudulent, abusive, or unlawful use of, or subscription to, such services” without obtaining specific
customer approval.
623
We agree with the broad set of commenters who expressed the opinion that this
exception should be incorporated into the rules,
624
and further agree that it should also apply to customer
PI beyond CPNI.
625
We also find that these rules comport with the Cybersecurity Information Sharing
Act of 2015 (CISA), which permits certain sharing of cyber threat indicators between telecommunications
providers and the federal government or private entities, “notwithstanding any other provision of law.”
626
621
47 CFR § 64.2005(c)(2); see also 47 CFR § 20.3 (defining “commercial mobile radio service” as including
mobile broadband Internet access service”).
622
Rural Wireless Association Comments at 4; see also American Association of Law Libraries Comments at 3;
Consumer Action Comments at 2 (recognizing that “when one does business with an internet service provider, it
needs to share limited information about customers with certain other companies to provide service and prepare
billing statements”); CCA Oct. 13, 2016 Ex Parte at 5 (explaining need for carriers to share information with third
parties acting on behalf of the carrier); NTCA Oct. 14, 2016 Ex Parte at 2 (recognizing need to share information
with third parties or affiliates for billing and similar purposes). Also, as noted below, to the extent that the carrier is
using an agent to perform acts on its behalf, the carrier’s agents, acting in the scope of their employment, stand in
the place of the carrier, both in terms of rights and liabilities. See infra note 637.
623
See 47 U.S.C. § 222(d)(2) (stating that Section 222 does not prohibit a telecommunications carrier from using,
disclosing, or permitting access to CPNI obtained from its customers, either directly or indirectly through its agents
“to protect the rights or property of the carrier, or to protect users of those services and other carriers from
fraudulent, abusive, or unlawful use of, or subscription to, such services”).
624
See, e.g., M3AAWG Comments at 2; Nominum Comments at 4; Charter Reply at 27-30; NCTA Comments at
76; NCTA Reply at 50-52; CTIA Reply at 83-85; Lehr et al. Comments at 7-9; Letter from Christopher L. Shipley,
INCOMPAS, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 3-4 (filed Aug. 4, 2016)
(INCOMPAS Aug. 4, 2016 Ex Parte).
625
See, e.g., CTIA Comments at 138-39; Email Sender & Provider Coalition Comments at 6-7; NTCA Comments at
46-47 (“NTCA supports the ability of BIAS to use ‘customer proprietary information’ . . . to protect users or others
from cyber security threats or vulnerabilities . . . .”); see also Comcast Comments at 59.
626
6 U.S.C. § 1503(c)(1). We do not assume that the scope of our exception is coterminous with the definition of
cyber threat information in CISA. As noted, however, to the extent information is allowed to be shared pursuant to
CISA, our rules do not inhibit such sharing.
Federal Communications Commission FCC 16-148
90
Moreover, to the extent that other federal laws, such as CISA, permit or require use or sharing of
customer PI, our rules expressly do not prohibit such use or sharing.
213. We also agree with commenters that this provision of our rules encompasses the use and
sharing of customer PI
627
to protect against spam, malware such as viruses, and other harmful traffic,
628
including fraudulent, abusive, or otherwise unlawful robocalls.
629
We caution that carriers using or
sharing customer PI pursuant to this section of the rules should remain vigilant about limiting such use
and sharing to the purposes of protecting their networks and users, and complying with their data security
requirements.
630
We acknowledge Access Now’s concern that an overbroad reading of this exception
could result in carriers actively and routinely monitoring and reporting on customers’ behavior and
traffic,
631
and make clear that the rule does not allow carriers to share their customers’ information
wholesale on the possibility that doing so would enhance security; use and sharing of customer PI for
these purposes must be reasonably tailored to protecting the network and its users.
214. We agree with commenters that recommend that we consider this provision of our rules
to encompass not only actions taken to combat immediate security threats, but also uses and sharing to
research and develop network and cybersecurity defenses.
632
When combined with the immunity granted
by CISA, this exception addresses carriers’ concerns about participating in cybersecurity sharing
initiatives.
633
Security is an essential part of preventing bad actors from gaining unauthorized access to
the system or making abusive use of it with spam, malware, or denial of service attacks. Research and
development into new techniques and technologies for addressing fraud and abuse may require internal
use of customer PI, but also disclosures to third-party researchers and other collaborators. However, as
with other applications of this exception, carriers should not disclose more information than is reasonable
to achieve this purpose, and should take reasonable steps to ensure that the parties with which they share
information use this information only for the purposes for which it was disclosed.
634
627
As proposed, this includes any form of customer PI, not merely calling party phone numbers. See FTC Staff
Comments at 18-19; USTelecom Comments at 16; West Telecomm. Serv. Reply at 4-5.
628
Email Sender & Provider Coalition Comments at 6-7; Antonakakis et al. Comments at 3; Comcast Comments at
59.
629
See, e.g., West Telecomm. Serv. Reply Comments at 3-5; FTC Staff Comments at 18; USTelecom Comments at
16-18; see also NTCA Comments at 46-47 (“NTCA supports the ability of BIAS to use ‘customer proprietary
information’ . . . to address such issues as ‘spoofing’ and unlawful ‘robocalls.’).
630
USTelecom Comments at 17 (“CPNI sharing in such circumstances is limited to just what is needed to
investigate the source of the call such as the calling party telephone number, the called party telephone number, and
the date and time of the call.”).
631
Access Now Comments at 8-9; see also CDT Reply at 12 (explaining need for protections on disclosure for
security purposes); EFF Comments at 9 (advocating for limits on disclosures for security purposes).
632
Feamster ISP Data Use Comments; Antonakakis et al. Comments at 2, 4, 6-8; Comcast Comments at 60; CDT
Reply at 10-11.
633
As noted above, CISA permits the sharing of cybersecurity threat indicators “notwithstanding any other provision
of law.” 6 U.S.C. § 1503(c)(1). These provisions should also alleviate the concern expressed in the interim update
on information sharing from the Communications Security, Reliability, and Interoperability Council (CSRIC), that
our rules may conflict with CISA. CSRIC Working Group 5, Information Sharing Barriers at 7-8 (June 2016),
https://transition.fcc.gov/bureaus/pshs/advisory/csric5/WG5_Info_Sharing_Report_062016.pdf.
634
See, e.g., Security Researchers Aug. 6, 2016 Ex Parte. Feamster et al. suggest that security research receive a
specific exemption, so long as security disclosures be limited to those that: promote security, stability, and reliability
of networks; do not violate privacy; and benefit research in a way that outweighs privacy risks. They also highlight
particular categories of researchers to whom disclosure represents less privacy risk. While we decline to include this
specific exemption and its criteria, we note that similar steps to mitigate privacy risks and determine trustworthy
recipients can be useful factors in determining reasonableness.
Federal Communications Commission FCC 16-148
91
215. Providing Inbound Services to Customers. Customers expect that a carrier will use their
customer PI when they initiate contact with the carrier in order to ask for support, referral, or new services
in a real-time context. Therefore, within the limited context of the particular interaction, carriers can use
customer PI to render the services that the customer requests without receiving additional approval from
the customer. This provision represents a more generalized version of the exception in Section 222(d)(3),
which specifies that carriers may use customer PI “for the duration of [a support, referral, or request for
new services] call.” Under the rule we adopt today, carriers may use customer PI for the duration of any
real-time interaction, including voice calls, videoconferencing, and online chats. However, given the less
formal nature of such requests, a carrier’s authorization to use the customer PI without additional
permission should only last as long as that particular interaction does, and not persist longer. We find that
this provision will achieve the same purpose as existing Section 64.2008(f) of our rules, which allows
carriers to waive certain notice requirements for one-time usage of customer PI. We believe that carriers’
ability to use customer PI for these purposes without additional customer permission obviates the need for
streamlined notice and consent requirements in one-time interactions.
216. Some commenters have argued that our rules should permit a carrier to share customer PI
with its agents absent customer approval, noting the need to share customer PI with agents to provide
customer support, billing, or other tasks.
635
We agree that such sharing is often necessary, and the
limitations and exceptions outlined above allow carriers to share customer PI with their agents without
additional customer approval. To the extent that a carrier needs to share customer PI with an agent for a
non-exempt task, it needs no more customer approval than it would have needed in order to perform that
task itself.
636
This is consonant with the Communications Act’s requirement that carriers’ agents, acting
in the scope of their employment, stand in the place of the carrier, both in terms of rights and liabilities.
637
217. Providing Certain Customer PI in Emergency Situations. In adopting Section 222,
Congress recognized the important public safety interests in ensuring that carriers can use and share
necessary customer information in emergency situations. Section 222(d)(4) specifically allows carriers to
provide call location information of commercial mobile service users to: (1) certain specified emergency
services, in response to a user’s call for emergency services; (2) a user’s legal guardian or immediate
family member, in an emergency situation that involves the risk of death or serious physical harm; and (3)
to providers of information or database management services solely for the purpose of assisting in the
delivery of emergency services in the case of an emergency. We adopt rules mirroring these exceptions,
and expand the scope of information that may be disclosed under these circumstances to include customer
location information and non-sensitive customer PI.
218. While commercial mobile service users’ location may be the information most
immediately relevant to emergency services personnel, other forms of customer PI may also be relevant
for customers using services other than commercial mobile services, especially if customers are seeking
635
See, e.g., CCA Comments at 25 (expressing concern that “the proposal to potentially limit sharing of a vast
amount of information with affiliates that provide communications-related services would be concerning for
competitive wireless carriers with corporate structuring that tends to include vendors and affiliates for the everyday
provision of mobile broadband services”); CTIA Comments at 129-130 (arguing that “sharing a customer’s name
with an ISP’s longstanding agent (for which the ISP has assumed liability) presents a diminished privacy risk
relative to an ISP’s selling a customer’s web browsing activity to an anonymous data broker”); Letter from Aaron N.
Goldberger, Associate General Counsel, Neustar, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106
(filed Sept. 9, 2016); Verizon Reply at 14-15 (arguing that the rules should not contain special restrictions for
sharing with affiliates and contractors); Level 3 Comments at 12-13; AT&T Reply at 9, 34-35.
636
See supra Part III.D.1.
637
47 U.S.C. § 217 (“In construing and enforcing the provisions of this chapter, the act, omission, or failure of any
officer, agent, or other person acting for or employed by any common carrier or user, acting within the scope of his
employment, shall in every case be also deemed to be the act, omission, or failure of such carrier or user as well as
that of the person.”).
Federal Communications Commission FCC 16-148
92
emergency assistance through means other than dialing 9-1-1 on a voice line.
638
Expanding the types of
information available in an emergency to include non-sensitive information such as other known contact
information for the customer or the customer’s family or legal guardian will allow carriers the flexibility
necessary to keep emergency services informed with actionable information. However, recognizing the
concerns that too broad an exception could lead to increased exposure of sensitive information,
639
we
extend the exception only to customer location information and non-sensitive customer PI.
219. We recognize that, as with any provision that allows disclosure of a customer’s
information, this exception can potentially be abused. Various bad actors may use pretexting techniques,
pretending to be a guardian, immediate family member, emergency responder, or other authorized entity
to gain access to customer PI.
640
As with all of the other provisions of these rules, we expect carriers to
abide by the security standards set forth in Part III.E, below. Under these standards, we expect that
carriers will reasonably authenticate third parties to whom they intend to disclose or permit access to
customer PI. This need to act reasonably also applies to authenticating emergency services and other
entities covered under this exception, as well as authenticating customers themselves.
220. We decline suggestions that we allow carriers only to divulge customer PI in emergency
situations to emergency contact numbers specified by the customer in advance.
641
While such a safeguard
could prevent a certain amount of pretexting, we believe that such a requirement would be overly
restrictive and, in the case of call information, contrary to the statute. If such a requirement were in place,
customers who failed to supply or update emergency contact information would be denied the ability for
guardians or family members from being contacted. Recognizing the permissible nature of Section
222(d), we do not prohibit carriers from using such a safeguard if they so choose.
3. Requirements for Soliciting Customer Opt-Out and Opt-In Approval
221. In this section, we discuss the requirements for soliciting customer approval for the use
and sharing of customer PI. First, we require telecommunications carriers to solicit customer approval at
the point of sale, and permit further solicitations after the point of sale. Next, we require that carriers
actively contact their customers in these subsequent solicitations, to ensure that customers are adequately
informed. Finally, we require the solicitations to be clear and conspicuous, to be comprehensible and not
misleading, and to contain the information necessary for a customer to make an informed choice
regarding her privacy.
222. Timing of Solicitation. Based on the record before us, we conclude that BIAS providers
and other telecommunications carriers must solicit customers’ privacy choices at the point of sale. We
agree with the FTC and other commenters that the point of sale remains a logical time for customers to
exercise privacy decisions because it precedes the carriers’ uses of customer PI; frequently allows for
clarification of terms between customer and carrier; and avoids the need for customers to make privacy
decisions when distracted by other considerations, and is the time when customers are making decisions
about material terms.
642
223. We further find that, in addition to soliciting choice at point-of-sale, a carrier seeking
customer approval to use customer PI may also solicit that permission at any time after the point after the
sale, so long as the solicitation provides customers with adequate information as specified in these rules.
638
Texas 9-1-1 Entities Comments at 2 (noting the need for customer PI that may be associated with alternative
emergency calls, including “data, video, text, and other non-legacy voice services”).
639
See, e.g., Access Now Comments at 8; EFF Comments at 9.
640
FTC Staff Comments at 16-17.
641
But see FTC Staff Comments at 17.
642
CDD Comments at 20; FTC Staff Comments at 24-25; Hughes Comments at 4-5; Hughes Oct. 14, 2016 Ex Parte
at 2.
Federal Communications Commission FCC 16-148
93
This allows carriers to supply customers with relevant information at the most relevant time and in the
most relevant context.
643
Moreover, a carrier that makes material changes to its privacy policy must
solicit customers’ privacy choices before implementing those changes. Material retroactive changes
require opt-in customer approval as discussed above in Part III.D.1.a(ii). Consistent with our sensitivity-
based framework, prospective material changes require opt-in approval if they entail use or sharing of
sensitive customer PI, and opt-out approval if they entail use or sharing of non-sensitive customer PI.
224. Methods of Solicitation. We agree with commenters who recommend that we not require
particular formats or methods by which a carrier must communicate its solicitation of consent to
customers. On this point, we agree with NTCA and USTelecom, which request flexibility in determining
the means of solicitation, arguing that carriers are best placed to determine the most effective ways of
reaching their customers.
644
225. The existing voice rules contain specific requirements for solicitations sent as email, such
as a requirement that the subject line clearly and accurately identify the subject matter of the email.
645
We
decline to include such specific requirements and thereby provide carriers with additional flexibility to
develop clear notices that best serve their customers. However, the clarity and accuracy of an email
subject line are highly relevant to an overall assessment of whether the solicitation as a whole was clear,
conspicuous, comprehensible and not misleading.
226. Contents of Solicitation. Carriers’ solicitations of opt-in or opt-out consent to use or
share customer PI must clearly and conspicuously inform customers of the types of customer PI that the
carrier is seeking to use, disclose, or permit access to; how those types of customer PI will be used or
shared; and the categories of entities with which that information is shared. The solicitations must also be
comprehensible and not misleading, and be translated into a language other than English if the
telecommunications carrier transacts business with the customer in that language. As with our notice
requirements, we decline to specify a particular format or wording for this solicitation, so long as the
solicitation meets the standards described above. The solicitation must provide a means to easily access
the carrier’s privacy policy as well as a means to easily access to a mechanism, described below in Part
III.D.4, by which the customer can easily exercise his choice to permit or deny the use or sharing of his
customer PI. Access to the choice mechanism may take a variety of forms, including being built into the
solicitation, or provided as a link to the carrier’s website, an email address that will receive the customer’s
choice, or a toll-free number that a customer can call to make his choice.
646
227. As a point of clarification, the distinction between notice and consent solicitation is one
of functionality, not necessarily of form. Choice solicitations may be combined with notices of privacy
policies or notices of material change in privacy policies, but only to the extent that both the notices and
solicitations meet their respective requirements for being clear and conspicuous, comprehensible, and not
misleading. For instance, a carrier instituting a new program that uses non-sensitive customer PI
prospectively could send an existing customer a notice of material change to the privacy policy that
contained the opt-out solicitation (described in this Part) and access to the customer’s choice mechanism
643
See ACA comments at 52-53 (arguing that providers can best determine the timing of solicitations most relevant
to the context of the interaction); CTIA Comments at 143-44; NTCA Comments at 53-54.
644
See, e.g., NTCA Comments at 54 (“NTCA supports proposals that each BIAS provider be permitted to determine
the best method for soliciting customer approval.”); USTelecom Comments at 12-13 (“[T]he Commission should . .
. allow carriers the flexibility to determine the appropriate methods for notifying its customers and to maintain
records of choice selections in ways that make sense in the context of the specific provider-customer relationship.”).
645
47 CFR § 64.2008(d)(3)(iv).
646
See, e.g., NTCA Comments at 55 (“NTCA supports the proposition that providers may offer customers access to
privacy policies and an ability to effectuate related choices through a variety of means, including via telephone or
on-line interactions. Providers should have latitude to determine the most effective course of providing notice to
their customers through those methods.”); USTelecom Comments at 12-13.
Federal Communications Commission FCC 16-148
94
(described in Part III.D.4, infra). This communication would, subject to the ease-of-use requirements,
satisfy the rules. We further clarify that we are not requiring carriers to have special “customer PI”
choice mechanisms that are different and stand alone from other mechanisms that may exist, so long as
those mechanisms satisfy the outcomes required by our rules (such as, among other things, that they be
clear and conspicuous). Likewise, we are not mandating a “blanket” choice mechanism. A carrier is free
to give the customer the ability to pick and choose among which marketing channels the customer will
opt out of. At the same time, if a carrier wanted to give the customer the ability to opt out of all
marketing with a single click, that would be consistent with our rules.
647
4. Customers’ Mechanisms for Exercising Privacy Choices
228. In soliciting a customer’s approval for the use or sharing of his or her customer PI, we
require carriers to provide customers with access to a choice mechanism that is simple, easy-to-use clear
and conspicuous, in language that is comprehensible and not misleading, and made available at no
additional cost to the customer. This choice mechanism must be persistently available on or via the
carrier’s website; on the carrier’s app, if it provides one for account management purposes; and on any
functional equivalents of either.
648
If a carrier lacks a website, it must provide a persistently available
mechanism by another means such as a toll-free telephone number. However, we decline to specify any
particular form or format for this choice mechanism. Carriers must act upon customers’ privacy choices
promptly.
229. Format. As with our requirements for notices and for solicitations of approval, the actual
mechanism provided by the carrier by which customers may inform the carrier of their privacy choices
must be clear and conspicuous, and in language that is comprehensible and not misleading. Because
users’ transaction costs, in terms of time and effort expended, can present a major barrier to customers
exercising choices, carriers’ choice mechanisms must also be easy to use, ensuring that customers can
readily exercise their privacy rights.
230. We encourage but do not require carriers to make available a customer-facing dashboard.
While a customer-facing dashboard carries a number of advantages, we are mindful of the fact that it may
not be feasible for certain carriers, particularly small businesses, and that improved technologies and user
interfaces may lead to better options.
649
Preserving this flexibility benefits both carriers and customers by
enabling carriers to adopt a mechanism that suits the customer’s abilities and preferences and the carrier’s
technological capabilities. As noted, we are particularly mindful of the needs of smaller carriers. For
example, WTA explains that “[a] privacy dashboard as envisioned in the NPRM would require providers
to aggregate information that is likely housed today on multiple systems and develop both internal and
external user interfaces.”
650
ACA adds that creating a privacy dashboard would be a “near-impossible
task” for small BIAS providers.
651
Particularly in light of the concerns expressed by small providers and
their representatives, we decline to mandate that BIAS providers make available a customer-facing
dashboard.
231. Timing to Implement Choice. We require carriers to give effect to a customer’s grant,
denial, or withdrawal of approval “promptly.”
652
Aside from the ordinary time that might be required for
647
NCTA Oct. 20, 2016 Ex Parte at 8.
648
We intend for this requirement to mirror the requirements for a provider’s provision of its notice of privacy
policies.
649
See, e.g., Hughes Comments at 5-6; Sprint Comments at 13-14; CTIA Comments at 104-05; NTCA Comments at
41-42; Rural Wireless Association Comments at 7; WTA Comments at 11-12.
650
WTA Reply at 9-10.
651
ACA Comments at 38-39.
652
See, e.g., Hughes Oct. 14, 2016 Ex Parte at 2 (arguing that providers should be required to “update consumers’
decisions regarding privacy preferences when they are affirmatively communicated to the provider”).
Federal Communications Commission FCC 16-148
95
processing incoming requests, customers must be confident that their choices are being respected. The
flexibility of this standard enables carriers to account for the relative size of the carrier, the type and
amount of customer PI being used, and the particular use or sharing of the customer PI.
653
Since the
carrier process and technical mechanics of implementing a customer denial of approval for a new use may
well differ from implementing a customer’s denial of a previously approved practice, we do not expect
that the time frames for each will necessarily be the same.
654
The Commission has long held this
interpretation to be consistent with the language and design of Section 222.
655
232. Choice Persistence. As in our existing rules and as proposed in the NPRM, we require a
customer’s choice to grant or deny approval for use of her customer PI to remain in effect until a
customer revokes or limits her choice.
656
We find that customers reasonably expect that their choices will
persist and not be changed without their affirmative consent (in the case of sensitive customer PI and
previously collected non-sensitive customer PI) or at least the opportunity to object (in the case of yet to
be collected non-sensitive customer PI).
233. Small Carriers. Some small carriers expressed concern on the record that their websites
do not allow for customers to manage their accounts, and thus could not offer an in-browser way for
customers to immediately exercise their privacy choices on the carriers’ websites.
657
Since we decline to
require a specific format for accepting customer privacy choices, any carriers, including small carriers,
that lack choice mechanisms that customers can operate directly from the carrier’s website or app may be
able to accept customer preferences by providing on their websites, in their apps, and any functional
equivalents, an email address, 24-hour toll-free phone number, or other easily accessible, persistently
available means to exercise their privacy choices.
5. Eliminating Periodic Compliance Documentation
234. We eliminate the specific compliance recordkeeping and annual certification
requirements in Section 64.2009 for voice providers. Eliminating these requirements reduces burdens for
all carriers, and particularly small carriers, which often may not need to record approval if they do not use
or share customer PI for purposes other than the provision of service.
658
We find that carriers are likely to
keep records necessary to allow for any necessary enforcement without the need for specific
requirements, and that notifications of data breaches to customers and to enforcement agencies (including
the Commission) will ensure compliance with the rules and a workable level of transparency for
customers.
653
NTCA Comments at 38 (requesting that the rules account for context).
654
See, e.g., Letter from Jennifer Manner, Senior Vice President, Regulatory Affairs, Hughes Network Systems, to
Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, Attach. at 1 (filed July 26, 2016) (requesting 10-day
timeframe “to implement a consumer’s request to opt-in or opt-out of permitted uses of their customer PI.”); Hughes
Oct. 14, 2016 Ex Parte Attach. at 1 (same).
655
See 1998 CPNI Order, 13 FCC Rcd at 8151, para. 116 (explaining that “the language of Section 222(d)(3) stating
that carriers may ‘provide inbound telemarketing, referral, or administrative services to the customer for the
duration of the call’ suggests that Congress expressly limited the duration of approval where it wanted to so specify,
and thus the absence of similar language in Section 222(c)(1) evidences that Congress did not limit as a statutory
matter the time period within which customer approval remains valid”).
656
47 CFR § 64.2007(a)(2); Broadband Privacy NPRM, 31 FCC Rcd at 2552, para. 147.
657
See, e.g., Letter from Patricia Cave, Director, Government Affairs, WTA, to Marlene H. Dortch, Secretary, FCC,
WC Docket No. 16-106, at 2-3, n.4 (filed Aug. 22, 2016) (WTA Aug. 22, 2016 Ex Parte).
658
See infra note 690.
Federal Communications Commission FCC 16-148
96
E. Reasonable Data Security
235. In this section, we adopt a harmonized approach to data security that protects consumers’
confidential information by requiring BIAS providers and other telecommunications carriers to take
reasonable measures to secure customer PI. The record reflects broad agreement with our starting
proposition that strong data security practices are crucial to protecting the confidentiality of customer
PI.
659
There is also widespread agreement among industry members, consumer groups, academics, and
government entities about the importance of flexible and forward-looking reasonable data security
practices.
660
236. In the NPRM we proposed rules that included an overarching data security expectation
and specified particular types of practices that providers would need to implement to comply with that
standard, while allowing providers flexibility in implementing the proposed requirements (e.g., taking
into account, at a minimum, the nature and scope of the provider’s activities and the sensitivity of the
customer PI held by the provider). Based on the record in this proceeding, we have modified the
overarching data security standard to more directly focus on the reasonableness of the providers’ data
security practices. Also based on the record, we decline to mandate specific activities that providers must
undertake in order to meet the reasonable data security requirement. We do, however, offer guidance on
the types of data security practices we recommend providers strongly consider as they seek to comply
with our data security requirement—recognizing, of course, that what constitutes “reasonable” data
security is an evolving concept.
237. The approach we take today underscores the importance of ensuring that providers have
robust but flexible data security practices that evolve over time as technology and best practices continue
to improve. It is consistent with the FTC’s body of work on data security,
661
the NIST Cybersecurity
Framework (NIST CSF),
662
the Satellite and Cable Privacy Acts,
663
and the CPBR,
664
and finds broad
support in the record.
665
In harmonizing the rules for BIAS providers and other telecommunications
carriers we apply this more flexible and future-focused standard to voice providers as well, replacing the
659
Broadband Privacy NPRM, 31 FCC Rcd at 2557, para. 167; see also Access Now Comments at 11-12 (“[T]he
ultimate policy cannot create flexibility to excuse companies or actions from failing to provide adequate
protections.”); National Consumers League Comments at 2 (encouraging adoption of “high baseline data security
protections”); American Association of Law Libraries Comments at 4; Greenlining Institute Comments at 45-48;
Consumer Action Comments at 2; Access Humboldt et al. Comments at 5.
660
See, e.g., CenturyLink Comments at 32; Comcast Reply at 26; DMA Comments at 24; National Consumers
League Comments at 9; New York Attorney General Reply at 3; S
2
ERC Center Comments at 3; Jon Leibowitz
Comments at 10-11; FTC Staff Comments at 27-28; Letter From Chris Calabrese, VP of Policy, Center for
Democracy & Technology, to Marlene Dortch, Secretary, FCC, at 4 (filed Sept. 29, 2016) (CDT Sept. 29, 2016 Ex
Parte).
661
See FTC Staff Comments at 27-28 (outlining the FTC’s “technology-neutral, process-based approach to security
[it has applied] for two decades”); FTC, Data Security, https://www.ftc.gov/datasecurity (“[A] company’s data
security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the
size and complexity of its data operations, and the cost of available tools to improve security and reduce
vulnerabilities.”).
662
See infra note 682.
663
See 47 U.S.C. §§ 551(c)(1), 338(i)(4) (directing cable operators and satellite carriers, respectively, to “take such
actions as are necessary to prevent unauthorized access to [subscriber information]”); see also Cox Consent Decree,
30 FCC Rcd at 12302, para. 3 (“Congress and the Commission have made clear that cable operators such as Cox
must take such actions as are necessary to prevent unauthorized access to such information by a person other than
the subscriber or cable operator.’”).
664
See infra note 681.
665
See, e.g., NTCA Comments at 59-60; CTIA Comments at 156-58.
Federal Communications Commission FCC 16-148
97
more rigid data security procedures codified in the existing rules and thus addressing the potential that
these existing procedures are both under- and over-inclusivewith the expectation that strong and
flexible, harmonized, forward-looking rules will benefit consumers and industry.
1. BIAS and Other Telecommunications Providers Must Take Reasonable
Measures to Secure Customer PI
238. The rule that we adopt today requires that every BIAS provider and other
telecommunications carrier take reasonable measures to protect customer PI from unauthorized use,
disclosure, or access. To comply with this requirement, a provider must adopt security practices
appropriately calibrated to the nature and scope of its activities, the sensitivity of the underlying data, the
size of the provider, and technical feasibility.
666
239. As we observed in the NPRM, privacy and security are inextricably linked.
667
Section
222(a) imposes a duty on telecommunications carriers to “protect the confidentiality of proprietary
information of and relating to . . . customers.”
668
Fulfilling this duty requires a provider to have sound
data security practices.
669
A telecommunications provider that fails to secure customer PI cannot protect
its customers from identity theft or other serious personal harm, nor can it assure its customers that their
choices regarding use and disclosure of their personal information will be honored. As commenters point
out, contemporary data security practices are generally oriented toward “confidentiality, integrity, and
availability,”
670
three dynamic and interrelated principles typically referred to together as the “CIA”
triad.
671
Confidentiality refers specifically in this context to protecting data from unauthorized access and
disclosure;
672
integrity refers to protecting information from unauthorized modification or destruction;
673
and availability refers to providing authorized users with access to the information when needed.
674
We
666
See infra Appx A.
667
See generally Broadband Privacy NPRM, 31 FCC Rcd at 2557, para. 167 (“Strong data security protections are
crucial to protecting the confidentiality of customer PI.”).
668
47 U.S.C. § 222(a).
669
See TerraCom Consent Decree, 30 FCC Rcd at 7075, para. 2 (“The failure to reasonably secure customers’
proprietary information violates a carrier’s duty under the Communications Act . . .”); 2007 CPNI Order, 22 FCC
Rcd at 6959, para. 64 (“We fully expect carriers to take every reasonable precaution to protect the confidentiality of
proprietary or personal customer information.”).
670
See Paul Vixie Comments at 31 (“The textbook security objectives are normally confidentiality, integrity, and
availability in the enterprise case.”); International Association of Privacy Professionals Comments at 2 (“Data
security is concerned with the confidentiality, integrity and availability of any information.”); NTCA Comments at
58-59.
671
See, e.g., Techopedia, CIA Triad of Information Security, https://www.techopedia.com/definition/25830/cia-
triad-of-information-security (last visited Oct. 5, 2016); see also 44 USC § 3552(b)(3) (defining “integrity,”
“confidentiality,” and “availability” as the constituent elements of “information security”); Office of Management
and Budget, Circular No. A-130, Managing Information as a Strategic Resource at 36 (2016),
https://www.whitehouse.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf (defining
“[s]ecurity controlas “the safeguards or countermeasures prescribed for an information system or an organization
to protect the confidentiality, integrity, and availability of the system and its information”).
672
See ATIS, ATIS Telecom Glossary: Confidentiality (Sept. 12, 2016),
http://www.atis.org/glossary/definition.aspx?id=6609; see also 44 U.S.C. § 3552(b)(3)(B). Our discussion of
“confidentiality” as part of the CIA triad of data security principles is not intended to suggest that the term has the
same meaning under Section 222 of the Act as it has in the CIA context.
673
See ATIS, ATIS Telecom Glossary: Integrity (Sept. 12, 2016),
http://www.atis.org/glossary/definition.aspx?id=458; see also 44 U.S.C. § 3552(b)(3)(A).
674
See ATIS, ATIS Telecom Glossary: Availability (Sept. 12, 2016),
http://www.atis.org/glossary/definition.aspx?id=5637; see also 44 U.S.C. § 3552(b)(3)(C).
Federal Communications Commission FCC 16-148
98
agree with NTCA that confidentiality, integrity and availability are best understood as “elements of a
single duty” to secure data, and their collective purpose is to “illustrate the various considerations that
must be engaged when the management of confidential information is considered.”
675
The record
confirms that these are core principles that underlie the modern-day practice of data security.
676
Thus, we
expect providers to take these principles into account when developing, implementing, and monitoring the
effectiveness of adopted measures to meet their data security obligation.
240. By requiring providers to take reasonable data security measures, we make clear that
providers will not be held strictly liable for all data breaches.
677
Instead, we give providers significant
flexibility and control over their data security practices while holding these practices to a standard of
reasonableness that respects context and is able to evolve over time. There is ample precedent and
widespread support in the record for this approach. FTC best practices guidance advises companies to
“make reasonable choices” about data security,
678
and in numerous cases the FTC has taken enforcement
action against companies for failure to take “reasonable and appropriate” steps to secure customer data.
679
Many states also have laws that require regulated entities to take “reasonable measures” to protect the
personal data they collect.
680
The CPBR reaffirms this standard, directing companies to “establish,
implement and maintain safeguards reasonably designed to ensure the security of” personal customer
information.
681
Placing the responsibility on companies to develop and manage their own security
practices is also a core tenet of the NIST CSF.
682
A diverse range of commenters in this proceeding
support adoption of a data security requirement for BIAS providers that is consistent with these
675
NTCA Comments at 58. Additionally, one commenter notes that increasing security may affect availability. See
Paul Vixie Comments at 31 (“We believe availability to be fully on par with the other objectives mentioned for a
utility-like service such as broadband service. A desire for security must NOT be allowed to potentially degrade
availability.”); see also International Association of Privacy Professionals Comments at 2 (“Data security is
concerned with the confidentiality, integrity and availability of any information.”).
676
See supra note 670.
677
But see FTC Staff Comments at 27-28 (“[T]he proposed rule text would impose strict liability on companies for
‘ensuring’ security.”); CenturyLink Comments at 32-33; CTIA Comments at 159-161.
678
See Federal Trade Commission, Start with Security: A Guide for Business at 1 (2015), https://www.ftc.gov/tips-
advice/business-center/guidance/start-security-guide-business (2015 FTC Security Guide for Business).
679
See, e.g., GMR Transcription Services, Inc., Complaint, F.T.C. File No. 122-3095 (2014),
https://www.ftc.gov/system/files/documents/cases/140821gmrcmpt.pdf (GMR Transcription Services Complaint);
GeneLink, Inc., Complaint, F.T.C. File No. 112-3095 (2014)
https://www.ftc.gov/sites/default/files/documents/cases/140107genelinkcmpt.pdf (GeneLink Complaint); Accretive
Health, Inc., Complaint, F.T.C. File No. 122-3077 (2014),
https://www.ftc.gov/system/files/documents/cases/140224accretivehealthcmpt.pdf; see also FTC v. Wyndham
Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) (upholding FTC authority to bring data security cases under the
Section 5 “unfairness” prong).
680
See, e.g., Md. Code Ann., Com. Law § 14-3503(a) (2016); Utah Code Ann. § 13-44-201 (2016); Fla. Stat. §
501.171(2) (2016); Cal. Civ. Code § 1798.81.5(b)-(c) (2016).
681
See 2015 Administration CPBR Discussion Draft § 105(a)(2); see also 2012 White House Privacy Blueprint at
appx. A (“Consumer Privacy Bill of Rights”).
682
See National Institute for Standards and Technology, Framework for Improving Critical Infrastructure
Cybersecurity at 2 (2014) http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf (NIST
CSF) (“The [NIST CSF] is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure.
Organizations will continue to have unique risks different threats, different vulnerabilities, different risk tolerances
and how they implement the practices in the [NIST CSF] will vary.”).
Federal Communications Commission FCC 16-148
99
principles.
683
Indeed, several providers acknowledge the importance of and need for reasonable data
security.
684
241. By clarifying that our standard is one of “reasonableness” rather than strict liability, we
address one of the major concerns that providersincluding small providers and their associationsraise
in this proceeding.
685
WTA, for instance, argues that a strict liability standard “is particularly
inappropriate for small providers that lack the resources to install the expensive and constantly evolving
safeguards necessary to comply with a strict liability regime.”
686
We agree with these parties, and others
such as the Federal Trade Commission staff,
687
that our rules should focus on the reasonableness of the
providers’ practices and not hold providers, including smaller providers, to a standard of strict liability.
242. We also agree with those commenters that argue that the reasonableness of a provider’s
data security practices will depend significantly on context.
688
The rule therefore identifies four factors
that a provider must take into account when implementing data security measures: the nature and scope of
its activities; the sensitivity of the data it collects; its size; and technical feasibility. Taken together, these
factors give considerable flexibility to all providers. No one factor, taken independently, is determinative.
243. We include “size” in part based on the understanding in the record that smaller providers
employ more limited data operations in comparison to their larger provider counterparts. While the other
contextual factors already account considerably for the varying data collection and usage practices of
providers of different sizes, we agree with commenters that size is an independent factor in what practices
are reasonable for smaller providers, particularly to the extent that the smaller providers engage in limited
data usage practices.
689
For instance, WTA explains that “its members do not currently, and have no plans
to, retain customer Internet browsing histories and related information on an individual subscriber basis
because the cost . . . would significantly outweigh any potential monetary benefit derived from data
683
See, e.g., FTC Staff Comments at 27-28; National Consumers League Comments at 9 (citing Kamala D. Harris,
Cal. Dep’t of Justice, California Data Breach Report 2012-2015 5 (2016),
https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf ) (“What constitutes reasonable data
security today will not constitute reasonable data security tomorrow.”) (emphasis added); Direct Marketing
Association Comments at 24 (“Adequate protections for consumers can be effectively achieved by requiring BIAS
providers to maintain ‘reasonable’ data security practices. . . .”); Jon Leibowitz Comments at 10-11; Electronic
Transactions Association Comments at 2; New York Attorney General Reply at 3; S
2
ERC Comments at 3; Online
Trust Alliance Comments at 3; CompTIA Comments at 1-2; ViaSat Comments at 6-7; CDT Sept. 29, 2016 Ex Parte
at 4; Letter From Harold Feld, Senior VP, Public Knowledge, to Marlene Dortch, Secretary, FCC at 3 (filed Oct. 3,
2016) (Public Knowledge Oct. 3, 2016 Ex Parte).
684
See CenturyLink Comments at 32; Comcast Comments at 22; Verizon Comments at 65; T-Mobile Comments at
47; NCTA Reply at 54; CCA Reply at 10; WTA Aug. 22, 2016 Ex Parte at 3.
685
See, e.g., ACA Reply at 9-10; WTA Reply at 12-13; CenturyLink Comments at 32-33; T-Mobile Comments at
47-48.
686
WTA Reply at 12; see also U.S. Small Business Administration Reply at 3 (“The record in this proceeding would
support any effort by the FCC to mitigate the disproportionate compliance burden its proposal would have on small
BIAS providers.”).
687
See FTC Staff Comments at 27-28.
688
See, e.g., CenturyLink Comments at 32 (“[A]ll providers should adopt reasonable data security safeguards based
[on contextual factors proposed in the NPRM].”).
689
See, e.g., WTA Aug. 22, 2016 Ex Parte at 3 (“WTA also argued that size should be a factor for consideration
when assessing the implementation of reasonable security measures in order to avoid unreasonably holding small
carriers with only a handful or two of employees to the same standard as providers that employ armies of technical
and security professionals and drive industry best-practices.”).
Federal Communications Commission FCC 16-148
100
relating to the small subscriber bases of [rural carriers].”
690
Several small provider commenters also point
out that many such providers have few employees and limited resources.
691
Accordingly, certain security
measures that may be appropriate for larger providers, such as having a dedicated official to oversee data
security implementation, are likely beyond the needs and resources of the smallest providers.
692
Our
inclusion of “size” as a factor makes clear that small providers are permitted to adopt reasonable security
practices that are appropriate for their businesses.
693
At the same time, we emphasize that all providers
must adopt practices that take into account all four contextual factors. For instance, a small provider with
very expansive data collection and usage practices could not point to its size as a defense for not
implementing security measures appropriate for the “nature and scope” of its operations.
694
244. The rule also takes into account the distinction between sensitive and non-sensitive
information that underlies our customer approval requirements. Because the protection of both sensitive
and non-sensitive customer PI is necessary to give effect to customer choices about the use and disclosure
of their information,
695
our data security rule must cover both.
696
At the same time, we decline to require
690
WTA Aug. 22, 2016 Ex Parte at 2-3; see also RWA Reply at 2 (“[U]nlike large or nationwide BIAS providers,
[our] members do not generally collect, store, analyze, and exploit [CPNI]”); WTA Comments at 19 (“Small BIAS
providers also do not engage in the collection and retention of sensitive consumer information to the extent that
other industry participants that are subject to the FTC enforcement do.”); CCA Comments at 33 (“[M]any CCA
carrier members that fall under CCA’s proposed definition of small provider do not share customer information with
third parties for advertising purposes.”); NTCA Comments at 1 (“As a general matter . . . NTCA members do not
broker their customers’ information.”); ACA Comments at 5 (explaining that “ACA members generally do not use
their customers’ information for purposes requiring opt-in consentoften because they lack the incentive or
resources to do so”).
691
See ACA Comments at 8 (Most ACA members have few employees: half of ACA’s members have ten or fewer
employees.”); Education and Research Consortium et al. Comments at 10; RWA Comments at 10-12; WISPA
Comments at 26-27; WTA Aug. 22, 2016 Ex Parte at 3.
692
See RWA Comments at 12 (“Saddling small carrier employees with qualification requirements in rural markets
(where workforce demands are often already difficult to meet) is counterproductive and may force small rural
carriers into unnecessary additional hires, solely for the purpose of meeting such requirements.”). ACA Oct. 18,
2016 Ex Parte at 2 (urging the Commission to “[r]ecognize the limited financial resources of smaller ISPs in
determining whether their data security practices are ‘reasonable.’”) (internal formatting omitted). Our decision not
to adopt minimum required security practices should further allay concerns about the impact of the rule on small
providers. See, e.g., WTA Aug. 22, 2016 Ex Parte at 3 (“Because risk management requires tough decisions
regarding which risks are reasonably acceptable in light of an organization’s activities, size and resources, WTA
urged the Commission to provide flexibility for small carriers and refrain from imposing specific security
requirements beyond a generalized duty to employ reasonable security measures.”); RWA Reply at 11 (citing WTA
Comments at 21) (“[A]llow each BIAS provider to determine the particulars of and design its own risk management
program, taking into account the probability and criticality of threats and vulnerabilities, as well as the nature and
scope of a provider’s business activities and the sensitivity of the underlying data.”); ACA Reply at 44 (“[E]xempt
small providers from the specific minimum data security requirements . . . .”); CTIA Reply at 10.
693
See ACA Comments at 23; CCA Comments at 42; WTA Comments at 18-25; U.S. Small Business
Administration Reply at 3-4; Letter From Joshua Seidemann, Vice President of Policy, NTCA, to Marlene Dortch,
Secretary, FCC at 2-3 (filed Sept. 16, 2016) (NTCA Sept. 16, 2016 Ex Parte).
694
See National Consumers League Reply at 21 (“[P]rotecting consumers’ data is a part of running a modern
company.”). But see ACA Oct. 18, 2016 Ex Parte at 2 (“[The Order] should explicitly state that a higher relative
cost for a smaller ISP to implement a practice on a per customer basis compared to a larger ISP is a factor in
determining whether an ISP’s implementation of a practices is reasonable.”).
695
See supra Part III.D.
696
The State Privacy and Security Coalition argues that the security rule proposed in the NPRM would be too
burdensome when applied to non-sensitive information. See State Security and Privacy Coalition Comments at 5,
11-12; see also Letter From Michelle Rosenthal, Senior Corporate Counsel, Government Affairs, Federal
Regulatory, T-Mobile, to Marlene Dortch, Secretary, FCC at 2 (filed Sept. 14, 2016) (T-Mobile Sept. 14, 2016 Ex
(continued….)
Federal Communications Commission FCC 16-148
101
“the same, strict data security protections” for all such information.
697
Rather, we direct providers to
calibrate their security measures to “the sensitivity of the underlying data.”
698
This approach finds broad
support in the record
699
and is consistent with FTC guidance and precedent.
700
Similarly, our inclusion of
“technical feasibility” as a factor makes clear that reasonable data security practices must evolve as
technology advances.
701
Because our rule gives providers broad flexibility to consider costs when
determining what security measures to implement over time, we do not find it necessary to include “cost
of security measures” as a separate factor as AT&T and other commenters propose.
702
This means that
every provider must adopt security measures that reasonably address the provider’s data security risks.
245. In their comments, the National Consumers League recommended that we establish data
security threshold requirements that providers could build on, but not fall below.
703
We find that
unnecessary in light of the rules we adopt today. We believe that the flexible and forward-looking rule
we adopt combined with the discussion that follows regarding exemplary practices makes clear that the
rule sets a high and evolving standard of data security.
704
A provider that fails to keep current with
industry best practices and other relevant guidance in designing and implementing its data security
practices runs the risk of both a preventable data breach and that it will be found out of compliance with
our data security rule. We also observe that we have already acted in multiple instances to enforce
carriers’ broad statutory obligations to take reasonable precautions to protect sensitive customer
information.
705
In the TerraCom proceeding, for instance, we took action against a carrier under Section
222 of the Act for its failure to employ “appropriate security measures” to protect customers’ Social
Security numbers and other data from exposure on the public Internet.
706
Moreover, in TerraCom and
other data security enforcement proceedings, parties have agreed to detailed data security obligations on
individual carriers as conditions of settlement.
707
For example, as part of one consent decree entered into
(Continued from previous page)
Parte) (“The standard should be limited to either sensitive CPNI or CPNI that is likely to lead to an economic or
physical harm in the event of an unauthorized disclosure.”). We believe the modifications we have made to the
proposal, including our decision not to adopt minimum required security practices, sufficiently address this concern.
697
Contra National Consumers League Comments at 9; but see ACLU Comments at 6. As explained above, we
have determined that it is both feasible and appropriate to draw a distinction between sensitive and non-sensitive
information under our rules. See supra Part III.D.1.
698
See supra para. 242. Where sensitive and non-sensitive customer PI are commingled, a carrier should err on the
side of treating the information as sensitive.
699
See Access Now Comments at 11; CTIA Comments at 96-97; IAB Comments at 11.
700
See 2015 FTC Security Guide for Business at 1.
701
See, e.g., FTC Staff Comments at 27-28 (expressing support for a formulation of the rule that includes the
“technical feasibility” factor).
702
But see AT&T Comments at 78 (“The NPRM’s discussion of ‘reasonable’ data security also ignores many
factors that are highly relevant to what security measures should be adopted, such as the nature of the threats that
ISPs face and the costs of security measures.”); NTCA Sept. 16, 2016 Ex Parte at 4-5, n.5; CCA Oct. 13, 2016 Ex
Parte at 6.
703
See National Consumers League Reply at 19.
704
But see Access Now Comments at 11 (“[T]he ultimate policy cannot create flexibility to excuse companies or
actions from failing to provide adequate protections.”); American Association of Law Libraries Comments at 4;
Consumer Action Comments at 2; Access Humboldt et al. Comments at 5.
705
See TerraCom Consent Decree, 30 FCC Rcd at 7075, paras. 1-2; AT&T Consent Decree, 30 FCC Rcd at 2808,
para. 2; Cox Consent Decree, 30 FCC Rcd at 12303, para 4.
706
See TerraCom NAL, 29 FCC Rcd at 13335, paras. 29-30.
707
See generally TerraCom Consent Decree; AT&T Consent Decree; Cox Consent Decree.
Federal Communications Commission FCC 16-148
102
by AT&T and the Commission’s Enforcement Bureau, AT&T agreed to develop and implement a
compliance plan aimed at preventing recurrence of a major data security lapse.
708
We have the ability to
pursue similar remedial conditions in the context of any enforcement proceeding that may arise under the
data security rule we adopt today, based on the facts of the case.
246. In addition, the flexibility we have built into our rule addresses concerns about potential
conflict with the NIST Cybersecurity Framework (NIST CSF) and with other initiatives to confront data
security as well as broader cyber threats.
709
The Commission values the NIST CSF and has demonstrated
its commitment to promoting its adoption across the communications sector,
710
and we have accordingly
fashioned a data security rule that closely harmonizes with the NIST CSF’s flexible approach to risk
management. The rule gives providers ample flexibility to implement the NIST CSF on a self-directed
basis, and it imposes on BIAS providers a standard for data security similar to that which governs edge
providers and other companies operating under the FTC’s general jurisdiction.
711
We also reject any
suggestions that our rule will impinge on BIAS providers’ efforts to improve Internet security or protect
their customers from malware, phishing attacks, and other cyber threats.
712
Indeed, protecting against
such attacks and threats will only bolster a company’s claims that it has reasonable data security practices.
Moreover, as explained above, the rules adopted in this Report and Order do not prohibit or impose any
constraint on cyber threat information sharing that is lawfully conducted pursuant to the Cybersecurity
Information Sharing Act of 2015 (CISA).
713
Indeed, we believe that information sharing is a vital part of
promoting data security across the industry.
247. Finally, we recognize that there is more to data security than the steps each individual
provider takes to secure the data it possesses. For instance, effective consumer outreach and education
can empower customers to be pro-active in protecting their own data from inadvertent or malicious
disclosures. We also encourage providers to continue to engage constructively with the Commission,
including through the CSRIC and related efforts, to develop and refine data security best practices. Also,
as carriers develop and manage their security practices, we encourage them to be forward-looking. In
particular, carriers should make efforts to anticipate future data security threats and proactively work to
mitigate future risk drivers.
2. Practices That Are Exemplary of Reasonable Data Security
248. While we do not prescribe specific practices that a provider must undertake to comply
with our data security rule, the requirement to engage in reasonable data security practices is set against a
708
See AT&T Consent Decree, 30 FCC Rcd at 2808, para. 2.
709
See, e.g., Information Technology Industry Council Comments at 15 (“[The] proposed requirements contradict
existing cybersecurity public policy such as that embedded in the [NIST Cybersecurity Framework] that risk
management is a continuous process demanding flexibility . . .”); NTCA Sept. 16, 2016 Ex Parte.
710
See Communications, Security, Reliability and Interoperability Council, Cybersecurity Risk Management Best
Practices: Working Group 4: Final Report (March 2015),
https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf (final report of a
Commission federal advisory committee charged with developing “implementation guidance to help communication
providers use and adapt the voluntary NIST Cybersecurity Framework”).
711
In late August, FTC staff issued a blog post as part of its data security education work showing how the NIST
CSF and the FTC’s data security work complement each other. See Andrea Arias, FTC, The NIST Cybersecurity
Framework and the FTC (Aug. 31, 2016), https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-
cybersecurity-framework-ftc (FTC Staff Guidance on NIST CSF).
712
CTIA Reply at 83-85.
713
See Cybersecurity Information Sharing Act of 2015, 6 U.S.C. §§ 1501-1510 (2016); see also supra para. 212.
Federal Communications Commission FCC 16-148
103
backdrop of existing privacy and data security laws,
714
best practices,
715
and public-private initiatives.
716
Each of these is a potential source of guidance on practices that may be implemented to protect the
confidentiality of customer PI. For the benefit of small providers, and others, below we discuss in more
detail an evolving set of non-exclusive practices that we consider relevant to the question of whether a
provider has complied with the requirement to take reasonable data security measures. While certain of
these practices were originally proposed as minimum data security requirements,
717
we discuss them here
as part of a set of practices that we presently consider exemplary of a reasonable and evolving standard of
data security. We agree with commenters that dictating a minimum set of required practices could foster
a “compliance mindset” that is at odds with the dynamic and innovative nature of data security.
718
Providers with less established data security programs may interpret such requirements as a checklist of
what is required to achieve reasonable data security, an attitude we seek to discourage. We also seek to
avoid codifying practices as the state of the art continues to rapidly evolve.
719
Our approach places the
responsibility on each provider to develop and implement data security practices that are reasonable for
its circumstances and to refine these practices over time as circumstances change.
720
Rather than mandate
what these practices must entail, we provide guidance to assist each provider in achieving reasonable data
714
See, e.g., Federal Trade Commission Act, 15 U.S.C. § 45 (FTC Act provision setting forth the “unfair or
deceptive” standard that guides FTC oversight of commercial data security practices); 42 U.S.C. § 1320d-2(d); 45
CFR §§ 164.302-164.318 (Health Insurance Portability and Accountability Act (HIPAA) “Security Rule” and
related implementing regulations); 15 U.S.C. §§ 6801-6809; 16 CFR §§ 314.1-314.5 (Gramm-Leach-Bliley Act
(GLBA) and its implementing regulations); Md. Code Ann., Com. Law § 14-3503(a); Utah Code Ann. § 13-44-201;
Fla. Stat. § 501.171(2); Cal. Civ. Code § 1798.81.5(b)-(c) (examples of state laws on data security).
715
See, e.g., 2015 FTC Security Guide for Business; Federal Communications Commission, CSRIC Best Practices,
https://www.fcc.gov/nors/outage/bestpractice/BestPractice.cfm (last visited Oct. 5, 2016).
716
See, e.g., NIST, Cybersecurity Framework, http://www.nist.gov/cyberframework.
717
See Broadband Privacy NPRM, 31 FCC Rcd at 2559-69, paras. 174-209.
718
Charter Reply at 31; see also CTIA Comments at 151; Lenard and Wallsten Comments at 36; DMA Comments at
22 (arguing that minimum requirements “would merely add additional ‘box checking’”); Cincinnati Bell Comments
at 8 (“[The Commission] should future-proof its rules by encouraging BIAS providers to keep pace with rapid
developments in the industry (i.e., act reasonably).”); ViaSat Comments at 7. But see National Consumers League
Reply at 19; CDT Sept. 29, 2016 Ex Parte at 4.
719
For example, National Consumers League recommends adoption of multi-factor authentication as a required
“minimum baseline.” National Consumers League Comments at 14-16; see also AAJ Comments at 8. Yet the
record includes discussion of a variety of techniques for robust customer authentication, not all of which would
necessarily qualify as “multi-factor” in all circumstances. See, e.g., Steven Bellovin Reply at 2 (recommending as a
customer authentication method the use of data from commercial brokers to dynamically generate “unusual”
security questions); Lorrie Faith Cranor Reply at 4 (observing that “[m]ulti-factor methods may or may not be
necessary for routine transactions” but recommending that carriers always make such methods available to their
customers); see also Consumers’ Research Comments at 21 (“Log-in preferences vary widely, so when the
Commission considers mandating a certain log-in technique, it is not listening to customers who are frustrated by
onerous authentication methods that make account management an ordeal”); Cincinnati Bell Comments at 8-9
(“Instead of forcing rigid syntax rules (e.g., requiring certain characters), which may actually provide impostors with
information as to the proper format of a valid password, ISPs should be allowed to offer flexible password strength
and security features similar to current banking industry and Government agency practices when users set up access
to their account information.”).
720
But see ITTA Comments at 23 (opposing a “one-size-fits-all” approach to data security); AT&T Comments at
79-80 (criticizing the “rigidity of the proposed rules”); ACA Comments at 23 (“The Commission’s proposed
prescriptive data security requirements would impose overwhelming costs and burdens on small providers.”).
Federal Communications Commission FCC 16-148
104
security on its own terms. Taking this approach will also allay concerns that overly prescriptive rules
would frustrate rather than improve data security.
721
249. While providers are not obligated to adopt any of the practices we suggest, we believe
that together they provide a solid foundation for data security that providers can modify and build upon as
their risks evolve and, as such, the presence and implementation of such practices will be factors we will
consider in determining, in a given case, if a provider has complied with the reasonable data security
requirement. However, these practices do not constitute a “safe harbor.” A key virtue of the flexible data
security rule we adopt today is that it permits data security practices to evolve as technology advances and
new methods and techniques for data security come to maturity. We are concerned that any fixed set of
security practices codified as a safe harbor would fail to keep pace with this evolutionary process.
722
The
availability of a safe harbor may also discourage experimentation with more innovative data security
practices and techniques. While it may be possible to construct a safe harbor “with concrete requirements
backed by vigorous enforcement”
723
that also takes the evolution of data security practices into account,
we find no guidance in the record on how to do so in a workable fashion. Accordingly, our approach is to
evaluate the reasonableness of any provider’s data security practices on a case-by-case basis under the
totality of the circumstances, taking into account the contextual factors that are part of the rule. This
approach is well-grounded in precedent
724
and will provide sufficient guidance to providers.
725
Our
721
See, e.g., CCA Comments at 41 (“CCA is concerned that if the FCC adopts its proposed specific data security
requirements, it would quell the natural progression of best practices that currently is evolving, and ultimately force
BIAS providers to prioritize compliance over an adaptable security risk-based management model that is required to
address the evolving cyber threat landscape.”) (internal quotation omitted); NCTA Reply at 55 (“[T]he specific data
security obligations proposed or considered in the Notice . . . are overly prescriptive, not calibrated to incentivize
protection for sensitive data, and inconsistent with state and federal policy.”); WTA Comments at 18 (“Small
providers do everything in their power to make sure that vulnerabilities are minimized, but they cannot be required
to dedicate precious network resources to combat a vulnerability that is not likely to be a substantial threat to the rest
of the network and other services provided to their customers.”); T-Mobile Comments at 47 (“Providers must have
the flexibility to allocate resources in accordance with the assessed risk to the provider and its customers,
particularly as technology and the threat environments evolve.”); AT&T Comments at 79 (“[T]he NPRM proposes
that companies must ‘promptly remedy any’ security concerns that [risk management] assessments identify. On its
face, this would require ISPs to address any issue identified by a security assessment, regardless of whether it is
material, regardless of cost, regardless of the sensitivity of the underlying data, and regardless of the risk of a
breach.”).
722
See, e.g., Cincinnati Bell Comments at 8 (“[The Commission] should future-proof its rules by encouraging BIAS
providers to keep pace with rapid developments in the industry (i.e., act reasonably).”); see also WTA Comments at
19 (“Nor should the Commission establish safe harbors with respect to minimum data security standards as this
could be seen by some as all that is required, rather than encouraging providers to take additional steps as
appropriate to manage their cyber risk.”). But see Hughes Oct. 14, 2016 Ex Parte at 3 (supporting adoption of a safe
harbor).
723
See FTC Staff Comments at 29.
724
See, e.g., 2015 Open Internet Order, 30 FCC Rcd at 5659-69, paras. 133-53 (setting forth the “no-unreasonable
interference/disadvantage standard” and the “factors to guide application of the rule”); see also Implementing Public
Safety Broadband Provisions of the Middle Class Tax Relief and Job Creation Act of 2012, Order, 27 FCC Rcd
9652, 9662-64, para. 25 (2012) (articulating as “guidance” several “factors [the Commission] would likely find to be
supportive of a public interest finding favorable to merit a grant” of a special temporary authorization); NCTA
Comments at 87 (“A ‘reasonableness’ standard administered on a case-by-case basis makes sense, since it provides
companies with the flexibility to adapt and innovate with regard to the manner in which they safeguard data.”);
CompTIA Comments at 2 (recommending implementation of “a case-by-case framework mirroring the FTC’s
implementation of Section 5 authority”).
725
See S
2
ERC Comments at 3 (“[L]everaging the FCC’s expertise to provide interpretive and technical guidance
could bolster consumer privacy and simplify compliance for new and smaller BIAS providers.”); T-Mobile Sept. 14,
2016 Ex Parte at 2 (“The final rule should include a reasonableness standard that can be supplemented by further
(continued….)
Federal Communications Commission FCC 16-148
105
approach to data security also mirrors the FTC’s, under which the reasonableness of an individual
company’s data security practices is assessed against a background of evolving industry guidance.
726
The
CPBR also takes a similar approach.
727
250. Engagement with Industry Best Practices and Risk Management Tools. We encourage
providers to engage with and implement up-to-date and relevant industry best practices, including
available guidance on how to manage security risks responsibly. One powerful tool that can assist
providers in this respect is the NIST CSF, which many commenters endorse as a voluntary framework for
cyber security and data security risk management.
728
We agree that proper implementation of the NIST
CSF, as part of a provider’s overall risk management, would contribute significantly to reasonable data
security, and that use of the NIST CSF can guide the implementation of specific data security practices
that are within the scope of that framework.
729
We encourage providers to consider use of the NIST CSF,
as the widespread adoption of this common framework permits the Commission to optimize its
engagement with the industry. That said, we clarify that use of the NIST CSF is voluntary, and providers
retain the option to use whatever risk management approach best fits their needs. In addition, we
encourage providers to look to guidance from the FTC,
730
as well as materials that have been issued to
guide the implementation of data security requirements under HIPAA, GLBA, and other relevant
statutory frameworks.
731
Finally, we note that a Commission multi-stakeholder advisory body, the
Communications Security, Reliability, and Interoperability Council (CSRIC), has produced a rich
repository of best practices on various aspects of communications security
732
as well as alerting the
Commission of useful activities for which Commission leadership can effectively convene stakeholders to
address industry-wide risk factors. In particular, CSRIC has developed voluntary mechanisms by which
the communications industry can address cyber risk, based upon the NIST CSF. Many providers and
(Continued from previous page)
FCC guidance as to what constitutes ‘reasonable security,’ and that can evolve with changing technology and threat
environments.”).
726
See, e.g., FTC Security Guide for Business at 1 (“Distilling the facts of [more than fifty FTC data security
enforcement actions] down to their essence, here are ten lessons to learn that touch on vulnerabilities that could
affect your company, along with practical guidance on how to reduce the risks they pose.”).
727
See 2015 Administration CPBR Discussion Draft at § 105.
728
See, e.g., CenturyLink Comments at 37-38; Charter Reply at 31; NCTA Reply at 57; see also FTC Staff
Guidance on NIST CSF (“[A]s the FTC’s enforcement actions show, companies could have better protected
consumers’ information if they had followed fundamental security practices like those highlighted in the [NIST
CSF].”).
729
See, e.g., Access Now Comments at 11 (“[A]ccess controls, authentication safeguards, and notification and
patching systems are all considerations in the NIST Framework.”).
730
See, e.g., Ohlhausen Comments at 1 (“We [i.e., the FTC] conduct extensive consumer and business outreach and
guidance; coordinate workshops to foster discussions about emerging privacy and data security issues; coordinate on
international privacy efforts; and advocate public policies that protect privacy, enhance data security, and improve
consumer welfare.”); see also 2015 FTC Security Guide for Business. This document imparts “lessons learned from
the more than 50 law enforcement actions [regarding data security] the FTC has announced so far.” Id. at 1.
731
See, e.g., National Institute for Standards and Technology, An Introductory Resource Guide for Implementing the
Health Insurance Portability And Accountability Act (HIPAA) Security Rule at 15-17 (2008),
http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf (NIST guidance
for HIPAA Security Rule risk analyses).
732
See FCC, CSRIC Best Practices, https://www.fcc.gov/nors/outage/bestpractice/BestPractice.cfm.
Federal Communications Commission FCC 16-148
106
industry associations that have participated in this proceeding are active contributors to the CSRIC’s
work.
733
We encourage providers to consider implementation of the CSRIC best practices as appropriate.
251. Strong Accountability and Oversight. Strong accountability and oversight mechanisms
are another factor we consider exemplary of reasonable data security. As an initial matter, we agree with
the FTC that the development of a written comprehensive data security program is a practice that is a best
practice in promoting reasonable data security. As the FTC explains, putting a data security program in
writing can “permit internal and external auditors to measure the effectiveness of the program and provide
for continuity as staff members leave and join the team.”
734
A written security program can also reinforce
the specific practices a provider implements to achieve reasonable data security.
252. A second accountability mechanism that helps a company engage in reasonable data
security is the designation of a senior management official or officials with personal responsibility over
and accountability for the implementation and maintenance of the provider’s data security practices as
well as an official responsible for its privacy practices.
735
Companies that take this step are advised to
couple designation of corporate privacy and security roles and responsibilities with effective interaction
with Boards of Directors (or, for firms without formal Board oversight, such other structure governing the
firm’s risk management and oversight), to provide a mechanism for including cyber risk reduction
expense within overall risk management plans and resource allocations. That said, we do not specify the
qualifications or status that such an official would need to possess, and we recognize that for a smaller
provider these responsibilities may rest with someone who performs multiple functions or may be
outsourced.
736
Another practice that is indicative of reasonable data security is training employees and
contractors on the proper handling of customer PI.
737
Employee training is a longstanding component of
data security under the Commission’s existing rules.
738
We encourage providers to seek out expert
guidance and best practices on the design and implementation of efficacious training programs.
739
Finally, accountability and oversight are also relevant in the context of sharing customer PI with third
parties. We agree with commenters that providers must take reasonable steps to promote the safe
handling of customer PI they share with third parties.
740
Perhaps the most straightforward means of
achieving this accountability is to obtain data security commitments from the third party as a condition of
the disclosure.
741
We also remind providers that they are directly accountable for the acts and omissions
733
See FCC, CSRIC, Membership List,
https://transition.fcc.gov/bureaus/pshs/advisory/csric4/CSRIC_Membership_03_17_15.pdf (CSRIC membership as
of March 17, 2015); see also CenturyLink Comments at 10-11; NTCA Sept. 16, 2016 Ex Parte at 2.
734
FTC Staff Comments at 28.
735
See Access Now Comments at 12 (“Digital rights like privacy and freedom of expression are material issues that
require board-level oversight in information and communication technology companies.”); National Consumers
League Comments at 18-19.
736
See, e.g., WTA Aug. 22, 2016 Ex Parte at 3; RWA Comments at 12.
737
See NTCA Comments at 62; Sprint Comments at 19; Greenlining Institute Comments at 47; American
Association of Law Libraries Comments at 4; National Consumers League Comments at 17-18.
738
See 1998 CPNI Order, 13 FCC Rcd at 8198, para. 198; see also 47 CFR § 64.2009(b).
739
See, e.g., International Association of Privacy Professionals Reply at 3-5 (“More than 10,000 IAPP members
have already been certified under the association’s various bodies of knowledge” such as the Certified Information
Privacy Professional (CIPP) program, Certified Information Privacy Manager (CIPM) program, and Certified
Information Privacy Technologist (CIPT) program, which are “accredited by the American National Standards
Institute (ANSI) under the International Organization for Standardization’s (ISO) standard 17024: 2012 . . .”).
740
See Greenlining Institute Comments at 45-47; Electronic Frontier Foundation Comments at 16; American
Association of Law Libraries Comments at 5; AAJ Comments at 7-8; Access Humboldt et al. Comments at 5. Third
party recipients of customer PI may also be subject to FTC jurisdiction. But see S
2
ERC Comments at 14-15.
741
See National Consumers League Comments at 21; EFF Comments at 16.
Federal Communications Commission FCC 16-148
107
of their agents, including independent contractors, for the entirety of the data lifecycle. This means that
the acts and omissions of agents will be taken into account in assessing whether a provider has engaged in
reasonable data security practices.
742
253. Robust Customer Authentication. The strength of a provider’s customer authentication
practices also is probative of reasonable data security. We have recognized that there is no single
approach to customer authentication that is appropriate in all cases, and authentication techniques and
practices are constantly evolving.
743
That said, the record documents some discernable trends in this area
that we would currently expect providers to take into account.
744
For instance, we encourage providers to
consider stronger alternatives to relying on rudimentary forms of authentication like customer-generated
passwords or static security questions.
745
Providers may also consider the use of heightened
authentication procedures for any disclosure that would place a customer at serious risk of harm if the
disclosure were improperly made.
746
In addition, we encourage providers to periodically reassess the
efficacy of their authentication practices and consider possible improvements.
747
Another practice we
encourage providers to consider is to notify customers of account changes and attempted account
changes. These notifications provide a valuable tool for customers to monitor their own accounts’
security.
748
Providers that implement them should consider the potential for “notice fatigue” in
determining how often and under what circumstances these notifications are sent.
254. Other Practices. The record identifies other practices that we encourage providers to
consider when implementing reasonable security measures. For instance, several commenters cite the
importance of “data minimization,” which involves thinking carefully about what data to collect, how
long to retain it, and how to dispose of it securely.
749
The principle of data minimization is also embodied
in FTC guidance,
750
in the CPBR,
751
and in the Satellite and Cable Privacy Acts.
752
We encourage
742
See 47 U.S.C. § 217; Long Distance Direct, Inc., Apparent Liability for Forfeiture, 15 FCC Rcd 3297, 3300,
para. 9 (2000) (clarifying that Section 217 imposes liability for acts of independent contractors).
743
See Broadband Privacy NPRM, 31 FCC Rcd at 2564, para. 193.
744
See Lorrie Faith Cranor Reply at 3-6; Steven Bellovin Reply at 1-2; National Consumers League Comments at
14-16.
745
See Lorrie Faith Cranor Reply at 4 (suggesting that multi-factor authentication methods “should always be
offered to customers who want to use them”); Steven Bellovin Reply at 1 (describing the use of smart-phone apps,
commercial data brokers, and written requests as alternate authentication methods); S
2
ERC Comments at 15 (“[O]ne
mechanism for improving customer authentication processes might be eliminating the usage of certain identifiers . . .
. such as Social Security Number and mother’s maiden name.”); Mozilla Comments at 7; National Consumers
League Comments at 14-15; Paul Vixie Comments at 26-31.
746
See Lorrie Faith Cranor Reply at 4 (“[Providers] should establish authentication procedures that are not unduly
burdensome to their customers performing routine transactions, but that may require extra steps in higher-risk
situations (for example when a mobile customer requests an account change but claims to have lost their phone).”).
747
See Lorrie Faith Cranor Reply at 4 (“Due to changing technology and differences in the ways BIAS providers
interact with their customers, I recommend allowing providers some flexibility in establishing authentication
procedures informed by periodic risk assessments and updated to respond to the changing technology and security
landscape.”); Cf. National Consumers League Comments at 15 (advocating for an FCC advisory council to regularly
assess the efficacy of multi-factor authentication methods and recommend updates).
748
See Lorrie Faith Cranor Reply at 6 (“[Account change notification] is a currently implemented best practice and
makes sense to continue.”).
749
See, e.g., EPIC Comments at 24; EFF Comments at 6-7; Mozilla Comments at 7.
750
See 2015 FTC Guide for Business at 2 (advising businesses not to “collect personal information you don’t need,”
and to “[h]old on to information only as long as you have a legitimate business need”).
751
See 2015 Administration CPBR Discussion Draft at § 104.
Federal Communications Commission FCC 16-148
108
providers to look specifically to the FTC’s “Disposal Rule” for guidance on the safe destruction and
disposal of customer PI.
753
We also encourage providers to consider data minimization practices that
apply for the entirety of the data lifecycle, from collection to deletion. In addition, several commenters
recommend strong data encryption,
754
another practice that the FTC advises companies to consider.
755
We
agree with commenters that technologically sound data encryption can significantly improve data
security, in part by minimizing the consequences of a breach.
756
Finally, we believe that the lawful
exchange of information regarding cyber incidents and threats is relevant to promoting data security, and
encourage providers to consider engagement in established information sharing practices.
255. The exemplary practices discussed above are not an exhaustive list of reasonable data
security practices. A provider that implements each of these practices may still fall short of its data
security obligation if there remain unreasonable defects in its protection of the confidentiality of customer
PI. Conversely, a provider may satisfy the rule without implementing each of the listed practices. The
key question is whether a provider has taken reasonable measures to secure customer PI, based on the
totality of the circumstances. In taking this approach, we acknowledge that the adoption of more
prescriptive, bright-line requirements could offer providers greater certainty as to what reasonable data
security requires. Yet virtually all providers that have addressed the issue—including small providers and
their associations—oppose such requirements.
757
Rather, these providers prefer the approach we have
taken in this Report and Order, i.e., the adoption of a “reasonableness” standard that mirrors the FTC’s.
758
Also like the FTC, we have provided the industry with guidance on how to achieve reasonable data
security in compliance with our rule. We anticipate building upon this guidance over time as data
security practices evolve and with them the concept of reasonable data security.
3. Extension of the Data Security Rule to Cover Voice Services
256. In light of the record, we conclude that harmonization of the data security requirements
that apply to BIAS and other telecommunications services is the best option for providers and consumers
alike. Accordingly, we extend to voice services the data security rule we have adopted for BIAS.
759
This
data security rule replaces the more inflexible data security requirements presently codified in Part 64 of
the rules.
760
257. There are many reasons to harmonize the data security requirements that apply to BIAS
and voice services. As an initial matter, many providers offer services of both kinds and often sell them
together in bundled packages.
761
We agree with commenters that argue that applying different security
requirements to the two kinds of services may confuse customers and add unnecessary complexity to
(Continued from previous page)
752
See 47 U.S.C. §§ 551(e), 338(i)(6) (“Destruction of information”).
753
See 16 CFR § 682.3(a); see also FTC Staff Comments at 28-29 (discussing the Disposal Rule). There are also
state laws on data disposal that may provide additional guidance. E.g., Ark. Code Ann. § 4-110-104(a); Kan. Stat.
Ann. § 50-7a03; N.J. Stat. Ann. § 56:8-162.
754
See EPIC Comments at 23; OTI Comments at 41; Paul Vixie Comments at 31; WTA Comments at 20-21.
755
See 2015 FTC Guide for Business at 6-7.
756
See infra para. 269.
757
See, e.g., ACA Comments at 23-28; WISPA Comments at 31; CCA Comments at 38; CTIA Comments at 154-
56; NCTA Comments at 87-89.
758
See, e.g., CTIA Comments at 155-56 (“Rather than imposing the prescriptive regulation proposed in the NPRM,
the Commission should consider a flexible reasonableness standard for data security, akin to the FTC model.”).
759
See supra note 68.
760
See supra note 659.
761
See, e.g., Broadband Privacy NPRM, 31 FCC Rcd at 2536-37, n.181.
Federal Communications Commission FCC 16-148
109
providers’ data security operations, which may be particularly burdensome for smaller providers.
762
In
addition, the evidence suggests that the data security requirements of the existing rules no longer provide
the best fit with the present and anticipated communications environment. For instance, expert
commentary on the topic of robust customer authentication indicates that this is a complex area where
providers need flexibility to adapt their practices to new threats.
763
The highly specific procedures
outlined in the existing voice rules are incongruous with this approach to customer authentication.
764
258. Moreover, retaining the prescriptive data security rules that apply to voice services could
impede the development and implementation of more innovative data security measures for BIAS.
Providers subject to both sets of rules may determine that the easiest and most cost-effective path to
compliance is to adopt for both services the more rigid data security practices that the voice rules
require.
765
Such an outcome would contravene our intent to establish a robust and flexible standard for
BIAS data security that evolves over time.
259. Accordingly, we find that the best course is to replace the data security rules that
currently govern voice services with the more flexible standard we are adopting for BIAS. We find that
the rule as written is sufficiently broad to cover BIAS and other telecommunications services. We also
clarify that the exemplary practices we discuss above may be implemented differently depending on the
services an entity provides. For instance, data security best practices that pertain specifically to
broadband networks or services may or may not be relevant in the context of providing voice services.
260. In harmonizing the data security rules for voice services and BIAS, we acknowledge that
voice providers have operated for many years under the existing rules and have tailored their data security
practices accordingly. We do not expect any provider to revamp its data security practices overnight. On
the contrary, as explained below, we are adopting an implementation schedule that affords providers
ample time to bring their practices into compliance with the new rules.
766
F. Data Breach Notification Requirements
261. In this section we adopt rules requiring BIAS providers and other telecommunications
carriers to notify affected customers, the Commission, the FBI, and the Secret Service of data breaches
unless the provider reasonably determines that no harm to customers is reasonably likely to occur.
767
For
purposes of these rules, we define a breach as any instance in which a person, without authorization or
exceeding authorization, has gained access to, used, or disclosed customer proprietary information. The
record clearly demonstrates that data breach notification plays a critical role in protecting the
confidentiality of customer PI. An obligation to notify customers and law enforcement agencies when
762
See ACA Comments at 57-58; RWA Comments at 10-12.
763
See generally Lorrie Faith Cranor Reply at 1 (outlining “how authentication requirements may address the
growing problem of mobile phone account hijacking and related fraud”); Steven Bellovin Reply; see also ACA
Comments at 53 (characterizing the voice authentication rules as “[o]verly prescriptive”); Letter From Catherine M.
Hilke, Assistant General Counsel, Verizon, to Marlene Dortch, Secretary, FCC at 1 (filed Sept. 23, 2016) (Verizon
Sept. 23, 2016 Ex Parte) (“Harmonization also would provide the Commission with the opportunity to update its
existing but outdated voice rules, including those related to authentication that may inhibit providers from taking
advantage of new, more secure technologies.”).
764
The rules specify authentication procedures for different kinds of customer interactions: in person, over the
telephone, and online. See 47 CFR § 64.2010(b)-(d). Authentication online or during a customer-initiated telephone
call requires the use of a password. See id. at § 64.2010(b), (c).
765
See, e.g., WTA Comments at 19 (discussing the costs that would accrue to smaller providers in complying with
“multiple regulatory regimes”).
766
See infra Part III.I.
767
The data breach notification requirements adopted in this Report and Order extend to breaches involving a
carrier’s vendors and contractors. See 47 U.S.C. § 217.
Federal Communications Commission FCC 16-148
110
customer data is improperly accessed, used, or disclosed incentivizes carriers to adopt strong data security
practices.
768
Breach notifications also empower customers to protect themselves against further harms,
help the Commission identify and confront systemic network vulnerabilities, and assist law enforcement
agencies with criminal investigations. At the same time, unnecessary notification can cause notice
fatigue, erosion of consumer confidence in the communications they receive from their provider, and
inflated compliance costs. The approach we adopt today finds broad support in the record and will
maximize the benefits of breach notification as a consumer protection and public safety measure while
avoiding unnecessary burdens on providers and their customers. Furthermore, our approach is consistent
with how federal law enforcement agencies, such as the FBI and Secret Service, conduct and coordinate
data breach investigations.
262. First, we address the circumstances that will obligate BIAS providers and other
telecommunications carriers to notify the Commission, federal law enforcement agencies, and customers
of data breaches.
769
This includes a discussion of two related elements adopted today: the harm-based
notification trigger and the updated definition for “breach.” We then address the requirements that BIAS
providers and other telecommunications carriers must follow for providing notice to the Commission and
other federal law enforcement. Next, we describe the specific notification requirements that BIAS
providers and other telecommunications carriers must follow in providing data breach notifications to
customers, including: the required timing for sending notification; the necessary contents of the
notification; and the permissible methods of notification. We then discuss the data breach record
retention requirements. Finally, we explain our decision to adopt rules that harmonize data breach
requirements for BIAS providers and other telecommunications carriers.
1. Harm-Based Notification Trigger
263. We require breach notification unless a carrier can reasonably determine that no harm to
customers is reasonably likely to occur as a result of the breach. We do so to enable customers to receive
the data breach notifications that they need to take steps to protect themselves, and to provide the
Commission, the FBI, and Secret Service with the information they need to evaluate the efficacy of data
security rules as well as detect systemic threats and vulnerabilities. In the NPRM we sought comment on
what should trigger data breach notification, and based on the record, we conclude that the trigger most
suitable for our purposes is one based on the potential for customer harm.
770
Among its many benefits,
this harm-based trigger will avoid burdening providers and customers alike with excessive notifications,
and it will allow providers the flexibility to focus limited resources on data security and ameliorating
customer harms resulting from data breaches rather than on notifications that have minimal benefit to
customers.
771
The record reflects various harms inherent in unnecessary notification, including notice
fatigue,
772
erosion of consumer confidence in the communications they receive from their provider,
773
and
768
See, e.g., Access Now Comments at 12.
769
We note that these obligations are not mutually exclusive with other data breach notification obligations
stemming from other state, local, or federal laws, or contractual obligations. See Part III.J.
770
See, e.g., Lenard and Wallsten Paper at 28; FBI/Secret Service Reply at 3-4; CenturyLink Comments at 41-42;
CTIA Comments at 176; Comcast Comments at 61-62; AT&T Comments at 80-81; INCOMPAS Comments at 16;
Letter from Jacquelyne Flemming, AT&T, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 1
(filed July 28, 2016) (AT&T July 28, 2016 Ex Parte).
771
See, e.g., XO Communications Comments at 6 (explaining that data breach notifications based on customer harm
increases the likelihood that the consumer will be motivated to read the notice and take appropriate action, such as
monitoring relevant accounts, to prevent and mitigate potential harm, including identity or financial theft”);
INCOMPAS Comments at 16 (arguing that without an intent or harm standard, customers will not understand the
potential impact of breaches in the notification they receive); AT&T Comments at 81 (asserting that over-reporting
will distract attention from genuine data security).
772
See, e.g., XO Communications Comments at 9-10 (asserting that consumers and other notification recipients
will so regularly receive such notices that they will inevitably stop reading them because it will become impossible
(continued….)
Federal Communications Commission FCC 16-148
111
compliance costs.
774
The harm-based notification trigger we adopt addresses these concerns, by limiting
the overall volume of notifications sent to customers and eliminating correspondence that provides
minimal or no customer benefit.
264. Our harm-based trigger has a strong basis in existing state data breach notification
frameworks.
775
The triggers employed in these laws vary from state to state, but in general they permit
covered entities to avoid notifying customers of breaches where the entity makes some determination that
the breach will not or is unlikely to cause harm.
776
Likewise, the FTC supports an approach that requires
notice unless a company can establish that there is no reasonable likelihood of economic, physical, or
other substantial harm.
777
Our rule similarly requires the carrier to reasonably determine that no harm to
(Continued from previous page)
to discern which notices involve a true threat to their identity or finances, from those that pose effectively no risk.”);
CompTIA Comments at 4; ICC Comments at 15; State Privacy and Security Coalition Comments at 4-5; AT&T
Comments at 81; Comcast Comments at 62-63 (“If customers receive such meaningless breach notifications, they
are more likely to disregard the notifications that are meaningfulnot only from their ISP, but generally.”).
773
See, e.g., CenturyLink Comments at 41 (asserting that “[o]ver-notification would also impose substantial
disruptions on the consumer-BIAS provider relationship” and that the “harm to public perception and brand value of
the BIAS provider that would result is both unnecessary and unfair and could even, in some cases, lead consumers
to opt out of broadband use entirely.”); WISPA Comments at 20 (“Consumers should not be overwhelmed with
inconsequential notices that potentially create unwarranted distrust of its providers.”); INCOMPAS Comments at
16; T-Mobile Comments at 51-52 (“Notifications involving breaches that pose no harm which cannot offer the
consumer any meaningful steps to take in response serve only to confuse customers and corrode faith in providers’
practices based on misconceptions as to the consequences of a purported ‘breach.’”); Verizon Comments at 69
(“[T]he provider responsible for these excessive breach notifications will risk losing the customer’s trust for no good
reason: for sending notifications when there has been no harm (or even risk of harm) to the customer’s privacy
interests.”).
774
See, e.g., ACA Comments at 35 (“Moreover, the costs of providing notifications and associated breach costs are
sky highone recent estimate was well over $130 per person.” citing Richard Kissel, Hyunjeong Moon, U.S. Dep’t
of Commerce, Draft NISTIR 7621 Revision 1, Small Business Information Security: The Fundamentals 2 (2014));
State Privacy and Security Coalition Comments at 8-9 (“[B]reach notice incidents are expensive. The average cost
per record of a data breach including both out of pocket costs and harm to good will currently exceeds $200 per
record.” citing Ponemon Institute, 2015 Cost of Data Breach Study: Global Analysis (2015), available at
https://nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF); CTIA Comments at
175 (asserting that reporting of minor non-harmful breaches is costly to ISPs and of no use to consumers).
775
See generally Nat’l Conference of State Legislatures, Security Breach Notification Laws; see also Jill Joerling,
Data Breach Notification Laws: An argument For a Comprehensive Federal Law to Protect Consumer Data, 32
Wash. U. J. L. & Pol’y 467 (2010).
776
For example, Connecticut does not require entities to disclose a breach if an investigation determines that no
harm is likely. See Conn. Gen. Stat. § 36a-701b(b)(1); see also Ark. Code § 4-110-105(d) (notice not required if no
reasonable likelihood of harm); Fla. Stat. § 501.171(6)(b) (notice not required if reasonably determined that breach
has not and will not likely result in identity theft or any other financial harm); Iowa Code § 715C.2(6) (no notice
required if no reasonable likelihood of financial harm has resulted or will result from the breach); Or. Rev. Stat. §
646A.602(1)(a) (no notice required if no reasonable likelihood of harm has resulted or will result from the breach);
N.J. Stat. Ann. § 56:8-163(a) (notice not required if determined that misuse of the information is not reasonably
possible); see also State Privacy and Security Coalition Comments at 13(“A large majority of state breach notice
laws (41 out of 47) contain a ‘harm trigger’ to distinguish between these circumstances and to avoid over-
notification.”).
777
Discussion Draft of H.R._, Data Security and Breach Notification Act of 2015 Before the Subcomm. on
Commerce, Manufacturing, and Trade of the H. Comm. On Energy and Commerce, 114th Cong. 15 (2015),
http://docs.house.gov/meetings/IF/IF17/20150318/103175/HHRG-114-IF17-Wstate-RichJ-20150318.pdf, (prepared
statement of Jessica Rich, Dir. of the Bureau of Consumer Prot., Fed. Trade Commn); see also Letter from James
J.R. Talbot, AT&T, to Marlene H. Dortch, Secretary, FCC, WC Docket N0. 16-106, at 2 (filed Aug. 23, 2016)
(continued….)
Federal Communications Commission FCC 16-148
112
customers is reasonably likely to occur. As such, we disagree with commenters arguing that standards
based on determinations of harm leave consumers more vulnerable to that harm.
778
On the contrary, the
record, and the many state laws addressing data breach notifications, demonstrate that providers have
ample experience determining a likelihood of harm.
779
Additionally, the reasonableness standard that
applies to both the carrier’s evaluation and the likelihood of harm adds an objective component to these
determinations.
265. Further, the harm-based trigger places the burden on a carrier that detects a breach to
reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach.
This responds to concerns such as AAJ’s that it is “frequently impossible” for a carrier to immediately
discern the full scope and ramifications of a breach.
780
Our harm-based trigger does not relieve a carrier
of its notification obligation simply by virtue of its failure or inability to ascertain the harmful effects of a
breach. Rather, carriers must take the investigative steps necessary to reach a reasonable determination
that no such harm is reasonably likely. Where a carrier’s investigation of a breach leaves it uncertain
whether a breach may have resulted in customer harm, the obligation to notify remains. By contrast,
requiring customer notification only when a provider determines the presence of some risk of harm would
create perverse incentives not to carefully investigate breaches.
781
266. In adopting a harm-based trigger, we clarify that its scope is not limited to “easily
recognized financial harm.”
782
In the NPRM, we acknowledged that “harm” is a concept that can be
broadly construed to encompass “financial, physical, and emotional harm.”
783
We conclude that the same
construction of harm is appropriate for our final breach notification rule. This decision is consistent with
the fundamental premise of this proceeding that customer privacy is about more than protection from
economic harm. The record demonstrates that commenters’ privacy concerns stem from more than just
avoiding financial harms.
784
As such, we disagree with commenters who assert that financial loss or
identity theft should be the primary metrics for determining the level of harm or whether harm exists at
(Continued from previous page)
(AT&T Aug. 23, 2016 Ex Parte) (asserting that “the Commission should reduce excessive reporting by adopting the
approach taken by many states of not requiring notification where a provider determines that there is no reasonable
likelihood of harm to any customer resulting from the breach).
778
See, e.g., AAJ Comments at 7.
779
See supra note 776.
780
See AAJ Comments at 7.
781
Some comments could be construed as supporting a standard of this kind. See, e.g., CTIA Comments at 176
(“The Commission should require notification only if a breach causes harm or is likely to cause harm.”).
782
See Access Now Comments at 13 (“There are standard practices for response to breaches involving data such as
credit card information or social security numbers. However, there is no standard practice for breaches that involve
PII that cannot easily be tied to financial harm, such as personal photos. Stronger responses to a broader array of
breaches would increase user trust in BIAS providers.”).
783
See Broadband Privacy NPRM, 31 FCC Rcd at 2575-76, para. 237 n.373 (citing Rules and Regulations
Implementing the Truth in Caller ID Act of 2009, Report and Order, 26 FCC Rcd 9114, 9122, para. 22 (2011)
(agreeing that the term “‘harm’ is a broad concept that encompasses financial, physical, and emotional harm”)).
784
Privacy Rights Clearinghouse Comments at 6 (“Privacy harms are broad and nuanced, and breach victims often
suffer or are at risk of suffering harms that can’t be qualified as financial or economic in nature.”); LGBT
Technology Partnership Comments at 1-2 (“All around the country, LGBT people still face signification
discrimination including bullying, rejection by families, loss of employment and even the possibility of physical
harm simply for their LGBT identity . . . For this reason, LGBT individuals are fiercely protective of their privacy
and may face drastic consequences if that privacy is breached.”); see also TRUSTe & Nat’l Cyber Sec. Alliance,
U.S. Consumer Privacy Index 2016, available at https://staysafeonline.org/download/datasets/17482/DPD[4].pdf.
(showing that 68 percent of consumers were more concerned about not knowing how personal information was
collected online than losing their principal income) (Consumer Privacy Index 2016).
Federal Communications Commission FCC 16-148
113
all.
785
Some commenters have called “for the FCC to help determine how organizations can better
respond to breaches in which personal, non-financial data is breached.”
786
We find that within the
meaning of Section 222(a), threats to the “confidentiality” of customer PI include not only identity theft
or financial loss but also reputational damage, personal embarrassment, or loss of control over the
exposure of intimate personal details.
787
267. Relatedly, we establish a rebuttable presumption that any breach involving sensitive
customer PI presumptively poses a reasonable likelihood of customer harm and would therefore require
customer notification. This rebuttable presumption finds a strong basis in the record.
788
Even
commenters that favor minimal breach reporting generally concede that customers are entitled to
notification when their most sensitive information is misused or disclosed.
789
The presumption also aligns
with our decision to base the level of customer approval required for use or disclosure of customer PI on
whether the PI is sensitive in nature. As we explain above, this distinction upholds the widespread
expectation that customers should be able to maintain particularly close control over their most sensitive
personal data.
790
While breaches of sensitive customer PI often present severe risks of concrete economic
harm,
791
there is a more fundamental harm that comes from the loss of control over information the
customer reasonably expects to be treated as sensitive.
268. We also find that our employing a harm-based trigger will substantially reduce the
burdens of smaller providers in reporting breaches of customer PI.
792
We agree with commenters stating
that a frameworksuch as oursthat allows providers to assess the likelihood of harm to their customers
will ultimately be less costly and “will not overburden small providers.”
793
The record indicates that
smaller providers tend to collect and use customer data, including sensitive information, far less
785
See, e.g., DMA Comments at 28; ANA Comments at 31; ITI Comments at 11; WISPA Comments at 20-22; ACA
Comments at 36-37.
786
Access Now Comments at 2 (Nathan White); see also 2012 FTC Privacy Report at 7-9; 2015 Administration
CPBR Discussion Draft, at § 4(g) (defining “privacy risk” as “the potential for personal data, on its own or when
linked to other information about an individual, to cause emotional distress, or physical, financial, professional, or
other harm to an individual.”).
787
See, e.g., Access Now Comments at 13.
788
Cf. XO Communications Comments at 8-9 (asserting that breach notification should be sensitivity-based); State
Privacy and Security Coalition Comments at 13 (“Harm exists where the unauthorized acquisition creates a material
or significant risk of identity theft, fraud, or in some cases, breach of very sensitive personal information such as
private medical data . . .”); CenturyLink Comments at 16 (Consumers expect that their sensitive information will be
treated differently than information that is not sensitive, such as information that is readily and publicly available
and thus poses no risk of identity theft or consumer harm.”); AT&T July 28, 2016 Ex Parte at 1.
789
See, e.g., CTIA Comments at 96-97 (asserting that “any privacy rules that the Commission promulgates should
protect data based on their sensitivity”); CenturyLink Comments at 16.
790
See supra Part III.D.
791
See, e.g., FBI/Secret Service Reply at 3 (explaining that information about customers can be exploited by
criminal groups to steal the identities of these customer or to target them for other criminal purposes, such as to
implant malicious software on their devices, to extort money from them by encrypting devices, to compromise other
online account the customer maintains, or to make them the target of any number of fraudulent schemes).
792
See, e.g., WTA Comments at 8-9, 17 (raising concerns about the impact on smaller providers of providing
multiple notices).
793
ACA Comments at 41-42 (arguing for the superiority of a data breach notification rule that provides a “safety
valve for good faith disclosures so that small providers can avoid counterproductive strict liability enforcement
actions associated with inflexible and overly prescriptive regimes.”).
Federal Communications Commission FCC 16-148
114
extensively than larger providers.
794
More modest collection and usage of customer PI leaves a provider
less prone to breaches that would trigger a data breach notification obligation under our rule.
269. Finally, we clarify that our harm-based notification trigger applies to breaches of data in
an encrypted form. Whether a breach of encrypted data presents a reasonable likelihood of harm will
depend in significant part on the likelihood that unauthorized third parties reasonably would be expected
to be able to decrypt the data.
795
Factors that make decryption more or less likely are therefore relevant in
determining whether a reasonable likelihood of customer harm is present in such instances. These factors
may include the quality of the encryption and whether third parties can access the encryption key.
Ultimately, a provider must notify affected customers if it cannot reasonably determine that a breach
poses no reasonable likelihood of harm, regardless of whether the breached data is encrypted.
270. With our adoption of a harm-based trigger, we have removed the need for a separate
trigger based on intent. Thus, for purposes of these rules, we adopt the definition of breach that we
proposed in the NPRM and define a breach as any instance in which a person, without authorization or
exceeding authorization, has gained access to, used, or disclosed customer proprietary information. This
definition is broader than the definition in our existing rules, which includes an intent element, and only
applies to breaches of CPNI, in recognition that the record indicates that the relevant factor for breach
reporting is not intent, but effect on the customer.
796
271. We agree with other commenters that inadvertent breaches can be just as severe and
harmful for consumers as intentional breaches,
797
and consumers are likely to care about serious breaches
even when they occur by accident or mistake.
798
Moreover, whether or not a breach was intentional may
not always be immediately apparent.
799
By defining breach to include unintentional access, use, or
disclosure we ensure that in the event of a breach the provider has an incentive to investigate the cause
and effect of the breach, and the opportunity to respond appropriately. Some commenters recommend
that the definition of breach include an intent element to avoid equating inadvertent disclosure of
customer PI to an employee or contractor of a provider with intentional hacking of customer records.
800
794
See, e.g., WTA Aug. 22, 2016 Ex Parte at 1 (explaining that its small rural local exchange carrier members
typically either refrain entirely from any use of CPNI for marketing purposes or alternatively providing customers
the option to opt-out of marketing upon signing up for service, and that any sharing of information typically occurs
“solely between the RLEC and its affiliates that provide services to their customers or third-parties that provide
services related to the provision of telecommunications services, including but not limited to billing, help-desk
representatives, and installation contractors”).
795
It also will depend on, among other things, the scope and magnitude of potential harm if the data were
unencrypted.
796
See, e.g., OTI Comments at 33 (“Customer proprietary information, such as financial details included in
applications for Lifeline service, can include highly sensitive information that must be adequately protected.”);
American Association for Justice Comments at 7; OTI Comments at 29; Access Now Comments at 13; AT&T
Comments at 85.
797
See American Association for Justice Comments at 7; OTI Comments at 29, 30-31 (“[C]onsumers may need to
take action to protect themselves against inadvertent breaches of private information, which could harm consumers
just as much as intentional breaches.”).
798
American Association for Justice Comments at 7 (“Whether a data breach was intentional or inadvertent has no
bearing on the severity of the breach or the amount of information that is compromised.”); Access Now Comments
at 12; see also Online Trust Alliance Comments at 4
799
See Paul Vixie Comments at 11 (“It is not always easyor even possibleto determine what an intruder has
accessed when a computer is breached.”); see also OTI Comments at 29-30 (explaining that if an accidental breach
is discovered, there is a possibility that a malicious breach took place as well).
800
See, e.g., XO Comments at 10-11; NTCA Comments at 34; WTA Comments at 8; CTIA Comments at 11.
Federal Communications Commission FCC 16-148
115
The adoption of a harm-based triggerin lieu of a trigger based on intentcreates a consistent obligation
to report breaches that may harm consumers, regardless of the source or cause of the breach.
272. Commenters also argue that including an intent element in the definition of breach would
prevent excessive data breach notifications.
801
Commenters making this argument raise the prospect of a
flood of notifications for breaches that have no impact on the consumer, including such good-faith errors
as an employee inadvertently accessing the wrong database.
802
We share their general concern about the
risk of over-notificationit is costly to providers, without corresponding benefit to consumers, and can
lead to notice fatigue and possibly consumer de-sensitization. However, in this context the argument is
misplaced. Identifying a data breach is only the first step towards determining whether data breach
notification is necessary. The harm-based trigger that we adopt today relieves a provider from notifying
its customers and government agencies of breaches that result from minor mistakes that create no risk of
harm to the affected customers. Based on this analysis, we find eliminating the word “intentionally” from
our breach definition equally warranted for all telecommunications carriers.
273. Our adoption of a harm-based trigger also addresses concerns about the breadth of our
breach definition. For example our definition includes incidents where a person gains unauthorized
access to customer PI but makes no further use of the data.
803
We agree with AAJ that we must account
for the difficulties a provider faces in determining when “access translates to acquisition and when
acquisition leads to misuse.”
804
Our rule appropriately requires providers to issue notifications in cases
where a provider is unable to determine the full scope and impact of a breach. However, the definition of
breach does not create an obligation to notify customers of an unauthorized gain of accesssuch as an
employee opening the wrong fileonce the provider reasonably determines that no harm is reasonably
likely to occur. This accords with AT&T, which explains that “not requiring notification where a
provider determines that there is no reasonable likelihood of harm to any customer resulting from the
breach” will “reduce excessive reporting.”
805
274. Similarly, our harm-based trigger allays the concern that extending breach notification
obligations beyond CPNI to customer PI more broadly would vastly expand the range of scenarios where
notification is required.
806
This concern is largely premised on the assumption that we would require
customer notification of all breaches of customer PI, regardless of the severity of the breach or the
sensitivity of the PI at issue. As explained above, we have instead adopted a more targeted obligation that
takes into account the potential for customer harm. In addition, we observe that many, if not all, state
data breach notification requirements explicitly include sensitive categories of PII within their scope.
807
801
See, e.g., INCOMPAS Comments at 15-16; ITTA Comments at 23; CompTIA Comments at 4; WTA Comments
at 8-9; Internet Commerce Coalition Comments at 15; State Privacy and Security Coalition Comments at 17; CTIA
Comments at 177-78.
802
See, e.g., WTA Comments at 8-9; T-Mobile Comments at 51; State Privacy and Security Coalition Comments at
17.
803
We note that this aspect of our definition of “breach” is consistent with our prior definition. See 2007 CPNI
Order, 22 FCC Rcd at 6978.
804
American Association for Justice Comments at 7.
805
AT&T Aug. 23, 2016 Ex Parte at 2.
806
ACA Comments at 35; AT&T Comments at 78; CTIA Comments at 175.
807
See, e.g., Alaska Stat. § 45.48.090(7); Haw. Rev. Stat. §487N-1; Mass. Gen. Laws ch. 93H § 1(a) (financial
account/credit or debit number can be with or without required access codes or passwords) (emphasis added); Minn.
Stat. § 325E.61(1)(e)-(f); Mont. Code Ann. § 30-14-1704(4)(b); Ohio Rev. Code Ann. § 1349.19(A)(7)(a); Okla.
Stat. § 24-162(6); Utah Code Ann. § 13-44-102(3); Ark. Code § 4-110-103(7); Del. Code Ann. tit. 6 § 12B-101(4);
Ky. Rev. Stat. § 365.732(1)(c)); Mich. Comp. Laws § 445.63(3)(r); Miss. Code Ann. § 75-24-29(2)(b); Nev. Rev.
Stat. § 603A.040; N.H. Rev. Stat. Ann. § 359-C:19(IV); N.J. Stat. Ann. § 56:8-161(10); 73 Pa. Stat. § 2302; 11 R.I.
(continued….)
Federal Communications Commission FCC 16-148
116
Under our rule, breaches involving such information would presumptively meet our harm trigger and thus
require notification. We think it is clear that the unauthorized exposure of sensitive PII, such as Social
Security numbers or financial records, is reasonably likely to pose a risk of customer harm, and no
commenter contends otherwise. We therefore find it appropriate for our breach notification rule to apply
broadly to customer PI, including PII.
2. Notification to the Commission and Federal Law Enforcement
275. In this section, we describe rules requiring telecommunications carriers to notify the
Commission and federal law enforcement of breaches of customer PI, under the harm-based notification
trigger discussed above. We also specify the timeframe and methods by which providers must provide
this information.
276. Scope. As proposed in the NPRM, we require notification to the Commission of all
breaches that meet the harm-based trigger and, when the breach affects 5,000 or more customers, the FBI
and Secret Service. We expect that this notification data will facilitate dialogue between the Commission
and telecommunications carriers, and will prove extremely valuable to the Commission in evaluating the
efficacy of its data security rules, as well as in identifying systemic negative trends and vulnerabilities
that can be addressed with individual providers or the industry as a whole including to further the goal of
collaborative improvement and refinement of data security practices.
808
Still, we retain discretion to take
enforcement action to ensure BIAS providers and other telecommunications carriers are fulfilling their
statutory duties to protect customer information.
277. We adopt an additional trigger of at least 5,000 affected customers for notification to the
Secret Service and FBI, in order to ensure that these agencies are not inundated with notifications that are
unlikely to have significant law enforcement implications. This threshold finds support in the comments
of the FBI and Secret Service
809
and is also consistent with or similar to provisions in various legislative
and administration proposals for a federal data breach law.
810
We recognize that there may be
circumstances under which carriers want to share breach information that does not meet the harm trigger
we adopt today as part of a broader voluntary cybersecurity and threat detection program, and we
encourage providers to continue these voluntary efforts.
811
278. Timeframe. The dictates of public safety and emergency response may require that the
Commission and law enforcement agencies be notified of a breach in advance of customers and the
(Continued from previous page)
Gen. Laws § 11-49.2-5(c); Tenn. Code App. § 47-18-2107(a)(3); Va. Code Ann. § 18.2-186.6(A); W. Va. Code §
46A-2A-101(6); D.C. Code § 28-3581(3).
808
National Consumers League Comments at 24-25 (“Breaches indicate lapses or vulnerabilities in security that
companies will be forced to recognize and fix. NCL believes that an ancillary benefit of these breach notification
requirements is the creation of incentives for companies to share information in order to minimize the impact for
themselves and for customers.” (citations omitted)).
809
FBI/Secret Service Reply at 6.
810
Cf. Data Security and Breach Notification Act of 2015, H.R. 1770, 114th Cong. § 3(a)(5) (2015) (requiring
10,000 individuals); Data Security and Breach Notification Act of 2015, S. 177, 114th Cong. § 4 (2015) (requiring
10,000 individuals); Updated Data Breach Notification 2 (2015), in Letter from Shaun Donovan, Dir., Office of
Mgmt. & Budget, Exec. Office of the President, to the Hon. John A. Boehner, Speaker of the H.R. (Jan 13, 2015),
available at https://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-data-breach-
notification.pdf (OMB proposed legislation and text for the Personal Data Breach Notification and Protection Act
to the House of Representatives and the Senate, requiring 10,000 individuals).
811
See supra para. 246.
Federal Communications Commission FCC 16-148
117
general public.
812
Thus, for breaches affecting 5,000 or more customers, we require carriers to notify the
Commission, the FBI, and the Secret Service within seven (7) business days of when the carrier
reasonably determines that a breach has occurred, and at least three (3) business days before notifying
customers. For breaches affecting fewer than 5,000 customers, carriers must notify the Commission
without unreasonable delay and no later than thirty (30) calendar days following the carrier’s reasonable
determination that a reach has occurred. Both of these thresholds remain subject to the harm-based
trigger. We agree with commenters that the timeline for data breach notification should not begin when a
provider first identifies suspicious activity.
813
At the same time, we clarify that “reasonably determining”
a breach has occurred does not mean reaching a conclusion regarding every fact surrounding a data
security incident that may constitute a breach. Rather, a carrier will be treated as having “reasonably
determined” that a breach has occurred when the carrier has information indicating that it is more likely
than not that there was a breach. To further clarify, the notification timelines discussed herein run from
the carrier’s reasonable determination that a breach has occurred, not from the determination that the
breach meets the harm-based notification trigger.
279. We agree with the FBI and the Secret Service that advance notification of breaches will
enable law enforcement agencies to take steps to avoid the destruction of evidence and to assess the need
for further delays in publicizing the details of a breach.
814
We reject arguments that the timeframes for
Commission and law enforcement notification that we adopt are too burdensome.
815
Rather, we agree
with AT&T and other commenters in the record that allowing carriers seven (7) business days to notify
the Commission and law enforcement furnishes those providers with sufficient time to adequately
investigate suspected breaches.
816
Further, to address concerns expressed in the record regarding the
812
FBI/Secret Service Reply at 5 (arguing that early notification to federal law-enforcement agencies would help
assess the intrusion, secure evidence, facilitate interagency coordination, and consider whether there is a need to
further delay customer notification).
813
See, e.g., Letter from Jacquelyne Flemming, AT&T, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-
106, at 1 (filed Sept. 21, 2016) (AT&T Sept. 21, 2016 Ex Parte) (arguing that providers should be allowed an
opportunity to distinguish actual breaches from merely suspicious activity or conduct); CenturyLink Comments at
43 (“Ultimately, any notification timeline should be tied initially to the determination that a breach has occurred.”);
see also S
2
ERC Comments at 16 (“A clearer definition of what constitutes the “discovery” of a breach may be
necessary to aid in compliance with the timeline requirements.”).
814
FBI/Secret Service Reply at 5 (“Early notification to the Federal Law Enforcement Agencies will enable law
enforcement to assess the intrusion and engage meaningfully with the Service Provider when it may be possible to
obtain vital evidence that could become obscured or destroyed over time. Early notification will also permit the
Federal Law Enforcement Agencies to coordinate their efforts so that any law enforcement response can maximize
the resources available to address and respond to the intrusion. . . Another benefit of early notification to the Federal
Law Enforcement Agencies is that early notice will allow law enforcement agencies sufficient opportunity to
determine whether there is a need for delayed notice to customers . . .”).
815
See, e.g., Hughes Comments at 7 (recommending a 30 day renewable time from for notices to the Commission
and law enforcement to ease compliance); WISPA Comments at 32 (“The proposed deadlines would require
notification to Federal law enforcement and customers much more quickly than nearly all state laws require such
that it may be difficult for even larger providers to comply with the Commission’s proposals.”) (footnote omitted);
INCOMPAS Comments at 14-15, 17-18; ACA Comments at 35-36, 54-55.
816
AT&T Aug. 23, 2016 Ex Parte at 2 (supporting a framework requiring Commission notification without
unreasonable delay and within seven (7) business days as opposed to 7-10 days); AT&T July 28, 2016 Ex Parte at 2
(supporting business day framework for notification deadlines); see ViaSat Comments at 7 (proposing that BIAS
providers should have ten (10) total “business” days to notify consumers, the Commission, and federal law
enforcement as opposed to the “10 days” proposed in the NPRM); but see Online Trust Alliance May 27, 2016 Ex
Parte at 3-4 (supporting ten (10) business day standard for customer breach notification deadline but seven (7)
calendar day standard for Commission and law enforcement breach notification); Hughes Network Systems, LLC
July 26, 2016 Ex Parte at 1-2 (supporting general 30 day requirement for data breach reporting).
Federal Communications Commission FCC 16-148
118
complexity and costs of data breach notification for smaller providers,
817
we relax the notification
timeframe for breaches affecting fewer than 5,000 customers. Carriers must notify the Commission of
breaches affecting less than 5,000 customers without unreasonable delay and no later than thirty (30)
calendar days following the carrier’s reasonable determination that a breach has occurred. We find that a
30-day notification timeframe for breaches affecting fewer than 5,000 customers provides the
Commission with the data necessary to monitor trends and gain meaningful insight from breach activity
across the country, while at the same time reducing and simplifying the requirements for all carriers,
particularly smaller providers, whose limited resources might be better deployed toward remediating and
preventing breach activity, particularly in the early days of addressing a relatively small breach.
280. We also recognize that a carrier’s understanding of the circumstances and impact of a
breach may evolve over time. We expect carriers to supplement their initial breach notifications to the
Commission, FBI, and Secret Service, as appropriate.
818
Early notification of breaches will improve the
Commission’s situational awareness and enable it to coordinate effectively with other agencies, including
with the FBI and Secret Service on breaches not reportable directly to these agencies that may
nevertheless raise law enforcement concerns. Furthermore, time is of the essence in a criminal
investigation.
819
Learning promptly of a significant, large-scale breach gives law enforcement agencies an
opportunity “to coordinate their efforts so that any law enforcement response can maximize the resources
available to address and respond to the intrusion.”
820
Given the vital interests at stake in cases where a
data breach merits a law enforcement response, we find that the seven (7) business day reporting deadline
for such breaches is necessary as a matter of public safety and national security.
281. To further advance the needs of law enforcement, we permit the FBI or Secret Service to
direct a provider to delay notifying customers and the public at large of a breach for as long as necessary
to avoid interference with an ongoing criminal or national security investigation.
821
This provision
replaces the more prescriptive requirements in the existing rules specifying the timing and methods for
law enforcement intervention.
822
Consistent with our overall approach in this proceeding, we adopt rules
that incorporate flexibility to account for changing circumstances. Several commenters agree that this
provision for law enforcement, which is embodied in the existing rules, remains prudent.
823
We also
observe that the laws of several states and the District of Columbia include similar law enforcement delay
provisions.
824
We are not persuaded that such a provision unduly interferes with the interests of
817
Letter from Thomas Cohen, Attorney, Kelley Drye & Warren, LLP, to Marlene H. Dortch, Secretary, FCC, WC
Docket No. 16-106, at 4 (filed Oct. 5, 2016) (American Cable Association Oct. 5, 2016 Ex Parte) (arguing that small
providers should be allowed to notify the Commission of smaller breaches at the same time that customers are
notified).
818
See, e.g., AT&T Aug. 23, 2016 Ex Parte at 2 (proposing a modified notification framework that accounts for
ongoing data breach investigations stretching beyond the initial 30 day window).
819
See FBI/Secret Service Reply at 5.
820
Id.
821
See id. at 6.
822
See 47 CFR § 64.2011(b)(3).
823
National Consumers League Comments at 32 (stating that this requirement “strikes the appropriate balance
between customers’ need to know and the ability of federal law enforcement to properly investigate the origins of
the breach.”); FTC Staff Comments at 33.
824
See Ariz. Rev. Stat. § 18-545(C); Ark. Code § 4-110-105(c); Cal. Civ. Code § 1798.82(c) (amended by 2015 Cal.
Assem. B. 739); Conn. Gen. Stat. § 36a-701b(d); D.C. Code § 28-3852(d); Ga. Code Ann. § 10-1-912(c); Ky. Rev.
Stat. § 365.732(4); La. Stat. Ann. § 51:3074(D); Me. Rev. Stat. tit. 10, § 1348(3); Minn. Stat. § 325E.61(1)(c);
Mont. Code Ann. § 30-14-1704(3); Nev. Rev. Stat. § 603A.220(3); N.J. Stat. Ann. § 56:8-163(c)(2); N.Y. Gen. Bus.
Law § 899-aa(4); N.D. Cent. Code § 51-30-04; 11 R.I. Gen. Laws § 11-49.3-4(b); S.C. Code Ann. § 39-1-90(C);
Tex. Bus. & Com. Code Ann. § 521.053(d).
Federal Communications Commission FCC 16-148
119
customers in taking informed action to protect themselves against breaches.
825
As the FBI and Secret
Service explain, customer notification delays are not routine but are requested as a matter of practice only
in “exceptional circumstances” involving a serious threat of harm to individuals or national security.
826
In
addition, decisions regarding when to publicly disclose details of a criminal investigation are a matter that
lies within the expertise of law enforcement agencies. We therefore find that the best course is to defer to
the judgment of the FBI and Secret Service on when the benefits of delaying customer notification
outweigh the risks.
282. Method. We will create a centralized portal for reporting breaches to the Commission
and other federal law enforcement agencies. The Commission will issue a public notice with details on
how to access and use this portal once it is in place. The reporting interface will include simple means of
indicating whether a breach meets the 5,000-customer threshold for reporting to the FBI and Secret
Service. The creation of this reporting facility will streamline the notification process,
827
reducing
burdens for providers, particularly small providers. Any material filed in this reporting facility will be
presumed confidential and not made routinely available for public inspection.
828
3. Customer Notification Requirements
283. In order to ensure that telecommunications customers receive timely notification of
potentially harmful breaches of their customer PI, we adopt rules specifying how quickly BIAS providers
and other telecommunications carriers must notify their customers of a breach, the information that must
be included in the breach notification, and the appropriate method of notification.
a. Timeline for Notifying Customers
284. We require BIAS providers and other telecommunications carriers to notify affected
customers of reportable breaches of their customer PI without unreasonable delay, and no later than 30
calendar days following the carriers’ reasonable determination that a breach has occurred, unless the FBI
or Secret Service requests a further delay.
829
This approach balances affected customers’ need to be
notified of potentially harmful breaches of their confidential information with carriers’ need to properly
determine the scope and impact of the breach, and to the extent necessary, to most immediately focus
resources on preventing further breaches. Also, the specific customer notification timeline we adopt has
broad record support.
830
825
S
2
ERC Comments at 16 (“The three-day notification delay requirement considered at the request of law
enforcement is understandable but such regulations are often not in the best interest of consumers. Such delays may
allow criminals to wipe out the assets of a customer using stolen PI before the customer becomes aware of the threat.
Restitution following such an incident is not always complete and is rarely timely or convenient for the victims.
Additionally, the delay requirement may raise the liability of BIAS providers significantly as criminals may
continue to rack up damages during the waiting period. At the very least, BIAS providers should not be liable for
harms that occur after a breach is reported to law enforcement especially when these harms could have been
prevented with earlier notification.”).
826
FBI/Secret Service Reply at 4.
827
See, e.g., ACA Comments at 56-57 (asserting that the Commission “should create a one-stop shop for
Commission and law enforcement notifications to avoid the need to [sic] duplicative notification”).
828
See 47 CFR § 0.457.
829
See supra Part III.F.2.
830
See, e.g., Comcast Comments at 63 (stating that “the Commission should follow other well-established breach
laws and allow at least 30 days after discovery of a breach to notify consumers”); Hughes Comments at 6-7 (stating
that “a more equitable solution would be to stipulate that broadband service providers must report a breach within 30
days from the discovery of that breach, with leave to extend the reporting period by 30 day increments if the
broadband service provider can demonstrate that more time is needed to determine the scope of the breach, to
conduct risk assessments, and to restore reasonable integrity to the network”); AT&T Aug. 23, 2016 Ex Parte at 2
(continued….)
Federal Communications Commission FCC 16-148
120
285. As an initial matter, we agree with commenters that clear and straightforward notification
deadlines are necessary to ensure that customers are timely notified of breaches that affect them.
831
We
also agree with commenters that providing more time to notify customers than the 10 days we initially
proposed will enable carriers to conduct a more thorough and complete investigation of breaches in
advance of the notification.
832
This extra time for investigation will minimize duplicative and incomplete
breach notices, avoid customer confusion, allow providers to focus first on stopping further breaches, and
minimize burdens on providers.
833
The FBI and Secret Service, which have extensive experience with
data breach notification and, more specifically, experience with our existing data breach notification rules,
generally support a customer notification timeframe of between 10 and 30 days.
834
FTC staff
recommends that breach notifications occur without unreasonable delay, but within an outer limit of
between 30-60 days.
835
State data breach laws vary, but most states do not require notification within a
specific time frame and the majority of states that do provide 45 days or more to provide notice.
836
286. Our adoption of a customer notification period longer than that initially proposed also
responds to concerns raised by smaller carriers. For example, the Rural Wireless Association argues that
“[s]mall BIAS providers need additional time [beyond ten days] to determine the extent of any breach, as
well as to consult with counsel as to the appropriate next steps.”
837
The American Cable Association
similarly argues that compliance with a compressed notification timeline would require small providers
“to divert senior and technical staff solely to data breach response for the duration of the breach response
period” and otherwise incur high compliance costs.
838
We are mindful of the compliance burdens that a
10-day period for customer notification would impose on small carriers in particular, and accordingly
adopt a more flexible requirement to notify customers of reportable breaches without unreasonable delay
and in any event no longer than 30 calendar days. These commenters and others proposed longer
notification periods and, alternatively, an open-ended non-specific timeframe for small providers.
839
While we are sensitive to these concerns, we also note, however, that customer exposure to avoidable or
(Continued from previous page)
(supporting a framework to notify affected customers without unreasonable delay and no later than 20 business days
after notification to the Commission).
831
See, e.g., OTI Comments at 43.
832
State Privacy and Security Coalition Comments at 14 (“When a breach or suspected breach occurs, a company’s
top priorities are to ascertain the nature of the event, restore the security and integrity of the affected system, and
determine the scope of the incident and who was affected. Time is of the essence. A requirement to report very
quickly after discovery of a breach takes important resources away from remediation and investigation.”); Hughes
Comments at 6-7 (“This minimal modification of the proposed rule will give time for quick action while recognizing
the real time needed accurately to respond to a reported breach.”).
833
See, e.g., State Privacy and Security Coalition Comments at 13-14; INCOMPAS Aug. 4, 2016 Ex Parte at 3.
834
FBI/Secret Service Reply at 5 (“The Federal Law Enforcement Agencies are primarily concerned with breaches
involving suspected criminal activity, and would support a more relaxed reporting timeline for those breaches not
involving potential criminal activity.”).
835
FTC Staff Comments at 33.
836
See ACA Comments at 54-55; Jill Joerling, Data Breach Notification Laws: An Argument For a Comprehensive
Federal Law to Protect Consumer Data, 32 Wash. U. J. L. & Pol’y 467, 477 (2010).
837
RWA Comments at 13.
838
ACA Comments at 34-35.
839
See RWA Comments at 13 (arguing for a 45-day notification timeline where state law does not mandate a
specific timeline); ACA Comments at 34-35 (arguing for an “as soon as reasonably practical” standard); Letter from
Rebecca Murphy Thompson, Executive Vice President and General Counsel, Competitive Carriers Association, to
Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 4 (filed Oct. 19, 2016) (CCA Oct. 19, 2016 Ex
Parte) (arguing for a 60-day customer notification timeline for small providers).
Federal Communications Commission FCC 16-148
121
mitigable risk continues to grow in the aftermath of a breach. We therefore emphasize the value of
notifying affected customers as soon as possible to allow the customer to undertake time-sensitive
mitigation activities and encourage carriers to notify consumers as soon as practicable.
287. Requiring carriers to notify affected customers without unreasonable delay while
adopting a 30 calendar day deadline to do so creates a backstop against excessive delays in notifying
customers. Of course, if a telecommunications carrier conducts a good faith, reasonable investigation
within 30 calendar days but later determines that the scope of affected customers is larger than initially
known, we expect that provider to notify those additional customers as soon as possible.
840
However,
based on the record, we find that 30 calendar days is ample time to prepare a customer notification that
meets our minimum content requirements, as discussed below.
841
Our prior rules did not specify a precise
timeline for customer noticeonly that it must occur after the carrier completes law enforcement
notificationand we find adoption of the timeline above warranted to ensure timely notification to
customers. We recognize that a carrier may identify a breach and later learn that the scope of the breach
is larger than initially determined. Under such circumstances a carrier has a continuing obligation to
notify without unreasonable delay any additional customers it identifies as having been affected by the
breach, to the extent the carrier cannot reasonably determine that no harm is reasonably likely to occur to
the newly identified affected customers as a result of the breach.
b. Information Provided as Part of Customer Breach Notifications
288. To be a useful tool for consumers, breach notifications should include information that
helps the customer understand the scope of the breach, the harm that might result, and whether the
customer should take any action in response. In the NPRM we proposed that providers include certain
types of basic information in their data breach notifications to affected customers, and based on the
record, we adopt those same basic requirements,
842
which include the following elements:
The date, estimated date, or estimated date range of the breach;
A description of the customer PI that was used, disclosed, or accessed, or reasonably believed
to have been used, disclosed, or accessed, by a person without authorization or exceeding
authorization as a part of the breach of security;
Information the customer can use to contact the telecommunications carrier to inquire about
the breach of security and the customer PI that the carrier maintains about the customer;
Information about how to contact the Federal Communications Commission and any state
regulatory agencies relevant to the customer and the service; and
If the breach creates a risk of financial harm, information about national credit-reporting
agencies and the steps customers can take to guard against identity theft, including any credit
monitoring, credit reporting, or credit freezes the telecommunications carrier is offering
customers affected by the breach of security.
289. While data breaches are not “one-size-fits-all,” creating a measure of consistency across
customer breach notifications will benefit customers and providers, particularly smaller providers, by
840
See, e.g., AT&T Aug. 23, 2016 Ex Parte at 2 (proposing a modified notification framework that accounts for
ongoing data breach investigations stretching beyond the initial 30 day window).
841
See, e.g., AT&T July 28, 2016 Ex Parte at 2 (“To allow providers adequate time to identify all affected
customers and prepare relevant information for them and any other relevant support such as call centers they can
contact with follow-up questions, providers should be allowed up to 20 business days after making that
determination to notify customers.”).
842
See, e.g., OTI Comments at 42; NTCA Comments at 68; see also Access Now Comments at 12 (asserting that
remediation options should be clearly indicated and accessible in breach notices).
Federal Communications Commission FCC 16-148
122
removing any need to reinvent the wheel in the event of a data breach. Seventeen states and territories
currently mandate that specific content be included in breach notifications and the requirements we adopt
today are generally consistent with those statutes.
843
Much of the information we require consists of
contact information for the Commission, relevant authorities, credit reporting agencies, and the carrier
itself. Based on the record, we also require customer breach notifications to contain information about
credit freezes and credit monitoring if the breach creates a risk of financial harm.
844
The foregoing
elements should be easy for any provider to ascertain and for customers to understand. The remaining
two elements simply define the basic elements of a breach notificationwhen the breach occurred and
what information was breached.
845
Additionally, we hold carriers to a reasonable standard of accuracy
and precision in providing this information. Rather than having to provide the exact moment a breach
occurred, providers are tasked with giving an “estimated” date or, alternatively, an estimated date
“range.” Moreover, while a description of the customer PI involved in the breach should be as detailed,
informative, and accurate as possible, the rule allows for a description of the data the telecommunications
carrier “reasonably believes” was used, disclosed, or accessed.
290. We encourage providers to supplement these minimum elements with additional
information that their customers may find useful or informative. For example, FTC Staff recommends
that notifications include contact information for the FTC, and a reference to its comprehensive
IdentityTheft.gov website.
846
In appropriate cases, providing such additional information could further
empower customers to take steps to mitigate their own harm and protect themselves against the effects of
any future breaches.
c. Notification Methods
291. As proposed in the NPRM, we require that customer notifications occur by means of
written notification to the customer’s address of record or email address, or by contacting the customer by
other electronic means of active communications agreed upon by the customer for contacting that
customer for data breach notification purposes. For former customers, we require carriers to issue
notification to the customer’s last known postal address that can be determined using commonly available
sources. These options create flexibility for providers to notify customers in a manner they choose to be
contacted by their provider, and they are consistent with methods permitted under other data breach
843
See generally Cal. Civ. Code § 1798.82(d) (California); Haw. Rev. Stat. § 487N-2(d) (Hawaii); 815 ILCS §
530/10(a) (Illinois); Iowa Code § 715C.2(5) (Iowa); Md. Code Com. Law § 14-3504 (Maryland); Mass. Gen. Laws
§ 93H-3(b) (Massachusetts); Mich. Comp. Laws § 445.72(6) (Michigan); Mo. Rev. Stat. § 407.1500.2(4)
(Missouri); N.H. Rev. Stat. § 359-C:20(IV) (New Hampshire); N.Y. Gen. Bus. Law § 899-aa(7) (New York); N.C.
Gen. Stat § 75-65(d) (North Carolina); Or. Rev. Stat. § 646A.605(5) (Oregon); Vt. Stat. tit. 9 § 2435(b)(5)
(Vermont); Va. Code § 18.2-186.6,A (Virginia); W.V. Code § 46A-2A-102(d) (West Virginia); Wyo. Stat. § 40-12-
501(e) (Wyoming); P.R. Laws tit.10 § 4053 (Puerto Rico).
844
National Consumers League Comments at 30. Several states currently require data breach notices to contain
information about both credit monitoring and credit freezes. See Conn. Gen. Stat. §36a-701b(b); 815 Ill. Comp. Stat
§530/10(a); Mass. Gen. Laws Ch. 93H § 3(b); 10-1-912(c); W. Va. Code § 46A-2A-102(d). But see FTC Staff
Comments (“While contacting the national credit reporting agencies may be appropriate in certain circumstances, it
may not be helpful in others and could create a false sense of security.”).
845
See, e.g., Cal. Civ. Code § 1798.82(d) (requiring approximate date of breach and types of personal information
that were or are reasonably believed to have been subject to a breach); Fla. Stat. § 501.171(4)(f) (requiring estimated
date range of breach and a description of the personal information accessed or reasonably believed to have been
accessed); Iowa Code § 715C.2(5) (requiring approximate date of the breach and the type of personal information
obtained as a result of the breach); N.H. Rev. Stat. Ann. § 359-C:20(IV) (requiring approximate date of breach and
the type of personal information obtained as a result of the breach).
846
Several states already require this. See 815 Ill. Comp. Stat § 530/10(a); Md. Code. Ann., Com. Law. § 14-
3504(g); N.C. Gen. Stat. § 75-65(d).
Federal Communications Commission FCC 16-148
123
notification frameworks.
847
One of the few commenters to address this issue supports the NPRM
proposal, while also suggesting that providers post “substitute breach notifications” on their websites.
848
While some other breach notification frameworks do include such a requirement,
849
we are not persuaded
it is necessary for our purposes. Telecommunications carriers have direct relationships with their
customers through which they are likely to have ready means of contacting them. We believe the options
discussed above for direct notification will generally provide a sufficient array of options for reaching
customers affected by a breach, and we thus decline also to require a broader, less targeted public
disclosure.
4. Record Retention
292. We adopt a streamlined version of the record retention requirement we proposed in the
NPRM. We require only that providers keep record of the dates on which they determine that reportable
breaches have occurred and the dates when customers are notified, and that they preserve written copies
of all customer notifications. These records must be kept for two years from the date a breach was
reasonably determined to have occurred. The purpose of this limited requirement is to enable
Commission oversight of the customer breach notifications our rule requires. This minor recordkeeping
requirement will not impose any significant administrative burden on providers.
850
On the contrary, the
information that must be retained must be collected anyway, is of limited quantity, and largely comprises
information we would expect carriers to retain as a matter of business practice.
851
Moreover, shortening
the retention period would weaken the utility of the requirement as an enforcement tool, while not
delivering any substantiated cost savings for providers.
852
As a final point, we clarify that we do not
require carriers to retain records of breaches that do not rise to the level of a required Commission
notification. A large percentage of breaches are therefore likely to be exempted from this requirement.
5. Harmonization
293. In the NPRM, we proposed adoption of a harmonized breach notification rule for BIAS
and other telecommunications services that would replace the existing Part 64 rule. Based on the record,
we have determined to take this approach. We agree with commenters who argue that creating a
harmonized rule will enable providers to streamline their notification processes and will reduce the
potential for customer confusion.
853
Moreover, we find that the modifications we have made to the
847
See 45 CFR § 164.404(d)(1) (HIPAA); N.Y. Gen. Bus. Law § 899-aa(5); Arizona Rev. Stat. § 44-7501(D); Ark.
Code § 4-110-105(e); Colo. Rev. Stat. § 6-1-716(1)(c).
848
National Consumers League Comments at 29 (“In addition to a choice between written and electronic
notifications required in 47 U.S.C. § 64.7006(a)(1), BIAS providers should be required to post and maintain
substitute breach notifications in a clearly marked section of their websites.”).
849
Some states, however, allow for substitute notice depending on the cost and number of affected individuals. See,
e.g., Me. Stat. tit. 10 § 1347(4)(C) ($5,000 or 1,000 residents); Mich. Comp. Laws § 445.72(12)(5)(d) ($250,000 and
500,000 residents).
850
National Consumers League Comments at 33.
851
Id.
852
But see Hughes Comments at 9 (“A six month recordkeeping requirement will ensure that customers’ records are
retained for a reasonable period following the termination of service and give the Commission and law enforcement
agencies sufficient access to records to conduct investigations of consumer complaints.”).
853
Greenlining Institute Comments at 16 (“Commenters believe that a uniform regime is not only easier for the
carriers, easier of enforcement, and easier for customers to understand, it is also consistent with the Open Internet
Order in terms of law and policy.”); WTA Comments at 17 (“There is no reason that BIAS providers should have
different customer notification requirements for breaches, particularly when many BIAS providers also provide
voice and/or video service as part of a bundle. Providing more than one notice could also cause consumer confusion
and would be more burdensome and costly than simply requiring one notice per affected customer.”); INCOMPAS
Comments at 17-18.
Federal Communications Commission FCC 16-148
124
proposed rule, particularly the harm trigger we adopt and timeline for notifying customers, ameliorate
concerns that applying the new rule to both BIAS and other telecommunications services will unduly
increase burdens for voice providers.
854
G. Particular Practices that Raise Privacy Concerns
294. In this section we prohibit “take-it-or-leave-it” offers in which BIAS providers offer
broadband service contingent on customers surrendering their privacy rights as contrary to the
requirements of Sections 222, 201, and 202 of the Act. We also adopt heightened disclosure and
affirmative consent requirements for BIAS providers that offer customers financial incentives, such as
lower monthly rates, in exchange for the right to use the customers’ confidential information. Congress
has tasked the Commission with protecting the public interest, and we conclude that our two-fold
approach to these practices will permit innovative and experimental service offerings and encourage and
promote customer choice, while prohibiting the most egregious offerings that would harm the public
interest.
1. BIAS Providers May Not Offer Service Contingent on Consumers’
Surrender of Privacy Rights
295. We agree with those commenters that argue that BIAS providers should not be allowed to
condition or effectively condition the provision of broadband on consenting to use or sharing of a
customer’s PI over which our rules provide the consumer with a right of approval.
855
Consistent with our
proposal in the NPRM, we therefore prohibit BIAS providers from conditioning the provision of
broadband service on a customer surrendering his or her privacy rights.
856
We also prohibit BIAS
providers from terminating service or otherwise refusing to provide BIAS due to a customer’s refusal to
waive any such privacy rights. By design, such “take-it-or-leave-it” practices offer no choice to
consumers. The record supports our finding that such practices will harm consumers, particularly lower-
income customers,
857
and we agree with Atomite that there is a difference between offering consumers “a
carrot (i.e., consideration in exchange for property rights) and [] a stick (e.g., no ISP service unless
subscribers relinquish their property rights).”
858
We therefore conclude that prohibiting such practices
will ensure that consumers will not have to trade their privacy for broadband services.
296. As we discussed above, broadband plays a pivotal role in modern life.
859
We find that a
“take-it-or-leave it” approach to the offering of broadband service contingent upon relinquishing customer
854
See supra paras. 263, 284.
855
See, e.g., Privacy Rights Clearinghouse Comments at 6 (“Under no circumstances should any consumer,
especially those who are members of vulnerable communities, have to choose between their rights to privacy and
foregoing broadband service.”); Access Now Comments a 7 (“To ensure user protection, consent must be freely and
unambiguously given. This means, for instance, that the use of a service must not be contingent on consumer
approval for the sharing of personal information with third parties or for the use of information for other purposes
than the one it was originally collected.”); ACLU Comments at 6 (arguing that requiring customers to sign away
their privacy rights as a condition of service, or certain kinds of service should be prohibited as it would create a
gaping loophole that would quickly be exploited”); NTCA Comments at 71 (stating it does “not oppose disallowing
practices that enable providers to deny service if customers do not relinquish certain rights”).
856
Broadband Privacy NPRM, 31 FCC Rcd at 2682, para. 285 (proposing to “prohibit BIAS providers from making
service offers contingent on a customer surrendering his or her privacy rights”).
857
See supra note 855; see also Letter from Eric G. Null, New America’s Open Technology Institute, to Marlene H.
Dortch, Secretary, FCC, GN Docket No 16-106 at 3 (filed Sept. 12, 2016) (“Low-income individuals often rely on a
single device, meaning the single ISP used by that person has access to extensive information about the individual.
Pay-for-privacy would be particularly problematic in the Lifeline context. Lifeline subscribers, who are among the
most vulnerable populations, should not be forced to give up their privacy for an Internet connection.”).
858
Atomite Comments at 6.
859
See supra Part III.A.
Federal Communications Commission FCC 16-148
125
privacy rights is inconsistent with the telecommunications carriers’ “duty to protect the confidentiality of
proprietary information of, and related to . . . customers.”
860
Further, we find that a “take-it-or-leave-it”
customer acceptance is not customer “approval” within the meaning of Section 222(c)(1), which prohibits
telecommunications carriers from using, disclosing, or permitting access to CPNI without customer
approval.
861
297. We also conclude that requiring customers to relinquish all privacy rights to their PI to
purchase broadband services is an unjust and unreasonable practice within the meaning of Section
201(b).
862
Requiring customers to relinquish privacy rights in order to purchase broadband services, or
other telecommunications services, would also constitute unjust and unreasonable discrimination in
violation of section 202(a).
863
A take-it-or-leave-it offering would discriminate unreasonably by offering
the service to potential customers willing and able to relinquish privacy rights that consumers expect and
deserve, and/or that are guaranteed to them under sections 222 and 201, and not offering the service to
others. Consumers should not have to face such a choice. In the 2015 Open Internet Order, we explained
that with respect to BIAS services, we will evaluate whether a practice is unjust, unreasonable, or
unreasonably discriminatory using the no-unreasonable interference/disadvantage standard (general
conduct rule).
864
Under this standard, the Commission can prohibit, on a case-by-case basis, practices that
unreasonably interfere with or unreasonably disadvantage the ability of consumers to reach the Internet
content, services, and applications of their choosing.
865
In evaluating whether a practice satisfies this rule,
we consider a totality of the circumstances, looking to a non-exhaustive list of factors. Among these
factors are end-user control, free expression, and consumer protection.
2. Heightened Requirements for Financial Incentive Practices
298. Unlike the “take-it-or-leave-it” offers for BIAS discussed above, the record concerning
financial incentives practices is more mixed. There is strong agreement among BIAS providers, some
public interest groups, and other Internet ecosystem participants that there are benefits to consumers and
860
47 U.S.C. § 222(a).
861
47 U.S.C. § 222(c)(1).
862
47 U.S.C. § 201(b) (requiring that all charges, practices, classifications, and regulation for and in connection with
a telecommunications service be “just and reasonable,” and prohibiting “unjust and unreasonable” charges,
practices, classifications, or regulations). Thus, we disagree with CTIA’s assertions that the “term ‘approval’ must
reflect the common law contract law principle that neither take-it-or-leave-it offers nor financial inducements are
unconscionable.” CTIA Reply at 29, n.102. Congress directed the Commission to “execute and enforce” the
provisions of the Act, including the prohibition on “unjust or unreasonable” practices.
863
47 U.S.C. § 202(a) (“It shall be unlawful for any common carrier to make any unjust or unreasonable
discrimination in charges, practices, classifications, regulations, facilities, or services for or in connection with like
communication service, directly or indirectly, by any means or device, or to make or give any undue or unreasonable
preference or advantage to any particular person, class of persons, or locality, or to subject any particular person,
class of persons, or locality to any undue or unreasonable prejudice or disadvantage.”); see Broadband Privacy
NPRM, 31 FCC Rcd at 2593, para. 294, 2596, paras. 305-06.
864
2015 Open Internet Order, 30 FCC Rcd at 5659-60, paras. 133-37.
865
2015 Open Internet Order, 30 FCC Rcd at 5659, para. 135. The no-unreasonable interference/disadvantage
standard requires that “Any person engaged in the provision of broadband Internet access service, insofar as such
person is so engaged, shall not unreasonably interfere with or unreasonably disadvantage (i) end users’ ability to
select, access, and use broadband Internet access service or the lawful Internet content, applications, services, or
devices of their choice, or (ii) edge providers’ ability to make lawful content, applications, services, or devices
available to end users. Reasonable network management shall not be considered a violation of this rule.” Id. at
5609, para. 21. See also 47 CFR § 8.11, No unreasonable interference or unreasonable disadvantage standard for
Internet conduct.
Federal Communications Commission FCC 16-148
126
companies of allowing BIAS providers the flexibility to offer innovative financial incentives.
866
The
record does, however, reflect concerns that these programs may be coercive or predatory in persuading
consumers to give up their privacy rights.
867
We therefore find that that heightened disclosure and
affirmative customer consent requirements will help to ensure that customers’ decisions to share their
proprietary information in exchange for financial incentives are based on informed consent.
868
299. As we recognized in the Broadband Privacy NPRM, it is not unusual for business to give
consumers benefits in exchange for their personal information. For example, customer loyalty programs
that track consumer purchasing habits online and in the brick-and-mortar world are commonplace.
869
Moreover, the Internet ecosystem continues to innovate in ways to obtain consumer information such as
earning additional broadband capacity, voice minutes, text messages, or even frequent flyer airline miles
in exchange for personal information.
870
Discount service offerings can benefit consumers.
871
As MMTC
866
See, e.g., AT&T Comments at 59 (“Banning discounts in exchange for information-sharing would, by definition,
increase the price and lower the output of any affected service, including broadband Internet access.”); ADTRAN
Comments at 12 (arguing that financial incentive “business models of providing discounts in return for access to
consumers’ proprietary information have been well-received by consumers both in the bricks-and-mortar world, as
well as specifically in the provision of BIAS services where they have been offered as an option”); CDT Comments
at 3 (asserting that BIAS providers should have flexibility under the rules to encourage customer opt-in, “including
offering monetary rewards in exchange for customer opt-in”); CenturyLink Comments at 30 (stating that “any
outright prohibition adopted by the Commission would disserve consumers, who might miss out on services they
want and value propositions they appreciate”); Free State Foundation Comments at 9 (arguing a ban on financial
incentives would “deprive consumers of their choice to enjoy free or . . . inexpensive services and applications”);
NTCA Comments at 71-72 (“Providers should have the flexibility, within the boundaries of notice, choice and
security, to offer consumers packages that meet their needs.”); Cincinnati Bell Comments at 10 (“Once the basic
privacy requirements are established on such a basis, the Commission should not prohibit BIAS providers from
offering enhanced levels of security for customers who are willing to pay the extra cost that is necessary to support
such services.”); Sprint Comments at 20-21; T-Mobile Comments at 44; Comcast Reply at 18-19; CTIA Aug. 25,
2016 Ex Parte at 2-3 (arguing that financial incentives “can lead to significant cost savings for all consumers, enable
more valuable services for consumers, and mirror much of the economic activity that consumers expect”); see also
id. Attach., ITIF White Paper, Why Broadband Discounts for Data are Pro-Consumer.
867
See, e.g., Consumer Watchdog Comments at 6 (arguing that “‘pay-for-privacy’ polices can rapidly become
coercive and predatory, especially when applied to lower-income subscribers”); Consumer Action Comments at 2
(urging the Commission “to do everything in its power to ensure that companies don’t snare consumers to wittingly
or unwittingly give up their privacy rights in exchange for free services or devices”); EFF Comments at 9
(expressing concern that financial incentive practices “are prone to abuse”); EPIC Comments at 25-26; OTI
Comments at 45 (explaining that financial incentive “programs are concerning because they could be crafted to
induce or, worse, coerce customers into giving up privacy protections all so BIAS providers can further develop
their advertising businesses”); California AG Comments at 4 (Consumers pay their ISPs for their Internet
connection; they do not and should not be expected to also paywith their personal information as well); Common
Sense Kids Action Comments at 14 (emphasizing that “[p]rivacy should not be a privilege reserved for those with
time, money, and technical expertise”); Letter from Ariel Fox Johnson, Senior Policy Counsel, Common Sense Kids
Action, to Marlene H. Dortch, Secretary, FCC, WC 16-106, at 1 (filed Sept. 9, 2016); Color of Change Oct. 20,
2016 Ex Parte at 5.
868
We limit the heightened disclosure and consent requirements discussed herein to financial incentive practices
offered by BIAS providers. The record reveals concerns about these practices specific to BIAS, and as such, we
limit our requirements to such services.
869
Broadband Privacy NPRM, 31 FCC Rcd at 2581, para. 258; Consumers’ Research Comments at 8 (stating that
many consumers exchange financial incentives for consent, based on their own preferences”).
870
See TPI Comments, Attach., Thomas Lenard and Scott Wallsten White Paper, An Economic Analysis of the
FCC’s Privacy Notice of Proposed Rulemaking at 35-36 (discussing Freedompop, which allows subscribers to earn
additional broadband capacity, voice minutes, or text messages by performing specified actions with their third party
advertisers (e.g., completing a questionnaire or purchasing a product or service); see also Chantal Tode, Flyers on
(continued….)
Federal Communications Commission FCC 16-148
127
explains, for example, such programs “significantly drive online usage” as well as “help financially
challenged consumers.”
872
300. At the same time, the record includes legitimate concerns that financial incentive
practices can also be harmful if presented in a coercive manner, mislead consumers into surrendering their
privacy rights, or are otherwise abused.
873
This is particularly true, because as CFC has explained,
consumers have difficulty placing a monetary value on privacy” and often “have little knowledge of the
details or extent of the personally identifiable data that is collected or shared by their BIAS providers and
others.”
874
Commenters also raise concerns about the potential disproportionate effect on low income
individuals.
875
Thirty-eight public interest organizations expressed concern that financial incentives can
result in consumers paying up to $800 per year$62 per monthfor plans that protect their privacy.
876
301. Mindful of the potential benefits and harms associated with financial incentive practices,
we adopt heightened disclosure and choice requirements, which will help ensure consumers receive the
information they need to fully understand the implications of any such practices and make informed
decisions about exchanging their privacy rights for whatever benefits a provider is offering.
877
We
therefore require BIAS providers offering financial incentives in exchange for consent to use, disclose,
(Continued from previous page)
United, American can now exchange location data for miles, Mobile Marketer (Aug. 22, 2016),
http://www.mobilemarketer.com/cms/news/database-crm/23473.html.
871
See supra note 866.
872
MMTC et al. Comments at 8; see also APPI Comments at 3 (“If the Commission were to prohibit financial
inducements that were designed to support low-income broadband adoption, more vulnerable AAPI consumers
would be deterred from online use.”).
873
See supra note 867.
874
CFC Comments at 9.
875
ACLU Comments 6 (asserting that “the underprivileged (and disproportionately minority) population that lacks
the discretionary income to devote to privacy will lose a right available for purchase by more affluent Americans”);
NBCSL Comments at 1 (expressing concern about financial incentive practices for “people of color and low income
consumers” because they “face particular risks to their privacy from companies that offer free or low cost services
that actually come at the cost of giving up control of personal data”); Public Knowledge et al. Comments at 2 (“In
households with low income elasticity, even moderate price discrimination between privacy and no-privacy
offerings can become coercive inducements. Such inducements could force low-income consumers to choose
between exercising their privacy rights, and having a broadband connection at all.”).
876
Letter from Access Humboldt, et al. to Tom Wheeler, Chairman, FCC, WC Docket No. 16-106 at 5 (filed Sept. 7,
2016), citing Karl Bode, Think Tank Argues that Giving up Privacy is Good for the Poor, Techdirt (Aug. 18, 2016),
https://www.techdirt.com/articles/20160816/07164935254/think-tank-argues-that-giving-up-privacy-is-good-
poor.shtml) (“AT&T charges its U-Verse broadband customers $528 to $792 more every year (up to $62 more per
month) to opt out of the company’s Internet Preferences program, which uses deep packet inspection to track your
online behavior -- down to the second. Not only is that not anything close to a discount, but AT&T makes opting
out as cumbersome as possible.”)).
877
CDT Comments at 3 (“However, because such inducements to consent raise serious public policy concerns, these
programs must be transparent and must not be coercive.”); see also CenturyLink Comments at 30 (arguing the
Commission should allowproperly informed customers” to “voluntarily [] enter contracts for lower monthly rates
or to accept other financial inducements in exchange for their consent to the use and/or sharing of their
information”); Letter from Jon Leibowitz to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 1 (filed
May 10, 2016) (“So long as broadband providers provide sufficient notice, consumers [] have the ability to make
informed choices about how they value their personal data.”); Greenlining Institute Comments at 14 (“There is
nothing wrong with a consumer, after being fully informed, choosing to trade access to his or her personal data in
return for enhanced services.”); MMTC et al. Comments at 8 (arguing that “financial inducement programs that
require informed consent should not be seen as presumptively coercive”).
Federal Communications Commission FCC 16-148
128
and/or permit access to customer PI to provide a clear and conspicuous notice of the terms of any
financial incentive program that is explained in a way that is comprehensible and not misleading.
878
That
explanation must include information about what customer PI the provider will collect, how it will be
used, with what types of entities it will be shared and for what purposes.
879
The notice must be provided
both at the time the program is offered and at the time a customer elects to participate in the program.
BIAS providers must make financial incentive notices easily accessible and separate from any other
privacy notifications and translate such notices into a language other than English if they transact business
with customers in that language. When a BIAS provider markets a service plan that involves an exchange
of personal information for reduced pricing or other benefits, it must also provide at least as prominent
information to customers about the equivalent plan without exchanging personal information.
302. BIAS providers must also comply with all notice requirements in Section 64.2003 of our
rules when providing a financial incentive notice.
880
Because of the potential for customer confusion and
in keeping with our overarching goal of giving customers control over the use and sharing of their
personal information, we further require BIAS providers to obtain customer opt-in consent for
participation in any financial incentive program that requires a customer to give consent to use of
customer PI.
881
Consistent with the choice framework we adopt today, once customer approval is given,
BIAS providers must provide a simple and easy-to-use mechanism that enables customers to change their
participation in such programs at any time. This mechanism, which may be the same choice mechanism
as the one in Part III.D.4, must be clear and conspicuous and in language that is comprehensible and not
misleading. The mechanism must also be persistently available on or through the carrier’s website; the
carrier’s application, if it provides one for account management purposes; and any functional equivalent
of either. If a carrier does not have a website, it must provide its customers with a persistently available
mechanism by another means such as a toll-free telephone number. We find that the protections outlined
herein will encourage consumer choice in evaluating whether to take advantage of financial incentive
programs.
882
303. We will closely monitor the development of financial incentive practices, particularly if
allegations arise that service prices are inflated such that customers are essentially compelled to choose
between protecting their personal information and very high prices. We caution that we reserve the right
to take action, on a case-by-case basis, under Sections 201 and 222 against BIAS providers engaged in
878
Notices that contain material misrepresentations or omissions will not be considered accurate.
879
CDT Comments at 25.
880
See supra Part III.C.
881
We observe that BIAS providers are already requiring opt-in consent for financial incentive programs. See U-
verse with AT&T GigaPower Internet Preferences, AT&T, https://www.att.com/esupport/article.html#!/u-verse-
high-speed-internet/KM1011211 (last visited Sept. 12, 2016) (website has been taken down); see also Adria
Tomaszewski, Verizon Smart Rewards Gives Back to Wireless Customers (July 21, 2014),
http://www.verizonwireless.com/news/article/2014/07/smart-rewards-gives-back-to-wireless-customers.html?null
(“Customers may be required to enroll in Verizon Selects, part of Precision Market Insights from Verizon, as part of
the Smart Rewards registration process and will receive 2,500 bonus points for being part of Verizon Selects and
500 Rewards points per participating line each month.”); Torod Neptune, How Verizon Selects from Verizon
Wireless Works (Dec. 3, 2012), http://www.verizonwireless.com/news/article/2012/12/verizon-selects.html (“We are
asking customers to opt-in to Verizon Selects because of the types of information being used and because the
capabilities provided to third-party marketers gives them the ability to reach customers directly with more relevant
infomation[sic].”).
882
Mobile Futures Comments at 7 (“The FCC should not adopt paternalistic rules that deprive consumers of the
choice to voluntarily share personal information in exchange for benefits.”); Comcast Comments at 58 (arguing that
the Commission should not take a “paternalistic view of ‘consumers’ ability to make informed choices”); Public
Knowledge White Paper at 64 (“Congress clearly intended that consumers should have control of their own
information.”).
Federal Communications Commission FCC 16-148
129
financial incentive practices that are unjust, unreasonable, unreasonably discriminatory, or contrary to
Section 222. The approach we take today enables BIAS providers the flexibility to experiment with
innovative financial incentive practices while ensuring that such practices are neither predatory nor
coercive.
H. Other Issues
1. Dispute Resolution
304. In the Broadband Privacy NPRM we sought comment on whether our current informal
complaint resolution process is sufficient to address customer concerns or complaints with respect to our
proposed privacy and data security rules.
883
At present, customers who experience violations of any of
our rules may file informal complaints through the Consumer Inquiries and Complaints Division of the
Consumer & Governmental Affairs Bureau, and carriers may not require customers to waive, or otherwise
restrict their ability to file complaints with or otherwise contact the Commission regarding violations of
their privacy rights.
884
The record does not demonstrate a need to modify our complaint process for
purpose of the rules we adopt today.
885
305. On the question of whether BIAS providers should adopt specific dispute resolution
processes, we received significant feedback both in support of
886
and in opposition to
887
limitations on
mandatory arbitration agreements. Based on that record, we continue to have serious concerns about the
impact on consumers from the inclusion of mandatory arbitration requirements as a standard part of many
contracts for communications services. The time has come to address this important consumer protection
issue in a comprehensive way. Therefore, we will initiate a rulemaking on the use of mandatory
arbitration requirements in consumer contracts for broadband and other communications services, acting
on a notice of proposed rulemaking in February 2017. We observe that the Consumer Financial
Protection Bureau (CFPB)which has extensive experience with consumer arbitration agreements and
dispute resolution mechanismsissued a report last year on mandatory arbitration clauses and is
currently engaged in a rulemaking on the subject in the consumer finance context.
888
We expect that
883
Broadband Privacy NPRM, 31 FCC Rcd at 2586-88, paras. 273-75.
884
See 47 U.S.C. § 208; 47 CFR §§ 1.716 to 1.719; FCC, Consumer Help Center,
https://consumercomplaints.fcc.gov/hc/en-us (last visited Oct. 5, 2016); GS Texas Ventures, LLC, Order, 29 FCC
Rcd 10541, 10543, para. 6 (WCB 2014) (invalidating an arbitration clause precluding formal complaints to the
Commission); Letter from National Association of Consumer Advocates (NACA), Public Justice, Public Citizen,
Public Knowledge, AAJ, and Consumers Union to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106
(filed Sept. 21, 2016) (discussing need to protect the Commission’s complaint procedures from contractual waivers);
see also 2015 Open Internet Order, 30 FCC Rcd at 5718, para. 267 n.687 (permitting mandatory third-party
arbitration “so long as it is subject to de novo review by the Commission”).
885
See OTI Comments at 47 (“[T]he FCC should ensure that there is an easy and clear process for consumer
complaints at the FCC.”); WISPA Comments at 34-36.
886
See AAJ Comments at 1-3, 6; Consumer Federation of California Comments at 12; Consumers Union Reply at 6;
EPIC Comments at 27; NACA, Public Citizen, and 22 Other Public Interest Organizations Comments at 2-8; OTI
Comments at 46; Privacy Rights Clearinghouse Comments at 7; Letter from Dallas Harris, Policy Fellow, Public
Knowledge to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106, at 1 (filed Aug. 3, 2016); Smithwick &
Belendiuk, P.C. Comments 1-11. See also Letter from 38 Public Interest Organizations to Chairman Tom Wheeler,
Sept. 7, 2016, at 4-5.
887
See AT&T Comments at 114-15; Comcast Reply at 53-55; Consumers’ Research Comments at 5-6; CTIA
Comments at 50-59; ITTA Comments at 24-25; NCTA Reply at 64-65; Sprint Comments at 20-21; T-Mobile
Comments at 55; Verizon Reply at 38-45.
888
See CFPB, Arbitration Agreements, 81 Fed. Reg. 32830 (May 24, 2016); Arbitration Study, CFPB (Mar. 10,
2015), http://www.consumerfinance.gov/data-research/research-reports/arbitration-study-report-to-congress-2015/.
(continued….)
Federal Communications Commission FCC 16-148
130
many of the lessons the CFPB learns and the conclusions it draws in its rulemaking will be informative
and useful.
2. Privacy and Data Security Exemption for Enterprise Voice Customers
306. Having harmonized the current rules for voice services with the rules we adopt today for
BIAS, we revisit and broaden the existing exemption from our Section 222 rules for enterprise voice
customers, where certain conditions are met. Specifically, we find that a carrier that contracts with an
enterprise customer for telecommunications services other than BIAS need not comply with the other
privacy and data security rules under Part 64, Subpart U of our rules if the carrier’s contract with that
customer specifically addresses the issues of transparency, choice, data security, and data breach; and
provides a mechanism for the customer to communicate with the carrier about privacy and data security
concerns. As with the existing, more limited business customer exemption from our existing
authentication rules, carriers will continue to be subject to the statutory requirements of Section 222 even
where this exemption applies.
889
307. Our existing voice rules include customer authentication obligations as a required data
security practice, but allow business customers to bind themselves to authentication schemes that are
different than otherwise provided for by our rules.
890
In adopting an alternative data security option for
authenticating business customers, the Commission recognized that the privacy concerns of
telecommunications customers are greatest “when using personal telecommunications service,”
891
and
“businesses are typically able to negotiate the appropriate protection of CPNI in their service
agreements.”
892
As Level 3 argues in this rulemaking, business customers have the “knowledge and
bargaining power necessary to contract for privacy and data security protections that are tailored to meet
their needs.”
893
Moreover, business customers may have different privacy and security needs and
therefore different expectations.
894
For example, Verizon explains that “many businesses may want their
CPNI used in different ways than a typical consumer.”
895
Allowing sophisticated enterprise customers to
(Continued from previous page)
See also Consumer Federation of California Comments at 12 (discussing the CFPB report); CTIA Comments at 54
(same); AAJ Comments at 4-5 (discussing the CFPB’s report and NPRM).
889
See 47 U.S.C. § 222; see also Level 3 Comments at 5 (noting that even with an enterprise exemption, the
Commission would retain the power to evaluate providers’ compliance with Section 222 and to bring enforcement
actions where necessary); 2007 CPNI Order, 22 FCC Rcd at 6942-43, para. 25.
890
See 47 CFR § 64.2010(g).
891
See 2007 CPNI Order, 22 FCC Rcd at 6943, para. 25 (determining that carriers who contract with enterprise
customers need not comply with the Commission’s carrier authentication rules so long as the carrier’s contracts with
its business customers (1) are serviced by dedicated account representatives as the primary contacts, and (2)
specifically address the carrier’s protection of CPNI).
892
See id.
893
Level 3 Comments at 3; see also XO Comments at 5 (noting that the business customers it serves negotiate
service-level agreements with various privacy and data protection provisions based on individual customer needs).
894
See Level 3 Comments at 4 (stating that, because enterprise service is not personal service, “end users in the
enterprise context do not have the same expectation of privacy in the use of the service and are not expected to risk
exposing private information the way individual, mass-market consumers using their personal phones might”);
Verizon Comments at 63 (noting that the Commission has “sensibly recognized that the privacy rules that apply to
consumers may not make sense for businesses”); Letter from Nicholas G. Alexander, Associate General Counsel,
Federal Affairs, Level 3 Communications, to Marlene H. Dortch, Secretary, FCC, WC Docket No. 16-106 at 1 (filed
Aug. 5, 2016) (Level 3 Aug. 5, 2016 Ex Parte); see also XO Comments at 3.
895
Verizon Comments at 63; see also Verizon Oct. 13, 2016 Ex Parte at 1 (arguing the Commission should allow
“business customers to bind themselves to alternative privacy and data security regimes as their privacy and data
security needs may differ from those of consumers.”).
Federal Communications Commission FCC 16-148
131
negotiate their own privacy and data security protections with their carriers will “allow businesses to
tailor how a telecommunications service provider protects their privacy and data specifically to their
individual needs”
896
and allow carriers “to compete by offering innovative pro-customer options and
contracts that meet business customers’ privacy and data security expectations.”
897
Although the
Commission previously limited the enterprise exemption to authentication, for the reasons above we are
convinced to broaden the exemption to encompass all privacy and data security rules under Section 222
for the provision of telecommunications services other than BIAS to enterprise customers.
898
308. To ensure that business customers have identifiable protections under Section 222, we
limit the business customer exemption to circumstances in which the parties’ contract addresses the
subject matter of the exemption and provides a mechanism for the customer to communicate with the
carriers about privacy and data security concerns.
899
The existing exemption applies only if the parties’
contract addresses authentication; in light of the broader scope of the exemption we adopt today, we now
limit the exemption to circumstances in which the parties’ contract addresses transparency, choice, data
security, and breach notification.
900
We reject the contention that we should exempt enterprise services
from our rules entirely with regard to the two limitations above.
901
The existence of contractual terms
between two businesses addressing privacy ensures that the enterprise customer’s privacy is in fact
protected without the need for our rules.
902
In this regard, as XO observes, an enterprise carrier would
“face significant liability if it violated contractual terms governing privacy and data security.”
903
We do
not provide a business exemption for BIAS services purchased by enterprise customers, because BIAS
services by definition are “mass market retail service[s],” and as such we do not anticipate that it will be
typical for purchasers to negotiate the terms of their contracts.
309. Regardless of whether the exemption applies, we observe that carriers remain subject to
the statutory requirements of Section 222. This exemption in our rules is thus not tantamount to
forbearance from the statute. We agree with commenters that Section 222 provides a solid legal
foundation for carriers and sophisticated business customers to negotiate adequate and effective service
terms on matters of privacy and data security.
904
896
Level 3 Aug. 5, 2016 Ex Parte at 1.
897
INCOMPAS et al. Aug. 4, 2016 Ex Parte at 2.
898
See 47 CFR § 64.2010(g); 2007 CPNI Order, 22 FCC Rcd at 6943-44, para. 25.
899
See Christopher L. Shipley, Attorney & Policy Advisor, INCOMPAS, to Marlene H. Dortch, Secretary, FCC,
WC Docket No. 16-106, at 2 (filed Oct. 21, 2016) (INCOMPAS Oct. 21, 2016 Ex Parte).
900
See Level 3 Aug. 5, 2016 Ex Parte at 1 (“[W]e agreed that it would be reasonable for the Commission to adopt a
general rule that requires carriers to address customer choice, transparency, data security, and data breach
notification when selling to business customers so long as that rule does not specify how carriers are obligated to
meet that requirement.”).
901
See INCOMPAS et al. Aug. 4, 2016 Ex Parte at 1 (stating that the Notice “asserts that BIAS is a mass market
retail service and that proposed rules would apply only to mass market customer relationships” and that the
Commission should “adopt the same approach in the context of” voice services).
902
We clarify that the contract at issue need not be a fully negotiated agreement, but can take the shape of standard
order forms. See INCOMPAS Oct. 21, 2016 Ex Parte at 2.
903
See XO Comments at 5.
904
See INCOMPAS et al. Aug. 4, 2016 Ex Parte at 1; see also Level 3 Comments at 5 (stating that, under the
strictures of Section 222, enterprise service providers would still be required to protect customer information, limit
their use of carrier information and protect its confidentiality, and obtain customer approval or infer customer
approval when it is clearly warranted under the circumstances before using, disclosing, or permitting access to
CPNI for any reason other than providing voice services, or services necessary to or used in the provision of voice
service, unless a statutory exemption applies).
Federal Communications Commission FCC 16-148
132
I. Implementation
310. To provide certainty to customers and carriers alike, in this section we establish a
timeline by which carriers must implement the privacy rules we adopt today. Until these rules become
effective, Section 222 applies to all telecommunications services, including BIAS, and our current
implementing rules continue to apply to telecommunications services other than BIAS and to
interconnected VoIP. Below, we explain when the rules we adopt will be effective, and address how
carriers should treat customer approvals to use and share customer PI received before the new rules are
effective. Finally, we establish an extended implementation period for small providers with respect to the
transparency and choice requirements we adopt today.
1. Effective Dates and Implementation Schedule for Privacy Rules
311. Swift implementation of the new privacy rules will benefit consumers. Moreover,
carriers that have complied with FTC and industry best practices will be well-positioned to achieve
prompt compliance with the privacy rules we adopt today. We recognize, however, that carriers will need
some time to update their internal business processes as well as their customer-facing privacy policies and
choice mechanisms in order to come into compliance with some of our new rules.
905
Additionally, some
of the new rules will require revised information collection approval from the Office of Management and
Budget pursuant to the Paperwork Reduction Act (PRA approval), and it is difficult to predict the exact
timeline for PRA approval.
906
We therefore adopt a set of effective dates for the new rules that is
calibrated to the changes carriers will need to make to come into compliance providing a minimum
timeframe before which the rules could come into effect. In order to provide certainty about effective
dates, we also direct the Wireline Competition Bureau (Bureau) to provide advance notice to the public of
the precise date after PRA approval when the Commission will begin to enforce compliance with each of
the new rules.
312. Notice and Choice. The notice and choice rules we adopt today will become effective the
later of (1) PRA approval, or (2) twelve months after the Commission publishes a summary of the Order
in the Federal Register.
907
We acknowledge that our new notice and choice rules may “represent a
significant shift in the status quo” for carriers.
908
Carriers will need to analyze the new, harmonized
privacy rules as well as coordinate with various business segments and vendors, and update programs and
policies.
909
Carriers will also need to engage in consumer outreach and education. These implementation
steps will take time and we find, as supported in the record, that twelve months after publication of the
Order in the Federal Register is an adequate minimum implementation period to implement the new
notice and approval rules. In order to provide certainty, we also direct the Bureau to release a public
notice after PRA approval of the notice and choice rules, indicating that the rules are effective, and giving
carriers a time period to come into compliance with those rules that is the later of (1) eight weeks from the
date of the public notice, or (2) twelve months after the Commission publishes a summary of the Order in
the Federal Register.
313. Breach Notification Procedures. The data breach notification rule we adopt today will
become effective the later of (1) PRA approval, or (2) six months after the Commission publishes a
summary of the Order in the Federal Register.
910
We find that six months is an appropriate minimum
905
See Verizon Sept. 23, 2016 Ex Parte at 1; see also T-Mobile Sept. 13, 2016 Ex Parte at 1.
906
PRA approval, as defined herein, is not complete until the Commission publishes notice of OMB approval in the
Federal Register.
907
See infra Appx. A, 47 CFR §§ 64.2003-64.2005. This implementation schedule also applies to the disclosure and
consent requirements for financial incentive practices. See id., § 64.2011(b).
908
T-Mobile Sept. 13, 2016 Ex Parte at 1.
909
See id. at 2, n.1; see also Verizon Sept. 23, 2016 Ex Parte at 1.
910
See infra Appx. A, 47 CFR § 64.2008.
Federal Communications Commission FCC 16-148
133
implementation period for data breach implementation. Although providers of telecommunications
services other than BIAS are subject to our current breach notification rule
911
and we are confident that
carriers are cognizant of the importance of data breach notification in the appropriate circumstances,
912
we
recognize that carriers may have to modify practices and policies to implement our new rule, we find the
harm trigger we adopt and timeline for notifying customers lessen the implementation requirements.
913
Moreover, harmonization of our data breach rule for BIAS and voice services enable providers to
streamline their notification processes, which should also lessen carriers’ need for implementation time.
Given these steps to minimize compliance burdens, we find six months is an adequate minimum
timeframe. We also direct the Bureau to release a public notice after PRA approval of the data breach
rule, indicating that the rule is effective, and giving carriers a time period to come into compliance with
the rule that is the later of (1) eight weeks from the date of the public notice, or (2) six months after the
Commission publishes a summary of the Order in the Federal Register.
314. Data Security. The specific data security requirements we adopt today will become
effective 90 days after publication of a summary of the Order in the Federal Register.
914
We find this to
be an appropriate implementation period for the data security requirements because as discussed above,
carriers should already be largely in compliance with these requirements because the reasonableness
standard adopted in this Order provides carriers flexibility in how to approach data security and resembles
the obligation to which they were previously subject pursuant to Section 5 of the FTC Act.
915
We
therefore do not think the numerous steps outlined by commenters that would have been necessary to
comply with the data security proposals in the NPRM apply to the data security rule that we adopt.
916
Nevertheless, we encourage providers, particularly small providers, to use the adoption of the Order as an
opportunity to revisit their data security practices and therefore provide an additional 90 days subsequent
to Federal Register publication in which carriers can revisit their practices to ensure that they are
reasonable, as provided for in this Order.
315. Prohibition on Conditioning Broadband Service on Giving up Privacy. The prohibition
on conditioning offers to provide BIAS on a customer’s agreement to waive privacy rights will become
effective 30 days after publication of a summary of this Order in the Federal Register.
917
We find that
unlike the other privacy rules, consumers should benefit from this prohibition promptly. As discussed
above, we find that these “take-it-or-leave-it” offers give consumers no choice and require them to trade
their privacy for access to the Internet. As supported in the record, these practices would harm
consumers, particularly lower-income customers.
918
We therefore find no basis for any delay in the
effective date of this important protection. Further, prompt implementation will not create any burdens
for carriers that are committed to providing their customers with privacy choices. All other privacy rules
adopted in the Order will be effective 30 days after publication of a summary of the Order in the Federal
Register.
911
47 CFR § 64.2011.
912
See TerraCom NAL, 29 FCC Rcd at 13339-41, paras. 39-44.
913
See supra Part III.F.1.
914
See infra Appx. A, 47 CFR § 64.2007.
915
See supra Part III.E; see also 15 U.S.C. § 45.
916
See, e.g., T-Mobile Sept. 13, 2016 Ex Parte at 1 (asking the Commission to consider a 12-18 month
implementation time period after rules are adopted”); see also T-Mobile Oct. 14, 2016 Ex Parte, Attach. at 3;
Verizon Sept. 23, 2016 Ex Parte at 1 (arguing that the implementation steps “will take a significant amount of time
to complete, requiring approximately 18 months from the date rules are adopted”); Verizon Oct. 13, 2016 Ex Parte
at 1.
917
See infra Appx. A, 47 CFR § 64.2011(a).
918
See supra Part III.G.1.
Federal Communications Commission FCC 16-148
134
2. Uniform Timeline for BIAS and Voice Services
316. We adopt a uniform implementation timetable for both BIAS and other
telecommunications services. Implementing our rules for all telecommunications services simultaneously
will help alleviate potential customer confusion from disparate practices between services or carriers.
This approach will support the benefits of harmonization discussed throughout this Order and is strongly
supported in the record.
919
We emphasize that until the new privacy rules are effective and implemented
with respect to voice services, the existing rules remain in place. Further, we make clear that all carriers,
including BIAS providers, remain subject to Section 222 during the implementation period that we
establish and beyond.
920
3. Treatment of Customer Consent Obtained Prior to the Effective and
Implementation Date of New Rule
317. We recognize that our new customer approval rule
921
requires carriers to modify the way
they obtain consent for BIAS and voice services based on our sensitivity-based framework discussed
above.
922
We seek to minimize disruption to carriers’ business practices and therefore do not require
carriers to obtain new consent from all their customers.
923
Rather, for BIAS, we treat as valid or
“grandfather” any consumer consent that was obtained prior to the effective date of our rules and that is
consistent with our new requirements. For example, if a BIAS provider obtained a customer’s opt-in
consent to use that individual’s location data to provide coupons for nearby restaurants and provided
adequate notice regarding his or her privacy rights, then the customer’s consent would be treated as valid.
The consent would not be invalidated simply because it occurred before the new customer approval rule
became effective. However, if the customer consent was not obtained in the manner contemplated by our
new rule, a new opportunity for choice is required. We recognize that consumers whose opt-in or opt-out
consent is grandfathered may not be aware of our persistent choice requirement,
924
and therefore we direct
the Consumer and Governmental Affairs Bureau to work with the industry to engage in a voluntary
consumer education campaign.
318. We decline to more broadly grandfather preexisting consents obtained by small BIAS
providers.
925
We find that the parameters set forth above create the appropriate balance to limit
919
See supra Part III.C.5 (explaining the benefits of harmonization, including consistency between privacy regimes
for all telecommunications services, both to reduce possible consumer confusion, and to decrease compliance
burdens for all affected telecommunications carriers, particularly small providers).
920
See Enf. Bur. Privacy Advisory, 30 FCC Rcd 4849 (2015).
921
See infra Appx. A, 47 CFR § 64.2004.
922
See supra Part III.D.1.
923
See WISPA Comments at 31 (arguing it should not “not be compelled to obtain new consents…from its
customers.”); ACA Comments at 45; CCA Comments at 33; NTCA Comments at 55; USTelecom Comments at 19.
924
See infra Appx. A, 47 CFR § 64.2004 (c) (“A telecommunications carrier must make available a simple, easy-to-
access method for customers to provide or withdraw consent at any time. Such method must be clearly disclosed,
persistently available, and made available at no additional cost to the customer. The customer’s action must be
given effect promptly after the decision to provide or withdraw consent is communicated to the carrier.”).
925
See USTelecom Comments at 19 (“[W]e support allowing small providers who have already obtained customer
approval to use their customers’ proprietary information to grandfather in those approvals for first and third party
uses.”). WTA argues that the Commission should permit “small BIAS providers to grandfather existing opt-out
approvals as it has done in the past” citing the Commission’s 2002 CPNI Order, in which the Commission allowed
carriers to use preexisting opt-out approval with the limitation that such approval only be used for marketing of
communications-related services by carriers, their affiliates that provide communications-related services, and
carriers’ agents, joint venture partners and independent contractors. See Letter from Patricia Cave, Director,
Government Affairs, WTA, to Marlene H. Dortch, Secretary, FCC, GN Docket No. 16-106 at 2 (filed Aug. 22,
2016); see also 2002 CPNI Order, 17 FCC Rcd at 14897, para. 85.
Federal Communications Commission FCC 16-148
135
compliance costs with our new notice and customer approval rules while providing consumers the privacy
protections they need. As we explain above, BIAS providers are in a unique position as gateways to the
Internet and we need to ensure consumers are aware of their privacy rights and have the ability to choose
how their personal information is used and shared.
319. As with BIAS services, customer consent obtained by providers of other
telecommunications services subject to the legacy rules remains valid for the time during which it would
have remained valid under the legacy rules. As such, opt-out consent obtained before the release date of
this order remains valid for two years after it was obtained, after which a carrier must conform to the new
rules.
926
Opt-in consent that is valid under the legacy rules remains valid. This approach is consistent
with established customer expectations at the time the consent was solicited, and should reduce notice
fatigue.
927
Maintaining the validity of customer consent for voice services will also help reduce the up-
front cost of compliance of the new rules. We reiterate that a customer’s preexisting consent is valid only
within its original scope. For instance, if a carrier previously received a customer’s opt-in consent to use
information about the characteristics of the customer’s service to market home alarm services, the carrier
could not claim that same consent applies to use of different customer PI (e.g., a Social Security Number)
or a different use or form of sharing (e.g., selling to a data aggregator). Similarly, opt-out consent to use
and share CPNI to market communications-related services could not be used to support use of different
customer PI or different forms of use or sharing (e.g., marketing non-communications-related services).
4. Limited Extension of Implementation Period for Small Carriers
320. In the NPRM we sought comment on ways to minimize the burden of our proposed
privacy framework on small providers,
928
and throughout this Order we have identified numerous ways to
reduce burdens and compliance costs while providing robust privacy protections to their customers.
929
To
further address the concerns raised by small providers in the record, we provide small carriers an
additional twelve months to implement the notice and customer approval rules we adopt today.
930
926
See 47 CFR § 64.2008(a)(2).
927
See, e.g., CTA Comments at 11 (expressing concern that certain Commission proposals would induce notice
fatigue); see also INCOMPAS Comments at 10 (arguing that notice fatigue will lessen the effectiveness of
consumer notices).
928
See Broadband Privacy NPRM, 31 FCC Rcd at 2553, para. 151.
929
See supra Part III.C.5 (explaining that harmonizing our BIAS and voice definitions under Section 222 will
simplify compliance for small providers who collect less customer information, use it for narrower purposes, and do
not have the resources to maintain a bifurcated system); see also supra para. 14358 (eliminating the pre-existing
every-two-year notice requirement from our Section 222 rules to reduce burdens smaller carriers); supra Part III.C.3
(declining to require a standardized format of privacy notices as it would decrease flexibility for small carriers); id.
(only requiring providers to convey their notices of privacy policies to customers in another language, if the
customer transacts business with the BIAS provider or other telecommunications carrier in that other language so as
not to overburden small providers); id. (directing the CAC to develop a safe harbor standardized form, to be used by
small providers if they choose so they can easily adopt a compliant form and format for their notices); supra para.
241 (clarifying that the data security standard is one of “reasonableness” rather than strict liability and establishing a
non-exhaustive rather than prescriptive list of reasonable data security to allow easier compliance for small
providers); supra Part III.F.1 (employing a harm-based trigger or data breaches to substantially reduce the burdens
of smaller providers in reporting breaches of customer PI); supra Part III.F.3.a (changing the timeline for notifying
customers of a data breach from 7-days to 30-days to allow more time for small providers to comply).
930
CCA asserts that “any compliance burdens produced by privacy rules will be compounded by many additional
regulations including Title II regulation, enhanced transparency rules, and outage reporting requirements.” See CCA
Oct. 13, 2016 Ex Parte at 2. Consideration of the effect of separate requirements was taken into account in
developing this implementation plan.
Federal Communications Commission FCC 16-148
136
321. We find that an additional one-year phase-in will allow small carriersboth broadband
providers and voice providerstime to make the necessary investments to implement these rules.
931
The
record reflects that small providers have comparatively limited resources and rely extensively on vendors
over which they have limited leverage to compel adoption of new requirements.
932
We recognize our
notice and choice framework may entail up- front costs for small providers. We also agree with NTCA
that small providers will “be aided by observing and learning from the experience of larger firms who by
virtue of their size and scale are better position to absorb the learning curve.”
933
As such, we find that this
limited extension is appropriate.
322. For purposes of this extension, we define small BIAS providers as providers with
100,000 or fewer broadband connections and small voice providers with 100,000 or fewer subscriber lines
as reported on their most recent Form 477, aggregated over all the providers’ affiliates. In the NPRM we
sought comment on whether we should exempt carriers that collect data from fewer than 5,000 customers
a year provided they do not share customer data with third parties.
934
Commenters objected that the 5,000
threshold was too narrow to accurately identify small providers and that the limitation on information
sharing was too restrictive.
935
We therefore find that given the limited scope of relief granted to small
carriers, increasing the numeric scope from the 5,000 to 100,000 is suitable because it will benefit
additional providers without excess consumer impact. We also decline to count based on the number of
customers from whom carriers collect data, as we recognize that some data collection is necessary to the
provision of service.
936
Additionally, we decline to impose any requirement that small providers not share
their information with third parties to qualify for the exception. Moreover, cabining the scope of this
limited extension to providers serving 100,000 or fewer broadband connections or voice subscriber lines
is consistent with the 2015 Open Internet Order, in which we adopted a temporary exemption from the
enhancements to the transparency rule for BIAS providers with 100,000 or fewer broadband
subscribers.
937
Therefore for these reasons, and the critical importance of privacy protections to
931
See CCA Reply Comments at 40-41 (advocating for 24-month extension after effective date of new privacy
rules); see also WISPA Comments at 28-29 (same).
932
See WISPA Comments at 28 (“This additional time will enable small providers to assess their obligations, budget
for lawyers, consultants, train personnel, and establish internal systems to ensure compliance.”) see also ACA
Comments at 8 (arguing that “very few of these [small] providers have in-house technical or compliance personnel
with extensive expertise in privacy and data security compliance. Some are forced to outsource some of their
security functions to outside vendors at a significant cost”).
933
NTCA Oct. 14, 2016 Ex Parte at 4.
934
See Broadband Privacy NPRM, 31 FCC Rcd at 2553, para. 151.
935
See, e.g., CCA Reply at 40-41 (advocating for 24-month extension after effective date of new privacy rules);
WISPA Comments at 28-29 (same); U.S. Small Business Administration Reply at 4 (same); ACA Comments at 46
(arguing the Commission “should extend the effective dates for small providers to comply with any new privacy and
data security rules by at least one year beyond any general compliance deadline”); RWA Comments at 4 (explaining
that “certain customer information is shared with billing system vendors, workforce management system vendors,
consultants that assist with certain projects, help desk providers, and system monitoring solutions providers”).
936
See supra Part III.D.2.a.
937
See 2015 Open Internet Order, 30 FCC Rcd at 5677-78, para. 172; see also Protecting and Promoting the Open
Internet, GN Docket No. 14-28, Report and Order, 30 FCC Rcd 14162, 14166-67, para. 10 (CGB Dec. 15, 2015)
(Small BIAS Provider Transparency Extension Order) (maintaining the 100,000 threshold for the small business
extension as it “remains a reasonable basis to delineate which providers are likely to be most affected by the burden
of complying with the enhanced disclosure requirements.”); Rural Call Completion, WC Docket No. 13-39, Report
and Order and Further Notice of Proposed Rulemaking, 28 FCC Rcd 16154, 16168-69, para. 27 (2013) (exempting
smaller providers from the recording, retention, and reporting rules if they provide long-distance voice service that
make the initial long-distance call path choice for less than 100,000 domestic retail subscriber lines (counting the
total of all business and residential fixed subscriber lines and mobile phones and aggregated over all of the
(continued….)
Federal Communications Commission FCC 16-148
137
consumers, we decline to adopt CCA’s recommendation to define small BIAS providers as either
companies with up to 1,500 employees or serving 250,000 subscribers or less.
938
323. We decline to provide any longer or broader extension periods or exemptions to our new
privacy rules.
939
We find that our “reasonableness” approach to data security mitigates small provider
concern about specific requirements, such as annual risk assessments and requiring specific privacy
credentials.
940
Moreover, as advocated by small carriers, we adopt a customer choice framework that
distinguishes between sensitive and non-sensitive customer information, as well as decline to mandate a
customer-facing dashboard to help manage their implementation and compliance costs.
941
Furthermore,
we find our data breach notification requirements and “take-it-or-leave-it” prohibition do not require an
implementation extension as compliance with these protections should not be costly for small carriers that
generally collect less customer information and use customer information for narrower purposes. Also,
although smaller in company size and market share, small carriers still retain the ability to see and collect
customer personal information and therefore, it is appropriate to extend these important protections to all
customers on an equal timeframe.
J. Preemption of State Law
324. In this section, we adopt the proposal in the NPRM and announce our intent to preempt
state privacy laws, including data security and data breach laws, only to the extent that they are
inconsistent with any rules adopted by the Commission.
942
This limited application of our preemption
authority is consistent with our precedent in this area.
943
We have long appreciated and valued the
important role states play in upholding the pillars of privacy and protecting customer information.
944
As
the Office of the New York Attorney General has explained, the State AGs are “active participants in
ensuring that [their] citizens have robust privacy protections” and it is critical that they continue that
(Continued from previous page)
providers’ affiliates)); RWA Reply at 5 (supporting the 100,000 threshold established in the 2015 Open Internet
Order).
938
See CCA Oct. 13, 2016 Ex Parte at 1-2; see also Small BIAS Provider Transparency Extension Order, 30 FCC
Rcd at 141266, para. 10 (declining to broaden the small provider threshold, as it would “substantially increase the
number of consumers who would be temporarily excluded from receiving the information that the Commission has
deemed essential for them to make informed choices about broadband services.”).
939
See WISPA Comments at 27-28 (seeking a two-year extension for all the Commission rules); CCA Reply at 40
(“If the Commission declines to adopt a small provider exemption . . . CCA urges the Commission to allot those
providers an extension of time to comply with new regulations.”); RWA Reply at 7 (“If the Commission declines to
adopt these broader exemptions, RWA urges the adoption of a 24-month extended compliance deadline for small
providers.”).
940
See supra Part III.E.1; see also WTA & Nex-Tech Apr. 25, 2016 Ex Parte at 2 (explaining how such data
security proposals would unduly burden small carriers).
941
See supra Part III.D.1 see also supra para. 230.
942
See Broadband Privacy NPRM, 31 FCC Rcd at 2511, 2588 paras. 27, 276. State law includes any statute,
regulation, order, interpretation, or other state action with the force of law.
943
See 1998 CPNI Order, 13 FCC Rcd at 8075, para. 16 (“We conclude that, in connection with CPNI regulation,
the Commission may preempt state regulation of intrastate telecommunications matters where such regulation would
negate the Commission’s exercise of its lawful authority . . . .”); 2002 CPNI Order, 17 FCC Rcd at 14890-91, para.
70 (“Should states adopt CPNI requirements that are more restrictive than those adopted by the Commission, we
decline to apply any presumption that such requirements would be vulnerable to preemption.”).
944
See 2002 CPNI Order, 17 FCC Rcd at 14891, para. 71 (observing that “our state counterparts . . . bring particular
expertise to the table regarding competitive conditions and consumer protection issues in their jurisdictions, and
privacy regulation, as part of general consumer protection, is not a uniquely federal matter”); 2007 CPNI Order, 22
FCC Rcd at 6958, para. 60.
Federal Communications Commission FCC 16-148
138
work.
945
As such, we further agree with the New York Attorney General’s Office that “it is imperative
that the FCC and the states maintain broad authority for privacy regulation and enforcement.
946
We also
agree with those providers and other commenters that argue that neither telecommunications carriers nor
customers are well-served by providers expending time and effort attempting to comply with conflicting
privacy requirements.
947
We therefore codify a very limited preemption rule that is consistent with our
past practice with respect to rules implementing Section 222. By allowing states to craft and enforce their
own laws that are not inconsistent with our rules with respect to BIAS providers’ and other
telecommunications carriers’ collection, use, and sharing of customer information, we recognize and
honor the important role the states play in protecting the privacy of their customer information.
325. As the Commission has previously explained, we may preempt state regulation of
intrastate telecommunications matters “where such regulation would negate the Commission’s exercise of
its lawful authority because regulation of the interstate aspects of the matter cannot be severed from
regulation of the intrastate aspects.”
948
In this case, we apply our preemption authority to the limited
extent necessary to prevent such instances of incompatibility. Where state privacy laws do not create a
conflict with federal requirements, providers must comply with federal law and state law.
326. As we have in the past, we will take a fact-specific approach to the question of whether a
conflict between our privacy rules and state law exists.
949
If a provider believes that it is unable to comply
945
Letter from Kathleen McGee, Chief, Bureau of Internet and Technology, New York Attorney General, to
Chairman Tom Wheeler, FCC, WC Docket No. 16-106 at 4 (filed June 30, 2016) (NY Attorney General Ex Parte);
see also Letter from Bill Schuette, Michigan State Attorney General, et al., to Marlene H. Dortch, Secretary, FCC,
WC Docket No. 16-106 at 1 (filed Sept. 15, 2016) (“As Attorneys General, we are always concerned with protecting
consumers’ privacy and defending the protections our consumers have been afforded via our various state laws. It is
of paramount importance that any federal regulations not impair states’ ability to vigorously protect their citizens as
they deem appropriate.”); Letter from Karl A. Racine, District of Columbia Attorney General, to Marlene H. Dortch,
Secretary, FCC, WC Docket No. 16-106 at 1 (filed Oct. 12, 2016).
946
NY Attorney General Ex Parte at 4; see also California Office of Attorney General Reply at 2; PA PUC Reply at
4 (arguing that the Commission should not preclude state authorities from developing privacy standards based upon
independent state law so long as those standards do not unduly burden interstate commerce and advance a
compelling state interest”); Greenlining Institute Comments at 51 (explaining that “neither federal nor state agencies
have sufficient resources to fully protect consumers, and it is important that ‘cooperative federalism’ be maintained
in this vital area”).
947
See, e.g., Hughes Comments at 7 (“Hughes also supports the FCC preempting state privacy laws to the extent that
they are inconsistent with any rules adopted by the Commission.”); ViaSat Comments at 7 (agreeing with our
adopted method, by stating for example, “that the Commission make clear that any data breach notification
requirements adopted in this proceeding preempt all inconsistent state requirements”) (emphasis added); CTIA
Comments at 183 (arguing that the Commission should be clear “about the extent to which it would preempt state
law requirements” so providers can avoid having to address conflicting state and federal notice requirements).
948
1998 CPNI Order, 13 FCC Rcd at 8075-76, para. 16; see also 2002 CPNI Order, 17 FCC Rcd at 14890, para. 69.
We reject ITTA’s argument that we lack authority to preempt inconsistent state laws regarding non-CPNI customer
PI because its argument is premised on the incorrect assumption that our legal authority under Section 222 is limited
to CPNI. See infra Part IV.A.2 (concluding that the Commission has authority to reach customer PI under Section
222(a) of the Act); contra Letter from Michael J. Jacobs, Vice President Regulatory Affairs, ITTA, to Marlene H.
Dortch, Secretary, FCC, WC Docket No. 16-106, at 3 (filed Aug. 9, 2016) (“State Attorneys General, furthermore,
have jurisdiction . . . to enforce their own privacy and unfair practice laws, which the FCC would not be empowered
to preempt in light of its own lack of statutory authority regarding non-CPNI consumer information.”).
949
The Commission reviews petitions for preemption of CPNI rules on a case-by-case basis. See 2002 CPNI Order,
17 FCC Rcd at 14893, para. 74 (“By reviewing requests for preemption on a case-by-case basis, we will be able to
make preemption decisions based on the factual circumstances as they exist at the time and on a full and a complete
record.”); see also id. at 14890-93, paras. 69-74 (recognizing the potential burdens associated with different
regulatory requirements); ViaSat Comments at 8 (expressing concern about being subject to “a potentially confusing
patchwork of conflicting breach notification requirements at the state level”).
Federal Communications Commission FCC 16-148
139
simultaneously with the Commissions rules and with the laws of another jurisdiction, the provider should
bring the matter to our attention in an appropriate petition. Examining specific conflict issues when they
arise will best ensure that consumers receive the privacy protections they deserve, whether from a state
source or from our rules.
327. The states have enacted many laws aimed at ensuring that their citizens have robust
privacy protections.
950
We agree with the Pennsylvania Attorney General that it is important that we not
undermine or override state law providing greater privacy protections than federal law,”
951
or impede the
critical privacy protections states continue to implement. Rather, as supported in the record, we
encourage the states to continue their important work in the privacy arena, and adopt an approach to
preemption that ensures that they are able to do so.
952
In so doing, we reaffirm the Commission’s limited
exercise of our preemption authority to allow states to adopt consumer privacy protections that are more
restrictive than those adopted by the Commission provided that regulated entities are able to comply with
both federal and state laws.
953
328. In taking this approach, we reject ACA’s suggestion that we should “preempt state data
breach notification laws entirely.”
954
As stated above, we continue to provide states the flexibility to craft
and enforce their own privacy laws, and therefore we only preempt state laws to the extent that they
impose inconsistent requirements. Our privacy rules are designed to promote “cooperative federalism”
and therefore unless providers are unable to comply with both the applicable state and Commission
requirements, we find it inappropriate to categorically preempt these state data breach laws.
955
329. Commenters have identified data breach notification as one area where conflicts may
arise. We agree with commenters that it is generally best for carriers to be able to send out one customer
data breach notification that complies with both state and federal laws,
956
and we welcome state agencies
to use our data breach notification rules as a model.
957
However, we recognize that states law may require
differently timed notice or additional information than our rules, and we do not view such privacy-
protective requirements as necessarily inconsistent with the rules we adopt today since carriers are
capable of sending two notices at two different times. However, in the interest of efficiency and
950
See, e.g., California Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code § 22577(a); California
Consumer Protection Against Computer Spyware Act, Cal. Bus. & Prof. Code § 22947.1(k); Cal. Civ. Code §
1798.82(h); Conn. Gen. Stat. § 36a-701b(a); N.Y. Gen. Bus. L. §§ 899-aa(1)(a), (b); La. Stat. § 51:3073(4); Fla.
Stat. § 501.171(1)(g).
951
PA PUC Reply at 2.
952
See, e.g., NY Attorney General Ex Parte at 4; see also National Consumers League Comments at 33-34 (stating
our approach “will ensure that States will be able to continue to innovate in protecting consumersdata, set a high
bar for consumer protection, and help to clarify the baseline that BIAS providers must adhere to”).
953
See 2002 CPNI Order, 17 FCC Rcd at 14890-92, paras. 69-71; see also Broadband Privacy NPRM, 31 FCC Rcd
at 2588, para. 277.
954
ACA Comments at 56-57; see also ACA Reply at 5.
955
See supra note 946.
956
State Privacy and Security Coalition Comments at 5 (arguing that “requiring notification in many situations that
involve no risk of harm makes ‘notice fatigue’ more likely with consumers ignoring notice of serious breaches that
actually create risk”); see also ACA Comments at 57 (“By reducing the number of government-level notifications
that BIAS providers must make from over 50 notifications to a single notification, the Commission will significantly
reduce the costs that BIAS providers must assume in the event of a breach while preserving the benefits of
notifications to the customer.”).
957
See National Consumers League Comments at 34 (explaining that “[i]t is NCL’s hope that the robust and
comprehensive data security and breach notification set out by the FCC will also serve as a model for other states
and agencies”).
Federal Communications Commission FCC 16-148
140
preventing notice fatigue, we invite carriers that find themselves facing requirements to send separate
consumer data breach notices to fulfill their federal and state obligations to come to the Commission with
a proposed waiver that will enable them to send a single notice that is consistent with the goals of
notifying consumers of their data breach. Additionally, as explained by CTIA, a situation could arise
where a state law enforcement agency requests a delay in data breach notice due to an ongoing
investigation.
958
We encourage both carriers and state law enforcement officials to come to the
Commission in such a situation, as we have authority to waive our rules for good cause and recognize the
importance of avoiding interference with a state investigation.
959
330. We clarify that we apply the same preemption standard to all aspects of our Section 222
rules. Although the Commission, in its previous orders, had applied its preemption standard with respect
to all of the Section 222 rules, the preemption requirement is currently codified at Section 64.2011 of our
rules, which addresses notification of data breaches.
960
Recognizing that states are enacting privacy laws
outside of the breach notification context, and consistent with historical Commission precedent, we
conclude that the preemption standard should clearly apply in the context of all of the rules we adopt
today implementing Section 222. Therefore, as we proposed in the NPRM, we remove the preemption
provision from that section of our rules, and adopt a new preemption section that will clearly apply to all
of our new rules for the privacy of customer proprietary information.
961
In doing so, we enable states to
continue their important role in privacy protection.
331. Further, we find that the same preemption standard should apply in both the voice and
BIAS contexts to help provide certainty and consistency to the industry.
962
Accordingly, we adopt a
harmonized preemption standard across BIAS and other telecommunications services.
963
By applying the
same preemption standard to BIAS providers and to other telecommunications carriers, we ensure that
states continue to serve a role in tandem with the Commission, regardless of the specific service at issue.
IV. LEGAL AUTHORITY
332. In this Report and Order, we implement Congress’s mandate to ensure that
telecommunications carriers protect the confidentiality of proprietary information of and relating to
customers. As explained in detail below, the privacy and security rules that we adopt are well-grounded
in our statutory authority, including but not limited to Section 222 of the Act.
964
A. Section 222 of the Act Provides Authority for the Rules
333. Section 222 of the Act governs telecommunications carriers in their use, disclosure, and
protection of proprietary information that they obtain in their provision of telecommunications services.
The fundamental duty this section imposes on each carrier, as stated in Section 222(a), is to “protect the
958
CTIA Comments at 183-84 (asking would the Commission’s [] rule for notice to customers trump that
request?).
959
See 47 U.S.C. § 1.3; see also WAIT Radio v. FCC, 418 F.2d 1153, 1159 (D.C. Cir. 1969) (waivers must show a
deviation will serve the public interest).
960
See Broadband Privacy NPRM, 31 FCC Rcd at 2602-03, para. 3; 47 CFR § 64.2011.
961
See Broadband Privacy NPRM, 31 FCC Rcd at 2610, para. 4 (adding § 64.7007 Effect on State Law to new
Subpart GG); see also infra Appx. A § 64.2012.
962
See ACA Comments at 57 (supporting the creation of “a single privacy and data security framework for providers
of multiple services as a means of reducing compliance burdens and consumer confusion”); see also WTA Reply at
19 (arguing that in complying with state and federal privacy regulations, “‘[p]articularly for small providers,
[i]nevitability of parallel enforcement underscores the need for harmonization’”).
963
See 47 CFR Subpt. U; see also Broadband Privacy NPRM, 31 FCC Rcd at 2603-2610.
964
47 U.S.C. § 222; see also 47 U.S.C. § 201(b) (“The Commission may prescribe such rules and regulations as may
be necessary in the public interest to carry out the provisions of this chapter.”).
Federal Communications Commission FCC 16-148
141
confidentiality of proprietary information of, and relating to” customers, fellow carriers, and equipment
manufacturers.
965
Section 222(c) imposes more specific requirements with regard to a subset of
customers’ proprietary information, namely customer proprietary network information.
966
This Report
and Order implements Section 222 as to customer PI, a category that includes individually identifiable
CPNI and other proprietary information that is “of, and relating to” customers of telecommunications
services. As explained below, the rules we adopt today are faithful to the text, structure, and purpose of
Section 222.
1. Section 222 Applies to BIAS Providers Along With Other
Telecommunications Carriers
334. We begin by reaffirming our conclusion in the 2015 Open Internet Order that Section
222 applies to BIAS providers.
967
In so doing, we reject the view that Section 222 applies only to voice
telephony.
968
The 2015 Open Internet Order reclassified BIAS as a telecommunications service, making
BIAS providers “telecommunications carriers” insofar as they are providing such service.
969
Section
222(a) imparts a general duty on “[e]very telecommunications carrier,” while other subsections specify
the duties of “a telecommunications carrier” in particular situations. The term “telecommunications
carrier” has long included providers of services distinct from telephony, including at the time of Section
222’s enactment. Thus, in construing the term for purposes of Section 222, we see no reason to depart
from the definition of “telecommunications carrier” in Section 3 of the Act.
970
To the contrary, deviating
from this definition without a clear textual basis in Section 222 would create uncertainty as to the scope of
numerous provisions in the Act, regulatory imbalance between various telecommunications carriers, and a
gap in Congress’s multi-statute privacy regime. Moreover, commenters cite no evidence that the term
“telecommunications carrier” is used more restrictively in Section 222 than elsewhere in the Act.
335. We similarly reject the claim that in reclassifying BIAS we have improperly exercised
our “definitional authority” to expand the scope Section 222.
971
The relevant term that defines the scope
of Section 222 is “telecommunications carrier,”
972
and we simply are applying the holding of the 2015
Open Internet Order that this statutory term encompasses BIAS.
973
Nor does the fact that Section 230 of
965
See 47 U.S.C. § 222(a). The provision reads in full: “Every telecommunications carrier has a duty to protect the
confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment
manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided
by a telecommunications carrier.” Id.
966
47 U.S.C. § 222(c) (emphasis added).
967
See 2015 Open Internet Order, 30 FCC Rcd at 5820, para. 462.
968
See, e.g., Comcast Comments at 67-68; NCTA Comments at 7-13; CTIA Comments at 19-22; USTelecom
Comments at 28; U.S. Chamber of Commerce Comments at 4. But see Free Press Comments at 9 (“The logic for
applying Section 222 to broadband is inexorable.”); OTI Reply at 3-5; Free Press Reply at 5-7.
969
See 2015 Open Internet Order, 30 FCC Rcd at 5615, para. 47; see also USTA v. FCC, 825 F.3d 674 (D.C. Cir.
2016) (upholding the 2015 Open Internet Order in full).
970
See OTI Reply at 4 (“It is presumed that use of a defined term retains its definition unless there is proof
otherwise.”).
971
See, e.g., NCTA Comments at 13; Comcast Comments at 68.
972
See 47 U.S.C. § 222(a) (“Every telecommunications carrier has a duty . . .”), (c) (“[A] telecommunications carrier
that receives or obtains . . .”).
973
See 2015 Open Internet Order, 30 FCC Rcd at 5615, para. 47.
Federal Communications Commission FCC 16-148
142
the Act uses the term Internet, while Section 222 does not, compel us to disregard the clear uses of
“telecommunications carrier” in Section 222.
974
336. We also reject arguments that “telephone-specific references” contained in Section 222
serve to limit the scope of the entire section to voice telephony or related services.
975
This argument
misconstrues the structure of Section 222. As explained in more detail below, Section 222(a) imposes a
broad general duty to protect proprietary information while other provisions impose more-specific duties.
Some of these more-specific duties concerning CPNI are indeed relevant only in the context of voice
telephony.
976
But their purpose is to specify duties that apply in that limited context, not to define the
outer bounds of Section 222.
977
The definition of CPNI found in Section 222(h)(1) illustrates this point.
While the term is defined in Section 222(h)(1)(B) to include “the information contained in the bills
pertaining to telephone exchange service or telephone toll service
978
and to exclude “subscriber list
information”
979
categories that have no relevance for BIASpursuant to Section 222(h)(1)(A) the term
CPNI also includes a broader category of information that carriers obtain by virtue of providing a
telecommunications service.
980
This broader category articulated in Section 222(h)(1)(A) pertains to
“telecommunications service[s]” in general, not only to telephony. As we have explained above, BIAS
providers collect significant amounts of information that qualifies as CPNI under the broad, functional
definition articulated in Section 222(h)(1)(A).
981
Whether BIAS providers also issue telephone bills or
publish directories makes no difference. The reference to “call[s]” in Section 222(d)(3) is similarly
inapposite as to the scope of Section 222 as a whole.
982
The “call[s]” at issue in this provision are
customer service calls initiated by the customer; a customer of any service, including BIAS, can make
such a call.
337. If anything, the placement of references to telephony in Section 222 supports our reading
of that section as reaching beyond telephony. Such terms are used to define narrow provisions or
exceptions, but not the outer contours of major components of the statute. Most significantly, the broad
term “telecommunications carrier” is used in defining the general duty under subsection (a); the
974
See USTA v. FCC, 825 F.3d at 702-03 (rejecting petitioners’ Section 230-based argument against reclassification
of BIAS as a telecommunications service). But see Comcast Comments at 67.
975
But see Comcast Comments at 67.
976
See, e.g., 47 U.S.C. § 222(c)(3) (imposing a sharing condition on “local exchange carrier[s]”, but not on other
telecommunications carriers, in their use and disclosure of “aggregate customer information”).
977
We need not and do not construe BIAS as a “local exchange service,” “telephone exchange service,” or
“telephone toll service” in order to bring it within the reach of Section 222. Provisions of the statute that apply only
to such limited categories, or to carriers that provide services in such categories, are not part of the statutory basis
for any rules we adopt in this Report and Order as to BIAS. Rather, the rules we adopt for BIAS are rooted only in
those aspects of Section 222 that govern “telecommunications carriers” and “telecommunications services” writ
large.
978
See 47 U.S.C. § 222(h)(1)(B).
979
See 47 U.S.C. § 222(h)(1), (h)(3).
980
See 47 U.S.C. § 222(h)(1)(A)-(B). Under 47 U.S.C. § 222(h)(1)(A), CPNI includes “information that relates to
the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service
subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the
customer solely by virtue of the carrier-customer relationship” other than subscriber list information.
981
See supra Part III.B.3.
982
See 47 U.S.C. § 222(d)(3) (carving out an exception that permits the use or disclosure of CPNI for the provision
of “any inbound telemarketing, referral or administrative services to the customer for the duration of the call, if the
call was initiated by the customer and the customer approves of the use of such information to provide such
service”). But see CTIA Comments at 16.
Federal Communications Commission FCC 16-148
143
obligation to seek customer approval for use, disclosure, or permission of access to individually
identifiable CPNI under paragraph (c)(1); the obligation to disclose CPNI upon request under paragraph
(c)(2); and the grant of permission to use and disclose “aggregate customer information” under paragraph
(c) (3).
338. Where a component of Section 222 applies only to a subset of telecommunications
carriers, Congress used a term to apply such a limit. For instance, Section 222(c)(3) permits all
telecommunications carriers to use and disclose aggregate customer information, but “local exchange
carrier[s]” can do so only on the condition that they make the information available to others on
reasonable and nondiscriminatory terms.
983
The inclusion of a pro-competitive condition in Section
222(c)(3) that applies only to local exchange carriers is consistent with other provisions of the 1996 Act
directed at opening local telephone markets to competition.
984
But the limited scope of this condition does
not serve to limit the applicability of Section 222 as a whole.
985
Indeed, not even Section 222(c)(3) itself
is limited in scope to providers of local exchange service. Rather, its primary purpose is to clarify that
telecommunications carriers may use and disclose customer information when it takes the form of
“aggregate customer information.” BIAS providers commenting in this proceeding have expressed a
strong interest in being able to use and disclose such information.
986
As telecommunications carriers,
their ability to do so is made clear under Section 222(c)(3).
339. Similarly, the limited scope of providers covered by the duty to share “subscriber list
information” under Section 222(e) is commensurate with the scope of the problem being addressed,
namely in the publication of telephone directories.
987
In particular, the “telephone exchange service”
providers subject to unbundling and nondiscrimination requirements by the provision are those that would
have the “subscriber list information” needed to produce these directories.
988
The fact that Section 222
includes provisions to address such telephone-specific concerns does not change its overall character as a
privacy protection statute for telecommunications, one that has as much relevance for BIAS as it does for
telephone service.
340. We disagree with the view that Congress confirmed Section 222 as a telephone-specific
statute when it amended subsections 222(d)(4), (f)(1) and (g) as part of the New and Emerging
Technologies 911 Improvement Act of 2008 (NET 911 Act).
989
These provisions of Section 222 establish
rights and obligations regarding carrier disclosure of customer information to assist in the delivery of
emergency services. The NET 911 Act brought “IP-enabled voice service[s]” within their scope.
Amending Section 222 in this manner addressed a narrow but critical public safety concern: IP-enabled
voice services were emerging as a platform for delivery of 911 service, yet providers of these services
were not classified as “telecommunications carriers” subject to Section 222.
990
The NET 911 Act
983
47 U.S.C. § 222(c)(3).
984
See generally 47 U.S.C. §§ 251-261 (“Development of Competitive Markets”), §§ 271-276 (“Special Provisions
Concerning Bell Operating Companies”).
985
See 47 U.S.C. § 222(c)(3). But see NCTA Comments at 9, n.13.
986
See supra Part III.B.4.
987
See H.R. Rep. No. 104-204, at 89 (“LECs have total control over subscriber list information . . . . Section 222
ensures that independent directory publishers have access to subscriber listing information gathered by all LECs.”).
988
See 47 U.S.C. § 222(e) (requiring the provision of subscriber list information “for the purpose of publishing
directories in any format”).
989
New and Emerging Technologies 911 Improvement Act of 2008, Pub. L. No. 110-283 (2008). See CTIA
Comments at 18; USTelecom Comments at 29.
990
See H.R. Rep. No. 110-442, at 7 (2007) (“Section 222 includes exceptions to its protections to allow wireline and
wireless carriers to provide customer information to PSAPs in emergency situations. There is no similar provision
(continued….)
Federal Communications Commission FCC 16-148
144
amendments ensure that all IP-enabled voice services, even to the extent they are not telecommunications
services, are treated under Section 222 much the same as traditional telephony services for purposes
related to E911 service. This treatment has nothing to do with the extent to which telecommunications
services that are not voice services are subject to Section 222.
991
341. In addition, we observe that none of the references to telephone-specific services in
Section 222 that commenters identify are found in Section 222(a). As explained below, we construe
Section 222(a) as a broad privacy protection mandate that extends beyond the specific duties articulated
in Sections 222(b) and (c). Thus, even if commenters could establish that these more specific parts of
Section 222 are qualified in ways that limit their scope to voice telephony or related services, or that
exclude BIAS from their scope, we would still find that a BIAS providerlike “[e]very
telecommunications carrier”
992
has customer privacy obligations under Section 222(a). And if we
accept commenters’ view that the role of Section 222(a) in the statute is to identify “which entities” have
duties thereunder,
993
it follows that subsections (b) and (c) apply not only to telephony or voice providers
but to “every telecommunications carrier.”
342. Finally, we dismiss efforts to conflate Section 222 with its implementing rules.
994
When
we forbore from application of the existing implementing rules to BIAS, we made clear that the statute
itself still applies.
995
Commenters do not present any compelling reason to revisit this decision.
996
2. Section 222(a) Provides Authority for the Rules as to Customer PI
343. We next conclude that Section 222(a) provides legal authority for our rules. As
explained below, Section 222(a) imposes an enforceable duty on telecommunications carriers that is more
expansive than the combination of duties set forth subsections (b) and (c). We interpret these subsections
as defining the contours of a carrier’s general duty under Section 222(a) as it applies in particular
contexts, but not as coterminous with the broader duty under Section 222(a). On the contrary, we
construe Section 222(a) as imposing a broad duty on carriers to protect customer PI that extends beyond
the narrower scope of information specified in Section 222(c). We also find that the rules adopted in this
Report and Order to ensure the protection of customer PI soundly implement Section 222(a).
(Continued from previous page)
governing or granting exceptions for VoIP service. H.R. 3403 would amend section 222 to add VoIP 911 service to
the established 911 exceptions.”).
991
We have exercised our ancillary jurisdiction to apply rules adopted under Section 222 to providers of
interconnected VoIP services. See 2007 CPNI Order, 22 FCC Rcd at 6954-57, paras. 54-59; see also 47 CFR §
64.2003(o) (defining “telecommunications carrier or carrier” for purposes of the CPNI rules to include
interconnected VoIP providers).
992
See 47 U.S.C. § 222(a).
993
See infra Part IV.A.2.a; see also Free Press Reply at 7-8 (arguing that CTIA “counsels the Commission against
‘atomistic interpretation of Section 222(a)’” while at the same time urging the Commission to “ignore the entirety of
the statute in favor of focusing on ‘atomistic’ references to telephone and voice services”).
994
See, e.g., CTIA Comments at 23 (“The Commission implicitly acknowledged Section 222’s inapplicability to
ISPs’ provision of broadband service by forbearing from applying its CPNI rules in the Open Internet Order.”)
(capitalization omitted).
995
2015 Open Internet Order, 30 FCC Rcd at 5820, para. 462.
996
See USTA v. FCC, 825 F.3d 674 (upholding the 2015 Open Internet Order in its entirety). Insofar as any
commenter in this proceeding requests reconsideration of the classification decision in the 2015 Open Internet
Order, the request is untimely. See 47 CFR §§ 1.106, 1.429.
Federal Communications Commission FCC 16-148
145
a. Section 222(a) Imposes on Telecommunications Carriers an
Enforceable Duty to “Protect the Confidentiality” of “Proprietary
Information”
344. Section 222(a) states that “[e]very telecommunications carrier has a duty to protect the
confidentiality of proprietary information of, and relating to” customers, fellow carriers, and equipment
manufacturers.
997
In this Report and Order we adopt the most straightforward interpretation of this text by
finding that Section 222(a) imposes a “duty,” on “every telecommunications carrier.” A “duty” is
commonly understood to mean an enforceable obligation.
998
It is well-established that the Commission
may adopt rules to implement and enforce an obligation imposed by the Act, including Section 222(a).
999
The substance of the duty is to “protect the confidentiality of proprietary information”all “proprietary
information” that is “of, and relating to,” the specified entities, namely “other telecommunications
carriers, equipment manufacturers, and customers.”
1000
This Report and Order implements Section 222(a)
with respect to “customers,” defining the term “customer PI” to mean that which is “proprietary
information of, and relating to . . . customers.”
1001
The term is thus firmly rooted in the language of
Section 222(a).
1002
345. The duty set forth in Section 222(a) concerns information “of, and relating to” customers
and other covered entities. The Supreme Court has held that “the ordinary meaning of [the phrase
‘relat[ing] to’] is a broad one,” and in certain contexts it has described the phrase as “deliberately
expansive” and “conspicuous for its breadth.”
1003
The record contains no evidence that Congress intended
the phrase “relating to” to be construed more narrowly for purposes of Section 222(a) than it would be
ordinarily. Thus, the most natural reading of Section 222(a) is that it imposes a broad duty on
telecommunications carriers to protect proprietary information, one that is informed by but not necessarily
limited to the more specific duties laid out in subsections (b) and (c).
1004
346. The treatment of “equipment manufacturers” under Section 222 provides further evidence
for this interpretation. This term is used only once: Section 222(a) includes “equipment manufacturers”
997
See 47 U.S.C. § 222(a).
998
See Black’s Law Dictionary 615 (10
th
ed. 2014) (defining a “duty” as “[a] legal obligation that is owed or due to
another and that needs to be satisfied; that which one is bound to do, and for which somebody else has a
corresponding right”).
999
AT&T Corp. v. Iowa Utils. Bd., 525 U.S. 366, 378 (1999) (holding that the last sentence in Section 201(b)
“means what it says: The FCC has rulemaking authority to carry out the ‘provisions of this Act,’” including
provisions added by the Telecommunications Act of 1996); 1998 CPNI Order, 13 FCC Rcd at 8073-74, para. 14;
2007 CPNI Order, 22 FCC Rcd at 6943, para. 27 n.94 (“Section 201(b) authorizes the Commission to prescribe
such rules and regulations as may be necessary in the public interest to carry out the provisions of this Act,’
including section 222.”). But see USTelecom Comments at 29-30 (“But, unlike several other provisions that include
an enforceable mandate for which the Commission has direct authority to create governing regulations, subsection
(a) merely sets forth a duty without granting authority to the Commission to further define or enforce that duty.”)
(internal citation omitted).
1000
See 47 U.S.C. § 222(a).
1001
See id.
1002
But see CTIA Comments at 24 (“The term ‘customer proprietary information’ appears nowhere in the
Communications Act, and the Commission lacks authority to create it . . .”).
1003
See Morales v. TransWorld Airlines, 504 U.S. 374, 383-84 (1992).
1004
See EFF Comments at 2; OTI Comments at 18-19; Free Press Reply at 8.
Federal Communications Commission FCC 16-148
146
among the classes of entities owed confidentiality protections as part of a carrier’s “general” duty.
1005
While Sections 222(b) and (c) specify in greater detail how this duty applies with respect to customers
and fellow carriersthe other entities protected under Section 222(a)there is no further statutory
guidance on what carriers must do to protect the proprietary information of equipment manufacturers.
Thus, the duty imposed on carriers under Section 222 with regard to equipment manufacturers must have
its sole basis in Section 222(a). This would not be possible unless Section 222(a) were read to confer
enforceable obligations that are independent of, and that exceed, the requirements of subsections (b) and
(c).
1006
347. Nothing in the statutory text or structure of Section 222 contradicts this interpretation. To
the contrary, this plain language interpretation is further supported by the structure of Section 222 and
consistent with approaches used in other parts of the Act. Section 222(a)’s heading “In General” suggests
a general “duty,” to be followed by specifics as to particular situations. Section 222(a) is not given a
heading such as “Purpose” or “Preamble” that would indicate that the “duty” it announces is merely
precatory or an inert “statement of purpose.” Section 251 of the Act is structured similarly in this regard,
and there is no argument that the duty announced in Section 251(a) is merely precatory.
1007
In addition,
there is no textual indication that Sections 222(b) and (c) define the outer bounds of Section 222(a)’s
scope.
1008
For instance, Section 222(a) does not include language such as “as set forth below” or “as set
forth in subsections (b) and (c).” We also dismiss as irrelevant CTIA’s observation that some provisions
of the 1996 Act “can be interpreted as general statements of policy, rather than as grants of additional
authority.”
1009
That fact alone would have no bearing on how to interpret Section 222(a), which employs
“regulatory terminology” in imparting a general “duty” on telecommunications carriers.
1010
Finally, our
interpretation of subsection (a) does not render subsection (b) or (c) superfluous.
1011
The latter
subsections directly impose specific requirements on telecommunications carriers to address concerns that
1005
See 47 U.S.C. § 222(a) (“Every telecommunications carrier has a duty to protect the confidentiality of
proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers . . .”)
(emphasis added).
1006
We reject any argument that the reference in Section 222(a) to equipment manufacturers is nothing more than a
cross-reference to obligations contained in Section 273. Such an interpretation would give no independent meaning
to Section 222(a), and therefore would be inconsistent with established principles of statutory construction. It would
also be contrary to the plain meaning of Section 222(a), which contains no reference to and is plainly broader than
Section 273; nothing in Section 273 applies broadly to every telecommunications carrier, as Section 222(a) clearly
does.
1007
Compare 47 U.S.C. § 222(a) (titled “In General” and beginning “Every telecommunications carrier has a
duty . . .”) (capitalization omitted) with 47 U.S.C. § 251(a) (titled “General Duty of Telecommunications Carriers”
and beginning “Each telecommunications carrier has the duty. . .”) (capitalization omitted). Also, like in Section
222, the “general duty” announced in subsection (a) of Section 251 is accompanied by more specific duties
announced in the subsections that follow. See 47 U.S.C. § 251(b) (“Obligations of All Local Exchange Carriers”)
(capitalization omitted), (c) (“Additional Obligations of Incumbent Local Exchange Carriers”) (capitalization
omitted).
1008
See Free Press Comments at 10 (“Section 222 begins with a general duty for telecommunications carriers to
protect the ‘proprietary information’ of customers. Subsections of 222 further elaborate on, but do not narrow the
scope of that general duty to protect privacy.”). But see CenturyLink Comments at 14 (arguing that “Section 222(a)
sets forth the general objective of the provision” while “[t]he specifics are then supplied by the following
subsections”); T-Mobile Comments at 17 (arguing “Section 222(a) is nothing more than a general introductory
provision”); Washington Legal Foundation Comments at 5.
1009
Letter From Scott Bergmann, Vice President, Regulatory Affairs, CTIA, to Marlene Dortch, Secretary, FCC,
WC Docket No. 16-106 at 8 (filed Sept. 16, 2016) (CTIA Sept. 16, 2016 Ex Parte).
1010
But see id. (arguing that Section 222(a) “lacks the regulatory terminology present in Section 706(a)”).
1011
But see ADTRAN Comments at 5-6.
Federal Communications Commission FCC 16-148
147
were particularly pressing at the time of Section 222’s enactment. Our reading of Section 222(a)
preserves the role of each of these provisions within the statute, while also allowing the Commission to
adopt broader privacy protections to keep pace with the evolution of telecommunications services.
348. As Public Knowledge argues, the breadth of the duty announced in Section 222(a) is
consistent with a broad understanding of the purpose of Section 222. We agree that this subsection
endows the Commission with a continuing responsibility to protect the privacy customer information as
telecommunications services evolve.
1012
Congress’s inclusion in Section 222 of more specific provisions
to address issues that were “front-and-center” at the time of the 1996 Act’s enactment in no way detracts
from this broader purpose.
1013
349. Our interpretation of Section 222(a) is far from novel. Other provisions of the Act set
forth a general rule along with specific instructions for applying the rule in particular contexts.
1014
We
agree with Public Knowledge that, in addition to Section 251, another provision that bears a particularly
close resemblance to Section 222 in this regard is Section 628.
1015
Subsection (b) of this provision
imposes a general “prohibition” on cable operators from interfering with competitors’ ability to provide
satellite cable or satellite broadcast programming.
1016
Subsection (c) in turn directs the Commission to
adopt rules to implement this prohibition and specifies their “minimum contents.”
1017
As a general matter,
the “minimum” regulations required under Section 628(c) are aimed at preventing cable operators from
denying their competitors access to programming.
1018
In 2009, the D.C. Circuit upheld Commission rules
adopted under Section 628(b) that prevented cable operators from entering exclusivity agreements with
1012
See Public Knowledge White Paper at 16 (“Congress recognized that it could not accurately forecast what
specific information might become either personally or competitively sensitive in the future as communications
technologies evolved and converged to include video service and other media. Rather than wait for Congress to do a
study, Congress simply delegated the authority to the FCC to consider what rules, what type of information and
what specific services should be covered over time.”); see also EFF Comments at 1-2 (“Congress enacted Section
222 following a tradition of sector-specific privacy regimes to address unique problems. Telecommunications as a
telephone service posed all of the same privacy risks to consumers that modern day broadband communications
does, as voice communications of sensitive information simply become digital transmissions. The Commission is
now at a critical point to determine telecommunications providers’ statutory obligations under Section 222 to protect
consumer privacy.”).
1013
See OTI Reply at 4-5 (“[T]he information collection capabilities of internet providers were primitive when
Congress passed Section 222 and therefore the internet likely was not front-and-center on the collective minds of
Congress . . . . Congress was not legislating against today’s factual backdrop, where ISPs can monitor everyone’s
internet traffic, but Congress left the statute broad enough that the FCC could address that issue.”).
1014
See 47 U.S.C. § 251 (imposing a “general duty” on telecommunications carriers and more specific duties on
subcategories of carriers); see also Public Knowledge White Paper at 17-19. CTIA attempts to distinguish other
such provisions by arguing that they do not “define in their subsequent subsections the duties of different regulated
entities identified in their initial subsections.” CTIA Reply at 18. In fact, Section 251 does define specific duties of
different regulatees in subsections (b) (all local exchange carriers) and (c) (incumbent local exchange carriers), and
Section 628 does apply specific duties to cable operators, satellite cable programming vendors, and common
carriers, see 47 U.S.C. § 548(c), (j). In any event, CTIA does not explain what it believes to be the significance of
this distinction.
1015
47 U.S.C. § 548; see also Public Knowledge White Paper at 17-18.
1016
47 U.S.C. § 548(b).
1017
47 U.S.C. § 548(c).
1018
Id. at (c)(2). The “minimum” required regulations include, inter alia, “establish[ing] effective safeguards to
prevent a cable operator which has an attributable interest in a satellite cable programming vendor or a satellite
broadcast programming vendor from unduly or improperly influencing the decision of such vendor to sell, or the
prices, terms, and conditions of sale of, satellite cable programming or satellite broadcast programming to any
unaffiliated multichannel video programming distributor.” Id. at (c)(2)(A).
Federal Communications Commission FCC 16-148
148
owners of multi-unit buildings, an anti-competitive practice that is only tenuously related to the
“minimum” regulations implemented under Section 628(c).
1019
Taking note of Section 628(b)’s “broad
and sweeping terms,” the court ruled that “nothing in the statute unambiguously limits the Commission to
regulating practices” related to the “principal evil that Congress had in mind” when enacting Section 628,
as expressed in subsection (c).
1020
Rather, it held that the Commission’s “remedial powers” to enforce
subsection (b) reached beyond circumstances that Congress “specifically foresaw.”
1021
Similarly, we
agree with OTI that the “principal” focus of Section 222 on regulating CPNI to promote competition and
consumer protection in emerging telecommunications markets must be read in harmony with the “broad
and sweeping” mandate of Section 222(a).
1022
In construing the latter we must give effect to the “actual
words” of the provision.
1023
These words plainly impose a “duty” on “every telecommunications carrier.”
350. Even if there were some ambiguity in the text, commenters that oppose our
interpretation of Section 222(a) have failed to offer a compelling alternative interpretation. One proposed
alternative is that Section 222(a) merely confirms Congress’s intent that the newly enacted Section 222
would apply to “every telecommunications carrier,” including not only the legacy carriers subject to then-
existing CPNI requirements but also “the new entrants that the 1996 Act envisioned.”
1024
Similar
arguments in the record are that Section 222(a) “identifies which entities have responsibility to protect
information, and informs the reading of subsequent subsections, which articulate how these entities must
protect information,”
1025
or that the provision “merely identifies the categories of information to which
Section 222 applies.”
1026
These arguments are unconvincing. First, subsections (b) and (c) themselves are
written broadly to apply to “telecommunications carrier[s].” There is no textual basis for interpreting
either provision as applying only to a legacy subset of carriers, such as the Bell Operating Companies,
AT&T, and GTE. Subsections (b) and (c) also specify the categories of information to which each
applies, without reference to subsection (a). Thus, commenters’ proposals for interpreting Section 222(a)
1019
National Cable & Telecomms. Ass’n v. FCC, 567 F.3d 659, 661 (D.C. Cir. 2009) (NCTA II); see also
Cablevision Sys. Corp. v. FCC, 649 F.3d 695, 707 (D.C. Cir. 2011).
1020
Id. at 664; see also PGA Tour v. Martin, 532 U.S. 661 (2001) (“[T]he fact that a statute can be applied in
situations not expressly anticipated by Congress does not demonstrate ambiguity. It demonstrates breadth.”)
(quoting Pa. Dept. of Corr.v. Yeskey, 524 U.S. 206, 212 (1952)).
1021
NCTA II, 567 F.3d at 665.
1022
See OTI Reply at 3 (“In the mid-nineties, when the Telecommunications Act was written, Congress was of
course concerned with incumbent telephone services given their ability to use the data they collected in routing
traffic to gain competitive advantages and target specific customers. However, Congress’s concerns over some
specific telephone issues does not freeze the entire statute in time, nor did those specific concerns narrow the statute
to telephone services ever after. If Congress had intended to write a statute that applied to telephone services only, it
could have easily done so.”).
1023
NCTA II, 567 F.3d at 666.
1024
Verizon Comments at 54. Verizon argues that both the House bill and the Senate bill originally would have
protected a category of customer information broader than the eventual definition of CPNI, but that “Congress
ultimately rejected both approaches.” See id. at 55. There is no evidence that Congress would have, without
explanation, adopted an approach that is narrower than either chamber’s bill. And, in fact, the Senate bill (which, as
Verizon points out, was intended to apply broadly to “customer-specific proprietary information,” S. Rep. No. 104-
23 at 24), contained in its text language almost identical to what Congress ultimately enacted, creating “a duty to
protect the confidentiality of proprietary information relating to other common carriers, to equipment manufacturers,
and to customers.” S. 652, 104
th
Cong., 1
st
Sess. § 301(d); id. sec. 222(a), § 256(c)(2)(E).
1025
CTIA Comments 26; see also Washington Legal Foundation Comments at 5.
1026
T-Mobile Comments at 16.
Federal Communications Commission FCC 16-148
149
would render that provision superfluous, contrary to the canon against such interpretations.
1027
Moreover,
the statute does not expressly link the duty announced in Section 222(a) with the subsections that follow.
That is, the statute does not direct “every telecommunications carrier” to protect proprietary information
“in accordance with subsections (b) and (c)” or anything similar.
351. Nor does our interpretation of Section 222(a) vitiate any other elements of Section 222.
On the contrary, we read Section 222(a) as imposing a broad duty that can and must be read in harmony
with the more specific mandates set forth elsewhere in the statute.
1028
Accordingly, we need not and do
not construe Section 222(a) so broadly as to prohibit any sharing of subscriber information that subsection
(e) or (g) would otherwise require.
1029
That is, subsection (a)’s duty to protect the confidentiality of
customer PI is in no way inconsistent with subsection (e)’s duty to share SLI, which by definition
1030
is
published and therefore is not confidential.
1031
Nor is it inconsistent with subsection (g)’s duty to share
subscriber information “solely for purposes of delivering or assisting in the delivery of emergency
services.
1032
Indeed, far from “render[ing] null” subsections (e) and (g), our reasoned interpretation of
Section 222(a) preserves the full effect of both of these provisions.
1033
We thus reject the argument that
subsection (a)’s absence from the “notwithstanding” clauses of subsections (e) and (g) should be taken as
evidence that the former provision confers no “substantive regulatory authority.”
1034
Rather, there was
simply no need for Congress to have included subsection (a) in these clauses.
1035
Also, the mere omission
of Section 222(a) from the these clauses would have been an exceedingly oblique and indirect way of
settling upon an interpretation of Section 222(a) that runs counter to its plain meaning.
1036
Relatedly,
there is no conflict because our understanding of Section 222(a) does not override any of the exceptions
to Section 222(c) set forth in Section 222(d). For example, a carrier need not fear that its disclosure of
CPNI “to initiate, render, bill [or] collect for telecommunications services” as subsection (d) permits
might independently violate Section 222(a), because such disclosure is not inconsistent with the carrier’s
1027
See Hibbs v. Winn, 542 U.S. 88, 101 (2004) (“A statute should be construed so that effect is given to all its
provisions, so that no part will be inoperative or superfluous, void or insignificant . . . .”) (quoting 2A N. Singer,
Statutes and Statutory Construction § 46.06, 181186 (rev. 6th ed. 2000)); see also OTI Reply at 7-8.
1028
See RadLAX Gateway Hotel, LLC v. Amalgamated Bank, 132 S.Ct. 2065, 2071 (2012) (“It is an old and familiar
rule that, where there is, in the same statute, a particular enactment, and also a general one, which, in its most
comprehensive sense, would include what is embraced in the former, the particular enactment must be operative,
and the general enactment must be taken to affect only such cases within its general language as are not within the
provisions of the particular enactment. This rule applies wherever an act contains general provisions and also
special ones upon a subject, which, standing alone, the general provisions would include.”) (citing United States v.
Chase, 135 U.S. 255, 260 (1890)).
1029
But see AT&T Comments at 106-07; CTIA Comments at 27-28; NCTA Comments at 16-17.
1030
47 U.S.C. § 222(h)(3) (defining “subscriber list information” as identifying information that the carrier or an
affiliate has published or intends to publish in a directory format).
1031
See 47 U.S.C. § 222(e)
1032
See 47 U.S.C. § 222(g).
1033
But see CTIA Comments at 27.
1034
NCTA Comments at 17.
1035
But see, e.g., AT&T Comments at 106-07 (arguing that the construction of Section 222(a) proposed in the
NPRM would create conflict with subsections (e) and (g)).
1036
See Whitman v. American Trucking, 531 U.S. 457, 468 (2001) (Whitman) (“Congress, we have held, does not
alter the fundamental details of a regulatory scheme in vague terms or ancillary provisionsit does not, one might
say, hide elephants in mouseholes.”); see also USTA v. FCC, 825 F.3d at 703 (citing Whitman in rejecting the
argument that language in Section 230 of the Act settles the regulatory status of broadband service as an information
service).
Federal Communications Commission FCC 16-148
150
duty to protect the confidentiality of such information.
1037
Nor do we construe Section 222(a) as negating
a carrier’s right under Section 222(c)(1) to use, disclose or permit access to CPNI for the specific
purposes set forth in subclauses (A) and (B).
1038
352. We also disagree with the argument that our construction of Section 222(a) enlists a
“vague or ancillary” provision of the statute to “alter [its] fundamental details.”
1039
Section 222(a)
appears, of course, at the beginning of Section 222. The first thirteen words of Section 222(a)and thus,
of Section 222read: “Every telecommunications carrier has a duty to protect the confidentiality of
proprietary information. . . .”
1040
Congress could not have featured this language any more prominently
within the statute, nor could the duty it propounds be any more clearly and directly expressed. As
discussed above, a statutory structure of establishing a general duty and then addressing subsets of that
duty in greater detail is not unique, even within the Communications Act.
353. Finally, we reject the view that our interpretation of Section 222(a) locates in “a long-
extant statute an unheralded power to regulate a significant portion of the American economy.”
1041
The
Commission has exercised regulatory authority under Section 222(c) for approximately two decades and
oversaw certain carriers’ handling of customer PI for over two decades before that.
1042
Even assuming a
contrary reading of Section 222(a), subsection (c) would still invest the Commission with substantial
regulatory authority over personal information that BIAS providers and other telecommunications carriers
collect from their customers, and Sections 201 and 202 would apply to carriers’ practices in handling
customers’ information.
1043
Thus, our interpretation of Section 222(a) is a far cry from the
“transformative” act of statutory interpretation struck down in Utility Air Regulatory Group v. EPA.
1044
There, the agency’s broad construction of the term “air pollutant” would have completely upended the
“structure and design” of a permitting scheme established by statute and extended that regime to broad
swaths of the economy.
1045
By contrast, the net effect of our interpreting Section 222(a) as governing all
customer PI is to make clear the Commission’s authority over carriers’ treatment of customer proprietary
information that may not qualify as CPNI, such as Social Security numbers or financial records. This
represents a modest but critical recognition of our regulatory purview beyond CPNI to cover additional
“proprietary” information that Section 222(a) plainly reaches. Moreover, BIAS providers’ treatment of
such information fell squarely within the jurisdiction of the FTC prior to the Commission’s
reclassification of BIAS. The scope of regulatory authority we are asserting under Section 222(a) is thus
far from novel or “unheralded.”
b. The Broad Duty of Section 222(a) Extends to All “Proprietary
Information” That Is “Of” or “Relating to” Customers
354. Having determined that Section 222(a) imposes on carriers an enforceable duty, we also
1037
See 47 U.S.C. § 222(d)(1).
1038
See 47 U.S.C. § 222(c)(1). But see Verizon Reply at 27.
1039
Whitman, 531 U.S. at 468.
1040
See 47 U.S.C. § 222(a).
1041
See Utility Air Regulatory Group. v. EPA, 134 S. Ct. 2427, 2444 (2014); see also Comcast Comments at 75,
n.200.
1042
See Furnishing of Customer Premises Equipment and Enhanced Services by American Telephone & Telegraph
Co., CC Docket No. 85-26, Order, 102 F.C.C.2d 655, 692-93, para. 64 (1985) (discussing 47 CFR § 64.702 (1984)
and noting that “customer proprietary information . . . belongs to the customers, and many may not want it to be
made public”).
1043
See 47 U.S.C. §§ 222(c), 201, 202; see also TerraCom NAL, 29 FCC Rcd at 13335-41, paras. 31-44.
1044
See Utility Air Regulatory Group, 134 S. Ct. at 2444.
1045
Id. at 2442-43.
Federal Communications Commission FCC 16-148
151
conclude that this duty extends to all “proprietary information” that is “of, or relating to” customers,
regardless of whether the information qualifies as CPNI. That is, we reject the argument that Section
222(c) exhausts the duty set forth in Section 222(a) as it applies with respect to customers.
355. Once again, our interpretation follows from the plain language of Section 222. While
subsection (c) establishes obligations with respect to “customer proprietary network information,”
subsection (a) omits the word “network.” The concept of the “network” lies at the heart of CPNI: the
information defined as CPNI in Section 222(h)(1) is of the sort that carriers obtain by virtue providing
service over their networks. However, as we have explained above, this sort of information is not the
only “proprietary information” that telecommunications carriers can and do obtain from their customers
by virtue of the carrier-customer relationship.
1046
We therefore find that “proprietary information of, and
relating to. . . customers” is best read as broader than CPNI. Moreover, we are convinced that the term
“network” should not be read into Section 222(a), contrary to what some commenters appear to argue.
1047
We dismiss the idea that the syntax of Section 222(a) would have made it awkward to include the term
“network” as an express limitation on the general duty as it applies with regard to customer proprietary
information.
1048
Congress is not bound to any particular formula when drafting legislation. Section
222(a) could easily have been written to include the term “customer proprietary network information” in
full, had Congress chosen to do so.
1049
356. Even if there were some ambiguity in the text of the statute, we would conclude that the
best interpretation is that Section 222(a) applies to customer proprietary information that is not CPNI.
Some argue that the legislative history of Section 222 precludes this interpretation because of a statement
from the Conference Report that attended passage of the 1996 Act, which reads: “In general, Section 222
strives to balance both competitive and consumer privacy interests with respect to CPNI.”
1050
Commenters appear to interpret this statement as evidence that Section 222 was intended to apply only to
CPNI.
1051
But this is clearly not so. Section 222(a) concerns not only customer information but also
information “of, and relating to” fellow carriers and equipment manufacturers. Section 222(b) in turn is
focused exclusively on “carrier information.”
1052
Therefore, Section 222 in general cannot be concerned
solely with CPNI. We are similarly unmoved by evidence that Congress considered but ultimately
rejected a more expansive definition of CPNI than that which is codified in Section 222(h)(1).
1053
Such
evidence cannot decide the question whether Section 222(a) governs a category of customer information
that is broader than CPNI. As explained above, our interpretation follows from the plain language of the
1046
See supra Part III.B.
1047
But see Comcast Comments at 71-72 (“The term proprietary information was used in Section 222(a) simply
because the provision covers information exchanged with three different types of entities customers,
telecommunications carriers, and equipment manufacturers and so using the term CPNI, a term that applies solely
to customers as addressed in Section 222(c), would not have been appropriate.”).
1048
But see id.
1049
For instance, the subsection could have read: “Every telecommunications carrier has a duty to protect the
confidentiality of customer proprietary network information, and of proprietary information of, and relating to, other
telecommunication carriers and equipment manufacturers, including telecommunication carriers reselling
telecommunications services provided by a telecommunications carrier.”
1050
See S. Conf. Rep. No. 104-230, 205 (1996).
1051
See, e.g., ITTA Comments at 6-7; CTIA Comments at 28.
1052
See 47 U.S.C. § 222(b). Furthermore, subsections (e) and (g) impose affirmative obligations on carriers in
certain circumstances to share SLI, which by definition is not CPNI. See 47 U.S.C. §§ 222(e), (g), (h)(1), (h)(3).
1053
See, e.g., Comcast Comments at 74 (“The Conference Report [for the 1996 Act] adopted the House’s proposed
CPNI definition, but eliminated the catch-all provision from the CPNI definition ultimately codified in Section
222.”).
Federal Communications Commission FCC 16-148
152
provision, and the legislative history of Section 222 is not to the contrary. At the very least, any contrary
evidence that may be derived from the legislative history is far from sufficient to override our reasoned
interpretation of the provision.
1054
357. We acknowledge that prior Commission orders implementing Section 222 have focused
largely on CPNI rather than customer PI more broadly.
1055
Yet we do not believe this precedent should
constrain our efforts in this proceeding to develop robust privacy protections for consumers under Section
222(a). In fact, the Commission made clear as early as 2007 that Section 222(a) requires carriers to “take
every reasonable precaution to protect the confidentiality of proprietary or personal customer
information.”
1056
Our express determination in the TerraCom proceeding that subsection (a) covers
customer proprietary information beyond CPNI merely “affirm[ed]” what the Commission had strongly
implied seven years earlier.
1057
Moreover, earlier orders adopting and revising rules under Section 222
were focused so narrowly on the protection of individually identifiable CPNI that the question whether
Section 222(a) covers additional customer information was never squarely addressed.
1058
This early
focus on CPNI makes sense: Section 222 was adopted against the background of existing Commission
regulations concerning CPNI,
1059
and the first Section 222 proceeding was instituted in response to a
petition from industry seeking clarity about the use of CPNI.
1060
However, the Commission has never
expressly endorsed the view that Section 222(a) fails to reach customer information beyond CPNI.
1061
We
1054
See Oncale v. Sundowner Offshore Servs., Inc., 523 U.S. 75, 79 (1998) (“[I]t is ultimately the provisions of our
laws rather than the principal concerns of our legislators by which we are governed.”); cf. NCTA II, 567 F.3d at 665
(“Thus, even if legislative history could carry petitioners all the way from statutory language that literally authorizes
the Commission’s action to the proposition that the statute unambiguously forecloses the agency’s view, this
legislative history [i.e., that attending adoption of Section 628 of the Act] cannot.”).
1055
See, e.g., AT&T Comments at 104-05; CTIA Comments at 30-32; see also 2007 CPNI Order, 22 FCC Rcd at
6928, para. 1 (“In this Order, [we . . . strengthen] our rules to protect the privacy of customer proprietary network
information (CPNI) . . .”); 1998 CPNI Order, 13 FCC Rcd at 8066-67, para. 4 (providing an overview of the rules
being adopted in that order regarding CPNI).
1056
See 2007 CPNI Order, 22 FCC Rcd at 6959, para. 64.
1057
TerraCom NAL, 29 FCC Rcd at 13330, para. 14. But see CTIA Comments at 30-31 (contending that the
reference to “proprietary or personal customer information” in paragraph 64 of the 2007 CPNI Order is best read as
limited to CPNI); see also Lifeline and Link Up Reform and Modernization et al., Second Further Notice of
Proposed Rulemaking, Order on Reconsideration, Second Report and Order, and Memorandum Opinion and Order,
30 FCC Rcd 7818, 7895-96, para. 234 (2015) (reminding carriers that the duty to protect customer information
“includes all documentation submitted by a consumer or collected by an [eligible telecommunications carrier] to
determine a consumer’s eligibility for Lifeline service, as well as all personally identifiable information contained
therein”).
1058
But see ITTA Comments at 3-4 (arguing that “the Commission did address [whether Section 222(a) covers
customer information other than CPNI] and affirmatively decided that subsection 222(a) afforded no such ‘broader’
protections.”). ITTA cites as the basis for this claim a discussion in the 1999 CPNI Reconsideration Order of the
relationship between Sections 222 and 272(c)(1). See id. at 4, n.10 (citing 1999 CPNI Reconsideration Order, 14
FCC Rcd at 14488, para. 147). Contrary to ITTA’s claim, the Commission did not “affirmatively” address the scope
of customer information covered under Section 222(a).
1059
See 1998 CPNI Order, 13 FCC Rcd at 8068-69, para. 7 (“Prior to the 1996 Act, the Commission had established
CPNI requirements applicable to the enhanced services operations of AT&T, the BOCs, and GTE, and the CPE
operations of AT&T and the BOCs, in the Computer II, Computer III, GTE ONA, and BOC CPE Relief
proceedings.”) (internal footnotes omitted).
1060
See 1998 CPNI Order, 13 FCC Rcd at 8068, para. 6 (explaining that the proceeding was initiated “[i]n response
to various informal requests for guidance from the telecommunications industry regarding the obligation of carriers
under new section 222”).
Federal Communications Commission FCC 16-148
153
therefore disagree that interpreting the provision in a contrary manner will have the effect of unsettling
“18 years” of Commission precedent in this area.
1062
358. Finally, construing Section 222(a) as reaching customer information other than CPNI
avoids the creation of a regulatory gap that Congress could not reasonably have intended. While the FTC
has broad statutory authority to protect against “unfair or deceptive” commercial practices, its enabling
statute includes a provision that exempts common carriers subject to the Communications Act.
1063
This
leaves the Federal Communications Commission as the only federal agency with robust authority to
regulate BIAS providers and other telecommunications carriers in their treatment of sensitive customer
information obtained through the provision of BIAS and other telecommunications services. If that
authority failed to reach customer PI other than CPNI, substantial quantities of highly sensitive
information that carriers routinely collect and use would fall outside of the purview of either this
Commission or the FTC. The facts of TerraCom make clear the dangers of this outcome. In that
proceeding we enforced Section 222(a) against a carrier that neglected to take even minimal security
measures to protect Social Security numbers and other sensitive customer data from exposure on the
public Internet.
1064
Commenters that advocate a narrow construction of Section 222(a) would have us
divest ourselves of authority to take action in circumstances such as these. We need not and will not
leave consumers without the authority to decide under what circumstances, if any, their BIAS providers
are allowed to use and share their Social Security numbers, financial and health information, and other
personal information.
c. The Rules We Adopt as to “Customer PI” Reasonably Implement
the Mandate of Section 222(a) That Carriers “Protect the
Confidentiality” of Such Information
359. The rules we adopt in this Report and Order apply with respect to customer PI, which we
have defined to include three overlapping categories of information: individually identifiable CPNI;
personally identifiable information (PII); and the content of communications. As explained above, the
information we define as customer PI is “proprietary information of, [or] relating to . . . customers” for
purposes of Section 222(a).
1065
The rules we adopt in this Report and Order faithfully implement this
statutory provision. As a general matter, we are adopting a uniform regulatory scheme to govern all
customer PI, regardless of whether the information qualifies as CPNI. We have achieved this unity by
replicating the basic structure of Section 222(c), including the exceptions set forth in Section 222(d),
under Section 222(a). In doing so, we uphold the specific statutory terms that govern CPNI, while
(Continued from previous page)
1061
We expressly disavow any prior Commission statement that could be read as endorsing such a view. See FCC v.
Fox Television Stations, Inc., 556 U.S. 502, 515 (2009) (holding that although an agency must acknowledge that it is
changing course when it adopts a new construction of an ambiguous statutory provision, “it need not demonstrate to
a court’s satisfaction that the reasons for the new policy are better than the reasons for the old one . . . .” Rather, it is
sufficient that “the new policy is permissible under the statute, that there are good reasons for it, and that the agency
believes it to be better, which the conscious change of course adequately indicates.”).
1062
But see Verizon Reply at 26.
1063
15 U.S.C. § 45(a)(2) (exempting “common carriers subject to the Acts to regulate commerce”), § 44 (defining
“Acts to regulate commerce” as including “the Communications Act of 1934 and all Acts amendatory thereof and
supplementary thereto”). See also 47 U.S.C. § 153(51) (providing that “[a] telecommunications carrier shall be
treated as a common carrier under [the Communications Act] only to the extent that it is engaged in providing
telecommunications services”).
1064
See TerraCom NAL, 29 FCC Rcd at 13325, para. 1 (“Today, we take action against two companies that collected
names, addresses, Social Security numbers, driver’s licenses, and other proprietary information (PI) belonging to
low-income Americans and stored them on unprotected Internet servers that anyone in the world could access with a
search engine and basic manipulation.”).
1065
See supra Part III.B.
Federal Communications Commission FCC 16-148
154
adapting these to the broader category of customer PI. This approach is lawful under the statute and
well-supported as a matter of policy.
360. As discussed above, we understand Section 222(a) to impose a broad duty on carriers to
protect customer PI that extends beyond the narrower scope of information specified in Section 222(c).
1066
Section 222(c) sets forth binding rules regarding application of the general duty to carriers’ handling of
CPNI. In support of this view, we note the common focus of these subsections on “confidentiality.”
While subsection (a) directs carriers to “protect the confidentiality of proprietary information” in
general,
1067
subsection (c) concerns the confidentiality of “individually identifiable customer proprietary
network information” in particular.
1068
Under our interpretation, subsection (c) provides one possible way
of implementing the broad duty set forth in subsection (a). That is, subsection (c) settles what it means
for a carrier to “protect the confidentiality of proprietary information” when the information at issue is
individually identifiable CPNI. Given this reading of the two provisions, we find no reason that the basic
scheme set forth in Section 222(c) to govern individually identifiable CPNI cannot not be replicated under
Section 222(a) to govern customer PI more broadly. In adopting Section 222(c), Congress identified a
scheme for “protecting the confidentiality of proprietary information” that it deemed valid at least in the
context of CPNI.
1069
The statute is silent on the implementation of this general duty as it applies to
customer PI more broadly. In the absence of clear statutory guidance on the matter, we must exercise our
judgment to determine a regulatory scheme that is appropriate for customer PI other than individually
identifiable CPNI.
361. We have good reason to adopt a single set of rules for all customer PI under Section
222(a) that is based on the scheme set forth for individually identifiable CPNI in Sections 222(c) and (d).
First, the record indicates that customer expectations about the use and handling of their personal
information do not typically depend on whether the information at issue is CPNI or some other kind of
proprietary information. Rather, customers are far more likely to recognize distinctions based on the
sensitivity of the data.
1070
The rules we adopt today uphold this widespread customer expectation.
1071
In
addition, a common set of rules for all customer PI subject to 222(a) will be easier for customers to
understand and for providers to implement than two distinct sets of rules.
1072
These considerations go to
the very heart of Section 222: the ability of customers to make informed decisions and of providers to
apply a harmonized regime to all customer data will each contribute to the protection of “confidentiality”
that the statute requires. Moreover, equalizing treatment of CPNI and other customer PI more closely
aligns our rules with the FTC’s time-tested privacy approach.
1073
362. We agree with Comcast that “protect[ing] confidentiality” of proprietary information
involves, among other things, “preventing [such information] from being exposed without
authorization.”
1074
This is among the core purposes of our rules. The requirement to obtain customer
1066
See supra para. 343.
1067
See 47 USC § 222(a).
1068
See 47 USC § 222(c).
1069
See id.; see also CTIA Comments at 26 (“In short, the most natural reading of Section 222 is that subsection
(a)’s general mandate is specifically set forth for customers in subsection (c) . . .”).
1070
See supra Part III.D.
1071
See supra Part III.D.1 (sensitive/non-sensitive distinction), Part III.E (sensitivity of the data as a factor), and
III.F.1 (harm presumption with respect to sensitive data breaches).
1072
See, e.g., WTA Comments at 19 (discussing the costs that would accrue to smaller providers in complying with
“multiple regulatory regimes”).
1073
See supra para. 358.
1074
Comcast Comments at 81.
Federal Communications Commission FCC 16-148
155
approval before using, disclosing, or permitting access to customer PI directly ensures that such
information is not “expose[d]” without the “authorization” of the customer.
1075
The notice requirement
advances this purpose further by providing customers the information they need to make informed
choices regarding such use, disclosure, and access.
1076
As for the data security rule we adopt, its essential
purpose is to safeguard customer PI from inadvertent or malicious “expos[ure].”
1077
The data breach
notification rule reinforces these other requirements by providing customers, the Commission, and law
enforcement agencies with notice of instances in which customer PI was “exposed without
authorization.”
1078
Finally, we uphold customers’ ability to make decisions about the “expos[ure]” of
their data by prohibiting carriers from conditioning service on the surrender of privacy rights.
1079
363. Yet “protecting the confidentiality” of customer PI involves more than protecting it from
unauthorized exposure. AT&T draws a false distinction in arguing that certain aspects of the rules “have
nothing to do with confidentiality concerns and instead address only the uses of information within an
ISP’s possession.”
1080
On the contrary, upholding customer expectations and choices regarding the use of
their proprietary information is an integral part of “protecting the confidentiality of” that information for
purposes of Section 222.
1081
In support of this view, we note that restrictions on the use of individually
identifiable CPNI are part of the scheme enacted under Section 222(c) to address the “confidentiality of
[CPNI],”
1082
and use is the sole conduct regulated to address the “confidentiality of carrier information”
under subsection (b).
1083
We thus believe the most natural reading of the term “confidentiality” as used in
Section 222 is that it encompasses the use of information, not only “disclos[ure]” and permissions of
“access.” As a coalition of consumer advocacy groups explain, in creating Section 222 “Congress most
explicitly directed the Commission to ensure that users are not merely protected from exposure to third
parties, but can actively control how the telecommunications provider itself uses the information” it
collects.
1084
We agree with Verizon that “‘protect’ and ‘use’ are different words [that] must have different
meanings” within the statute,
1085
but our view is that these meanings differ in terms of breadth. The
“protect[ion] of confidentiality” is a concept that is broad enough to cover the different kinds of conduct
regulated under Section 222(c): use, disclosure, and permission of access. A carrier that uses, discloses,
or permits access to individually identifiable CPNI without customer approval violates its duty under
1075
See supra Part III.D.
1076
See supra Part III.C.
1077
See supra Part III.E.
1078
See supra Part III.F.
1079
See supra Part III.G.1.
1080
AT&T Comments at 108; see also Comcast Comments at 81 (“Even if Section 222(a) confers an independent
grant of authority, it is only the authority to adopt rules to ‘protect the confidentiality of’ proprietary information.
This means that any authority the Commission may have under [Section 222(a)] is limited to preventing proprietary
information from being exposed without authorization and does not extend to defining its permissible uses such as
for marketing or advertising.”); Verizon Comments at 59 (“Section 222(a) is far too thin a reed to authorize the
entire regulatory apparatus the Commission proposes to erect for PII that is not CPNI. Section 222(a) requires only
that carriers ‘protect the confidentiality’ of information; it does not govern permissible uses of information.”); Letter
from Loretta Polk, Vice President and Associate General Counsel, NCTA, to Marlene H. Dortch, Secretary, FCC,
WC Docket No. 16-106, at 2 (filed Oct. 21, 2016).
1081
But see Comcast Comments at 82 (urging the Commission to model its interpretation of Section 222(a) on the
FTC’s interpretation of different statutory language in the Gramm-Leach-Bliley Act).
1082
47 USC § 222(c) (capitalization omitted).
1083
47 USC § 222(b) (capitalization omitted).
1084
Public Knowledge et al. Reply at 4.
1085
See Verizon Comments at 60.
Federal Communications Commission FCC 16-148
156
Section 222(c) to protect the “confidentiality” of that CPNI. The same analysis applies under Section
222(a) with regard to customer PI more broadly. Accordingly, we find Section 222(a)’s duty to “protect
the confidentiality” of proprietary information supports our rules in full.
3. Section 222(c) Provides Authority for the Rules as to CPNI
364. In addition to our Section 222(a) authority discussed above, we have authority under
Section 222(c) to adopt the rules articulated in this Order as to individually identifiable CPNI. Subsection
(c) obligates carriers to obtain customer approval for any use or disclosure of individually identifiable
CPNI, except to provide the underlying telecommunications service or related services.
1086
Our rules
implement this mandate.
365. First, our rules establish three methods for obtaining the customer approval required
under Section 222(c): inferred consent, opt-in and opt-out. There exists longstanding Commission
precedent for requiring the use of these methods,
1087
and commenters generally support some combination
of the three.
1088
Under the rules we adopt in this Order, whether a carrier must seek an affirmative “opt-
in” depends primarily on whether the information at issue is sensitive.
1089
This distinction is permissible
under Section 222(c), which requires customer approval in general for most uses and disclosures of
individually identifiable CPNI but does not specify the form this approval must take in any particular
circumstance. Second, we require carriers to provide their customers with notice of their privacy policies,
both at the point of sale and through posting on their websites and in mobile apps.
1090
This is an essential
part of customer approval, as only informed customers can make meaningful decisions about whether and
how extensively to permit use or disclosure of their information. The need for this notice to be given at
the point of sale is particularly acute in circumstances where approval may take the form of an “opt-out.”
In such cases, the notice itself is integral to the “approval”: customers are presumed to approve of the use
or disclosure unless and until they affirmatively “opt out” of such activity. We also prohibit carriers
from conditioning the provision of service on consent to the use or disclosure of information protected
under Section 222.
1091
We believe that this prohibition is necessary to give effect to the customer
approval that subsection (c) requires.
1092
366. We next require carriers to take reasonable measures to secure the individually
identifiable CPNI they collect, possess, use and share.
1093
Such a requirement is necessary to uphold
customer decisions regarding use and disclosure of their information and to give effect to the terms of
carriers’ privacy policies. These other privacy protections would be vitiated if customers lacked any
assurance that their information would be secured against unauthorized or inadvertent disclosures, cyber
incidents, or other threats to the confidentiality of the information. Finally, we require carriers to report
data breaches to their customers, the Commission, and law enforcement, except when a carrier reasonably
determines that there is no reasonable likelihood of harm to customers.
1094
The Commission has long
required such reporting as part of a carrier’s duty to protect the confidentiality of its customers’
1086
See 47 USC § 222(c)(1); see also 47 U.S.C. § 222(d) (enumerating additional exceptions).
1087
See 2002 CPNI Order, 17 FCC Rcd at 14862-63, para. 2 (providing an overview of “opt-in” and “opt-out”
approval requirements adopted in that order).
1088
See supra Part III.D.
1089
See supra Part III.D.
1090
See supra Part III.C.
1091
See supra Part III.G.1.
1092
See supra Part III.G.1.
1093
See supra Part III.E.
1094
See supra Part III.F.
Federal Communications Commission FCC 16-148
157
information.
1095
Among other purposes, data breach notifications can meaningfully inform customer
decisions regarding whether to give, withhold, or retract their approval to use or disclose their
information.
367. In adopting these rules, we are respectful of other parts of the statute that limit or
condition the scope of Section 222(c). For instance, our rules preserve the statutory distinction between
individually identifiable “CPNI” and “aggregate customer information.”
1096
As explained above, we have
not modified the definition of either of these terms in a way that would impermissibly narrow the scope of
Section 222(c)(3).
1097
In addition, our rules include provisions that implement the exceptions to Section
222(c) that are set forth in Section 222(d).
1098
Finally, our rules are consistent with and pose no obstacle
to compliance with the requirements of Sections 222(e) and (g) that subscriber information be disclosed
in certain defined circumstances.
1099
B. Sections 201(b) and 202(a) Provide Additional Authority to Protect Against Privacy
Practices That Are “Unjust or Unreasonable” or “Unjustly or Unreasonably
Discriminatory”
368. While Section 222 provides sufficient authority for the entirety of the rules we adopt in
this Order, we conclude that Sections 201(b) and 202(a) also independently support the rules, because
they authorize the Commission to prescribe rules to implement carriers’ statutory duties not to engage in
conduct that is “unjust or unreasonable” or “unjustly or unreasonably discriminatory.”
1100
Our
enforcement of Sections 201(b) and 202(a) in the context of BIAS finds expression in the “no
unreasonable interference/disadvantage” standard adopted in the 2015 Open Internet Order.
1101
As we
explained in the 2015 Open Internet Order, “practices that fail to protect the confidentiality of end users’
proprietary information” are among the potential carrier practices that are “unlawful if they unreasonably
interfere with or disadvantage end-user consumers’ ability to select, access, or use broadband services,
applications, or content.”
1102
Above, we noted that financial incentives to surrender privacy rights in
connection with BIAS are one sort of practice that could potentially run afoul of this standard, and we
will accordingly monitor such practices closely. Yet, aside from prohibiting “take-it-or-leave-it”
offerings, we do not engage in any ex ante prohibition of such practices.
1103
369. In addition, Sections 201(b) and 202(a) provide backstop authority to ensure that no gaps
are formed in Congress’s multi-statute regulatory framework governing commercial privacy and data
security practices. As explained above, the FTC’s enabling statute grants the agency broad authority with
respect to such practices, but denies it authority over common carrier activities of common carriers.
1104
1095
See 2007 CPNI Order, 22 FCC Rcd at 6943-45, paras. 26-32; see also 47 CFR § 64.2011.
1096
See 47 U.S.C. § 222(h)(1) (“customer proprietary network information”), (h)(2) (“aggregate customer
information”).
1097
See supra Part III.B.4.
1098
See infra Appx. A.
1099
See 47 U.S.C. § 222(e), (g).
1100
47 U.S.C. §§ 201(b), 202(a); see Broadband Privacy NPRM, 31 FCC Rcd at 2596, paras. 305-06.
1101
2015 Open Internet Order, 30 FCC Rcd at 5609, para. 22, 5659-69, paras. 133-53.
1102
Id. at 5662, para. 141.
1103
See supra para. 297. But see Nokia Reply at 9 (“[F]or innovation to happen throughout the entire ecosystem, the
Commission must avoid policy frameworks that impose ex ante prohibitions on potential sources of value creation
particularly when those prohibitions are imposed on only one segment of the ecosystem: once again, in this instance,
providers of BIAS.”).
1104
See supra Part IV.A.2.
Federal Communications Commission FCC 16-148
158
That leaves this Commission as the sole federal agency with authority to regulate telecommunications
carriers’ treatment of personal and proprietary customer data obtained in the provision of BIAS and other
telecommunications services. While we believe Section 222 endows the Commission with ample
authority for the rules we adopt today to protect such data, both as to CPNI and other customer PI,
Sections 201(b) and 202(a) provide an independent legal basis for the rules. Indeed, both this
Commission and the FTC have long recognized that similar conduct would tend to run afoul of Section
201(b) and of Section 5 of the FTC Act, the statutory linchpin of the FTC’s privacy and data security
enforcement work.
1105
Thus, asserting Sections 201(b) and 202(a) as a basis for our rules merely
preserves consistent treatment of companies that collect sensitive customer informationincluding Social
Security numbers and financial recordsregardless of whether the company operates under the FCC’s or
FTC’s authority.
370. Accordingly, for these reasons and others discussed throughout this Report and Order, we
find that Sections 201(b) and 202(a) by their own terms, consistent the 2015 Open Internet Order’s
interpretation of those provisions in the context of BIAS, provide authority for the adoption of these rules.
Also, while we recognize that telecommunications services other than BIAS are beyond the reach of the
open Internet rules, providers of such services remain subject to enforcement directly under Sections
201(b) and 202(a), and those provisions authorize adoption of these rules.
C. Title III of the Communications Act Provides Independent Authority
371. With respect to mobile BIAS and other mobile telecommunications services, the rules we
adopt in this Order are also independently supported by our authority under Title III of the Act to protect
the public interest through spectrum licensing.
1106
Section 303(b) directs the Commission, consistent with
the public interest, to “[p]rescribe the nature of the service to be rendered by each class of licensed
stations and each station within any class.”
1107
These rules do so.
1108
They lay down rules about “the
nature of the service to be rendered” by licensed entities providing mobile telecommunications service;
making clear that this service may not be offered in ways that harm the interests of consumers is
protecting the confidentiality of their personal information.
1109
Today’s rules specify the form this service
must take for those who offer it pursuant to license. In providing such licensed service, carriers must
adhere to the rules we adopt today. Section 303(r) also supplements the Commission’s authority to carry
out its mandates through rulemaking,
1110
and Section 316 authorizes the Commission to adopt new
conditions on existing licenses if it determines that such action “will promote the public interest,
convenience, and necessity.
1111
Throughout this Order, we determine that the rules adopted here will
promote the public interest.
1105
See FCC and FTC, Joint FCC/FTC Policy Statement for the Advertising of Dial-Around and Other Long-
Distance Services to Consumers, 65 Fed. Reg. 44053-02, 44054 (July 17, 2000).
1106
See Broadband Privacy NPRM, 31 FCC Rcd at 2598, para. 310.
1107
47 U.S.C. § 303(b); see, e.g., 2015 Open Internet Order, 30 FCC Rcd at 5725, paras. 285-87.
1108
See Public Knowledge White Paper at 20-21. But see T-Mobile Comments at 23; CTIA Comments at 71-73.
1109
Cf., e.g., Facilitating the Deployment of Text-To-911 and Other Next Generation 911 Applications, PS Docket
Nos. 11-153, 10-255, Report and Order, 28 FCC Rcd 7556, 7587-92, paras. 89-99 (2013); Amendments to Part 4 of
the Commission’s Rules Concerning Disruptions to Communications, PS Docket Nos. 15-80, 11-82, ET Docket No.
16-63, Report and Order, Further Notice of Proposed Rulemaking, and Order on Reconsideration, 31 FCC Rcd
5817, 5896-97, paras. 202-05 (2016).
1110
47 U.S.C. § 303(r); see 2015 Open Internet Order, 30 FCC Rcd at 5725, para. 287 (citing Cellco P’ship v. FCC,
700 F.3d 534, 543 (D.C. Cir. 2012)).
1111
47 U.S.C. § 316(a)(1); see 2015 Open Internet Order, 30 FCC Rcd at 5725, para. 287.
Federal Communications Commission FCC 16-148
159
D. The Rules Are Also Consistent With the Purposes of Section 706 of the 1996 Act
372. We also believe that our rules are consistent with Section 706 of the 1996 Act and will
help advance its objective of promoting “the deployment on a reasonable and timely basis of advanced
telecommunications capability to all Americans.”
1112
We agree with commenters that strong broadband
privacy and data security practices tend to promote consumer trust and confidence, which can increase
demand for broadband and ultimately spur additional facilities deployment.
1113
Moreover, we have
adopted a flexible set of rules that are largely consistent with the FTC’s approach to privacy regulation,
creating a measure of consistency across the telecommunications ecosystem. We thus reject any
argument that the rules will impose novel costs or burdens on BIAS providers and other
telecommunications carriers that would discourage further deployment of advanced services.
1114
E. We Have Authority to Apply the Rules to Interconnected VoIP Services
373. In 2007, the Commission exercised ancillary jurisdiction to extend its Part 64 CPNI rules
to interconnected VoIP services.
1115
Since then, interconnected VoIP providers have operated under these
rules. Today, we exercise the same authority
1116
to apply to interconnected VoIP services the harmonized
set of rules we are adopting for BIAS and other telecommunications services. Interconnected VoIP
services remain within the Commission’s subject matter jurisdiction, and we continue to find that the
application of customer privacy requirements to these services is “reasonably ancillary to the effective
performance” of our statutory responsibilities.
1117
As the Commission explained in 2007, “American
consumers [can reasonably] expect that their telephone calls are private irrespective of whether the call is
made using the service of a wireline carrier, a wireless carrier, or an interconnected VoIP provider.”
1118
1112
See 47 U.S.C. § 1302(a).
1113
See Greenlining Institute Comments at 18-19 (“[C]ommodification and use of the customer’s personal
information without informed consent [interferes] with a consumer’s access to the BIAS telecommunications
transport, and lessen consumer trust (and the public’s trust) in the integrity of BIAS service.”); Public Knowledge
White Paper at 22-23 (“[P]rotection of CPNI may spur consumer demand . . . driving demand for broadband
connections, and consequently encouraging more broadband investment and deployment consistent with Section
706.”) (citing 2007 CPNI Order, 22 FCC Rcd at 6927, para. 59).
1114
But see CTIA Comments at 67. (“[F]urther network investment will not take place if ISPs lack the incentives or
resources to continue to deploy broadband infrastructure.”); ACA Comments at 70-71 (“In fact, the proposed rules
are more likely to shove a stick in the spokes of the virtuous circle than perpetuate it.”); Washington Legal
Foundation Comments at 7-9.
1115
See 2007 CPNI Order, 22 FCC Rcd at 6954-57, paras. 54-59; see also 47 CFR § 64.2003(o) (defining
“telecommunications carrier or carrier” for purposes of the CPNI rules to include interconnected VoIP providers).
1116
We make no decisions in this Order on the regulatory classification of interconnected VoIP services.
1117
See 2007 CPNI Order, 22 FCC Rcd at 6955, para. 55; see also United States v. Southwestern Cable, 392 U.S.
157, 177-78 (1968) (setting forth the two-part “ancillary jurisdiction” test); Comcast Corp. v. FCC, 600 F.3d 642,
654 (D.C. Cir. 2010) (holding that ancillary jurisdiction must be “necessary to further its regulation of activities over
which it does have express statutory authority”). We conclude that our jurisdiction to apply the rules in this Order to
interconnected VoIP providers is just as strong as it was in 2007. In addition to the analysis in the 2007 CPNI
Order, 22 FCC Rcd at 6954-57, paras. 54-59, we observe that applying these obligations to interconnected VoIP
providers is necessary to protect the privacy of customers of BIAS providers and other telecommunications
services. Given the growth in interconnected VoIP and the extent to which it increasingly is viewed as a substitute
for traditional telephone service, telecommunications carriers could be disadvantaged if they were subject to these
requirements but other interconnected VoIP providers were not. Consumers’ privacy interests could benefit to the
extent that providers of competitive services are subject to the same obligations. Furthermore, in light of Congress’s
amendment of the Act, including Section 222, to apply E-911 obligations to interconnected VoIP, the 911 system
could be disrupted to the extent that our harmonized Section 222 regime were no longer to apply to interconnected
VoIP.
1118
2007 CPNI Order, 22 FCC Rcd at 6956, para. 56.
Federal Communications Commission FCC 16-148
160
Furthermore, “extending Section 222’s protections to interconnected VoIP service customers is necessary
to protect the privacy of wireline or wireless customers that place calls to or receive calls from
interconnected VoIP providers.”
1119
These rationales hold equally true today. In addition, in 2008,
Congress ratified the Commission’s decision to apply Section 222’s requirements to interconnected VoIP
by adding language to Section 222 that expressly covers “IP-enabled voice service,”
1120
defined expressly
to incorporate the Commission’s definition of “interconnected VoIP service.”
1121
374. We believe that the rules we adopt today are no less suitable for interconnected VoIP
service, and are in fact better tailored to that service, than the rules adopted in 2007. As explained above,
we have adopted a harmonized set of rules for voice services and BIAS. There is considerable flexibility
built into these rules to permit providers of different services and with different business models to adopt
privacy practices appropriate for their businesses.
1122
Moreover, while the Order expands on existing
obligations in some respects, it also streamlines or removes several of the more prescriptive requirements
codified in the existing rules.
1123
We have also broadened the enterprise customer exemption
1124
and taken
measures to address the potential for disproportionate impacts on smaller providers, including those that
provide interconnected VoIP service.
1125
We therefore are not persuaded that our rules will overburden
interconnected VoIP providers in particular with “expand[ed] privacy obligations” that would “forestall
competition.”
1126
F. Constitutional Considerations
1. Our Sensitivity-Based Choice Framework Is Supported by the Constitution
375. In adopting section 222, Congress identified a substantial government interest in
protecting the privacy of customers of telecommunications services. In adopting and revising rules
pursuant to section 222 we have recognized and honored that same substantial interest. Nonetheless,
because our rules require carries to provide their customers with tools to grant or deny the carriers
approval to use customer information for marketing and other purposes, they can be said to restrict certain
types of commercial speech by telecommunications carriers, and therefore must be narrowly tailored to
further that substantial government interest.
1127
In the Central Hudson case, the Supreme Court found that
in order to meet the requirement that rules implicating commercial speech are narrowly tailored to meet a
substantial government interest, the government must conduct a threshold inquiry regarding whether the
commercial speech concerns lawful activity and is not misleading.
1128
If this threshold requirement is
met, as it is here, the government may restrict the speech only if (1) the government interest advanced by
the regulation is substantial; (2) the regulation directly and materially advances that interest; and (3) the
regulation is not more extensive than necessary to serve the interest.
1129
By adopting a sensitivity-based
1119
Id. at 6956, para. 57.
1120
See NET 911 Act; see also 47 U.S.C. § 222(d)(4), (f)(1), (g).
1121
47 U.S.C. § 222(d)(4), (f)(1), (g) (applying provisions of section 222 to “IP-enabled voice service”); § 615b(8)
(defining “IP-enabled voice service” as having “the meaning given the term ‘interconnected VoIP service’ by
section 9.3 of the Federal Communications Commission’s regulations (47 CFR 9.3)”).
1122
See, e.g., supra para. 242.
1123
See, e.g., supra para. 234 (removal of annual certifications requirement); para. 253 (customer authentication).
1124
See supra Part III.H.2. But see Voice on the Net Coalition Comments at 6.
1125
See infra Appx. B.
1126
But see Voice on the Net Coalition Comments at 4.
1127
Central Hudson Gas & Electric Corp. v. Pub. Serv. Comm’n of N. Y., 447 U.S. 557 (1980).
1128
Central Hudson, 447 U.S. at 566; see also U.S. West, 182 F.3d at 1233.
1129
Central Hudson, 447 U.S. at 566; NCTA v. FCC, 555 F.3d at 1000; U.S. West, 182 F.3d at 1233.
Federal Communications Commission FCC 16-148
161
framework for giving customers tools to make decisions about their telecommunications carriers’ use and
sharing of their information, the rules we adopt today meet that three part test.
a. Substantial Government Interest
376. We agree with the D.C. Circuit that Section 222 seeks to promote a substantial public
interest in protecting consumer privacy.
1130
The record indicates broad agreement on this point,
1131
which
is further reinforced by the wealth of case law reiterating the substantial state interest in protecting
privacy.
1132
Section 222 is designed to protect the interest of telecommunications consumers in limiting
unexpected and unwanted use and disclosure of their personal information by carriers that must collect
such information in order to provide the telecommunications service,
1133
and the record further indicates
that customers’ ability to know and control the information gathered by virtue of their relationships with
their telecommunications providers also comprises a substantial government interest.
1134
377. The failure to adequately protect customer PI can have myriad negative consequences for
customers and society at large. Revelations of private facts have been recognized as harms since at least
the time of Justices Warren and Brandeis.
1135
Failure to protect the privacy of consumer information can,
of course create a risk of financial harm, identity theft and physical threat.
1136
The Commission has also
found that emotional and dignitary harms are privacy harms, in other contexts.
1137
The FTC similarly
recognized that harms beyond the economic, physical, and intrusive are nonetheless real and
1130
NCTA v. FCC, 555 F.3d at 1001 (2009) (internal citations omitted) (“The Tenth Circuit supposed that § 222
sought to promote a governmental interest in protecting against the disclosure of ‘information [that] could prove
embarrassing,’ and it doubted whether this interest could be deemed ‘substantial.’ We do not share the Tenth
Circuit’s doubt. For one thing, we have already held, in an analogous context, that ‘protecting the privacy of
consumer credit information’ is a ‘substantial’ government interest. For another thing, we do not agree that the
interest in protecting customer privacy is confined to preventing embarrassment as the Tenth Circuit thought. There
is a good deal more to privacy than that. . . . The Supreme Court knows this as well Congress: ‘both the
common law and the literal understanding of privacy encompass the individual’s control of information concerning
his or her person.’”).
1131
CTIA Comments at 81-82 (recognizing substantial interest in customers’ control of their personal information);
CTIA Sept. 16, 2016 Ex Parte at 18-19 (conceding substantial privacy interest in online ecosystem while
questioning the breadth of the proposed rules); Consumer Federation of California Reply at 8-9 (enumerating state
interests in privacy found throughout federal and state law).
1132
See, e.g., NCTA v. FCC, 555 F.3d at 1001; Ohio v. Akron Ctr. for Reprod. Health, 497 U.S. 502, 529 (1990);
Carey v. Population Servs., Intern., 431 U.S. 678, 684 (1977); Whalen v. Roe, 429 U.S. 589, 599 (1977); Griswold
v. Connecticut, 381 U.S. 479, 483 (1965); Florida Bar v. Went For It, Inc., 515 U.S. 618, 625 (1995); Edenfield v.
Fane, 507 U.S. 761, 766 (1993). US West v. FCC, frequently cited in opposition to the constitutionality of this
Order, acknowledges the “substantial state interest” in privacy, and that Section 222, in particular, has a “specific
and dominant purpose” of protecting consumer privacy. 182 F.3d at 1234, 1236.
1133
See, e.g., 2002 CPNI Order, 17 FCC Rcd at 14875, para. 33.
1134
See supra note 1131.
1135
Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193, 213 (1890) (“If the invasion
of privacy constitutes a legal injuria, the elements for demanding redress exist, since already the value of mental
suffering, caused by an act wrongful in itself, is recognized as a basis for compensation.”); see also William L.
Prosser, Privacy, 48 Cal. L. Rev. 383, 389 (1960) (enumerating privacy torts, including “[p]ublic disclosure of
embarrassing private facts about the plaintiff”).
1136
See, e.g., supra note 696 (acknowledging potential for financial or physical harm).
1137
In implementing the Truth in Caller ID Act, the Commission found that “harm” was a broad concept
encompassing financial, physical, and emotional harm. See Rules and Regulations Implementing the Truth in Caller
ID Act of 2009, WC Docket No. 11-39, Report and Order, 26 FCC Rcd 9114, 9122, para. 22 (2011).
Federal Communications Commission FCC 16-148
162
cognizable,
1138
and the Administration’s CPBR defines “privacy risk” to include the potential to cause
“emotional distress, or physical, financial, professional, or other harm to an individual.”
1139
378. Some commenters argue that the Commission can only demonstrate an interest in
addressing the disclosure of customer PI and not in how carriers’ use customer PI.
1140
We disagree. The
Supreme Court has recognized that an important part of privacy is the right to know and have an effective
voice in how one’s information is being used, holding that “both the common law and the literal
understandings of privacy encompass the individual’s control of information concerning his or her
person.”
1141
The D.C. Circuit has similarly held that “it is widely accepted that privacy deals with
determining for oneself when, how, and to whom personal information will be disclosed to others.”
1142
This conception of privacy is embedded within the history of the Fair Information Practice Principles
1143
(which form the broadly-supported
1144
basis for our privacy rules), and within the long history of
communications privacy as well.
1145
Scholarly literature on privacy also finds that misuse by the
collecting entity can harm individuals’ privacy, even apart from disclosure.
1146
379. Direct surveys confirm consumers’ recognition of these harms. According to the 2016
Consumer Privacy Index by TRUSTe and the National Cybersecurity Alliance, 68 percent of consumers
were more concerned about not knowing how personal information was collected online than losing their
principal income.
1147
The Consumer Privacy Index also indicated that large numbers of consumers want
control over who has access to personal information (45 percent), how that information is used (42
percent), and the type of information collected (41 percent).
1148
Consumers also object to their data being
1138
2012 FTC Privacy Report at 7-9.
1139
2015 Administration CPBR Discussion Draft, § 4(g).
1140
See, e.g., Comments of Laurence Tribe on behalf of CTIA, NCTA and USTelecom at 27-29 (Tribe Comments).
1141
U.S. Dept. of Justice v. Reporters Comm. For Freedom of Press, 489 U.S. 749, 763 (1989) (cited in NCTA v.
FCC, 555 F.3d at 1001); see OTI Reply at 18-19.
1142
NCTA v. FCC, 555 F.3d at 1001; see OTI Reply at 20.
1143
From their inception, FIPPs have recognized privacy as an individual’s right to control uses of information about
himnot merely to control their disclosures. See HEW Report at 40-41 (finding that privacy is affected by the
recording, disclosure, and use of identifiable information).
1144
See, e.g., 2012 FTC Privacy Report at i; 2012 White House Privacy Blueprint; Online Interest-Based
Advertising Accountability Comments at 2; EPIC Comments at 2-3; Privacy Rights Clearinghouse at 2-3;
McDonald Reply at 1; Charter Comments at 6-7; Internet Association Comments at 6-7; ITIC Comments at 4;
USTelecom Comments at 11-12.
1145
The Federal Radio Act of 1927, and the original language of the Communications Act of 1934, prohibited
carriers not only from publishing or divulging information relevant to communications, but also from making uses
of the information solely to benefit themselves. See Max D. Paglin, A Legislative History of the Communications
Act of 1934, 721 (1989); Communications Act of 1934 § 605, 48 Stat. 1103 (now codified at 47 U.S.C. § 605(a));
Public Knowledge Reply at 4.
1146
See Daniel Solove, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477 (2006); M. Ryan Calo, The Boundaries of
Privacy Harm, 86 Ind. L.J. 11131, 1133 (2011) (noting the existence of both subjective and objective privacy
harms); OTI Reply at 20, 27.
1147
Consumer Privacy Index 2016; OTI Reply at 22.
1148
Consumer Privacy Index 2016. A Bain & Company survey of over 900 consumers found that two-thirds of
them felt it should be “illegal for companies to collect or use . . . data without getting prior consent.” Bain &
Company Press Release, How can companies acquire customer data while building customer loyalty at the same
time? Ask permission, Bain & Company (May 11, 2015), http://bain.com/about/press/press-releases/Digital-privacy-
survey-2015-press-release.aspx; OTI Reply at 23.
Federal Communications Commission FCC 16-148
163
used, and not only disclosed, in the service of targeted advertising.
1149
These studies demonstrate
empirically that consumers find loss of control over their information harmful, even apart from potential
monetary loss.
380. The risk of privacy harms directly affects behavior and activity by eroding trust in and
use of communications networks. As the Commission has found, if “consumers have concerns about the
privacy of their personal information, such concerns may restrain them from making full use of
broadband Internet access services and the Internet, thereby lowering the likelihood of broadband
adoption and decreasing consumer demand.”
1150
There is evidence that unexpected uses of private
customer information can increase fear, uncertainty, powerlessness, and vulnerability.
1151
This is not a
purely academic concern; the National Telecommunications and Information Administration (NTIA)
recently found that fear of privacy violations chills online activity, to the point where privacy concerns
prevented 45 percent of online households from conducting financial transactions, buying goods or
services, or posting on social networks.
1152
The Consumer Privacy Index found that 74 percent of
respondents limited their activity in the past year due to privacy concerns, including 36 percent who
stopped using certain websites and 29 percent stopped using an app.
1153
In contrast, when companies
protect consumers’ privacy, consumers’ adoption of their products, services, and technologies
increases.
1154
381. We therefore conclude that the government’s interest in protecting customer privacy is a
substantial onea fact recognized widely by consumers, the courts, and the Communications Act.
b. Direct and Material Advancement
382. The choice framework that we adopt directly and materially advances the substantial
government interests discussed above.
1155
We find that requiring customer approval for use and
disclosure of customer PI prevents information uniquely collected and collated by telecommunications
carriers from being used or disclosed against a customer’s wishes, consistent with customer expectations,
and as such directly and materially advances the government’s substantial government interest in
protecting customers’ privacy.
1156
Customers have an important interest in ensuring that their personal
1149
Joseph Turow et al., Americans Reject Tailored Advertising and Three Activities that Enable It 8, 13 (2009);
OTI Reply at 23-24, n.69
1150
2015 Open Internet Order, 30 FCC Rcd at 5821, para. 464.
1151
Solove at 520; OTI Reply at 29.
1152
Rafi Goldberg, NTIA, Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online
Activities (May 13, 2016), https://www.ntia.doc.gov/blog/2016/lack-trust-internet-privacy-and-security-may-deter-
economic-and-other-online-activities.
1153
Consumer Privacy Index 2016; OTI Reply at 25.
1154
2012 FTC Privacy Report at 8-9.
1155
U.S. West, 182 F.3d at 1237.
1156
While we recognize that adopting these rules cannot protect customers from privacy violations that originate
from entities that are not telecommunications providers, the fact that the rules do not create universal privacy
protection does not mean that customers’ privacy interests are not advanced. See, e.g., Williams-Yulee v. Florida
Bar Ass’n, 135 S. Ct 1656, 1668 (2015) (citing R.A.V. v. St. Paul, 505 U.S. 377, 387 (1992)) (“Although a law’s
underinclusivity raises a red flag, the First Amendment imposes no freestanding ‘underinclusiveness limitation.’”);
id. (“A State need not address all aspects of a problem in one fell swoop; policymakers may focus on their most
pressing concerns. We have accordingly upheld lawseven under strict scrutinythat conceivably could have
restricted even greater amounts of speech in service of their stated interests.”); see also Trans Union Corp. v. F.T.C.,
267 F.3d 1138, 1143 (D.C. Cir. 2001) (citing Blount v. SEC, 61 F.3d 938, 946 (1995))(“A regulation is not fatally
underinclusive simply because an alternative regulation, which would restrict more speech or the speech of more
(continued….)
Federal Communications Commission FCC 16-148
164
information is not used by their BIAS providers or other telecommunications carrier without their prior
approval in a way that the customers do not or cannot reasonably expect.
1157
383. In addition, requiring telecommunications carriers to obtain opt-in approval for the use
and sharing of sensitive customer PI materially advances the government’s interest in protecting
telecommunications customers’ privacy and in enabling customer to avoid unwanted and unexpected use
and disclosure of sensitive customer PI. The opt-in requirements we adopt today provide
telecommunications customers control over how their sensitive customer PI can be used for purposes
besides those essential to the delivery of service. Likewise, we conclude that opt-out directly and
materially advances the government’s interest that a customer be given an opportunity to approve (or
disapprove) uses of his non-sensitive customer PI by mandating that carriers provide prior notice to
customers along with an opportunity to decline the carriers’ requested use.
c. The Rules Are No More Burdensome than Necessary to Advance the
Government’s Substantial Interest
384. Central Hudson requires that regulations on commercial speech be no more extensive
than necessary to advance the substantial interest.
1158
This does not mean that a regulation must be as
narrow as possible, however. The Supreme Court has held that “[t]he government is not required to
employ the least restrictive means conceivable . . . a fit that is not necessarily perfect, but reasonable; that
represents not necessarily the single best disposition but one whose scope is in proportion to the interest
served.”
1159
As explained below, our framework satisfies this test.
385. Non-Sensitive Customer PI. In most cases involving what we categorize as non-sensitive
customer PI, we find opt-in approval unnecessary to ensure adequate customer choice. We therefore find
that the opt-out framework for use and sharing of non-sensitive customer PI is a narrowly tailored means
to directly and materially advance the government’s interest in protecting consumers from unapproved
use of non-sensitive customer PI by telecommunications carriers. The record reflects that non-sensitive
information naturally generates fewer privacy concerns for customers, and as such does not require the
same level of customer approval as for sensitive customer PI.
1160
Further, the record reflects that
customers expect their providers to use their non-sensitive information to market improved services,
lower-priced service offerings, promotional discounts for new services, and other offers of value from
telecommunications carriers and their affiliates. The record also demonstrates that customers can reap
significant benefits in the form of more personalized service offerings and possible cost saving from their
carriers providing services based on the non-sensitive customer PI that carriers collect.
1161
Requiring
carriers to obtain opt-out consent from customers to use and share their non-sensitive information grants
carriers flexibility to make improvements and innovations based on customer PI, while still ensuring that
customers can control the use and sharing of their non-sensitive customer PI.
386. Sensitive Customer PI. We require opt-in approval only for the most important
(Continued from previous page)
people, could be more effective . . . a rule is struck for underinclusiveness only if it cannot fairly be said to advance
any genuinely substantial government interest.”). But see Tribe Comments at 22.
1157
See supra para. 87.
1158
Central Hudson, 447 U.S. at 569-70.
1159
Greater New Orleans Broad. Ass’n v. United States, 527 U.S. 173, 188 (1999) (internal quotation marks
omitted).
1160
See supra para. 198.
1161
The Commission has previously found, in the context of its voice CPNI rules, that “telecommunications
consumers expect to receive targeted notices from their carriers about innovative telecommunications offerings that
may bundle desired telecommunications services and/or products, save the consumer money, and provide other
consumer benefits.” 2002 CPNI Order, 17 FCC Rcd at 14877, para. 36.
Federal Communications Commission FCC 16-148
165
information to customerssensitive customer PI. We find that requiring opt-in approval for the use and
sharing of sensitive customer PI is a narrowly-tailored means of advancing the Commission’s interests in
protecting the privacy of sensitive customer PI, and in enabling customers meaningful choice on the use
and sharing of such sensitive customer PI. As discussed above in detail, the record reflects that customers
reasonably expect that their sensitive information will not be shared without their affirmative consent.
1162
Furthermore, it has been our experience implementing Section 222 that sensitive information, being more
likely to lead to more serious customer harm, requires additional protection,
1163
and the record here
supports that view .
1164
Commenters nearly unanimously argue that use and sharing of sensitive customer
information be subject to customer opt-in approval.
1165
Although we recognize that opt-in imposes
additional costs, we find that opt-in is warranted to maximize opportunities for informed choice about
sensitive information.
387. In contrast, we find that opt-out consent would be insufficient to protect the privacy of
sensitive customer PI.
1166
As we explain above, research has shown that default choices can be “sticky,”
meaning that consumers will remain in the default position, even if they would not have actively chosen
it.
1167
From this, we conclude that an opt-out regime for use and sharing of sensitive customer PI would
not materially and directly advance the government’s interest in protecting customer privacy because it
would not adequately address customers’ expectations that their sensitive customer PI is not used without
their affirmative consent.
2. Other First Amendment Arguments
388. Strict Scrutiny Under Sorrell. The customer choice rules we adopt today do not
impermissibly target particular speech or speakers, and thus a strict scrutiny analysis under Sorrell v. IMS
Health Inc.
1168
is unwarranted. In Sorrell, the state of Vermont specifically targeted “drug detailers” and
their marketing speech, which the state disfavored, in a framework that otherwise permitted
communications about medical prescriptions.
1169
By contrast, the rules adopted here do not disfavor any
particular activity. While a large number of commenters are particularly concerned with the limitations
that the rules may place upon marketing, customers’ privacy interests reach far beyond targeted
marketing, to include for instance risk of identity theft or other fraud, stalking, and revelations of private
communications, as well as the harms inherent in lacking control over the uses of their proprietary
information.
389. The fact that Section 222 and our rules thereunder apply to certain types of information
and certain providers is a function of their tailoring, not indications that they are content-based. As
explained above, our rules are tailored to address unique characteristics of telecommunications services
and of the relationship between telecommunications carriers and their customers.
1170
Were we to interpret
Sorrell to hold sector-specific privacy laws such as Section 222 and our rules to be content-based simply
1162
See supra para. 193, note 553.
1163
See, e.g., 2007 CPNI Order, 22 FCC Rcd at 6949-52, paras. 44-46.
1164
See supra para. 193.
1165
See supra para. 193.
1166
As a functional matter, while opt-out consent has been described as the least restrictive form of obtaining
customer approval, it is only “marginally less intrusive than opt-in for First Amendment purposes.” See CDT Reply
at 9, citing NCTA v. FCC, 555 F.3d at 1002.
1167
See supra para. 194.
1168
564 U.S. 552 (2011).
1169
Sorrell, 564 U.S. at 565.
1170
See supra Part. III.A.
Federal Communications Commission FCC 16-148
166
because they do not apply to all entities equally, it would stand to invalidate nearly every federal privacy
law, considering the sectoral nature of our federal privacy statutes.
1171
However, Sorrell stands for no
such thing, itself citing HIPAAlimited to covering certain specific entities and types of informationas
an example of a constitutionally sound privacy protection.
1172
390. Compelled Speech. Some commenters argue that the notice requirements
unconstitutionally compel speech from carriers.
1173
We disagree. Requirements to include purely factual
and uncontroversial information in commercial speech are constitutional so long as they are reasonably
related to the government’s substantial interest in protecting consumers.
1174
The notice requirements we
adopt here, just like the notice requirements in the CPNI rules before them and like numerous notice and
labeling requirements before,
1175
require only that companies provide factual and uncontroversial
information to consumers.
391. Constitutional Avoidance. Some commenters raise arguments citing the canon of
constitutional avoidance.
1176
We do not believe this is applicable. Constitutional avoidance is a canon of
statutory interpretation that states that a court should not resolve a case “by deciding a constitutional
question if it can be resolved in some other fashion.”
1177
As the Supreme Court has held, “[t]he so-called
canon of constitutional avoidance is an interpretive tool, counseling that ambiguous statutory language be
construed to avoid serious constitutional doubts.
1178
The Court further found “no precedent for applying
it to limit the scope of authorized executive action.”
1179
The canon of constitutional avoidance therefore
does not apply to this proceeding, does not require that we adopt an opt-out framework, and does not
mandate that we avoid regulating in this space.
392. Finally, to the extent that parties argue that today’s rules deny carriers a First Amendment
right of editorial control or impose prior restraints that implicate the First Amendment,
1180
we note that it
is well established that common carriers transmitting speech through communications networks are not
speakers for First Amendment purposes.
1181
1171
Indeed, if laws impacting expression were considered content-based for not being universal, nearly every
privacy and intellectual property law would need to pass strict scrutiny.
1172
Sorrell, 564 U.S. at 573; ACLU Reply at 5. Similarly, use-based exceptions to Section 222 and our rules do not
render the statute or rules content-based any more than purpose-based exceptions in HIPAA. Cf. OTI Reply at 11-
12.
1173
T-Mobile Comments at 42-44; Washington Legal Foundation Comments at 14-15.
1174
See Zauderer v. Office of Disc. Counsel, 471 U.S. 626, 651 (1985); see also, e.g., Am. Meat Inst. v. U.S. Dep’t of
Agriculture, 760 F.3d 18, 22 (D.C. Cir. 2014) (holding that country-of-origin labeling requirements were not
unconstitutionally compelled speech); N.Y. State Rest. Ass'n v. N.Y. City Bd. of Health, 556 F.3d 114, 133 (2d Cir.
2009); Nat'l Elec. Mfrs. Ass'n v. Sorrell, 272 F.3d 104, 113-15 (2d Cir. 2001).
1175
Id.
1176
See, e.g., Tribe Comments at 38-39.
1177
Black’s Law Dictionary, 377 (10th ed. 2014).
1178
FCC v. Fox Television Stations, Inc., 556 U.S. 502, 516 (2009) (citing Edward J. DeBartolo Corp. v. Florida
Gulf Coast Building & Constr. Trades Council, 485 U.S. 568, 575 (1988)).
1179
Id.
1180
See Letter from Mike Wendy, President, MediaFreedom to Marlene H. Dortch, Secretary, FCC, WC Docket No.
16-106, at 1 (filed Oct. 18, 2016).
1181
See U.S. Telecom Ass’n v. FCC, 825 F.3d at 742 (“[T]he communicative intent of the individual speakers who
use such transmission networks does not transform the networks themselves into speakers.”); U.S. v. Western Elec.
Co., 673 F. Supp. 525, 586 n. (D.D.C. 1987) (Greene, J.).
Federal Communications Commission FCC 16-148
167
G. Severability
393. In this Report and Order, we adopt a unified scheme of privacy protections for customers
of BIAS and other telecommunications services. While the unity and comprehensiveness of this scheme
maximizes its utility, we clarify that its constituent elements each operate independently to protect
consumers. Were any element of this scheme stayed or invalidated by a reviewing court, the elements
that remained in effect would continue to provide vital consumer protections. For instance,
telecommunications customers have long benefitted from Commission rules governing the treatment
CPNI. The rules we adopt today would continue to ensure that such information is protected even if they
did not extend to all of the information we define as customer PI. Similarly, the different forms of
conduct regulated under Section 222use, disclosure, and permission of accesseach pose distinct
threats to the confidentiality of customer PI. Finally, the benefit of the rules for customers of any
particular telecommunications service does not hinge on the same rules applying to other
telecommunications services. Accordingly, we consider each of the rules adopted in this Report and
Order to be severable, both internally and from the remaining rules. In the event of a stay or invalidation
of any part of any rule, or of any rule as it applies as to certain services, providers, forms of conduct, or
categories of information, the Commission’s intent is to otherwise preserve the rule to the fullest possible
extent.
V. PROCEDURAL MATTERS
A. Regulatory Flexibility Analysis
394. As required by the Regulatory Flexibility Act of 1980 (RFA),
1182
an Initial Regulatory
Flexibility Analysis (IRFA) was incorporated into the Broadband Privacy NPRM.
1183
The Commission
sought written public comment on the possible significant economic impact on small entities regarding
the proposals address in the 2016 Broadband Privacy NPRM, including comments on the IRFA. Pursuant
to the RFA, a Final Regulatory Flexibility Analysis is set forth in Appendix B.
B. Paperwork Reduction Act
395. This document contains new information collection requirements subject to the
Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. It will be submitted to the Office of
Management and Budget (OMB) for review under Section 3507(d) of the PRA. OMB, the general public,
and other federal agencies are invited to comment on the new information collection requirements
contained in this proceeding. In addition, we note that pursuant to the Small Business Paperwork Relief
Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), we previously sought specific comment on
how the Commission might further reduce the information collection burden for small business concerns
with fewer than 25 employees.
396. In this present document, we require telecommunications carriers to: 1) disclose their
privacy practices to customers; 2) provide customers a mechanism for opting in or out of the use or
sharing of their customer PI; 3) notify customers of any unauthorized disclosure or use of their customer
PI; and 4) provide customers clear and conspicuous notice regarding any financial incentive programs
related to the use or disclosure of their customer PI. We have assessed the effects of these changes and
find that the burdens on small businesses will be addressed through the implementation plan adopted in
this Order, as well as accommodations made in response to small carriers concerns on the record. The
privacy policy notice rules, for example, afford carriers significant flexibility on how to comply with the
notice requirement. They mandate neither a specific format nor specific content to be contained in the
notice. We have also directed the Commission’s Consumer Advisory Committee to develop a
standardized notice format that will serve as a safe harbor once adopted. Similarly, the choice rules do
1182
See 5 U.S.C. § 603.
1183
Broadband Privacy NPRM, Appx. B.
Federal Communications Commission FCC 16-148
168
not prescribe a specific format for accepting a customer’s privacy choices. The choice rules are also
significantly harmonized with existing rules, with which most small providers currently comply.
Additionally, the heightened requirements for financial incentive programs allow all providers
considerable latitude to develop their programs within the parameters of the rule. Finally, the data breach
notification rules incorporate both a harm trigger and notification timeline that significantly lessen the
implementation requirements for small providers.
C. Congressional Review Act
397. The Commission will send a copy of this Report and Order in a report to be sent to
Congress and the Government Accountability Office pursuant to the Congressional Review Act (CRA),
see 5 U.S.C. § 801(a)(1)(A).
D. Accessible Formats
398. To request materials in accessible formats for people with disabilities (braille, large print,
electronic files, audio format), send an email to [email protected] or call the Consumer & Governmental
Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (tty).
VI. ORDERING CLAUSES
399. Accordingly, IT IS ORDERED that, pursuant to Sections 1, 2, 4(i)-(j), 201, 202, 222,
303(b), 303(r), 316, 338(i), 631, and 705 of the Communications Act of 1934, as amended, and Section
706 of the Telecommunications Act of 1996, as amended, 47 U.S.C. §§ 151, 152, 154(i)-(j), 201, 202,
222, 303(b), 303(r), 316, 338(i), 551, 605, 1302, this Report and Order IS ADOPTED.
400. IT IS FURTHER ORDERED that part 64 of the Commissions rules IS AMENDED as
set forth in Appendix A.
401. IT IS FURTHER ORDERED that the data security requirements set forth in new 47 CFR
§ 64.2005 SHALL BE effective 90 days after publication in the Federal Register.
402. IT IS FURTHER ORDERED that, except as set forth in the prior paragraph, this Report
and Order SHALL BE effective 30 days after publication of a summary in the Federal Register, except
that the amendments to 47 CFR §§ 64.2003, 64.2004, 64.2006, and 64.2011(b), which contain new or
modified information collection requirements that require approval by the Office of Management and
Budget under the Paperwork Reduction Act, WILL BECOME EFFECTIVE after the Commission
publishes a notice in the Federal Register announcing such approval and the relevant effective date. It is
our intention in adopting the foregoing Report and Order that, if any provision of the Report and Order or
the rules, or the application thereof to any person or circumstance, is held to be unlawful, the remaining
portions of such Report and Order and the rules not deemed unlawful, and the application of such Report
and Order and the rules to other person or circumstances, shall remain in effect to the fullest extent
permitted by law.
403. IT IS FURTHER ORDERED that the Commissions Consumer & Governmental Affairs
Bureau, Reference Information Center, SHALL SEND a copy of this Report and Order to Congress and
the Government Accountability Office pursuant to the Congressional Review Act, see 5 U.S.C. §
801(a)(1)(A).
404. IT IS FURTHER ORDERED that the Commissions Consumer & Governmental Affairs
Bureau, Reference Information Center, SHALL SEND a copy of this Report and Order, including the
Final Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business
Administration.
FEDERAL COMMUNICATIONS COMMISSION
Federal Communications Commission FCC 16-148
169
Marlene H. Dortch
Secretary
Federal Communications Commission FCC 16-148
170
APPENDIX A
Final Rules
The Federal Communications Commission proposes to amend 47 CFR part 64 to read as follows:
PART 64 MISCELLANEOUS RULES RELATING TO COMMON CARRIERS
1. The authority citation for Part 64 is revised to read as follows:
AUTHORITY: 47 U.S.C. 154, 254(k), 403, Pub. L. 104104, 110 Stat. 56. Interpret or apply 47 U.S.C.
201, 202, 218, 222, 225, 226, 227, 228, 254(k), 301, 303, 332, 338, 551, 616, 620, 705, 1302, and the
Middle Class Tax Relief and Job Creation Act of 2012, Pub. L. 112-96, unless otherwise noted.
2. Revise Subpart U to read as follows:
Subpart U Protecting Customer Information
§ 64.2001 Basis and Purpose.
(a) Basis. The rules in this subpart are issued pursuant to the Communications Act of 1934, as
amended.
(b) Purpose. The purpose of the rules in this subpart is to implement section 222 of the
Communications Act of 1934, as amended, 47 U.S.C. 222.
§ 64.2002 Definitions.
(a) Broadband Internet access service (BIAS). The term “broadband Internet access service” or
“BIAS” has the same meaning given to such term in section 8.2(a) of this chapter.
(b) Broadband Internet Access service provider. The term “broadband Internet access service
provider” or “BIAS provider” means a person engaged in the provision of BIAS.
(c) Breach of security. The terms “breach of security,” “breach,” or “data breach,” mean any
instance in which a person, without authorization or exceeding authorization, has gained access to, used,
or disclosed customer proprietary information.
(d) Call detail information. Any information that pertains to the transmission of specific telephone
calls, including, for outbound calls, the number called, and the time, location, or duration of any call and,
for inbound calls, the number from which the call was placed, and the time, location, or duration of any
call.
(e) Customer. A customer of a telecommunications carrier is (1) a current or former subscriber to a
telecommunications service; or (2) an applicant for a telecommunications service.
(f) Customer proprietary information. The term “customer proprietary information” or “customer
PI” means any of the following a carrier acquires in connection with its provision of telecommunications
service:
(1) Individually identifiable customer proprietary network information (CPNI);
(2) Personally identifiable information (PII); and
(3) Content of communications.
(g) Customer proprietary network information (CPNI). The term “customer proprietary network
information” or “CPNI” has the same meaning given to such term in section 222(h)(1) of the
Communications Act of 1934, as amended, 47 U.S.C. 222(h)(1).
Federal Communications Commission FCC 16-148
171
(h) Interconnected Voice over Internet Protocol (VoIP) Service. The term “interconnected VoIP
service” has the same meaning given to such term in subsection (h) of this section.
(i) Material change. The term “material change” means any change that a customer, acting reasonably
under the circumstances, would consider important to his or her decisions regarding his or her privacy,
including any change to information required by the privacy notice described in section 64.2003.
(j) Opt-in approval. A method for obtaining customer consent to use, disclose, or permit access to the
customer’s proprietary information. This approval method requires that the carrier obtain from the
customer affirmative, express consent allowing the requested usage, disclosure, or access to the customer
proprietary information after the customer is provided appropriate notification of the carrier’s request
consistent with the requirements set forth in this subpart.
(k) Opt-out approval. A method for obtaining customer consent to use, disclose, or permit access to
the customer’s proprietary information. Under this approval method, a customer is deemed to have
consented to the use, disclosure, or access to the customer’s proprietary information if the customer has
failed to object thereto after the customer is provided appropriate notification of the carrier’s request for
consent consistent with the requirements set forth in this subpart.
(l) Person. The term “person” has the same meaning given such term in section 3 of the
Communications Act of 1934, as amended, 47 U.S.C. 153.
(m) Personally identifiable information (PII). The term “personally identifiable information” or “PII”
means any information that is linked or reasonably linkable to an individual or device.
(n) Sensitive customer proprietary information. The terms “sensitive customer proprietary
information” or “sensitive customer PI” include:
(1) financial information;
(2) health information;
(3) information pertaining to children;
(4) Social Security numbers;
(5) precise geo-location information;
(6) content of communications;
(7) call detail information; and
(8) web browsing history, application usage history, and the functional equivalents
of either.
(o) Telecommunications carrier or carrier. The terms “telecommunications carrier” or “carrier” shall
have the same meaning as set forth in section 3 of the Communications Act of 1934, as amended, 47
U.S.C. 153. For the purposes of this subpart, the term “telecommunications carrier” or “carrier” shall
include a person engaged in the provision of interconnected VoIP service, as that term is defined in
subsection (h) of this section.
(p) Telecommunications service. The term “telecommunications service” has the same meaning
given to such term in section 3 of the Communications Act of 1934, as amended, 47 U.S.C. 153. For the
purposes of this subpart, the term “telecommunications service” shall include interconnected VoIP
service, as that term is defined in subsection (h) of this section.
§ 64.2003 Notice Requirements for Telecommunications Carriers.
(a) A telecommunications carrier must notify its customers of its privacy policies. Such notice must
be clear and conspicuous, and in language that is comprehensible and not misleading.
(b) Contents. A telecommunications carrier’s notice of its privacy policies under subsection (a)
must:
Federal Communications Commission FCC 16-148
172
(1) Specify and describe the types of customer proprietary information that the
telecommunications carrier collects by virtue of its provision of telecommunications service and how it
uses that information;
(2) Specify and describe under what circumstances the telecommunications carrier discloses or
permits access to each type of customer proprietary information that it collects;
(3) Specify and describe the categories of entities to which the carrier discloses or permits access
to customer proprietary information and the purposes for which the customer proprietary information will
be used by each category of entities;
(4) Specify and describe customers’ opt-in approval and/or opt-out approval rights with respect
to their customer proprietary information, including:
(i) That a customer’s denial or withdrawal of approval to use, disclose, or permit access to
customer proprietary information will not affect the provision of any telecommunications services of
which he or she is a customer; and
(ii) That any grant, denial, or withdrawal of approval for the use, disclosure, or permission of
access to the customer proprietary information is valid until the customer affirmatively revokes such
grant, denial, or withdrawal, and inform the customer of his or her right to deny or withdraw access to
such proprietary information at any time.
(5) Provide access to a mechanism for customers to grant, deny, or withdraw approval for the
telecommunications carrier to use, disclose, or provide access to customer proprietary information as
required by section 64.2004 of this subpart;
(6) Be completely translated into a language other than English if the telecommunications carrier
transacts business with the customer in that language.
(c) Timing. Notice required under subsection (a) must:
(1) Be made available to prospective customers at the point of sale, prior to the purchase of
service, whether such point of sale is in person, online, over the telephone, or via another means; and
(2) Be made persistently available through: a clear and conspicuous link on the
telecommunications carrier’s homepage; the carrier’s application (app), if it provides one for account
management purposes; and any functional equivalent to the carrier’s homepage or app. If a carrier does
not have a website, it must provide notice to customers in paper form or another format agreed upon by
the customer.
(d) Material changes to a telecommunications carrier’s privacy policies. A telecommunications
carrier must provide existing customers with advance notice of one or more material changes to the
carrier’s privacy policies. Such notice must be clear and conspicuous, and in language that is
comprehensible and not misleading, and must:
(1) Be provided through email or another means of active communication agreed upon by the
customer;
(2) Specify and describe:
(i) The changes made to the telecommunications carrier’s privacy policies, including any
changes to what customer proprietary information the carrier collects, and how it uses, discloses, or
permits access to such information, the categories of entities to which it discloses or permits access to
customer proprietary information, and which, if any, changes are retroactive; and
Federal Communications Commission FCC 16-148
173
(ii) Customers’ opt-in approval and/or opt-out approval rights with respect to their customer
proprietary information, including the material specified in subsection (b)(4) of this section;
(3) Provide access to a mechanism for customers to grant, deny, or withdraw approval for the
telecommunications carrier to use, disclose, or permit access to customer proprietary information as
required by section 64.2004 of this subpart; and
(4) Be completely translated into a language other than English if the telecommunications carrier
transacts business with the customer in that language.
§ 64.2004 Customer Approval.
Except as described in subsection (a), a telecommunications carrier may not use, disclose, or permit
access to customer proprietary information except with the opt-out or opt-in approval of a customer as
described in this section.
(a) Limitations and Exceptions. A telecommunications carrier may use, disclose, or permit access to
customer proprietary information without customer approval for the following purposes:
(1) In its provision of the telecommunications service from which such information is derived, or
in its provision of services necessary to, or used in, the provision of such service.
(2) To initiate, render, bill, and collect for telecommunications service.
(3) To protect the rights or property of the telecommunications carrier, or to protect users of the
telecommunications service and other providers from fraudulent, abusive, or unlawful use of the service.
(4) To provide any inbound marketing, referral, or administrative services to the customer for the
duration of a real-time interaction, if such interaction was initiated by the customer.
(5) To provide location information and/or non-sensitive customer proprietary information to:
(i) A public safety answering point, emergency medical service provider or emergency
dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma
care facility, in order to respond to the user’s request for emergency services;
(ii) Inform the user’s legal guardian or members of the user’s immediate family of the user’s
location in an emergency situation that involves the risk of death or serious physical harm; or
(iii) Providers of information or database management services solely for purposes of
assisting in the delivery of emergency services in response to an emergency.
(6) As otherwise required or authorized by law.
(b) Opt-Out Approval Required. Except as otherwise provided in this section, a telecommunications
carrier must obtain opt-out approval from a customer to use, disclose, or permit access to any of the
customer’s non-sensitive customer proprietary information. If it so chooses, a telecommunications carrier
may instead obtain opt-in approval from a customer to use, disclose, or permit access to any of the
customer’s non-sensitive customer proprietary information.
(c) Opt-In Approval Required. Except as otherwise provided in this section, a telecommunications
carrier must obtain opt-in approval from a customer to:
(1) use, disclose, or permit access to any of the customer’s sensitive customer proprietary
information; or
Federal Communications Commission FCC 16-148
174
(2) make any material retroactive changei.e., a material change that would result in a use,
disclosure, or permission of access to any of the customer’s proprietary information previously collected
by the carrier for which the customer did not previously grant approval, either through opt-in or opt-out
consent, as required by subsections (b) and (c) of this section.
(d) Notice and Solicitation Required.
(1) Except as described in subsection (a) of this section, a telecommunications carrier must at a
minimum solicit customer approval pursuant to subsection (b) and/or (c), as applicable, at the point of
sale and when making one or more material changes to privacy policies. Such solicitation may be part of,
or the same communication as, a notice required by section 64.2003 of these rules.
(2) A telecommunications carrier’s solicitation of customer approval must be clear and
conspicuous, and in language that is comprehensible and not misleading. Such solicitation must disclose:
(i) The types of customer proprietary information for which the carrier is seeking customer
approval to use, disclose, or permit access to;
(ii) The purposes for which such customer proprietary information will be used;
(iii) The categories of entities to which the carrier intends to disclose or permit access to such
customer proprietary information; and
(iv) A means to easily access the notice required by section 64.2003(a) of this subpart and a
means to access the mechanism required by subsection (e).
(3) A telecommunications carrier’s solicitation of customer approval must be completely
translated into a language other than English if the telecommunications carrier transacts business with the
customer in that language.
(e) Mechanism for Exercising Customer Approval. A telecommunications carrier must make
available a simple, easy-to-use mechanism for customers to grant, deny, or withdraw opt-in approval
and/or opt-out approval at any time. Such mechanism must be clear and conspicuous, in language that is
comprehensible and not misleading, and made available at no additional cost to the customer. Such
mechanism must be persistently available on or through the carrier’s website; the carrier’s application
(app), if it provides one for account management purposes; and any functional equivalent to the carrier’s
homepage or app. If a carrier does not have a website, it must provide a persistently available mechanism
by another means such as a toll-free telephone number. The customer’s grant, denial, or withdrawal of
approval must be given effect promptly and remain in effect until the customer revokes or limits such
grant, denial, or withdrawal of approval.
§ 64.2005 Data Security.
(a) A telecommunications carrier must take reasonable measures to protect customer PI from
unauthorized use, disclosure, or access.
(b) The security measures taken by a telecommunications carrier to implement the requirement set
forth in this section must appropriately take into account each of the following factors:
(1) The nature and scope of the telecommunications carrier’s activities;
(2) The sensitivity of the data it collects;
(3) The size of the telecommunications carrier; and
(4) Technical feasibility.
Federal Communications Commission FCC 16-148
175
(c) A telecommunications carrier may employ any lawful security measures that allow it to
implement the requirement set forth in this section.
§ 64.2006 Data Breach Notification.
(a) Customer Notification. A telecommunications carrier shall notify affected customers of any
breach without unreasonable delay and in any event no later than 30 calendar days after the carrier
reasonably determines that a breach has occurred, subject to law enforcement needs, unless the
telecommunications carrier can reasonably determine that no harm to customers is reasonably likely to
occur as a result of the breach.
(1) A telecommunications carrier required to provide notification to a customer under this
subsection must provide such notice by one or more of the following methods:
(i) Written notification sent to either the customer’s email address or the postal address of
record of the customer, or, for former customers, to the last postal address ascertainable after
reasonable investigation using commonly available sources; or
(ii) Other electronic means of active communications agreed upon by the customer for
contacting that customer for data breach notification purposes.
(2) The customer notification required to be provided under this subsection must include:
(i) The date, estimated date, or estimated date range of the breach of security;
(ii) A description of the customer PI that was breached or reasonably believed to have been
breached;
(iii) Information the customer can use to contact the telecommunications carrier to inquire
about the breach of security and the customer PI that the telecommunications carrier
maintains about that customer;
(iv) Information about how to contact the Federal Communications Commission and any
state regulatory agencies relevant to the customer and the service; and
(v) If the breach creates a risk of financial harm, information about the national credit-
reporting agencies and the steps customers can take to guard against identity theft, including
any credit monitoring, credit reporting, credit freezes, or other consumer protections the
telecommunications carrier is offering customers affected by the breach of security.
(b) Commission Notification. A telecommunications carrier must notify the Commission of any
breach affecting 5,000 or more customers no later than seven business days after the carrier reasonably
determines that a breach has occurred and at least three business days before notification to the affected
customers, unless the telecommunications carrier can reasonably determine that no harm to customers is
reasonably likely to occur as a result of the breach. A telecommunications carrier must notify the
Commission of any breach affecting fewer than 5,000 customers without unreasonable delay and no later
than thirty (30) calendar days after the carrier reasonably determines that a breach has occurred, unless
the telecommunications carrier can reasonably determine that no harm to customers is reasonably likely to
occur as a result of the breach. Such notification shall be made through a central reporting system made
available by the Commission.
(c) Federal Law Enforcement Notification. A telecommunications carrier must notify the Federal
Bureau of Investigation (FBI) and the U.S. Secret Service (Secret Service) of a breach that affects 5,000
or more customers no later than seven business days after the carrier reasonably determines that such a
breach has occurred and at least three business days before notification to the affected customers, unless
the telecommunications carrier can reasonably determine that no harm to customers is reasonably likely to
occur as a result of the breach. Such notification shall be made through a central reporting system made
available by the Commission.
(d) Recordkeeping. A telecommunications carrier shall maintain a record, electronically or in some
Federal Communications Commission FCC 16-148
176
other manner, of any breaches and notifications made to customers, unless the telecommunications carrier
can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach.
The record must include the dates on which the carrier determines that a reportable breach has occurred
and the dates of customer notification. The record must include a written copy of all customer
notifications. Carriers shall retain the record for a minimum of two years from the date on which the
carrier determines that a reportable breach has occurred.
§ 64.2010 Business Customer Exemption for Provision of Telecommunications Services other than
BIAS.
Telecommunications carriers may bind themselves contractually to privacy and data security regimes
other than those described in this subpart for the provision of telecommunications services other than
BIAS to enterprise customers if the carrier’s contract with that customer specifically addresses the issues
of transparency, choice, data security, and data breach and provides a mechanism for the customer to
communicate with the carriers about privacy and data security concerns.
§ 64.2011 BIAS Offers Conditioned on Waiver of Privacy Rights.
(a) A BIAS provider must not condition, or effectively condition, provision of BIAS on a customer’s
agreement to waive privacy rights guaranteed by law or regulation, including this subpart. A BIAS
provider must not terminate service or otherwise refuse to provide BIAS as a direct or indirect
consequence of a customer’s refusal to waive any such privacy rights.
(b) A BIAS provider that offers a financial incentive, such as lower monthly rates, in exchange for a
customer’s approval to use, disclose, and/or permit access to the customer’s proprietary information must
do all of the following:
(1) Provide notice explaining the terms of any financial incentive program that is clear and
conspicuous, and in language that is comprehensible and not misleading. Such notice must be
provided both at the time the program is offered and at the time a customer elects to participate in
the program. Such notice must:
(i) Explain that the program requires opt-in approval to use, disclose, and/or permit
access to customer PI;
(ii) Include information about what customer PI the provider will collect, how it will be
used, and with what categories of entities it will be shared and for what purposes;
(iii) Be easily accessible and separate from any other privacy notifications, including but
not limited to any privacy notifications required by this subpart;
(iv) Be completely translated into a language other than English if the BIAS provider
transacts business with the customer in that language; and
(v) Provide at least as prominent information to customers about the equivalent service
plan that does not necessitate the use, disclosure, or access to customer PI beyond that
required or permitted by law or regulation, including under this subpart.
(2) Obtain customer opt-in approval in accordance with section 64.2004(c) of this subpart for
participation in any financial incentive program.
(3) If customer opt-in approval is given, the BIAS provider must make available a simple,
easy-to-use mechanism for customers to withdraw approval for participation in such financial
incentive program at any time. Such mechanism must be clear and conspicuous, in language that
is comprehensible and not misleading, and must be persistently available on or through the
carrier’s website; the carrier’s application (app), if it provides one for account management
purposes; and any functional equivalent to the carrier’s homepage or app. If a carrier does not
have a website, it must provide a persistently available mechanism by another means such as a
toll-free telephone number.
Federal Communications Commission FCC 16-148
177
§ 64.2012 Effect on State Law.
The rules set forth in this subpart shall preempt any State law only to the extent that such law is
inconsistent with the rules set forth herein and only if the Commission has affirmatively determined that
the State law is preempted on a case-by-case basis. The Commission shall not presume that more
restrictive State laws are inconsistent with the rules set forth herein.
Federal Communications Commission FCC 16-148
178
APPENDIX B
Final Regulatory Flexibility Analysis
1. As required by the Regulatory Flexibility Act of 1980, as amended (RFA),
1
an Initial
Regulatory Flexibility Analysis (IRFA) was incorporated into the Broadband Privacy NPRM for this
proceeding.
2
The Commission sought written public comment on the proposals in the Broadband Privacy
NPRM, including comment on the IRFA. The Commission received comments on the IRFA, which are
discussed below.
3
This present Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA.
4
A. Need for, and Objectives of, the Rules
2. In the Order, we adopt privacy requirements for providers of broadband Internet access
service (BIAS) and other telecommunications services.
5
In doing so, we build upon the Commission’s
long history of protecting customer privacy in the telecommunications sector. Section 222 of the
Communications Act provides statutory protections to the privacy of the data that all telecommunications
carriers collect from their customers. Section 222(a) imposes a duty on all telecommunications carriers to
protect the confidentiality of their customers’ “proprietary information,” or PI. Section 222(c) imposes
restrictions on telecommunications carriers’ use and sharing of customer proprietary network information
(CPNI) without customer approval, subject to certain exceptions, including as necessary to provide the
telecommunications service (or services necessary to or used in providing that telecommunications
service), and as required by law.
6
3. Over the last two decades, the Commission has promulgated, revised, and enforced
privacy rules for telecommunications carriers that are focused on implementing the CPNI requirements of
Section 222. As practices have changed, the Commission has refined its Section 222 rules. The current
Section 222 rules focus on transparency, choice, data security, and data breach notification.
4. Prior to 2015, BIAS was classified as an information service, which excluded such
services from the ambit of Title II of the Act, including Section 222, and the Commission’s CPNI rules.
Instead, broadband providers were subject to the FTC’s unfair and deceptive acts and practices authority.
In the 2015 Open Internet Order, we reclassified BIAS as a telecommunications service subject to Title II
of the Act, an action upheld by the D.C. Circuit in United States Telecom Ass’n v. FCC. While we
granted BIAS forbearance from many Title II provisions, we concluded that application and enforcement
of the privacy protections in Section 222 to BIAS is in the public interest and necessary for the protection
of consumers. However, we questioned “whether the Commission’s current rules implementing section
222 necessarily would be well suited to broadband Internet access service,” and forbore from the
application of these rules to broadband service, “pending the adoption of rules to govern broadband
Internet access service in a separate rulemaking proceeding.”
7
5. In March 2016, we adopted the Broadband Privacy NPRM, which proposed a framework
1
See 5 U.S.C. § 603. The RFA, see 5 U.S.C. §§ 601-612, has been amended by the Small Business Regulatory
Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996).
2
Broadband Privacy NPRM, 31 FCC Rcd at 2611-32, Appx. B.
3
See Alaska Telephone Association Reply at 1-2; CCA Reply at 6; NTCA Reply at 15-16; RWA Comments at 2-13;
WISPA Comments at 4-5, 31-33; WISPA Reply at 1-3, 31-43; U.S. Small Business Administration Reply.
4
See 5 U.S.C. § 604.
5
See supra note 68.
6
See supra Part III.A.
7
2015 Open Internet Order, 30 FCC Rcd at 5820-22, paras. 462-64; see also supra Part III.A.
Federal Communications Commission FCC 16-148
179
for applying the longstanding privacy requirements of the Act to BIAS.
8
In the NPRM, we proposed rules
protecting customer privacy using the three foundations of privacytransparency, choice, and security
and also sought comment on, among other things, whether we should update rules that govern the
application of Section 222 to traditional telephone service and interconnected VoIP service in order to
harmonize them with the results of this proceeding.
9
6. Based on the record gathered in this proceeding, today we adopt a harmonized set of rules
applicable to BIAS providers and other telecommunications carriers. The privacy framework we adopt
focuses on transparency, choice, and data security, and provides heighted protection for sensitive
customer information, consistent with customer expectations. Our need to extend such privacy
requirements to BIAS providers is based, in part, on their particular role as network providers and the
context of the consumer/BIAS provider relationship. Based on our review of the record, we reaffirm our
earlier finding that a broadband provider “sits at a privileged place in the network, the bottleneck between
the customer and the rest of the Internet”
10
a position that we have referred to as a gatekeeper.
11
As
such, BIAS providers can collect “an unprecedented breadth” of electronic personal information.
12
7. In adopting these rules we honor customers’ privacy rights and implement the statutory
requirement that carriers protect the confidentiality of customer proprietary information. These rules do
not prohibit carriers from using or sharing customer information, but rather are designed to protect
consumer choice while giving carriers the flexibility they need to continue to innovate. By bolstering
customer confidence in carriers’ treatment of confidential customer information, we also promote the
virtuous cycle of innovation in which new uses of the network lead to increased end-user demand for
broadband, which drives network improvements, which in turn lead to further innovative network uses,
business growth and innovation.
B. Summary of Significant Issues Raised by Public Comments in Response to the IRFA
8. In response to the Broadband Privacy NPRM, five entities filed comments, reply
comments, and/or ex parte letters that specifically addressed the IRFA to some degree: Alaska Telephone
Association, Competitive Carriers Association, NTCA, Rural Wireless Association, and Wireless Internet
8
See generally Broadband Privacy NPRM, 31 FCC Rcd at 2500.
9
See, e.g., Broadband Privacy NPRM, 31 FCC Rcd at 2510, para. 24.
10
See Letter from Paul Ohm, Professor, Georgetown University Law Center, to Marlene H. Dortch, Secretary, FCC,
GN Docket No. 16-106 Attach., Testimony Before the Subcommittee on Communications and Technology,
Committee on Energy and Commerce, U.S. House of Representatives at 3 (filed June 19, 2016) (Paul Ohm
Testimony).
11
See 2015 Open Internet Order, 30 FCC Rcd at 5629, para. 80 (noting that “once a consumer chooses a broadband
provider, that provider has a monopoly on access to the subscriber”).
12
Letter from Kathleen McGee, Bureau Chief, Bureau of Internet and Technology, New York State Attorney
General, to Tom Wheeler, Chairman, FCC, GC Docket No. 16-106 at 2 (filed June 30, 2016) (NY Attorney General
June 30, 2016 Ex Parte Letter) (also claiming that BIAS providers can collect not only a consumer’s name, address
and financial information but also every website he or she visited, the links clicked on those websites, geo-location
information, and the content of electronic communications”); see also, e.g., Letter from Christopher N. Olsen,
Counsel to Ghostery, to Marlene H. Dortch, Secretary, FCC, GN Docket No. 16-106, Attach. at 3-5 (Ghostery Apr.
29, 2016 Ex Parte Letter); Consumer Action Comments at 1; Consumer Watchdog Comments at 4 (“The ISP is in a
unique position to amass deeply revealing personal profiles, share the data with third parties or use it for its own
purposes.”); Public Knowledge et al. Comments, Attach. Public Knowledge White Paper, Protecting Privacy,
Promoting Competition: A framework for Updating the Federal Communications Commission Privacy Rules for
the Digital World at 51-52, 55-56 (Public Knowledge White Paper); AAJ Comments at 8 (explaining that BIAS
providers are now privy to an extensive amount of personal information about their customers”); EFF Comments at
1.
Federal Communications Commission FCC 16-148
180
Service Providers Association (WISPA).
13
Some of these, as well as other entities, filed comments, reply
comments, and/or ex parte letters that more generally considered the small business impact of our
proposals.
14
9. Some commenters recommend that the Commission adopt specific exemptions or
provisions to alleviate burdens on small carriers. In particular, commenters recommend that the
Commission (1) exempt small carriers from some or all of the rules based on their size and/or practices;
15
(2) give small carriers additional time to comply with the rules;
16
(3) harmonize notice and choice
requirements with the preexisting voice CPNI rules;
17
(4) exempt small carriers from any privacy
dashboard requirements and otherwise give them flexibility in the structure of their privacy notices;
18
(5)
grandfather existing customer approvals for use and disclosure of customer information;
19
(6) exempt
small carriers from any opt-in approval requirements;
20
(6) not impose specific data security requirements
on small providers;
21
(7) not impose specific data breach reporting deadlines on small providers, and
instead allow them to report breaches as soon as practicable;
22
and (8) not hold small carriers liable for
misuse of customer PI by third parties with whom they share the information.
23
We considered these
proposals and concerns when composing the Order and the accompanying rules.
24
C. Response to Comments by the Chief Counsel for Advocacy of the Small Business
Administration
10. Pursuant to the Small Business Jobs Act of 2010, which amended the RFA, the
Commission is required to respond to any comments filed by the Chief Counsel for Advocacy of the
Small Business Administration (SBA), and to provide a detailed statement of any change made to the
proposed rules as a result of those comments.
25
11. The SBA filed comments in response to the IRFA encouraging the Commission to
examine measures, exemptions, and alternatives that would ease compliance by small
13
See Alaska Telephone Association Reply at 1-2; CCA Reply at 6; NTCA Reply at 15-16; RWA Comments at 2-
13; WISPA Comments at 4-5, 31-33; WISPA Reply at 1-3, 31-43.
14
See, e.g., ACA Comments at 38-39, 46-51, 57-58; ACA Reply at 4, 14-20; CCA Reply at 12-13, 25-26, 35, 40-41;
Education & Research Consortium et al. Comments at 5, 8-10; NTCA Comments at 18, 41-43, 49-51, 55; Rural
Wireless Association Comments at 2-14; USTelecom Comments at 19; WISPA Comments at 4-5, 28-29, 31-33;
WISPA Reply at 31-43; WTA Comments at 2-3, 10-17; WTA Reply at 5-10, 13; WTA & Nex-Tech Apr. 25, 2016
Ex Parte at 1.
15
See ACA Reply at 4; Alaska Telephone Association Reply at 1-2; WISPA Reply at 41; WTA Comments at 2-3;
WTA Reply at 5-6.
16
See ACA Comments at 46-49; CCA Reply at 40-41; WISPA Comments at 28-29.
17
See ACA Comments at 57-58; RWA Comments at 6-7; WTA Comments at 12.
18
See ACA Comments at 38-39, 46; ACA Reply at 4; CCA Reply at 25-26, 35; NTCA Comments at 41-43; WTA
Comments at 14-17; WTA Reply at 8-10. But see ACA Reply at 14-15 (asking for standardized notices with a safe
harbor); NTCA Comments at 41-42 (same).
19
See USTelecom Comments at 19; NTCA Comments at 55; WISPA Comments at 31; WTA Comments at 10, 16.
20
See NTCA Comments at 49-51.
21
See CCA Reply at 12-13; WISPA Comments at 31-33; WISPA Reply at 31-43; WTA Reply at 13.
22
See ACA Reply at 4; WISPA Comments at 31-33; WISPA Reply at 31-43.
23
Education & Research Consortium et al. Comments at 8-10.
24
See infra Appx. B, Part VI.F.
25
5 U.S.C. § 604(a)(3).
Federal Communications Commission FCC 16-148
181
telecommunications carriers with our rules.
26
SBA observed that compliance costs to small providers
may include “consulting fees, attorney’s fees, hiring or training in-house privacy personnel, customer
notification costs, and opportunity costs.”
27
In particular, SBA recommends giving small providers more
time to comply with the rules and it supports granting small providers an exemption from the rules
“wherever practicable.”
28
12. As explained in detail below, we have taken numerous measures in this Order to alleviate
burdens for small providers, consistent with the comments of the SBA. In particular, we have adopted
SBA’s proposal that we give small providers additional time to comply.
29
Also, while we do not exempt
small providers from any of our rules, we have taken alternative measures to address several of the
concerns with specific rule proposals that the SBA identifies. For instance, the data security rule we
adopt focuses on the “reasonableness” of a carrier’s security practices and does not prescribe any
minimum required practices a provider must undertake to achieve compliance.
30
The rule also
specifically recognizes that the size of the provider is one of the factors to be considered in determining
whether a provider has engaged in reasonable data security practices. By formulating the rule in this way,
we have addressed small provider concerns regarding the costs of implementing prescriptive
requirements.
31
We also note that among other accommodations directly responsive to small provider
concerns, we decline to require a consumer-facing dashboard.
D. Description and Estimate of the Number of Small Entities to Which the Rules Will
Apply
13. The RFA directs agencies to provide a description of, and where feasible, an estimate of
the number of small entities that may be affected by the rules.
32
The RFA generally defines the term
“small entity” as having the same meaning as the terms “small business,” “small organization,” and
“small governmental jurisdiction.”
33
In addition, the term “small business” has the same meaning as the
term “small business concern” under the Small Business Act.
34
A “small business concern” is one which:
(1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any
additional criteria established by the SBA.
35
14. For the purposes of these rules, we define small providers as providers with 100,000 or
fewer broadband connections as reported on their most recent Form 477, aggregated over all the
providers’ affiliates. We decline to count based on the number of customers from whom carriers collect
26
Letter from Darryl L. DePriest, Chief Counsel for Advocacy, and Jamie Belcore Saloom, Assistant Chief Counsel,
Office of Advocacy, U.S. Small Business Administration, to Marlene H. Dortch, Secretary, FCC, WC Docket No.
16-106 (filed June 27, 2016) (SBA Comments).
27
U.S. Small Business Administration Reply at 3.
28
U.S. Small Business Administration Reply at 4.
29
See supra Part III.I.4.
30
See supra Part III.E.
31
See supra Part III.E.1.
32
5 U.S.C. § 604.
33
5 U.S.C. § 601(6).
34
5 U.S.C. § 601(3) (incorporating by reference the definition of “small-business concern” in the Small Business
Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies “unless an
agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity
for public comment, establishes one or more definitions of such term which are appropriate to the activities of the
agency and publishes such definition(s) in the Federal Register.”
35
15 U.S.C. § 632.
Federal Communications Commission FCC 16-148
182
data, as we recognize that some data collection is necessary to the provisions of service. Cabining the
scope of small providers to those serving 100,000 or fewer subscribers is consistent with the 2015 Open
Internet Order.
36
15. The rules apply to all telecommunications carriers, including providers of BIAS. Below,
we describe the types of small entities that might provide these services.
1. Total Small Entities
16. Our rules may, over time, affect small entities that are not easily categorized at present.
We therefore describe here, at the outset, three comprehensive, statutory small entity size standards.
37
First, as of 2013, the SBA estimates there are an estimated 28.8 million small businesses nationwide
comprising some 99.9% of all businesses.
38
In addition, a “small organization” is generally “any not-for-
profit enterprise which is independently owned and operated and is not dominant in its field.”
39
Nationwide, as of 2007, there were approximately 1,621,315 small organizations.
40
Finally, the term
“small governmental jurisdiction” is defined generally as “governments of cities, towns, townships,
villages, school districts, or special districts, with a population of less than fifty thousand.”
41
Census
Bureau data for 2011 indicate that there were 90,056 local governmental jurisdictions in the United
States.
42
We estimate that, of this total, as many as 89,327 entities may qualify as “small governmental
jurisdictions.”
43
Thus, we estimate that most governmental jurisdictions are small.
2. Broadband Internet Access Service Providers
17. The Economic Census places BIAS providers, whose services might include Voice over
Internet Protocol (VoIP), in either of two categories, depending on whether the service is provided over
the provider’s own telecommunications facilities (e.g., cable and DSL ISPs), or over client-supplied
telecommunications connections (e.g., dial-up ISPs). The former are within the category of Wired
Telecommunications Carriers,
44
which has an SBA small business size standard of 1,500 or fewer
36
See supra Part III.I.4.
37
See 5 U.S.C. §§ 601(3)-(6).
38
See Small Bus. Admin., Office of Advocacy, Frequently Asked Questions about Small Business 1 (2016),
https://www.sba.gov/sites/default/files/advocacy/SB-FAQ-2016_WEB.pdf.
39
5 U.S.C. § 601(4).
40
Indep. Sector, The New Nonprofit Almanac and Desk Reference (2010).
41
5 U.S.C. § 601(5).
42
U.S. Census Bureau, Statistical Abstract of the United States: 2012, Section 8, page 267, tbl. 429,
https://www.census.gov/compendia/statab/2012/tables/12s0429.pdf/ (data cited therein are from 2007).
43
The 2007 U.S. Census data for small governmental organizations are not presented based on the size of the
population in each such organization. There were 89,476 local governmental organizations in 2007. If we assume
that county, municipal, township, and school district organizations are more likely than larger governmental
organizations to have populations of 50,000 or less, the total of these organizations is 52,095. As a basis of
estimating how many of these 89,476 local government organizations were small, in 2011, we note that there were a
total of 715 cities and towns (incorporated places and minor civil divisions) with populations over 50,000. U.S.
Census Bureau, City and Town Totals Vintage: 2011,
http://www.census.gov/popest/data/cities/totals/2011/index.html. If we subtract the 715 cities and towns that meet
or exceed the 50,000 population threshold, we conclude that approximately 88,761 are small. U.S. Census Bureau,
Statistical Abstract of the United States: 2012, Section 8, page 267, tbl. 429,
https://www.census.gov/compendia/statab/2012/tables/12s0429.pdf/ (data cited therein are from 2007).
44
U.S. Census Bureau, 2012 NAICS Definitions, “517110 Wired Telecommunications Carriers,”
http://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517110&search=2012%20NAICS%20Search.
Federal Communications Commission FCC 16-148
183
employees.
45
These are also labeled “broadband.” The latter are within the category of All Other
Telecommunications,
46
which has a size standard of annual receipts of $32.5 million or less.
47
These are
labeled non-broadband. According to Census Bureau data for 2012, there were 3,117 firms in the first
category, total, that operated for the entire year.
48
Of this total, 3,083 firms had employment of 999 or
fewer employees.
49
For the second category, the data show that 1,442 firms operated for the entire year.
50
Of those, 1,400 had annual receipts below $25 million per year. Consequently, we estimate that the
majority of broadband Internet access service provider firms are small entities.
18. The broadband Internet access service provider industry has changed since this definition
was introduced in 2007. The data cited above may therefore include entities that no longer provide
broadband Internet access service, and may exclude entities that now provide such service. To ensure that
this FRFA describes the universe of small entities that our action affects, we discuss in turn several
different types of entities that might be providing broadband Internet access service, which also overlap
with entities providing other telecommunications services. We note that, although we have no specific
information on the number of small entities that provide broadband Internet access service over
unlicensed spectrum, we include these entities in our Final Regulatory Flexibility Analysis.
3. Wireline Providers
19. Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as
“establishments primarily engaged in operating and/or providing access to transmission facilities and
infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using
wired communications networks. Transmission facilities may be based on a single technology or a
combination of technologies. Establishments in this industry use the wired telecommunications network
facilities that they operate to provide a variety of services, such as wired telephony services, including
VoIP services, wired (cable) audio and video programming distribution, and wired broadband internet
services. By exception, establishments providing satellite television distribution services using facilities
and infrastructure that they operate are included in this industry.”
51
The SBA has developed a small
business size standard for Wired Telecommunications Carriers, which consists of all such companies
having 1,500 or fewer employees.
52
Census data for 2012 shows that there were 3,117 firms that operated
that year. Of this total, 3,083 operated with fewer than 1,000 employees.
53
Thus, under this size standard,
the majority of firms in this industry can be considered small.
20. Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a
size standard for small businesses specifically applicable to local exchange services. The closest
applicable NAICS Code category is Wired Telecommunications Carriers as defined in this FRFA. Under
45
13 CFR § 121.201, NAICS code 517110.
46
U.S. Census Bureau, 2012 NAICS Definitions, “517919 All Other Telecommunications,”,
http://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517919&search=2012%20NAICS%20Search.
47
13 CFR § 121.201, NAICS code 517919.
48
U.S. Census Bureau, 2007 Economic Census, Subject Series: Information, Table 5, “Establishment and Firm Size:
Employment Size of Firms for the United States: 2007 NAICS Code 517110” (2010).
49
See id.
50
U.S. Census Bureau, 2007 Economic Census, Subject Series: Information, “Establishment and Firm Size,”
NAICS code 5179191 (2010) (receipts size).
51
http://www.census.gov/cgi-bin/sssd/naics/naicsrch.
52
See 13 CFR § 120.201, NAICS Code 517110.
53
http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?
pid=ECN_2012_US_51SSSZ5&prodType=table.
Federal Communications Commission FCC 16-148
184
the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees.
54
According to Commission data, census data for 2012 shows that there were 3,117 firms that operated that
year. Of this total, 3,083 operated with fewer than 1,000 employees.
55
The Commission therefore
estimates that most providers of local exchange carrier service are small entities that may be affected by
the rules adopted.
21. Incumbent Local Exchange Carriers (Incumbent LECs). Neither the Commission nor the
SBA has developed a small business size standard specifically for incumbent local exchange services.
The closest applicable NAICS Code category is Wired Telecommunications Carriers as defined in this
FRFA. Under that size standard, such a business is small if it has 1,500 or fewer employees.
56
According
to Commission data, 3,117 firms operated in that year. Of this total, 3,083 operated with fewer than
1,000 employees.
57
Consequently, the Commission estimates that most providers of incumbent local
exchange service are small businesses that may be affected by the rules and policies adopted. Three
hundred and seven (307) Incumbent Local Exchange Carriers reported that they were incumbent local
exchange service providers.
58
Of this total, an estimated 1,006 have 1,500 or fewer employees.
59
22. Competitive Local Exchange Carriers (Competitive LECs), Competitive Access Providers
(CAPs), Shared-Tenant Service Providers, and Other Local Service Providers. Neither the Commission
nor the SBA has developed a small business size standard specifically for these service providers. The
appropriate NAICS Code category is Wired Telecommunications Carriers, as defined in this FRFA.
Under that size standard, such a business is small if it has 1,500 or fewer employees.
60
U.S. Census data
for 2012 indicate that 3,117 firms operated during that year. Of that number, 3,083 operated with fewer
than 1,000 employees.
61
Based on this data, the Commission concludes that the majority of Competitive
LECS, CAPs, Shared-Tenant Service Providers, and Other Local Service Providers, are small entities.
According to Commission data, 1,442 carriers reported that they were engaged in the provision of either
competitive local exchange services or competitive access provider services.
62
Of these 1,442 carriers, an
estimated 1,256 have 1,500 or fewer employees.
63
In addition, 17 carriers have reported that they are
Shared-Tenant Service Providers, and all 17 are estimated to have 1,500 or fewer employees.
64
Also, 72
carriers have reported that they are Other Local Service Providers.
65
Of this total, 70 have 1,500 or fewer
employees.
66
Consequently, based on internally researched FCC data, the Commission estimates that
54
13 CFR § 121.201, NAICS code 517110.
55
http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?
pid=ECN_2012_US_51SSSZ5&prodType=table.
56
13 CFR § 121.201, NAICS code 517110.
57
http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?
pid=ECN_2012_US_51SSSZ5&prodType=table.
58
See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry
Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service).
59
Id.
60
13 CFR § 121.201, NAICS code 517110.
61
http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?
pid=ECN_2012_US_51SSSZ5&prodType=table.
62
See Trends in Telephone Service, at tbl. 5.3.
63
Id.
64
Id.
65
Id.
66
Id.
Federal Communications Commission FCC 16-148
185
most providers of competitive local exchange service, competitive access providers, Shared-Tenant
Service Providers, and Other Local Service Providers are small entities.
23. We have included small incumbent LECs in this present RFA analysis. As noted above,
a “small business” under the RFA is one that, inter alia, meets the pertinent small business size standard
(e.g., a telephone communications business having 1,500 or fewer employees), and “is not dominant in its
field of operation.”
67
The SBA’s Office of Advocacy contends that, for RFA purposes, small incumbent
LECs are not dominant in their field of operation because any such dominance is not “national” in
scope.
68
We have therefore included small incumbent LECs in this RFA analysis, although we emphasize
that this RFA action has no effect on Commission analyses and determinations in other, non-RFA
contexts.
24. Interexchange Carriers. Neither the Commission nor the SBA has developed a definition
for Interexchange Carriers. The closest NAICS Code category is Wired Telecommunications Carriers as
defined in this FRFA. The applicable size standard under SBA rules is that such a business is small if it
has 1,500 or fewer employees.
69
U.S. Census data for 2012 indicates that 3,117 firms operated during that
year. Of that number, 3,083 operated with fewer than 1,000 employees.
70
According to internally
developed Commission data, 359 companies reported that their primary telecommunications service
activity was the provision of interexchange services.
71
Of this total, an estimated 317 have 1,500 or fewer
employees.
72
Consequently, the Commission estimates that the majority of interexchange service
providers are small entities that may be affected by the rules adopted.
25. Operator Service Providers (OSPs). Neither the Commission nor the SBA has developed
a small business size standard specifically for operator service providers. The appropriate size standard
under SBA rules is for the category Wired Telecommunications Carriers. Under that size standard, such a
business is small if it has 1,500 or fewer employees.
73
According to Commission data, 33 carriers have
reported that they are engaged in the provision of operator services. Of these, an estimated 31 have 1,500
or fewer employees and two have more than 1,500 employees.
74
Consequently, the Commission
estimates that the majority of OSPs are small entities that may be affected by these rules.
26. Prepaid Calling Card Providers. Neither the Commission nor the SBA has developed a
small business definition specifically for prepaid calling card providers. The most appropriate NAICS
code-based category for defining prepaid calling card providers is Telecommunications Resellers. This
industry comprises establishments engaged in purchasing access and network capacity from owners and
operators of telecommunications networks and reselling wired and wireless telecommunications services
(except satellite) to businesses and households. Establishments in this industry resell
telecommunications; they do not operate transmission facilities and infrastructure. Mobile virtual
67
5 U.S.C. § 601(3).
68
Letter from Jere W. Glover, Chief Counsel for Advocacy, SBA, to William E. Kennard, Chairman, Federal
Communications Commission (filed May 27, 1999). The Small Business Act contains a definition of “small
business concern,” which the RFA incorporates into its own definition of “small business.” 15 U.S.C. § 632(a); 5
U.S.C. § 601(3). SBA regulations interpret “small business concern” to include the concept of dominance on a
national basis. 13 CFR § 121.102(b).
69
13 CFR § 121.201, NAICS code 517110.
70
http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?
pid=ECN_2012_US_51SSSZ5&prodType=table.
71
See Trends in Telephone Service, at tbl. 5.3.
72
Id.
73
13 CFR § 121.201, NAICS code 517110.
74
Trends in Telephone Service, tbl. 5.3.
Federal Communications Commission FCC 16-148
186
networks operators (MVNOs) are included in this industry.
75
Under the applicable SBA size standard,
such a business is small if it has 1,500 or fewer employees.
76
U.S. Census data for 2012 show that 1,341
firms provided resale services during that year. Of that number, 1,341 operated with fewer than 1,000
employees.
77
Thus, under this category and the associated small business size standard, the majority of
these prepaid calling card providers can be considered small entities. According to Commission data, 193
carriers have reported that they are engaged in the provision of prepaid calling cards.
78
All 193 carriers
have 1,500 or fewer employees.
79
Consequently, the Commission estimates that the majority of prepaid
calling card providers are small entities that may be affected by the rules adopted.
27. Local Resellers. Neither the Commission nor the SBA has developed a small business
size standard specifically for Local Resellers. The SBA has developed a small business size standard for
the category of Telecommunications Resellers. Under that size standard, such a business is small if it has
1,500 or fewer employees.
80
Census data for 2012 show that 1,341 firms provided resale services during
that year. Of that number, 1,341 operated with fewer than 1,000 employees.
81
Under this category and
the associated small business size standard, the majority of these local resellers can be considered small
entities. According to Commission data, 213 carriers have reported that they are engaged in the provision
of local resale services.
82
Of this total, an estimated 211 have 1,500 or fewer employees.
83
Consequently,
the Commission estimates that the majority of local resellers are small entities that may be affected by the
rules adopted.
28. Toll Resellers. The Commission has not developed a definition for Toll Resellers. The
closest NAICS Code Category is Telecommunications Resellers, and the SBA has developed a small
business size standard for the category of Telecommunications Resellers.
84
Under that size standard, such
a business is small if it has 1,500 or fewer employees.
85
Census data for 2012 show that 1,341 firms
provided resale services during that year. Of that number, 1,341 operated with fewer than 1,000
employees.
86
Thus, under this category and the associated small business size standard, the majority of
these resellers can be considered small entities. According to Commission data, 881 carriers have
reported that they are engaged in the provision of toll resale services.
87
Of this total, an estimated 857
have 1,500 or fewer employees.
88
Consequently, the Commission estimates that the majority of toll
resellers are small entities.
75
http://www.census.gov/cgi-bin/ssd/naics/naicsrch.
76
13 CFR § 121.201, NAICS code 517911.
77
http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?
pid=ECN_2012_US_51SSSZ5&prodType=table.
78
See Trends in Telephone Service, at tbl. 5.3.
79
Id.
80
13 CFR § 121.201, NAICS code 517911.
81
http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?
pid=ECN_2012_US_51SSSZ5&prodType=table.
82
See Trends in Telephone Service, at tbl. 5.3.
83
Id.
84
13 CFR § 121.201, NAICS code 517911.
85
http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?
pid=ECN_2012_US_51SSSZ5&prodType=table.
86
Id.
87
Trends in Telephone Service, at tbl. 5.3.
88
Id.
Federal Communications Commission FCC 16-148
187
29. Other Toll Carriers. Neither the Commission nor the SBA has developed a definition for
small businesses specifically applicable to Other Toll Carriers. This category includes toll carriers that do
not fall within the categories of interexchange carriers, operator service providers, prepaid calling card
providers, satellite service carriers, or toll resellers. The closest applicable NAICS Code category is for
Wired Telecommunications Carriers as defined in paragraph 6 of this FRFA. Under the applicable SBA
size standard, such a business is small if it has 1,500 or fewer employees.
89
Census data for 2012 shows
that there were 3,117 firms that operated that year. Of this total, 3,083 operated with fewer than 1,000
employees.
90
Thus, under this category and the associated small business size standard, the majority of
Other Toll Carriers can be considered small. According to internally developed Commission data, 284
companies reported that their primary telecommunications service activity was the provision of other toll
carriage.
91
Of these, an estimated 279 have 1,500 or fewer employees.
92
Consequently, the Commission
estimates that most Other Toll Carriers are small entities.
4. Wireless Providers Fixed and Mobile
30. The telecommunications services category covered by these rules may cover multiple
wireless firms and categories of regulated wireless services. In addition, for those services subject to
auctions, we note that, as a general matter, the number of winning bidders that claim to qualify as small
businesses at the close of an auction does not necessarily represent the number of small businesses
currently in service. Also, the Commission does not generally track subsequent business size unless, in
the context of assignments and transfers or reportable eligibility events, unjust enrichment issues are
implicated.
31. Wireless Telecommunications Carriers (except Satellite). This industry comprises
establishments engaged in operating and maintaining switching and transmission facilities to provide
communications via the airwaves. Establishments in this industry have spectrum licenses and provide
services using that spectrum, such as cellular services, paging services, wireless internet access, and
wireless video services.
93
The appropriate size standard under SBA rules is that such a business is small
if it has 1,500 or fewer employees. For this industry, Census data for 2012 show that there were 967
firms that operated for the entire year. Of this total, 955 firms had fewer than 1,000 employees. Thus
under this category and the associated size standard, the Commission estimates that the majority of
wireless telecommunications carriers (except satellite) are small entities. Similarly, according to
internally developed Commission data, 413 carriers reported that they were engaged in the provision of
wireless telephony, including cellular service, Personal Communications Service (PCS), and Specialized
Mobile Radio (SMR) services.
94
Of this total, an estimated 261 have 1,500 or fewer employees.
95
Thus,
using available data, we estimate that the majority of wireless firms can be considered small.
32. Wireless Communications Services. This service can be used for fixed, mobile,
radiolocation, and digital audio broadcasting satellite uses. The Commission defined “small business” for
the wireless communications services (WCS) auction as an entity with average gross revenues of $40
million for each of the three preceding years, and a “very small business” as an entity with average gross
89
13 CFR § 121.201, NAICS code 517110.
90
http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?
pid=ECN_2012_US_51SSSZ5&prodType=table.
91
Trends in Telephone Service, at tbl. 5.3.
92
Id.
93
NAICS Code 517210. See http://www.census.gov/cgi-bin/ssd/naics/naiscsrch.
94
Trends in Telephone Service, at tbl. 5.3.
95
Id.
Federal Communications Commission FCC 16-148
188
revenues of $15 million for each of the three preceding years.
96
The SBA has approved these
definitions.
97
33. 1670–1675 MHz Services. This service can be used for fixed and mobile uses, except
aeronautical mobile.
98
An auction for one license in the 16701675 MHz band was conducted in 2003.
One license was awarded. The winning bidder was not a small entity.
34. Wireless Telephony. Wireless telephony includes cellular, personal communications
services, and specialized mobile radio telephony carriers. As noted, the SBA has developed a small
business size standard for Wireless Telecommunications Carriers (except Satellite).
99
Under the SBA
small business size standard, a business is small if it has 1,500 or fewer employees.
100
According to
Commission data, 413 carriers reported that they were engaged in wireless telephony.
101
Of these, an
estimated 261 have 1,500 or fewer employees and 152 have more than 1,500 employees.
102
Therefore, a
little less than one third of these entities can be considered small.
35. Broadband Personal Communications Service. The broadband personal communications
services (PCS) spectrum is divided into six frequency blocks designated A through F, and the
Commission has held auctions for each block. The Commission initially defined a “small business” for
C- and F-Block licenses as an entity that has average gross revenues of $40 million or less in the three
previous calendar years.
103
For F-Block licenses, an additional small business size standard for “very
small business” was added and is defined as an entity that, together with its affiliates, has average gross
revenues of not more than $15 million for the preceding three calendar years.
104
These small business size
standards, in the context of broadband PCS auctions, have been approved by the SBA.
105
No small
businesses within the SBA-approved small business size standards bid successfully for licenses in Blocks
A and B. There were 90 winning bidders that claimed small business status in the first two C-Block
auctions. A total of 93 bidders that claimed small business status won approximately 40 percent of the
1,479 licenses in the first auction for the D, E, and F Blocks.
106
On April 15, 1999, the Commission
completed the reauction of 347 C-, D-, E-, and F-Block licenses in Auction No. 22.
107
Of the 57 winning
bidders in that auction, 48 claimed small business status and won 277 licenses.
96
Amendment of the Commission’s Rules to Establish Part 27, the Wireless Communications Service (WCS), Report
and Order, 12 FCC Rcd 10785, 10879, para. 194 (1997).
97
See Letter from Aida Alvarez, Administrator, SBA, to Amy Zoslov, Chief, Auctions and Industry Analysis
Division, Wireless Telecommunications Bureau, FCC (filed Dec. 2, 1998) (Alvarez Letter 1998).
98
47 CFR § 2.106; see generally 47 CFR §§ 27.1-27.70.
99
13 CFR § 121.201, NAICS code 517210.
100
Id.
101
Trends in Telephone Service, tbl. 5.3.
102
Id.
103
See Amendment of Parts 20 and 24 of the Commission’s Rules Broadband PCS Competitive Bidding and the
Commercial Mobile Radio Service Spectrum Cap; Amendment of the Commission’s Cellular/PCS Cross-Ownership
Rule, Report and Order, 11 FCC Rcd 7824, 7850-52, paras. 57-60 (1996) (PCS Report and Order); see also 47 CFR
§ 24.720(b).
104
See PCS Report and Order, 11 FCC Rcd at 7852, para. 60.
105
See Alvarez Letter 1998.
106
See Broadband PCS, D, E and F Block Auction Closes, Public Notice, Doc. No. 89838 (rel. Jan. 14, 1997).
107
See C, D, E, and F Block Broadband PCS Auction Closes, Public Notice, 14 FCC Rcd 6688 (WTB 1999).
Before Auction No. 22, the Commission established a very small standard for the C Block to match the standard
(continued….)
Federal Communications Commission FCC 16-148
189
36. On January 26, 2001, the Commission completed the auction of 422 C and F Block
Broadband PCS licenses in Auction No. 35. Of the 35 winning bidders in that auction, 29 claimed small
business status.
108
Subsequent events concerning Auction 35, including judicial and agency
determinations, resulted in a total of 163 C and F Block licenses being available for grant. On February
15, 2005, the Commission completed an auction of 242 C-, D-, E-, and F-Block licenses in Auction No.
58. Of the 24 winning bidders in that auction, 16 claimed small business status and won 156 licenses.
109
On May 21, 2007, the Commission completed an auction of 33 licenses in the A, C, and F Blocks in
Auction No. 71.
110
Of the 12 winning bidders in that auction, five claimed small business status and won
18 licenses.
111
On August 20, 2008, the Commission completed the auction of 20 C-, D-, E-, and F-Block
Broadband PCS licenses in Auction No. 78.
112
Of the eight winning bidders for Broadband PCS licenses
in that auction, six claimed small business status and won 14 licenses.
113
37. Specialized Mobile Radio Licenses. The Commission awards “small entity” bidding
credits in auctions for Specialized Mobile Radio (SMR) geographic area licenses in the 800 MHz and 900
MHz bands to firms that had revenues of no more than $15 million in each of the three previous calendar
years.
114
The Commission awards “very small entity” bidding credits to firms that had revenues of no
more than $3 million in each of the three previous calendar years.
115
The SBA has approved these small
business size standards for the 900 MHz Service.
116
The Commission has held auctions for geographic
area licenses in the 800 MHz and 900 MHz bands. The 900 MHz SMR auction began on December 5,
1995, and closed on April 15, 1996. Sixty bidders claiming that they qualified as small businesses under
the $15 million size standard won 263 geographic area licenses in the 900 MHz SMR band. The 800
MHz SMR auction for the upper 200 channels began on October 28, 1997, and was completed on
December 8, 1997. Ten bidders claiming that they qualified as small businesses under the $15 million
size standard won 38 geographic area licenses for the upper 200 channels in the 800 MHz SMR band.
117
A second auction for the 800 MHz band was held on January 10, 2002 and closed on January 17, 2002
and included 23 BEA licenses. One bidder claiming small business status won five licenses.
118
(Continued from previous page)
used for F Block. Amendment of the Commission’s Rules Regarding Installment Payment Financing for Personal
Communications Services (PCS) Licensees, Fourth Report and Order, 13 FCC Rcd 15743, 15768, para. 46 (1998).
108
See C and F Block Broadband PCS Auction Closes; Winning Bidders Announced, Public Notice, 16 FCC Rcd
2339 (2001).
109
See Broadband PCS Spectrum Auction Closes; Winning Bidders Announced for Auction No. 58, Public Notice,
20 FCC Rcd 3703 (2005).
110
See Auction of Broadband PCS Spectrum Licenses Closes; Winning Bidders Announced for Auction No. 71,
Public Notice, 22 FCC Rcd 9247 (2007).
111
Id.
112
See Auction of AWS-1 and Broadband PCS Licenses Closes; Winning Bidders Announced for Auction 78, Public
Notice, 23 FCC Rcd 12749 (WTB 2008).
113
Id.
114
47 CFR § 90.814(b)(1).
115
Id.
116
See Letter from Aida Alvarez, Administrator, SBA, to Thomas Sugrue, Chief, Wireless Telecommunications
Bureau, Federal Communications Commission (filed Aug. 10, 1999) (Alvarez Letter 1999).
117
See Correction to Public Notice DA 96-586 “FCC Announces Winning Bidders in the Auction of 1020 Licenses
to Provide 900 MHz SMR in Major Trading Areas,Public Notice, 18 FCC Rcd 18367 (WTB 1996).
118
See Multi-Radio Service Auction Closes, Public Notice, 17 FCC Rcd 1446 (WTB 2002).
Federal Communications Commission FCC 16-148
190
38. The auction of the 1,053 800 MHz SMR geographic area licenses for the General
Category channels began on August 16, 2000, and was completed on September 1, 2000. Eleven bidders
won 108 geographic area licenses for the General Category channels in the 800 MHz SMR band and
qualified as small businesses under the $15 million size standard.
119
In an auction completed on
December 5, 2000, a total of 2,800 Economic Area licenses in the lower 80 channels of the 800 MHz
SMR service were awarded.
120
Of the 22 winning bidders, 19 claimed small business status and won 129
licenses. Thus, combining all four auctions, 41 winning bidders for geographic licenses in the 800 MHz
SMR band claimed status as small businesses.
39. In addition, there are numerous incumbent site-by-site SMR licenses and licensees with
extended implementation authorizations in the 800 and 900 MHz bands. We do not know how many
firms provide 800 MHz or 900 MHz geographic area SMR service pursuant to extended implementation
authorizations, nor how many of these providers have annual revenues of no more than $15 million. One
firm has over $15 million in revenues. In addition, we do not know how many of these firms have 1,500
or fewer employees, which is the SBA-determined size standard.
121
We assume, for purposes of this
analysis, that all of the remaining extended implementation authorizations are held by small entities, as
defined by the SBA.
40. Lower 700 MHz Band Licenses. The Commission previously adopted criteria for
defining three groups of small businesses for purposes of determining their eligibility for special
provisions such as bidding credits.
122
The Commission defined a “small business” as an entity that,
together with its affiliates and controlling principals, has average gross revenues not exceeding $40
million for the preceding three years.
123
A “very small business” is defined as an entity that, together with
its affiliates and controlling principals, has average gross revenues that are not more than $15 million for
the preceding three years.
124
Additionally, the lower 700 MHz Service had a third category of small
business status for Metropolitan/Rural Service Area (MSA/RSA) licenses“entrepreneur”which is
defined as an entity that, together with its affiliates and controlling principals, has average gross revenues
that are not more than $3 million for the preceding three years.
125
The SBA approved these small size
standards.
126
An auction of 740 licenses (one license in each of the 734 MSAs/RSAs and one license in
each of the six Economic Area Groupings (EAGs)) commenced on August 27, 2002, and closed on
September 18, 2002. Of the 740 licenses available for auction, 484 licenses were won by 102 winning
bidders. Seventy-two of the winning bidders claimed small business, very small business or entrepreneur
status and won a total of 329 licenses.
127
A second auction commenced on May 28, 2003, closed on June
13, 2003, and included 256 licenses: 5 EAG licenses and 476 Cellular Market Area licenses.
128
Seventeen winning bidders claimed small or very small business status and won 60 licenses, and nine
119
See 800 MHz Specialized Mobile Radio (SMR) Service General Category (851854 MHz) and Upper Band (861
865 MHz) Auction Closes; Winning Bidders Announced, Public Notice, 15 FCC Rcd 17162 (2000).
120
See 800 MHz SMR Service Lower 80 Channels Auction Closes; Winning Bidders Announced, Public Notice,
16 FCC Rcd 1736 (2000).
121
See generally 13 CFR § 121.201, NAICS code 517210.
122
See Reallocation and Service Rules for the 698746 MHz Spectrum Band (Television Channels 5259), Report
and Order, 17 FCC Rcd 1022 (2002) (Channels 5259 Report and Order).
123
See id. At 1087-88, para. 172.
124
See id.
125
See id., at 1088, para. 173.
126
See Alvarez Letter 1999.
127
See Lower 700 MHz Band Auction Closes, Public Notice, 17 FCC Rcd 17272 (WTB 2002).
128
See id.
Federal Communications Commission FCC 16-148
191
winning bidders claimed entrepreneur status and won 154 licenses.
129
On July 26, 2005, the Commission
completed an auction of 5 licenses in the Lower 700 MHz band (Auction No. 60). There were three
winning bidders for five licenses. All three winning bidders claimed small business status.
41. In 2007, the Commission reexamined its rules governing the 700 MHz band in the 700
MHz Second Report and Order.
130
An auction of 700 MHz licenses commenced January 24, 2008 and
closed on March 18, 2008, which included, 176 Economic Area licenses in the A Block, 734 Cellular
Market Area licenses in the B Block, and 176 EA licenses in the E Block.
131
Twenty winning bidders,
claiming small business status (those with attributable average annual gross revenues that exceed $15
million and do not exceed $40 million for the preceding three years) won 49 licenses. Thirty three
winning bidders claiming very small business status (those with attributable average annual gross
revenues that do not exceed $15 million for the preceding three years) won 325 licenses.
42. Upper 700 MHz Band Licenses. In the 700 MHz Second Report and Order, the
Commission revised its rules regarding Upper 700 MHz licenses.
132
On January 24, 2008, the
Commission commenced Auction 73 in which several licenses in the Upper 700 MHz band were
available for licensing: 12 Regional Economic Area Grouping licenses in the C Block, and one
nationwide license in the D Block.
133
The auction concluded on March 18, 2008, with 3 winning bidders
claiming very small business status (those with attributable average annual gross revenues that do not
exceed $15 million for the preceding three years) and winning five licenses.
43. 700 MHz Guard Band Licensees. In 2000, in the 700 MHz Guard Band Order, the
Commission adopted size standards for “small businesses” and “very small businesses” for purposes of
determining their eligibility for special provisions such as bidding credits and installment payments.
134
A
small business in this service is an entity that, together with its affiliates and controlling principals, has
average gross revenues not exceeding $40 million for the preceding three years.
135
Additionally, a very
small business is an entity that, together with its affiliates and controlling principals, has average gross
revenues that are not more than $15 million for the preceding three years.
136
SBA approval of these
definitions is not required.
137
An auction of 52 Major Economic Area licenses commenced on September
129
See id.
130
Service Rules for the 698746, 747762 and 777792 MHz Band; Revision of the Commission’s Rules to Ensure
Compatibility with Enhanced 911 Emergency Calling Systems; Section 68.4(a) of the Commission’s Rules
Governing Hearing Aid-Compatible Telephones; Biennial Regulatory ReviewAmendment of Parts 1, 22, 24, 27,
and 90 to Streamline and Harmonize Various Rules Affecting Wireless Radio Services; Former Nextel
Communications, Inc. Upper 700 MHz Guard Band Licenses and Revisions to Part 27 of the Commission’s Rules;
Implementing a Nationwide, Broadband, Interoperable Public Safety Network in the 700 MHz Band; Development
of Operational, Technical and Spectrum Requirements for Meeting Federal, State and Local Public Safety
Communications Requirements Through the Year 2010; Declaratory Ruling on Reporting Requirement under
Commission’s Part 1 Anti-Collusion Rule, Second Report and Order, 22 FCC Rcd 15289, 15359 n. 434 (2007) (700
MHz Second Report and Order).
131
See Auction of 700 MHz Band Licenses Closes, Public Notice, 23 FCC Rcd 4572 (WTB 2008).
132
700 MHz Second Report and Order, 22 FCC Rcd 15289.
133
See Auction of 700 MHz Band Licenses Closes, Public Notice, 23 FCC Rcd 4572 (WTB 2008).
134
See Service Rules for the 746764 MHz Bands, and Revisions to Part 27 of the Commission’s Rules, Second
Report and Order, 15 FCC Rcd 5299 (2000) (746764 MHz Band Second Report and Order).
135
See id. at 5343, para. 108.
136
See id.
137
See id. at 5343, para. 108 n.246 (for the 746764 MHz and 776794 MHz bands, the Commission is exempt from
15 U.S.C. § 632, which requires Federal agencies to obtain SBA approval before adopting small business size
standards).
Federal Communications Commission FCC 16-148
192
6, 2000, and closed on September 21, 2000.
138
Of the 104 licenses auctioned, 96 licenses were sold to
nine bidders. Five of these bidders were small businesses that won a total of 26 licenses. A second
auction of 700 MHz Guard Band licenses commenced on February 13, 2001, and closed on February 21,
2001. All eight of the licenses auctioned were sold to three bidders. One of these bidders was a small
business that won a total of two licenses.
139
44. Air-Ground Radiotelephone Service. The Commission has previously used the SBA’s
small business size standard applicable to Wireless Telecommunications Carriers (except Satellite), i.e.,
an entity employing no more than 1,500 persons.
140
There are approximately 100 licensees in the Air-
Ground Radiotelephone Service, and under that definition, we estimate that almost all of them qualify as
small entities under the SBA definition. For purposes of assigning Air-Ground Radiotelephone Service
licenses through competitive bidding, the Commission has defined “small business” as an entity that,
together with controlling interests and affiliates, has average annual gross revenues for the preceding
three years not exceeding $40 million.
141
A “very small business” is defined as an entity that, together
with controlling interests and affiliates, has average annual gross revenues for the preceding three years
not exceeding $15 million.
142
These definitions were approved by the SBA.
143
In May 2006, the
Commission completed an auction of nationwide commercial Air-Ground Radiotelephone Service
licenses in the 800 MHz band (Auction No. 65). On June 2, 2006, the auction closed with two winning
bidders winning two Air-Ground Radiotelephone Services licenses. Neither of the winning bidders
claimed small business status.
45. AWS Services (17101755 MHz and 21102155 MHz bands (AWS-1); 19151920 MHz,
1995–2000 MHz, 20202025 MHz and 21752180 MHz bands (AWS-2); 21552175 MHz band (AWS-
3)). For the AWS-1 bands,
144
the Commission has defined a “small business” as an entity with average
annual gross revenues for the preceding three years not exceeding $40 million, and a “very small
business” as an entity with average annual gross revenues for the preceding three years not exceeding $15
million. For AWS-2 and AWS-3, although we do not know for certain which entities are likely to apply
for these frequencies, we note that the AWS-1 bands are comparable to those used for cellular service and
personal communications service. The Commission has not yet adopted size standards for the AWS-2 or
AWS-3 bands but proposes to treat both AWS-2 and AWS-3 similarly to broadband PCS service and
AWS-1 service due to the comparable capital requirements and other factors, such as issues involved in
relocating incumbents and developing markets, technologies, and services.
145
138
See 700 MHz Guard Bands Auction Closes: Winning Bidders Announced, Public Notice, 15 FCC Rcd 18026
(WTB 2000).
139
See 700 MHz Guard Bands Auction Closes: Winning Bidders Announced, Public Notice, 16 FCC Rcd 4590
(WTB 2001).
140
13 CFR § 121.201, NAICS codes 517210.
141
Amendment of Part 22 of the Commission’s Rules to Benefit the Consumers of Air-Ground Telecommunications
Services, Biennial Regulatory ReviewAmendment of Parts 1, 22, and 90 of the Commission’s Rules, Amendment of
Parts 1 and 22 of the Commission’s Rules to Adopt Competitive Bidding Rules for Commercial and General
Aviation Air-Ground Radiotelephone Service, Order on Reconsideration and Report and Order, 20 FCC Rcd 19663,
paras. 28-42 (2005).
142
Id.
143
See Letter from Hector V. Barreto, Administrator, SBA, to Gary D. Michaels, Deputy Chief, Auctions and
Spectrum Access Division, Wireless Telecommunications Bureau, Federal Communications Commission (filed
Sept. 19, 2005).
144
The service is defined in section 90.1301 et seq. of the Commission’s Rules, 47 CFR § 90.1301 et seq.
145
See Service Rules for Advanced Wireless Services in the 1.7 GHz and 2.1 GHz Bands, Report and Order, 18 FCC
Rcd 25162, Appx. B (2003), modified by Service Rules for Advanced Wireless Services in the 1.7 GHz and 2.1 GHz
(continued….)
Federal Communications Commission FCC 16-148
193
46. 3650–3700 MHz band. In March 2005, the Commission released a Report and Order
and Memorandum Opinion and Order that provides for nationwide, non-exclusive licensing of terrestrial
operations, utilizing contention-based technologies, in the 3650 MHz band (i.e., 36503700 MHz). As of
April 2010, more than 1270 licenses have been granted and more than 7433 sites have been registered.
The Commission has not developed a definition of small entities applicable to 36503700 MHz band
nationwide, non-exclusive licensees. However, we estimate that the majority of these licensees are
Internet Access Service Providers (ISPs) and that most of those licensees are small businesses.
47. Fixed Microwave Services. Microwave services include common carrier,
146
private-
operational fixed,
147
and broadcast auxiliary radio services.
148
They also include the Local Multipoint
Distribution Service (LMDS),
149
the Digital Electronic Message Service (DEMS),
150
and the 24 GHz
Service,
151
where licensees can choose between common carrier and non-common carrier status.
152
At
present, there are approximately 36,708 common carrier fixed licensees and 59,291 private operational-
fixed licensees and broadcast auxiliary radio licensees in the microwave services. There are
approximately 135 LMDS licensees, three DEMS licensees, and three 24 GHz licensees. The
Commission has not yet defined a small business with respect to microwave services. For purposes of the
IRFA, we will use the SBA’s definition applicable to Wireless Telecommunications Carriers (except
satellite)i.e., an entity with no more than 1,500 persons.
153
Under the present and prior categories, the
SBA has deemed a wireless business to be small if it has 1,500 or fewer employees.
154
The Commission
does not have data specifying the number of these licensees that have more than 1,500 employees, and
thus is unable at this time to estimate with greater precision the number of fixed microwave service
licensees that would qualify as small business concerns under the SBA’s small business size standard.
Consequently, the Commission estimates that there are up to 36,708 common carrier fixed licensees and
up to 59,291 private operational-fixed licensees and broadcast auxiliary radio licensees in the microwave
services that may be small and may be affected by the rules and policies adopted herein. We note,
however, that the common carrier microwave fixed licensee category includes some large entities.
48. Broadband Radio Service and Educational Broadband Service. Broadband Radio
Service systems, previously referred to as Multipoint Distribution Service (MDS) and Multichannel
(Continued from previous page)
Bands, Order on Reconsideration, 20 FCC Rcd 14058, Appx. C (2005); Service Rules for Advanced Wireless
Services in the 19151920 MHz, 19952000 MHz, 20202025 MHz and 21752180 MHz Bands; Service Rules for
Advanced Wireless Services in the 1.7 GHz and 2.1 GHz Bands, Notice of Proposed Rulemaking, 19 FCC Rcd
19263, Appx. B (2005); Service Rules for Advanced Wireless Services in the 21552175 MHz Band, Notice of
Proposed Rulemaking, 22 FCC Rcd 17035, Appx. (2007).
146
See 47 CFR Part 101, Subparts C and I.
147
See 47 CFR Part 101, Subparts C and H.
148
Auxiliary Microwave Service is governed by Part 74 of Title 47 of the Commission’s Rules. See 47 CFR Part
74. Available to licensees of broadcast stations and to broadcast and cable network entities, broadcast auxiliary
microwave stations are used for relaying broadcast television signals from the studio to the transmitter, or between
two points such as a main studio and an auxiliary studio. The service also includes mobile TV pickups, which relay
signals from a remote location back to the studio.
149
See 47 CFR Part 101, Subpart L.
150
See 47 CFR Part 101, Subpart G.
151
See id.
152
See 47 CFR §§ 101.533, 101.1017.
153
13 CFR § 121.201, NAICS code 517210.
154
13 CFR § 121.201, NAICS code 517210 (2007 NAICS). The now-superseded, pre-2007 CFR citations were 13
CFR § 121.201, NAICS codes 517211 and 517212 (referring to the 2002 NAICS).
Federal Communications Commission FCC 16-148
194
Multipoint Distribution Service (MMDS) systems, and “wireless cable,” transmit video programming to
subscribers and provide two-way high speed data operations using the microwave frequencies of the
Broadband Radio Service (BRS) and Educational Broadband Service (EBS) (previously referred to as the
Instructional Television Fixed Service (ITFS)).
155
In connection with the 1996 BRS auction, the
Commission established a small business size standard as an entity that had annual average gross
revenues of no more than $40 million in the previous three calendar years.
156
The BRS auctions resulted
in 67 successful bidders obtaining licensing opportunities for 493 Basic Trading Areas (BTAs). Of the 67
auction winners, 61 met the definition of a small business. BRS also includes licensees of stations
authorized prior to the auction. At this time, we estimate that of the 61 small business BRS auction
winners, 48 remain small business licensees. In addition to the 48 small businesses that hold BTA
authorizations, there are approximately 392 incumbent BRS licensees that are considered small entities.
157
After adding the number of small business auction licensees to the number of incumbent licensees not
already counted, we find that there are currently approximately 440 BRS licensees that are defined as
small businesses under either the SBA or the Commission’s rules.
49. In 2009, the Commission conducted Auction 86, the sale of 78 licenses in the BRS
areas.
158
The Commission offered three levels of bidding credits: (i) a bidder with attributed average
annual gross revenues that exceed $15 million and do not exceed $40 million for the preceding three
years (small business) received a 15 percent discount on its winning bid; (ii) a bidder with attributed
average annual gross revenues that exceed $3 million and do not exceed $15 million for the preceding
three years (very small business) received a 25 percent discount on its winning bid; and (iii) a bidder with
attributed average annual gross revenues that do not exceed $3 million for the preceding three years
(entrepreneur) received a 35 percent discount on its winning bid.
159
Auction 86 concluded in 2009 with
the sale of 61 licenses.
160
Of the ten winning bidders, two bidders that claimed small business status won
4 licenses; one bidder that claimed very small business status won three licenses; and two bidders that
claimed entrepreneur status won six licenses.
50. In addition, the SBA’s Cable Television Distribution Services small business size
standard is applicable to EBS. There are presently 2,436 EBS licensees. All but 100 of these licenses are
held by educational institutions. Educational institutions are included in this analysis as small entities.
161
Thus, we estimate that at least 2,336 licensees are small businesses. Since 2007, Cable Television
Distribution Services have been defined within the broad economic census category of Wired
Telecommunications Carriers; that category is defined as follows: “This industry comprises
155
Amendment of Parts 21 and 74 of the Commission’s Rules with Regard to Filing Procedures in the Multipoint
Distribution Service and in the Instructional Television Fixed Service and Implementation of Section 309(j) of the
Communications ActCompetitive Bidding, Report and Order, 10 FCC Rcd 9589, 9593, para. 7 (1995).
156
47 CFR § 21.961(b)(1).
157
47 U.S.C. § 309(j). Hundreds of stations were licensed to incumbent MDS licensees prior to implementation of
Section 309(j) of the Communications Act of 1934, 47 U.S.C. § 309(j). For these pre-auction licenses, the
applicable standard is SBA’s small business size standard of 1500 or fewer employees.
158
Auction of Broadband Radio Service (BRS) Licenses, Scheduled for October 27, 2009, Notice and Filing
Requirements, Minimum Opening Bids, Upfront Payments, and Other Procedures for Auction 86, Public Notice, 24
FCC Rcd 8277 (2009).
159
Id. at 8296 para. 73.
160
Auction of Broadband Radio Service Licenses Closes, Winning Bidders Announced for Auction 86, Down
Payments Due November 23, 2009, Final Payments Due December 8, 2009, Ten-Day Petition to Deny Period,
Public Notice, 24 FCC Rcd 13572 (2009).
161
The term “small entity” within SBREFA applies to small organizations (nonprofits) and to small governmental
jurisdictions (cities, counties, towns, townships, villages, school districts, and special districts with populations of
less than 50,000). 5 U.S.C. §§ 601(4)-(6). We do not collect annual revenue data on EBS licensees.
Federal Communications Commission FCC 16-148
195
establishments primarily engaged in operating and/or providing access to transmission facilities and
infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using
wired telecommunications networks. Transmission facilities may be based on a single technology or a
combination of technologies.”
162
The SBA has developed a small business size standard for this category,
which is: all such firms having 1,500 or fewer employees. To gauge small business prevalence for these
cable services we must, however, use the most current census data that are based on the previous category
of Cable and Other Program Distribution and its associated size standard; that size standard was: all such
firms having $13.5 million or less in annual receipts.
163
According to Census Bureau data for 2007, there
were a total of 996 firms in this category that operated for the entire year.
164
Of this total, 948 firms had
annual receipts of under $10 million, and 48 firms had receipts of $10 million or more but less than $25
million.
165
Thus, the majority of these firms can be considered small.
5. Satellite Service Providers
51. Satellite Telecommunications Providers. Two economic census categories address the
satellite industry. The first category has a small business size standard of $30 million or less in average
annual receipts, under SBA rules.
166
The second has a size standard of $30 million or less in annual
receipts.
167
52. The category of Satellite Telecommunications “comprises establishments primarily
engaged in providing telecommunications services to other establishments in the telecommunications and
broadcasting industries by forwarding and receiving communications signals via a system of satellites or
reselling satellite telecommunications.”
168
For this category, Census Bureau data for 2012 show that there
were a total of 333 firms that operated for the entire year.
169
Of this total, 299 firms had annual receipts of
under $25 million.
170
Consequently, we estimate that the majority of Satellite Telecommunications firms
are small entities that might be affected by our action.
53. The second category of Other Telecommunications comprises, inter alia, “establishments
primarily engaged in providing specialized telecommunications services, such as satellite tracking,
communications telemetry, and radar station operation. This industry also includes establishments
primarily engaged in providing satellite terminal stations and associated facilities connected with one or
more terrestrial systems and capable of transmitting telecommunications to, and receiving
telecommunications from, satellite systems.”
171
For this category, census data for 2012 show that there
162
U.S. Census Bureau, 2012 NAICS Definitions, “517110 Wired Telecommunications Carriers,” (partial
definition), http://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517110&search=2012.
163
13 CFR § 121.201, NAICS code 517110.
164
U.S. Census Bureau, 2007 Economic Census, Subject Series: Information, Receipts by Enterprise Employment
Size for the United States: 2007, NAICS code 517510 (rel. Nov. 19, 2010).
165
Id.
166
13 CFR § 121.201, NAICS Code 517410.
167
13 CFR § 121.201, NAICS Code 517919.
168
U.S. Census Bureau, 2012 NAICS Definitions, “517410 Satellite Telecommunications,”
http://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517410&search=2012.
169
U.S. Census Bureau, 2012 Economic Census of the United States, Table EC1251SSSZ4, Information: Subject
Series - Estab and Firm Size: Receipts Size of Firms for the United States: 2012, NAICS code 517410
http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?pid=ECN_2012_US_51SSSZ4&prodT
ype=table.
170
Id.
171
U.S. Census Bureau, 2012 NAICS Definitions, “517919 All Other Telecommunications,”
http://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517919&search=2012.
Federal Communications Commission FCC 16-148
196
were 1,442 firms that operated for the entire year. Of these firms, a total of 1,400 had gross annual
receipts of less than $25 million.
172
Thus, a majority of All Other Telecommunicationsfirms
potentially affected by the rules adopted can be considered small.
6. Cable Service Providers
54. Cable and Other Program Distributors. Since 2007, these services have been defined
within the broad economic census category of Wired Telecommunications Carriers; that category is
defined as follows: “This industry comprises establishments primarily engaged in operating and/or
providing access to transmission facilities and infrastructure that they own and/or lease for the
transmission of voice, data, text, sound, and video using wired telecommunications networks.
Transmission facilities may be based on a single technology or a combination of technologies.”
173
The
SBA has developed a small business size standard for this category, which is: all such firms having 1,500
or fewer employees. To gauge small business prevalence for these cable services we must, however, use
current census data that are based on the previous category of Cable and Other Program Distribution and
its associated size standard; that size standard was: all such firms having $13.5 million or less in annual
receipts.
174
According to Census Bureau data for 2007, there were a total of 2,048 firms in this category
that operated for the entire year.
175
Of this total, 1,393 firms had annual receipts of under $10 million, and
655 firms had receipts of $10 million or more.
176
Thus, the majority of these firms can be considered
small.
55. Cable Companies and Systems. The Commission has also developed its own small
business size standards, for the purpose of cable rate regulation. Under the Commission’s rules, a “small
cable company” is one serving 400,000 or fewer subscribers, nationwide.
177
Industry data shows that
there were 1,141 cable companies at the end of June 2012.
178
Of this total, all but ten cable operators
nationwide are small under this size standard.
179
In addition, under the Commission’s rules, a “small
172
http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?
pid=ECN_2012_US_51SSSZ4&prodType=table.
173
U.S. Census Bureau, 2012 NAICS Definitions, “517110 Wired Telecommunications Carriers,” (partial
definition), http://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517110&search=2012.
174
13 CFR § 121.201, NAICS code 517110.
175
U.S. Census Bureau, 2007 Economic Census, Subject Series: Information, “Establishment and Firm Size,”
NAICS code 517110 (rel. Nov. 19, 2010).
176
Id.
177
47 CFR § 76.901(e). The Commission determined that this size standard equates approximately to a size
standard of $100 million or less in annual revenues. Implementation of Sections of the 1992 Cable Act: Rate
Regulation, Sixth Report and Order and Eleventh Order on Reconsideration, 10 FCC Rcd 7393, 7408 (1995).
178
NCTA, Industry Data, Number of Cable Operating Companies (June 2012), http://www.ncta.com/Statistics.aspx
(visited Sept. 28, 2012). Depending upon the number of homes and the size of the geographic area served, cable
operators use one or more cable systems to provide video service. See Annual Assessment of the Status of
Competition in the Market for Delivery of Video Programming, Fifteenth Report, 28 FCC Rcd 10496, 10505-06,
para. 24 (2013) (15
th
Annual Competition Report).
179
See SNL Kagan, “Top Cable MSOs 12/12 Q”,
http://www.snl.com/InteractiveX/TopCableMSOs.aspx?period=2012Q4&sortcol=subscribersbasic&sortorder=desc.
We note that, when applied to an MVPD operator, under this size standard (i.e., 400,000 or fewer subscribers) all
but 14 MVPD operators would be considered small. See NCTA, Industry Data, Top 25 Multichannel Video Service
Customers (2012), http://www.ncta.com/industry-data. The Commission applied this size standard to MVPD
operators in its implementation of the CALM Act. See Implementation of the Commercial Advertisement Loudness
Mitigation (CALM) Act, Report and Order, 26 FCC Rcd 17222, 17245-46, para. 37 (2011) (CALM Act Report and
Order) (defining a smaller MVPD operator as one serving 400,000 or fewer subscribers nationwide, as of December
31, 2011).
Federal Communications Commission FCC 16-148
197
system” is a cable system serving 15,000 or fewer subscribers.
180
Current Commission records show
4,945 cable systems nationwide.
181
Of this total, 4,380 cable systems have less than 20,000 subscribers,
and 565 systems have 20,000 or more subscribers, based on the same records. Thus, under this standard,
we estimate that most cable systems are small entities.
56. Cable System Operators. The Communications Act also contains a size standard for
small cable system operators, which is “a cable operator that, directly or through an affiliate, serves in the
aggregate fewer than 1 percent of all subscribers in the United States and is not affiliated with any entity
or entities whose gross annual revenues in the aggregate exceed $250,000,000.”
182
There are
approximately 52,403,705 cable video subscribers in the United States today.
183
Accordingly, an operator
serving fewer than 524,037 subscribers shall be deemed a small operator if its annual revenues, when
combined with the total annual revenues of all its affiliates, do not exceed $250 million in the
aggregate.
184
Based on available data, we find that all but nine incumbent cable operators are small
entities under this size standard.
185
We note that the Commission neither requests nor collects information
on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250
million.
186
Although it seems certain that some of these cable system operators are affiliated with entities
whose gross annual revenues exceed $250 million, we are unable at this time to estimate with greater
precision the number of cable system operators that would qualify as small cable operators under the
definition in the Communications Act.
7. All Other Telecommunications
57. All Other Telecommunications” is defined as follows: This U.S. industry is comprised
of establishments that are primarily engaged in providing specialized telecommunications services, such
as satellite tracking, communications telemetry, and radar station operation. This industry also includes
establishments primarily engaged in providing satellite terminal stations and associated facilities
connected with one or more terrestrial systems and capable of transmitting telecommunications to, and
receiving telecommunications from, satellite systems. Establishments providing Internet services or voice
over Internet protocol (VoIP) services via client-supplied telecommunications connections are also
included in this industry.
187
The SBA has developed a small business size standard for All Other
Telecommunications,” which consists of all such firms with gross annual receipts of $32.5 million or
less.
188
For this category, census data for 2012 show that there were 1,442 firms that operated for the
entire year. Of these firms, a total of 1,400 had gross annual receipts of less than $25 million.
189
Thus, a
majority of All Other Telecommunicationsfirms potentially affected by the rules adopted can be
considered small.
180
47 CFR § 76.901(c).
181
The number of active, registered cable systems comes from the Commission’s Cable Operations and Licensing
System (COALS) database on Aug. 28, 2013. A cable system is a physical system integrated to a principal headend.
182
47 CFR § 76.901 (f) and notes ff. 1, 2, and 3.
183
See SNL KAGAN at www.snl.com/interactivex/MultichannelIndustryBenchmarks.aspx.
184
47 CFR § 76.901(f) and notes ff. 1, 2, and 3.
185
See SNL KAGAN at www.snl.com/interactivex/TopCable MSOs.aspx.
186
The Commission does receive such information on a case-by-case basis if a cable operator appeals a local
franchise authority's finding that the operator does not qualify as a small cable operator pursuant to section 76.901(f)
of the Commission’s rules. See 47 CFR § 76.901(f).
187
http://www.census.gov/cgi-bin/ssssd/naics/naicsrch.
188
13 CFR § 121.201; NAICS Code 517919
189
http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?
pid=ECN_2012_US_51SSSZ4&prodType=table.
Federal Communications Commission FCC 16-148
198
E. Description of Projected Reporting, Recordkeeping, and Other Compliance
Requirements for Small Entities
58. The Order adopts requirements concerning (1) the provision of meaningful notice of
privacy policies; (2) customer approval for the use and disclosure of customer PI; (3) reasonable data
security; (4) data breach notification; and (5) particular practices that raise privacy concerns. The rules
we adopt in the Order will apply to all telecommunications carriers, including BIAS and voice service
providers.
59. Providing Meaningful Notice of Privacy Policies. We adopt privacy policy notice
requirements for all telecommunications carriers, including small providers. We require
telecommunications carriers to provide notices of privacy policies at the point of sale prior to the purchase
of service, and also to make notices clearly, conspicuously, and persistently available on carriers’
websites and via carriers’ apps that are used to manage service, if any. These notices must clearly inform
customers about what customer proprietary information the providers collect, how they use it, and under
what circumstances they share it. We also require that providers inform their customers about customers’
rights to opt in to or out (as the case may be) of the use or sharing of their proprietary information. We
require that privacy notices be clear, conspicuous, comprehensible, and not misleading; and written in the
language with which the carrier transacts business with the customer; but we do not require that they be
formatted in any specific manner. Finally, we require providers to give their customers advance notice of
material changes to their privacy policies.
190
We have declined to require periodic notice on an annual or
bi-annual basis, similar to what the preexisting CPNI rules require.
60. Customer Approval Requirements for the Use and Disclosure of Customer PI. We
require carriers to obtain express, informed customer consent (i.e., opt-in approval) for the use and
sharing of sensitive customer PI. With respect to non-sensitive customer PI, carriers must, at a minimum,
provide their customers the ability to opt out of the carrier’s use or sharing of that non-sensitive customer
information. Carriers must also provide customers with easy access to a choice mechanism that is simple,
easy-to-use, clearly and conspicuously disclosed, persistently available, and made available at no
additional cost to the customer.
191
We require telecommunications carriers to solicit customer approval at
the point of sale, and permit further solicitations after the point of sale. We also require that carriers
actively contact their customers in these subsequent solicitations, to ensure that customers are adequately
informed. Finally, we require the solicitations to be clear and conspicuous, comprehensible, not
misleading, and to contain the information necessary for a customer to make an informed choice. This
means the solicitations must inform customers of the types of customer proprietary information that the
carrier is seeking to use, disclose, or permit access to, how those types of information will be used or
shared, and the categories of entities with which that information is shared. In order to maintain
flexibility, we do not require particular formats or methods by which a carrier must communicate its
solicitation of consent to customers.
192
61. Our rules allow providers to use and disclose customer data without approval if the data
is properly de-identified. This option gives providers carriers, including small providers, a way to use
customer information that avoids both the risks associated with identifiable information and any
compliance costs associated with obtaining customer approval.
193
62. Reasonable Data Security. We require telecommunications carriers to take reasonable
measures to secure customer PI. We decline to mandate specific activities that providers must undertake
in order to meet this reasonableness requirement. We do, however, offer guidance on the types of data
190
See supra Part III.C.
191
See supra Part III.D.
192
See id.
193
See supra Part III.B.4.
Federal Communications Commission FCC 16-148
199
security practices we recommend carriers strongly consider as they seek to comply with our data security
requirement, while recognizing that what constitutes “reasonable” data security is an evolving concept.
When considering whether a carrier’s data security practices are reasonable, we will weigh the nature and
scope of the carrier’s activities, the sensitivity of the underlying data, the size of the carrier, and technical
feasibility. We recognize that the resources and data practices of small carriers are likely to be different
from large carriers, and therefore what constitutes “reasonable” data security for a small carrier and a
large carrier may differ. The totality of the circumstances, and not any individual factor, is determinative
of whether a carrier’s practices are reasonable. By requiring providers to take reasonable data security
measures, we make clear that providers will not be held strictly liable for all data breaches.
194
63. Data Breach Notification Requirements. We require BIAS providers and other
telecommunications carriers to notify affected customers, the Commissionand, when a breach affects
5,000 or more customers, the FBI and Secret Serviceof data breaches that meet a harm-based trigger. In
particular, a carrier must report the breach unless it reasonably determines that no harm to customers is
reasonably likely to occur. Customer breach notifications must include the date, estimated date, or
estimated date range of the breach; a description of the customer PI that was breached; contact
information for the carrier; contact information for the FCC and any relevant state agencies; and
information about credit-reporting agencies and steps customers can take to avoid identity theft.
195
We
also require providers to keep records, for two years, of the dates of breaches and the dates when
customers are notified.
64. When a reportable breach affects 5,000 or more customers, a provider must notify the
Commission and the FBI and Secret Service within seven (7) business days of when the carrier
reasonably determines that such a breach has occurred, and at least three (3) business days before
notifying customers. The Commission will create a centralized portal for reporting breaches to the
Commission and other federal law enforcement agencies.
196
Carriers must notify affected customers
without unreasonable delay, and no later than 30 calendar days following the carriers’ reasonable
determination that a breach has occurred, unless the FBI or Secret Service requests a further delay. When
a reportable breach does not meet the 5,000-customer threshold for reporting to the FBI and Secret
Service, the Commission may be notified of the breach within the same no-more-than-30-days timeframe
as affected customers.
65. Particular Practices That Raise Privacy Concerns. The Order prohibits BIAS providers
from conditioning the provision of service on a customer’s consenting to use or sharing of the customer’s
proprietary information over which our rules provide the consumer with a right of approval.
197
However,
the Order does not prohibit BIAS providers from offering financial incentives to permit the use or
disclosure of such information.
198
The Order requires BIAS providers offering such incentives to provide
clear notice explaining the terms of any financial incentive program and to obtain opt-in consent. The
notice must be clear and conspicuous and explained in a way that is comprehensible and not misleading.
The explanation must include information about what customer PI the provider will collect, how it will be
used, with what types of entities it will be shared, and for what purposes.
199
BIAS providers must make
financial incentive notices easily accessible and separate from any other privacy notifications.
200
When a
194
See supra Part III.E.
195
See supra Part III.F.
196
See id.
197
See supra Part III.G.2.
198
See id.
199
See id.
200
See id.
Federal Communications Commission FCC 16-148
200
BIAS provider markets a service plan that involves an exchange of personal information for reduced
pricing or other benefits, it must also provide at least as prominent information to customers about an
equivalent plan that does not include such an exchange. BIAS providers must also comply with all
notice requirements of our rules when providing a financial incentive notice.
201
F. Steps Take to Minimize the Significant Economic Impact on Small Entities and
Significant Alternatives Considered
66. The RFA requires an agency to describe any significant, specifically small business,
alternatives that it has considered in reaching its proposed approach, which may include the following
four alternatives (among others): “(1) the establishment of differing compliance or reporting requirements
or timetables that take into account the resources available to small entities; (2) the clarification,
consolidation, or simplification of compliance and reporting requirements under the rule for such small
entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of
the rule, or any part thereof, for such small entities.”
202
67. The Commission considered the economic impact on small providers, as identified in
comments filed in response to the NPRM and IRFA, in reaching its final conclusions and taking action in
this proceeding. Moreover, in formulating these rules, we have sought to provide flexibility for small
providers whenever possible, including by avoiding prescription of the specific practices carriers must
follow to achieve compliance.
203
Additionally, harmonizing our rules across all telecommunications
services will reduce and streamline compliance costs for small carriers.
204
We have also adopted a
phased-in implementation schedule, under which small providers are given an extra twelve months to
come into compliance with the notice and approval requirements we adopt today. As discussed below, we
have designed the rules we adopt today with the goal of minimizing burdens on all carriers, and
particularly on small carriers.
68. Providing Meaningful Notice of Privacy Policies. Recognizing the importance of
flexibility in finding successful ways to communicate privacy policies to consumers, we decline to adopt
any specific form or format for privacy notices. We adopt rules that require providers to disclose their
privacy practices, but decline to be prescriptive about either the format or specific content of privacy
policy notices in order to provide flexibility to providers and to minimize the burden of compliance levied
by this requirement. In the interest of further minimizing the burden of transparency, particularly for
small providers, we also direct the Consumer Advisory Committee to develop a model privacy policy
notice that will serve as a safe harbor for our notice requirements.
205
We also decline to adopt specific
notice requirements in mobile formats and we decline to require periodic notices of privacy practices.
206
69. Customer Approval Requirements for the Use and Disclosure of Customer PI. In
formulating customer approval requirements we have taken specific actions to reduce burdens on small
carriers. First, as requested by small carriers and other commenters, we harmonize the voice and BIAS
customer approval regimes into one set of rules.
207
Second, we do not require carriers to provide a
“privacy dashboard” for customer approvals; carriers may use any choice mechanism that is easy to use,
persistently available, and clearly and conspicuously provided. This reduces the need for small carriers to
201
See supra Part III.C.
202
5 U.S.C. § 603(c)(1)(c)(4).
203
See supra, e.g., Parts III.E.1; III.F.1.
204
See, e.g., ACA Comments at 57-58; WTA-NexTech Ex Parte at 1-2.
205
See supra paras. 153-155.
206
See supra paras. 143, 152.
207
See supra para. 171.
Federal Communications Commission FCC 16-148
201
develop specific customer service architecture.
208
Third, we decline to require a specific format for
accepting customer privacy choices and therefore allow carriers, particularly small carriers, that lack
sophisticated websites or apps to accept customer choices through other means, such as by email or
phone, so long as these means are persistently available. Fourth, we eliminate the periodic compliance
documentation and reporting requirements that create recordkeeping burdens in our pre-existing CPNI
rules.
209
To further reduce compliance burdens, we have clarified that choice solicitations may be
combined a carrier’s other privacy policy notices.
70. Reasonable Data Security. In the NPRM we proposed rules that included an overarching
data security expectation and specified particular types of practices that carriers would need to implement
to comply with that standard, while allowing carriers flexibility in implementing the proposed
requirements. Based on the record in this proceeding, we have modified the overarching data security
standard to more directly focus on reasonableness of the carriers’ data security practices based on the
particulars of the carrier’s situation. Also based on the record, we decline to mandate specific activities
that carriers must undertake in order to meet the reasonable data security requirement. We do, however,
offer guidance on the types of data security practices we recommend carriers strongly consider as they
seek to comply with our data security requirementrecognizing, of course, that what constitutes
“reasonable” data security is an evolving concept.
210
This guidance should be of particular benefit to
smaller providers that may have less established data security programs. Also, our rule directs all
providersincluding small providersto adopt contextually appropriate security practices. Contextual
factors specified in the rule include the size of the provider and nature and scope of its activities. In
including such factors, we take into account small providers’ concerns that certain security measures that
may be appropriate for larger carriers, such as having a dedicated official to oversee data security
implementation, are likely beyond the needs and resources of the smallest carriers.
71. Data Breach Notification Requirements. In formulating our data breach rules, we
specifically considered their impact on small carriers and crafted rules designed to balance the burdens on
small carriers with the privacy and information security needs of those carriers’ customers. First, our
adoption of a harm-based trigger substantially reduces compliance burdens on small carriers by not
requiring excessive notifications and by granting carriers the flexibility to focus their limited resources on
preventing and ameliorating breaches, rather than issuing notifications for inconsequential events. The
record shows that because small carriers tend to collect and use customer data far less extensively than
larger carriers, they are less likely to have breaches that would trigger the notification requirements of our
rules.
211
Second, our customer notification timeline also provides small carriers with greater flexibility;
allowing up to 30 days to notify customers of a breach allows small carriers with fewer resources more
time to investigate than the 10 days originally proposed. Third, we are creating a centralized portal for
reporting data breaches to the Commission and law enforcement. This will streamline the notification
process, which particularly reduces burdens on small carriers with fewer staff dedicated to breach
mitigation.
212
Finally, for breaches affecting fewer than 5,000 customers, we extend the Commission
notification deadline from seven (7) business days to thirty (30) calendar days. This provision will
significantly reduce compliance burdens for small carriers, many of whom have fewer than 5,000
customers.
213
72. Implementation. To provide certainty to customers and carriers alike, we establish a
208
See supra Part III.D.4.
209
See supra Part III.D.5.
210
See supra Part III.E.2.
211
See supra Part III.F.1.
212
See supra Part III.F.2.
213
See supra Part III.F.3.
Federal Communications Commission FCC 16-148
202
timeline by which carriers must implement the privacy rules we adopt today. Carriers that have complied
with FTC and industry best practices will be well-positioned to achieve prompt compliance with our
privacy rules. We recognize, however, that carriers, especially small carriers, will need some time to
update their internal business processes as well as their customer-facing privacy policies and choice
mechanisms in order to come into compliance with some of our rules.
214
73. The notice and choice rules we adopt today will become effective the later of (1) eight
weeks after announcement PRA approval, or (12) twelve months after the Commission publishes a
summary of the Order in the Federal Register. Carriers will need to analyze the new, harmonized privacy
rules as well as coordinate with various business segments and vendors, and update programs and
policies. Carriers will also need to engage in consumer outreach and education. These implementation
steps will take time and we find, as supported in the record, that twelve months after publication of the
Order in the Federal Register is an adequate minimum implementation period to implement the new
notice and approval rules.
215
In order to minimize disruption to carriers’ business practices, we do not
require carriers to obtain new consent from all their customers. Rather, we treat as valid or “grandfather”
any customer consent that was obtained prior to the effective date of our rules and thus is consistent with
our new requirements. We decline to more broadly grandfather preexisting consents obtained by small
carriers because we find that the parameters set forth in our rules create the appropriate balance to limit
compliance costs while providing customers the privacy protections they need.
216
74. The data breach rule we adopt today will become effective the later of (1) eight weeks
after announcement PRA approval, or (2) six months after the Commission publishes a summary of the
Order in the Federal Register. Although we recognize that carriers may have to modify practices and
policies to implement our new rule, we find the harm trigger we adopt and timeline for notifying
customers lessen the implementation requirements. Moreover, harmonization of our data breach rule for
BIAS and voice services enable providers to streamline their notification processes, which should also
lessen carriers’ need for implementation time. Given these steps to minimize compliance burdens, we
find six months is an adequate minimum timeframe.
217
75. The data security requirements we adopt today will become effective 90 days after
publication of a summary of the Order in the Federal Register. We find this to be an appropriate
implementation period for the data security requirements because carriers should already be largely in
compliance with these requirements because the reasonableness standard adopted in this Order provides
carriers flexibility in how to approach data security and resembles the obligation to which they were
previously subject pursuant to Section 5 of the FTC Act. We therefore do not think the numerous steps
outlined by commenters that would have been necessary to comply with the data security proposals in the
NPRM apply to the data security rules we adopt.
218
76. The prohibition on conditioning offers to provider BIAS on a customer’s agreement to
waive privacy rights will become effective 30 days after publication of a summary of the Order in the
Federal Register. We find that unlike other privacy rules, consumers should benefit from this prohibition
promptly. We find no basis for any delay in the effective date of this important protection. All other
privacy rules adopted in the Order will be effective 30 days after publication of a summary of the Order in
214
See supra Part III.I.
215
See supra Part III.I.1.
216
See supra Part III.I.3.
217
See supra Part III.I.1.
218
See id.
Federal Communications Commission FCC 16-148
203
the Federal Register.
219
We also adopt a uniform implementation timetable for both BIAS and other
telecommunications services.
220
77. To provide additional flexibility to small carriers, we give small carriers an additional
twelve months to implement the notice and customer approval rules we adopt today.
221
We find that an
additional one-year phase-in will allow small providers time to make the necessary investments to
implement these rules. The record reflects that small providers have comparatively limited resources and
rely extensively on vendors over which they have limited leverage to compel adoption of new
requirements. We recognize our notice and choice framework may entail upfront costs for small carriers.
As such, we find that this limited extension is appropriate.
222
78. We have considered, but opt against, providing small providers with even longer or
broader extension periods, or with exemptions from the rules, as some commenters suggest.
223
In part,
this is because the measures we have taken to reduce burdens for small providers have in many cases
mitigated commenters’ specific concerns. For instance, we find that we have addressed small provider
concerns about the adoption of specific security requirements, such as annual risk assessments, by
adopting a data security rule that does not prescribe any such requirements.
224
Moreover, as advocated by
small providers, we adopt a customer choice framework that distinguishes between sensitive and non-
sensitive customer information, as well as decline to mandate a customer-facing dashboard to help
manage their implementation and compliance costs. Furthermore, we find that our data breach
notification requirements and “take-it-or-leave-it” prohibition do not require implementation extension for
small providers as compliance with these protections should not be costly for small carriers that generally
collect less customer information and use customer information for narrower purposes.
79. Report to Congress: The Commission will send a copy of the Order, including this
FRFA, in a report to be sent to Congress pursuant to the Congressional Review Act.
225
In addition, the
Commission will send a copy of the Order, including this FRFA, to the Chief Counsel for Advocacy of
the SBA. A copy of the Order and FRFA (or summaries thereof) will also be published in the Federal
Register.
226
219
See id.
220
See supra Part III.I.2.
221
See supra Part III.I.4.
222
See id.
223
See supra Appx. B, Part VI.B.
224
See supra Part III.E.1.
225
See 5 U.S.C. § 801(a)(1)(A).
226
See 5 U.S.C. § 604(b).
Federal Communications Commission FCC 16-148
204
STATEMENT OF
CHAIRMAN TOM WHEELER
Re: Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC
Docket No. 16-106.
Last week, I visited Consumer Reports’ headquarters in Yonkers, New York, where I toured their
product testing facility and met with senior leadership. When looking at a smart refrigerator that collects
and shares data over the Internet, the discussion turned to privacy. Who would have ever imagined that
what you have in your refrigerator would be information available to AT&T, Comcast, or whoever your
network provider is?
The more our economy and our lives move online, the more information about us goes over our
Internet Service Provider (ISP) and the more consumers want to know how to protect their personal
information in the digital age.
Today, the Commission takes a significant step to safeguard consumer privacy in this time of
rapid technological change, as we adopt rules that will allow consumers to choose how their Internet
Service Provider (ISP) uses and shares their personal data.
The bottom line is that it’s your data. How it’s used and shared should be your choice.
Over the past six months, we’ve engaged with consumer and public interest groups, fixed and
mobile ISPs, advertisers, app and software developers, academics, other government actors including the
FTC, and individual consumers, to figure out the best approach. Based on the extensive feedback we’ve
received, we crafted today’s rules to provide consumers increased choice, transparency and security
online.
The time has also come to address the harmful impacts of mandatory arbitration requirements on
consumers of communications services. To address this issue comprehensively, we have begun an
internal process designed to produce a Notice of Proposed Rulemaking on this important topic by
February 2017.
I want to thank the FTC and the Administration for leading the way with the FTC’s privacy
framework, and the Administration’s Consumer Privacy Bill of Rights.
I’d like to acknowledge the companies who believe consumers care about privacy, and came to
the table with constructive feedback.
To the consumer and public interest groups who have for years fought for consumer privacy
protections in a digital age, thank you.
To our incredibly talented wireline bureau team lead by Matt DelNero and Lisa Hone, your hard
work and dedication is inspiring.
And to the Chairman’s Office team, led by Ruth Milkman and Stephanie Weiner. Thank you.
Federal Communications Commission FCC 16-148
205
STATEMENT OF
COMMISSIONER MIGNON L. CLYBURN
APPROVING IN PART AND CONCURRING IN PART
Re: Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC
Docket No. 16-106.
Why has this Commission, received more than a quarter of a million filings, of which the vast
majority show support for the adoption of strong privacy rules? Because consumers care deeply about
their privacyand so should we.
Ninety-one percent of Americans believe, consumers have lost control of how their personal
information is collected, and used by companies. That’s ninety-one percent. With news seemingly
breaking every week, about a cyberattack, massive data breaches, and companies collecting and selling
customer data to government agencies, that number should come as no surprise to anyone.
So when faced with the question, of should I support requiring companies to give consumers
more notice, more choice, and more transparency, you hear no double speak from me. Simply put,
additional consent here means, that consumers will have more of a say, in how their personal information
is used—and I for one, think that is a good thing.
Today, we substantially adopt the FTC’s framework on privacy, with some tweaks to account for
the current era, and unique position broadband providers occupy in our everyday lives. Where we deviate,
we do so with the protection of consumers in mind. This Order, I am proud to say, adopts strong privacy
protections, and provides robust choice for those who consent to the use, or sharing of their information,
as a means of receiving new products, more targeted advertising, or other innovative offerings made
possible by big data.
I am grateful to the Chairman and Commissioner Rosenworcel, who agreed to many of my edits.
In particular, this item incorporates my suggestions to account for people with disabilities and strengthens
protections for protected classes under our national civil rights laws. It also toughens our pay-for-privacy
safeguards, and improves the abilities of businesses to contract for their own privacy protections.
But what it does not do, is address the issue of mandatory arbitration, an issue I outlined in my
remarks at the #Solutions2020 Forum last week. Mandatory arbitration, put simply, forces consumers
with grievances against a company, out of the court system, and into a private dispute resolution system.
In other words, their options are limited.
In an op-ed appearing in TIME earlier this week, Senator Franken and I described in detail, why
mandatory arbitration is a consumer un-friendly practice.
For those who take exception, I must remind them that in this privacy proceeding, we did provide
notice, we developed a record, and had an opportunity to give relief to millions of consumers nationwide,
including the 99.9% of mobile wireless customers, who are forced to give up their day in court when they
sign up for connectivity. In a rulemaking about transparent notice and choice to consumers for their
privacy, I believe it is a natural fit to ensure transparent notice and choice, in the context of dispute
resolution.
Public justice systems, discipline private conduct. But private justice systems are “an oxymoron,”
according to one appeals court judge, and he is not alone in that thought. The Consumer Financial
Protection Bureau, has found that limiting forced arbitration clauses, have a powerful deterrent effect,
resulting in companies changing business practices in more consumer-friendly ways. An inscrutable,
unfairly levied below-the-line fee on a bill, may be disputed by a thousand consumers, but a provider can
collect that fee from a million customers who may never notice that line item as they pay their monthly
bill.
Federal Communications Commission FCC 16-148
206
Without the watchful eye of the court system, a company can limit its losses to those thousand
who do take notice, while keeping the proceeds from the millions who did not. And as one arbitrator put
it, “why would an arbitrator cater to a person they will never see again,” over a corporation who is
repeatedly footing the bill?
Several agencies have stepped up and declared these provisions unlawful in other contexts, and
yes, I am disappointed that we did not join this vanguard, in ensuring that consumers are not unwittingly
giving up their day in court, when they sign up for communications services. And because of this, I
respectfully concur in part. Nevertheless, I am heartened, Mr. Chairman, that we are committed to
addressing this issue, in a separate proceeding, with a firm timeline.
To the Wireline Competition Bureau and Office of General Counsel staff, who have wrestled
through these difficult issues for years, and somewhat frenetically over the past few days, I thank you.
You have further empowered the American consumer through this item, and for that, and more, I am
grateful.
Federal Communications Commission FCC 16-148
207
STATEMENT OF
COMMISSIONER JESSICA ROSENWORCEL
Re: Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC
Docket No. 16-106.
To understand the future of privacy, I think it is important to begin by focusing on the forces
shaping our new digital world. I see three.
First, we live in an era of always-on connectivity. Connection is no longer just convenient. It
fuels every aspect of modern civic and commercial life. Sitting outside this connectivity is consigning
yourself to the wrong side of the digital divideand that has a cost because it hampers any shot at 21
st
century success.
Second, it used to be that the communications relationship was primarily between a customer and
his or her carrier. But the number of third parties participating in our digital age connections and
transactions has multiplied exponentially. Dial a call, write an e-mail, make a purchase, update a profile,
peruse a news site, store photographs in the cloud, and you should assume that service providers,
advertising networks, and companies specializing in analytics have access to your personal information.
Lots of it. For a long time. Our digital footprints are no longer in sand; they are in wet cement.
Third, the monetization of data is big business. The cost of data storage has declined
dramatically. The market incentives to keep our data and slice and dice it to inform commercial activity
are enormousand they are going to grow.
Today these forces collide for all of us in our lives lived online, where what we download, post,
say and do says so much about who we are to the world.
But the truth is we are just getting started. Because the future will feature a whole new world of
the Internet of Things, where the connectivity we have today will look quaint. Every piece of
machinery, pallet of equipment, thermostat, smoke detector, street light, garbage pail, parking meter
you name itwill be a connected device. This creates powerful opportunities that will make us more
effective and more efficient, our cities smarter and our communities more connected. But these benefits
come with big security challenges. We had an object lesson in these challenges last weekend, with one
of the largest Distributed Denial of Service attacks in history, with botnets taking control of insecure
connected devices, and compromising them by flooding servers and sites with overwhelming traffic.
So when consumers survey this new digital landscape they wonder what privacy means. They do
not want the digital age to decimate their fabled right to be left alone. They want privacybut more
importantly they want control. They want to control the whiplash from these new digital forcesand
take some ownership of what is done with their personal information.
Today, the Commission provides consumers with the tools to do just that. We updatefor the
first time in nearly a decadeour privacy policies under Section 222 of the Communications Act. We
establish new rules protecting the privacy of broadband customers. We adopt an opt-in regime for use
and sharing of sensitive customer personal information and an opt-out regime for use and sharing of non-
sensitive customer personal information. We put in place data security and breach notification policies
so every consumer has confidence that efforts are in place to prevent harm from unlawful access to their
data.
This is real privacy control for consumers. It helps in the here and now. But with respect to the
future of privacy, I think we still have work to do.
Our domestic privacy policies largely rest on a foundation of old sector-specific laws. So
continuing work to harmonize our privacy frameworks is hardbut deserves time and attention. To this
end, the policies we adopt today are in many ways in sync with the approach taken by our colleagues at
the Federal Trade Commission under Section 5 of the Federal Trade Commission Act. To the extent
Federal Communications Commission FCC 16-148
208
they are not, let’s face the factswe are dealing with old laws, new technologies, and hard choices about
existing regulatory schemes.
Privacy policy discussion, including ours here today, frequently focuses on three values
transparency, choice, and security. But I think it is time to introduce a fourthsimplicity. The forces at
work in the digital world today are only going to make privacy more complex for all of us to control. But
consumers should not have to be network engineers to understand who is collecting their data and they
should not have to be lawyers to understand if their information is protected. So it is incumbent on every
policymaker with privacy authority to think about how to make our policies more simple and more
consistent. In fact, I think it is time for a 21
st
century inter-agency privacy council, where this
Commission and our colleagues across government can do a better job of aligning privacy policies across
the board. That won’t be easy. But for the future of privacy, future of consumer control, and future of the
digital economyit will be worth the effort.
Federal Communications Commission FCC 16-148
209
DISSENTING STATEMENT OF
COMMISSIONER AJIT PAI
Re: Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC
Docket No. 16-106.
For the last two decades, the United States has embraced a technology-neutral framework for
online privacy. Administered by the Federal Trade Commission, this framework applied across all
sectors of the online ecosystem. It reflected the uniform expectation of privacy that consumers have
when they go online. It didn’t matter whether an edge provider or ISP obtained your data. And it
certainly didn’t matter whether, as a consumer, you understood what those regulatory classifications
meantlet alone the technical and legal intricacies that dictate when a single online company is operating
in its capacity as an edge provider as opposed to an ISP. Regardless of all of that, the FTC’s unified
approach meant that you could rest assured knowing that a single and robust regulatory approach
protected your online data.
1
That’s why since the beginning of this proceeding, I have pushed for the Federal
Communications Commission to parallel the FTC’s framework as closely as possible. I agreed with my
colleague that consumers have a “uniform expectation of privacy” and that the FCC thus “will not be
regulating the edge providers differently” from ISPs.
2
I agreed that “consumers should not have to be
network engineers to understand who is collecting their data and they should not have to be lawyers to
determine if their information is protected.”
3
I agreed that “harmonizing FCC policies with other federal
authorities with responsibilities for privacy is a responsible course of action.”
4
And I agreed with the
FTC when it said that an approach that imposes unique rules on ISPs that do not apply to all online actors
that collect and use consumer data is “not optimal.”
5
These are the core principles that I have held
throughout this proceeding.
I was disappointedbut not surprisedwhen FCC leadership circulated an Order that departed
so dramatically from those principles. Over the past three weeks, my office diligently pursued a
compromise framework that would have minimized the vast differences between the Order’s approach
and the FTC’s regimeone that would have protected consumer privacy while also allowing for more
competition in the online advertising market, where edge providers are currently dominant.
For example, I asked my colleagues to acknowledge that persistent online identifiers (like static
IP addresses) pose a larger privacy issue than more transitive identifiers. Distinguishing between the two
in our de-identification standard would incentivize ISPs to compete with edge providers for online ads
and do so through more privacy-protective technologies. Unfortunately, my colleagues were unwilling to
compromise on thisor in any other meaningful respect.
1
Indeed, the Obama Administration itself told the European Union that the FTC framework was strong and that
nothing more, from a regulatory perspective, was needed to protect online consumers against predatory practices.
2
Statement of Chairman Tom Wheeler, Hearing before the U.S. House of Representatives Subcommittee on
Communications and Technology, “Oversight of the Federal Communications Commission,” Preliminary Transcript
at 141 (Nov. 17, 2015).
3
Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-
106, Notice of Proposed Rulemaking, 31 FCC Rcd 2500, 2637 (2016) (Statement of Commissioner Jessica
Rosenworcel).
4
Commissioner Jessica Rosenworcel Responses to Questions for the Record Submitted to the House Energy and
Commerce Subcommittee on Communications and Technology’s Hearing on “Oversight of the Federal
Communications Commission” at 3 (July 12, 2016), available at http://bit.ly/2eOhvkg.
5
Federal Trade Commission Bureau of Consumer Protection Staff Comments at 8.
Federal Communications Commission FCC 16-148
210
That leaves us with rules that radically depart from the FTC framework. And that leaves us with
rules that apply very different regulatory regimes based on the identity of the online actor. As my
colleagues’ earlier comments make clear, as the FTC has made plain, this makes no sense.
Now, today’s Order tries to justify this new and complex approach by arguing that ISPs and edge
providers see vastly different amounts of your online data. It recounts what it says is a vast sea of data
that ISPs obtain. It then says that “By contrast, edge providers only see a slice of any given consumers
Internet traffic.”
6
A “slice.” Really? The era of Big Data is here. The volume and extent of personal
data that edge providers collect on a daily basis is staggering. But because the Order wants to treat ISPs
differently from edge providers, it asserts that the latter only sees a “slice” of consumers’ online data.
This is not data-driven decision-making, but corporate favoritism.
The reality—something today’s Order does not acknowledgeis that edge providers do not just
see a slice of your online data. Consider what the Electronic Privacy Information Center told us:
The FCC describes ISPs as the most significant component of online communications
that poses the greatest threat to consumer privacy. This description is inconsistent with
the reality of the online communications ecosystem. Internet users routinely shift from
one ISP to another, as they move between home, office, mobile, and open WiFi services.
However, all pathways lead to essentially one Internet search company and one social
network company. Privacy rules for ISPs are important and necessary, but it is obvious
that the more substantial threats for consumers are not the ISPs.
7
Indeed, any review of the headlines rebuts the FCC’s assertion that edge providers only see a
fraction of your data. Consider these stories, almost all from just the past few weeks: “Google quietly
updates privacy policy to drop ban on personally identifiable web tracking.”
8
“Privacy Debate Flares
With Report About Yahoo Scanning Emails.”
9
“Apple keeps track of all the phone numbers you contact
using iMessage.”
10
“Twitter location data reveals users’ homes, workplaces.”
11
“Amnesty International
rates Microsoft’s Skype among worst in privacy.”
12
But due to the FCC’s action today, those who have more insight into consumer behavior (edge
providers) will be subject to more lenient regulation than those who have less insight (ISPs). This doesn’t
make sense. And when you get past the headlines, slogans, and self-congratulations, this is the reality
that Americans should remember: Nothing in these rules will stop edge providers from harvesting and
monetizing your data, whether it’s the websites you visit or the YouTube videos you watch or the emails
you send or the search terms you enter on any of your devices.
6
Order at para. 30.
7
EPIC Comments at 15.
8
Anmol Sachdeva, Google quietly updates privacy policy to drop ban on personally identifiable web tracking, The
Tech Portal (Oct. 21, 2016), available at http://bit.ly/2dIvcmY.
9
Robert McMillan & Damian Paletta, Privacy Debate Flares With Report About Yahoo Scanning Emails, Wall
Street Journal (Oct. 5, 2016), available at http://on.wsj.com/2dI7ovW.
10
Oscar Raymundo, Apple keeps track of all the phone numbers you contact using iMessage, MacWorld (Sept. 28,
2016), available at http://bit.ly/2ev8QVi.
11
Patrick Nelson, Twitter location data reveals users’ homes, workplaces, NetworkWorld (May 18, 2016), available
at http://bit.ly/1XmHAYf.
12
Dennis Bednarz, Amnesty International rates Microsoft’s Skype among worst in privacy, WinBeta (Oct. 23,
2016), available at http://bit.ly/2f8RnDv.
Federal Communications Commission FCC 16-148
211
So if the FCC truly believes that these new rules are necessary to protect consumer privacy, then
the government now must move forward to ensure uniform regulation of all companies in the Internet
ecosystem at the new baseline the FCC has set.
That means the ball is now squarely in the FTC’s court. The FTC could return us to a level
playing field by changing its sensitivity-based approach to privacy to mirror the FCC’s. No congressional
action would be needed in order for the FTC to establish regulatory consistency and prevent consumer
confusion.
Were it up to me, the FCC would have chosen a different pathone far less prescriptive and one
consistent with two decades of privacy law and practice. The FCC should have restored the level playing
field that once prevailed for all online actors using the FTC’s framework. After all, as everyone
acknowledges, consumers have a uniform expectation of privacy. They shouldn’t have to be network
engineers to understand who is collecting their data. And they shouldn’t need law degrees to determine
whether their information is protected.
But the agency has rejected that approach. Instead, it has adopted one-sided rules that will
cement edge providers’ dominance in the online advertising market and lead to consumer confusion about
which online companies can and cannot use their data. I dissent.
Federal Communications Commission FCC 16-148
212
DISSENTING STATEMENT OF
COMMISSIONER MICHAEL O’RIELLY
Re: Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC
Docket No. 16-106.
Today, the Commission attempts to solve a problem of its own making and, in the process,
creates a host of new ones. Having reclassified broadband Internet access service as a
telecommunications service, the FCC usurped part of the FTC’s role in overseeing broadband privacy.
Not content to inherit a system that, by almost all accounts, was working quite well to protect consumers,
the FCC quickly embarked on an expansionist mission, seeking to impose situationally-defective new
requirements that are stricter than most consumers would ever want or expect and that exceed the
Commission’s authority. Finding itself out of its depth, the FCC was forced to rein in some of the most
extreme proposals and align itself better with the FTC framework. Landing in a less bad spot, however,
should not be confused with setting sound policy. I must dissent for a number of reasons.
Beginning with legal authority, the Commission’s attempt to fit broadband into section 222 is
fundamentally flawed. The plain language of the statute speaks in terms of telephone service.
1
Accordingly, in its effort to shoehorn broadband into this regime, the Commission is forced to ignore or
explain away language that clearly contradicts its position, regulate by analogy, or simply create new
obligations out of thin air.
2
To start, there is no independent authority in section 222(a) to regulate privacy or data security,
regardless of the technology. As I have said before, the purpose of section 222(a) was to set forth the
general parameters of who would be covered by the new rules contained in the other subsections. Before
the 1996 Act, the rules only applied to AT&T, the BOCs, and GTE. Section 222(a) changed that by
extending the general duty to protect proprietary information to all telecommunications carriers, while
sections 222(b) and (c) detail when and how that duty is to be exercised. Specifically, section 222(b)
protects other carriers from anti-competitive practices by requiring the confidentiality of carrier
proprietary information, while section 222(c) protects the privacy expectations of consumers with respect
to their call records by requiring the confidentiality of customer proprietary network information”, or
CPNI. Given this three-part structure, it is not surprising that section 222(a) employs a term proprietary
information that encompasses both the carrier proprietary information used in 222(b) as well as the
CPNI used in section 222(c). It does not give the Commission license to ignore its own history and read
section 222(a) and its terminology out of context.
Additionally, the use of “equipment manufacturers” in subsection (a) does not provide or
authenticate any independent authority to act under the subsection, as the Commission tries to imagine in
this item. Instead, it merely functions to cross reference overall concerns that some believed that
equipment procurement by old-school Bell Operating Companies would lead to sharing of improper
information from manufacturers. To the extent that concern existed, it was addressed directly in various
places in section 273 with specific authority to act provided to the Commission in subsection (g) and,
thus, it is inappropriate to read such authority into section 222(a).
1
See, e.g., CTIA Comments at 16-23; Comcast Comments at 67.
2
Interestingly, when deciding that the section 222(e) exception for subscriber list information does not apply to
broadband subscriber information, the order takes pains to examine the intent of Congress regarding the exception
and analyzes the publishing technologies and information sharing practices that were in place at the time of
enactment. In deciding that the rest of section 222 applies to broadband, however, the order breezes right past
Congressional intent. Accordingly, section 222(e) is focused on “telephone books” or “direct equivalents” (no
“functional equivalents” here) but somehow section 222(c) covers applications.
Federal Communications Commission FCC 16-148
213
Commenters supplied additional reasons that refute the FCC’s interpretation. They point out that
the FCC’s expansive interpretation of section 222(a) cannot stand because it would nullify other
provisions of section 222.
3
And they show that Congress carefully crafted Section 222 to regulate CPNI
and deliberately chose not to use the broader category of “personally identifiable information,or PII,
unlike elsewhere in the Act.
4
These arguments further demonstrate that the order’s interpretation of
section 222(a) is not a permissible or reasonable one. Only a court intent on ignoring its obligations could
not understand what the Commission is attempting to do here.
Since there is no independent authority in section 222(a), the categories of information that the
FCC made up within section 222(a) “customer proprietary information” and its subset “personally
identifiable information” are outside the scope of the provision. Yet even if the Commission attempted
to ground its rules solely in section 222(c), which I do not concede applies to broadband either, it would
still face significant legal problems. Many of the elements that the Commission wants to capture within
its rules are not “customer proprietary network information”.
First, proprietary information is “information that a person or entity owns to the exclusion of
others,” and thus it is not proprietary “if other individuals or entities can access the information and use it
for their own commercial purposes.”
5
That is why, in defining CPNI in section 222(h), Congress
specified that it is limited to information that is made available to carriers “solely by virtue of the carrier-
customer relationship.”
6
Unlike traditional voice calls where the only parties that had access to call
records were those already subject to section 222(c) the local exchange carrier and in some instances the
interexchange carrier multiple parties that are unregulated by section 222 have access to an end users
online activities.
7
Indeed, “an ISP need not rely on its own relationship with its customers to collect
information about their online activities because it could obtain the same information independently (at a
price) from data brokers or other unregulated third parties.”
8
Accordingly, this information would fall
outside the scope of section 222(c).
9
The order responds that proprietary information can’t mean information kept secret from
everyone else, because other personal information would not be protected by the CPNI rules. And it
resorts to platitudes that adhering to the law as it is drafted would “undermine the privacy protective
purpose of the statute.” But those arguments misunderstand the limited purpose of section 222. It was
never intended to cover all information about a person. It defines and protects a specific set of call record
information, and until just recently, that has been the Commission’s interpretation as well.
10
Far from
3
See, e.g., CTIA Comments at 27; AT&T Comments at 105-107; Verizon Comments at 57-58.
4
Verizon Comments at 58-59 (citing Whitman v. American Trucking Ass’ns, Inc., 531 U.S. 457, 468 (2001); Dole
Food Co. v. Patrickson, 538 U.S. 468, 476 (2003)).
5
CTIA Comments at 34.
6
47 U.S.C. § 222(h).
7
AT&T Comments at 101.
8
Id. at 102.
9
Even under the Commission’s erroneous theory, to which I do not subscribe, that section 222(a) provides
independent authority, this type of information would have to be excluded because section 222(a) likewise uses the
term proprietary. Accordingly, section 222(a) also does not cover PII. Verizon also makes the point that, at most,
section 222(a) requires “that carriers ‘protect the confidentiality’ of information; it does not govern permissible uses
of information” and, therefore, “is far too thin a reed to authorize the entire regulatory apparatus the Commission
proposes to erect for PII that is not CPNI.” Verizon Comments at 59.
10
See, e.g., Verizon Comments at 56 (“The fact that the Commission has only nowafter 18 years claimed to
discover new authority within Section 222 over all PII held by all telecommunications carriers, rather than only
CPNI, belies that novel statutory interpretation. As the Supreme Court has cautioned, ‘[w]hen an agency claims to
discover in a long-extant statute an unheralded power to regulate a significant portion of the American economy, we
(continued….)
Federal Communications Commission FCC 16-148
214
creating a gap, as the order claims, Congress made an intentional allocation of responsibility. Section 222
directs the Commission to protect a discrete category of information and, to the extent Congress is
concerned about other types of information, it has enacted other laws covering them, and it can enact
additional laws going forward. The FCC is not empowered to supplement its own authority, even if it
believes it has policy reasons to do so.
11
At times, the order runs circles around itself. For instance, the order takes the position that
“proprietary information” covers “information that should not be exposed widely to the public.” But
when confronted with the fact that IP addresses are necessarily disclosed on the open Internet to make the
service work, the order responds that “whether information is available to third parties does not affect
whether it meets the statutory definition of CPNI.”
12
Second, section 222(c)(1) is limited to “individually identifiable” CPNI. Therefore, the order’s
inclusion of information that is reasonably linked or linkable to a person or device is impermissibly
broad.
13
If a device “cannot be linked to a specific individual[,] . . . information that may be linked to the
device would fall outside the scope of the statute and should not be subject to these rules.”
14
As a backstop, the order also lists a number of other provisions that provide absolutely no
authority for these rules.
15
As I’ve said before, those provisions were never intended to regulate privacy
or data security. In addition, by specifically enacting section 222, Congress made clear that the authority
to regulate privacy is found in that provision. Any other reading would render section 222 superfluous.
While the FCC has no authority to adopt broadband privacy rules, I am compelled to comment on
the serious deficiencies in the rules themselves in the event that somehow a court erroneously,
irresponsibly and lawlessly finds that there is authority for them. In particular, the order fails to
adequately justify the rules, including why it takes a different approach from the FTC in several key
respects, leaving ISPs with substantially greater burdens than other Internet companies. The order falls
back on the tired refrain that broadband providers are “gatekeepers” and that, in that role, they are able to
see more information about their customers than edge providers. This ridiculous notion has been
thoroughly debunked in the record.
16
The fact that consumers use multiple platforms to access the
(Continued from previous page)
typically greet its announcement with a measure of skepticism. We expect Congress to speak clearly if it wishes to
assign to an agency decisions of vast economic and political significance.’”) (citing Utility Air Regulatory Grp. v.
EPA, 134 S. Ct. 2427, 2444 (2014) (citation and internal quotation marks omitted)).
11
For example, the order now claims that a broad definition of protected information is required to better align FCC
rules with the FTC approach. Putting aside for a moment the fact that the FCC does not actually line up with the
FTC approach in several key respects, the FCC cannot exceed the limits of the authority delegated to it by Congress.
As one commenter noted: “The law is clear that an agency cannot ‘use its definitional authority to expand its own
jurisdiction.’” Comcast Comments at 68 (citing Am. Bankers Ass’n v. SEC, 804 F.2d 739, 754-55 (D.C. Cir. 1986)).
12
Of course, IP addresses do not qualify as CPNI in any event, as commenters have demonstrated. See, e.g.,
Comcast Comments at 77-81.
13
See, e.g., AT&T Oct. 17, 2016 Ex Parte at 4.
14
Id.
15
See also AT&T Comments at 108-113; CTIA Comments at 59-73.
16
See, e.g., Peter Swire, Associate Director, The Institute for Information Security & Privacy at Georgia Tech, et al.,
Working Paper, Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by
Others at 24-25 (filed May 27, 2016); EPIC Comments at 16 (“The FCC describes ISPs as the most significant
component of online communications that poses the greatest threat to consumer privacy. This description is
inconsistent with the reality of the online communications ecosystem. Internet users routinely shift from one ISP to
another, as they move between home, office, mobile, and open WiFi services. However, all pathways lead to
essentially one Internet search company and one social network company.”); Comcast Comments at 26-34; Verizon
Comments at 16-24.
Federal Communications Commission FCC 16-148
215
Internet, coupled with the increasing prevalence of encryption, significantly undermines the order’s
claims that broadband providers have unique or unparalleled access to customers and their information.
The Commission’s lame attempt at discounting the traffic subject to encryption does a disservice to
common sense and ignores the plain fact that consumer traffic from the most popular Internet sites is
already encrypted with more to come. Accordingly, to the extent that the rules rely on the faulty
gatekeeper proposition, the Commission should be overturned for that reason alone.
The FCC claims that, in moving to a sensitivity-based framework, the rules will be “more
properly calibrated to customer and business expectations.” But requiring opt-in notice for web browsing
history and application usage data is a significant departure from the FTC approach, which is the basis for
current expectations.
17
Under the FTC approach, those categories have not been treated as sensitive.
While this approach has been in effect, there has been no evidence of any privacy harms, and businesses
have been able to “provide great value to consumers in the form of discounts, convenient features, and
other new and innovative services.”
18
Requiring opt-in consent for these categories will destroy that value
and upend years of settled expectations, burdening rather than benefitting most users.
19
It will also create confusion. Consumers will receive notices from the broadband providers
asking them to opt in. If they do not opt in, but continue to see advertisements based on their web
browsing and application usage, some will understandably assume that their broadband providers are
violating their privacy policies when, in fact, the ads originate from third parties not subject to FCC
rules.
20
It is also unnecessary. As commenters pointed out, to the extent that web browsing history and
application usage data concerns sensitive information, such as health or financial records, it is already
covered by the other categories that the FTC, and now the FCC, consider to be sensitive.
21
Commenters
also submitted documentation into the record showing how broadband providers and other Internet
companies currently differentiate and avoid the use of sensitive web browsing and application usage
information under the current FTC framework.
22
Therefore, there is no reason to adopt an added layer of
sensitivity that sweeps too broadly.
17
See, e.g., ITTA Oct. 21, 2016 Ex Parte at 2-3 (noting that “Web browsing and app usage history are not
considered sensitive by the FTC” that “the FTC’s Privacy Report endorsed an opt-out approach towards web
browsing data used for behavioral advertising” and that “[a]gainst the backdrop of the longstanding, embedded
commercial practice of consumers benefiting from targeted advertising based on web browsing history, consumers
do not have the same expectations of privacy in this context as they do with other categories of information.”).
18
T-Mobile Oct. 14, 2016 Ex Parte at 2. See also, e.g., Comcast Comments at 26-34; Verizon Comments at 17-24.
19
See, e.g., Comcast Comments at 44-52; T-Mobile Oct. 14, 2016 Ex Parte at 1-2.
20
See, e.g., Comcast Comments at 43; ITTA Oct. 21, 2016 Ex Parte at 3.
21
Comcast Comments at 43.
22
See, e.g., Internet Commerce Coalition Oct. 18, 2016 Ex Parte at 2-3 (describing how ISPs and Internet
companies use a combination of “white lists” and “black lists” that “isolate and exclude data categorized as sensitive
by the FTC”); AT&T Oct. 17 Ex Parte at 3 (“Like any other Internet company, a broadband provider can avoid the
use of sensitive information by categorizing website and app usage based on standard industry interest categories
established by the Interactive Advertising Bureau (‘IAB’) and other leading industry associations. This process
involves correlating non-content web address or app information (e.g., visit to a sports website) with a pre-
established “white list” of permissible interest categories (e.g., sports lover) available from the IAB. The list of
interest categories can be refined as needed to exclude any sensitive categories.”); American Association of
Advertising Agencies et. al Oct. 21, 2016 Ex Parte at 2 (“[C]ompanies across the Internet, including ISPs, have for
decades used a combination of administrative and technical controls to limit the use of sensitive data for marketing
and advertising purposes, absent consumer consent. These practices were developed to comply with the FTC’s
privacy framework and the self-regulatory program administered by the DAA.”); Future of Privacy Forum Reply at
(continued….)
Federal Communications Commission FCC 16-148
216
The order responds that it is better to be overinclusive because what is non-sensitive to most
people could be sensitive to some. But, again, given that there has been no evidence of harm while this
approach has been in effect at the FTC, there is no reason to re-draw the line in a way that will burden
most consumers. That is not to say that privacy conscious consumers should have no remedy at all.
Rather, they should be presented with clear notice of how their providers differentiate sensitive
information and have the ability to opt out if they do not think methods are sufficient to protect them.
23
The Commission must realize that an overly broad opt-in regime has significant consequences for
consumers because [i]t is well understood that an opt-in consent mechanism results in far fewer
individuals conveying their consent than is the case under an opt-out consent mechanism” even when
substantial benefits are at stake.
24
As one commenter noted:In the marketing context, a rough rule of
thumb is that opt-out consent mechanisms may yield approximately 82% or much higher of individuals
preserving their consent, whereas an opt-in consent model may yield only approximately 18% or much
lower of individuals consenting.”
25
While the Commission anticipates that, in an opt-in regime, many
consumers will wish to affirmatively exercise choice options, the “statistics on opt-in consent rates cited
above show that this is not the case, and that many individuals will simply not pay attention to the choice
or skip past it to get to the service.”
26
This isn’t consumer choice, it’s recognition of consumer apathy.
Perhaps most troubling is that the order explicitly contemplates that it will apply to the Internet of
Things. And, it makes this sweeping power grab without explaining how it has authority to do so. When
I first cautioned that reclassifying broadband would lead to the FCC regulating edge providers and
applications, some scoffed. Then it happened and now it is front and center again. Here, the FCC is
refreshingly honest about its ambitions in this item, and I have every reason to expect that the
Commission will make good on this vast new stake it has claimed. Those in the edge community should
reconsider their belief that the FCC will never venture into their business models: The Commission is
intentionally setting itself on a collision course with the FTC’s definition with the intention to up the
burdens on edge providers and all technology companies, either here or at the FTC.
The ultimate absurdity of these rules is that broadband providers remain free to purchase and use
the information they need from those other Internet companies, including edge providers, because these
other companies, not covered by the rules, will continue to operate under the FTC’s opt-out regime. The
rules prohibit a broadband provider from using sensitive “customer proprietary information” without opt-
in consent, but “customer proprietary information” is limited to information that the provider “acquires in
(Continued from previous page)
8; Google Oct. 3, 2016 Ex Parte at 1; NCTA Oct. 20, 2016 Ex Parte at 3-5; INCOMPAS Oct. 21, 2016 Ex Parte at
3.
23
ITIF Oct. 20, 2016 Ex Parte at 2.
24
Comcast Comments at 48; Technology Policy Institute Oct. 17, 2016 Ex Parte at 2 (“All available research
suggests that opt-in consent dramatically reduces participation. Any data classified under opt-in is less likely to be
available to support services, innovation, and competition, as we and others discussed in previous filings.”) (citing
Tom Lenard and Scott Wallsten, Technology Policy Institute, An Economic Analysis of the FCC’s Privacy Notice of
Proposed Rulemaking (May 2016); Avi Goldfarb, Catherine E. Tucker and Liad Wagman, Comments on Notice of
Proposed Rule Making: ‘Protecting the Privacy of Customers of Broadband and Other Telecommunications
Services(May 20, 2016)).
25
Comcast Comments at 48 (citing Mindi Chahal, Consumers less likely to ‘opt in’ to marketing than to ‘opt out,’
Marketing Week (May 7, 2014), https://www.marketingweek.com/2014/05/07/consumers-less-likely-to-opt-in-to-
marketing-than-to-opt-out/).
26
Id. at 52.
Federal Communications Commission FCC 16-148
217
connection with its provision of telecommunications service.” Information obtained from an edge
provider does not meet that definition.
27
Therefore, all that the FCC has really done is raise the transaction costs. The FCC, in its typical
nanny state fashion, seems to assume that consumers prefer an opt-in regime. But when consumers find
out the end result is that they may have to pay more for heightened privacy rules that they never asked
for, I doubt they will be grateful that the FCC intervened on their behalf. Indeed, this is a grandiose
attempt to enact legacy talking points into rules so that Commission leadership can pat itself on the back
while consumers receive no actual, practical protections. Added costs and burdens for providers? Yes.
Benefits for consumers? No.
In another departure from the FTC framework and widespread consumer expectations, the order
limits inferred consent to first party marketing within a service category, as well as the marketing of
customer premises equipment (CPE) and communications services commonly bundled together with the
subscriber’s telecommunications service.Here again, there is no rational reason to place undue
restrictions on broadband providers.
28
While allowing providers to inform their customers about certain
bundled offerings is a welcome change to the original, untenable draft, I would have extended inferred
consent to the marketing of all products and services offered by broadband providers and affiliates as long
as the affiliated relationship is clear to consumers.
29
Therefore, at a minimum, I would not require opt out
consent to market new products and services that are “reasonably understood by customers as within the
existing service relationship.”
30
As the record demonstrated, consumers expect to receive information
from their providers about new products, services, and discounts.
31
In addition, if broadband providers
27
And even if the Commission “fixed” the definition, it would still be precluded by the statute from placing
restrictions on a broadband provider’s purchase or use of third-party data. See, e.g., Comcast Comments at 75-76.
28
See, e.g., NCTA Oct. 20, 2016 Ex Parte at 8 (“The FCC has recognized that the statute permits carriers to use
customer data to market products and services distinct from the underlying telecommunications service from which
the data is collected. In interpreting the degree to which Section 222 accommodates first party marketing, the
Commission stated that the relevant inquiry should focus on ‘the customer’s reasonable expectations of privacy in
connection with CPNI.’”) (citing Implementation of the Telecommunications Act of 1996: Telecommunications
Carriers’ Use of Customer Proprietary Network Information, Order on Reconsideration and Petitions for
Forbearance, 14 FCC Rcd 14409, para. 41 (1999) (1999 CPNI Order)).
29
See 2012 FTC Privacy Report at 41-42; Internet Commerce Coalition Oct. 18, 2016 Ex Parte at 4 (explaining that
“first-party marketing of an ISP’s other products and services should be permissible based on implied consent, as
both the FTC and Administration have previously concluded”); NCTA Oct. 20, 2016 Ex Parte at 8 (noting that
“both the FTC and White House privacy frameworks afford companies flexibility to use customer data to engage in
first-party marketing and advertising of their own services based on implied consent”) (citing 2012 FTC Privacy
Report at 40 (“[M]ost first-party marketing practices are consistent with the consumer’s relationship with the
business and thus do not necessitate consumer choice”); The White House, Consumer Data Privacy in a Networked
World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, at 17 (2012)
(“[C]ompanies may infer consent to use personal data to conduct marketing in the context of most first-party
relationships, given the familiarity of this activity in digital and in person commerce, the visibility of this kind of
marketing, the presence of an easily identifiable party to contact to provide feedback, and consumers’ opportunity to
end their relationship with a company if they are dissatisfied with it.”)); ITTA Oct. 21, 2016 Ex Parte at 2-3.
30
AT&T Oct. 17, 2016 Ex Parte at 2 (1999 CPNI Order, 14 FCC Rcd 14409, para. 42). See also NCTA Oct. 20,
2016 Ex Parte at 8; ITTA Oct. 21, 2016 Ex Parte at 2-3.
31
See, e.g., Cox Communications Inc. October 20, 2016 Ex Parte at 2 (“Regulatory authorities and experts
recognize first-party marketing is a wide-spread practice and a well understood tool for establishing and maintaining
. . . customer relationships. Both the FTC and the White House privacy frameworks specifically recognize this
commonly accepted practice and permit companies to use customer data to communicate with their customers and
personalize their customers’ experience based on the customer’s implied consent in most instances. Even existing
FCC CPNI rules permit carriers to use CPNI to engage in some first-party marketing, without customer approval.
Regulating such activities here would be unprecedented and would not reflect customers’ current expectations of
their broadband providers: to anticipate what they want and when they want it, to provide maximum value, and then
(continued….)
Federal Communications Commission FCC 16-148
218
“cannot market new products and services on the same terms as online companies or even other brick
and mortar businesses there will be less incentive to invest and develop new services.”
32
In addition, I was appalled to see a case-by-case approach imported to review mislabeled “pay for
privacy” offers. These are consumer incentives offered every day in the real world and now ISPs will
need to obtain a blessing from an agency that has no privacy experience.
33
The result is that broadband
providers will be reluctant to extend, and may even forgo, valuable offers and discounts that consumers
would want for fear that they will fall into another zero-rating style abyss. From that experience, we
know that the game is perpetually on hold awaiting heavenly intervention, and some players have just
stopped playing. Trying that again here in the privacy context does not make any sense, unless the real
intention is to effectively ban pay for privacy offers without actually saying so in an attempt to avoid a
legal challenge.
Moreover, I reject the Commission’s effort to insert itself into mandatory arbitration clauses by
committing to initiate a proceeding on the issue. As commenters explained in the record, mandatory
arbitration clauses have benefitted both companies and consumers. In particular, “[m]ultiple studies have
found that consumers obtain relief in arbitration at rates higher than they do in court, while being less
costly and time-consuming for consumers than litigation.
34
I have heard the argument that eliminating
these clauses will enable consumers to band together in class action lawsuits, but that is unrealistic. The
fact-specific nature of many of the disputes that end up in arbitration such as an incorrect bill do not
lend themselves to class certification.
35
Any foray into mandatory arbitration clauses is unlikely to withstand legal challenge, so
committing to initiate a proceeding is a complete waste of Commission resources. Under the Federal
Arbitration Act (FAA), any “written provision in any . . . contract evidencing a transaction involving
commerce to settle by arbitration a controversy thereafter arising out of such contract or transaction . . .
shall be valid, irrevocable, and enforceable, save upon such grounds as exist at law or in equity for the
revocation of any contract.”
36
Supreme Court precedent has made clear that Congressional intent to
override the FAA can only be demonstrated through a “contrary congressional command” that is
“discernible from the text, history, or purposes of the statute” and it must be explicit.
37
Accordingly,
“given the stringency of this test, the Supreme Court has never held that any federal statute overrides the
(Continued from previous page)
tell them about it.”) (citations omitted); NCTA Oct. 20, 2016 Ex Parte at 7-8 (also noting that broadband providers
are new entrants to many products and services offered by large edge providers).
32
Cox Communications Inc. October 20, 2016 Ex Parte at 3.
33
Technology Policy Institute Oct. 17, 2016 Ex Parte at 1 (“Requiring regulatory approval for new business models
is likely to reduce experimentation, and reducing the number of potential methods of paying for service is likely to
harm consumers.”); Nokia Oct. 14, 2016 Ex Parte at 2 (describing the benefits of such offers).
34
Verizon Oct. 21, 2016 Ex Parte at 2. See also CTIA Comments at 50-55.
35
See CTIA Comments at 50 (“Most wrongs suffered by wireless consumers are relatively small and individualized,
involving excess charges on a bill, a defective piece of equipment, or the like. These claims are simply too small to
justify paying a lawyer to handle the matter and, in any event, most consumers do not have the resources to do so
and a lawyer is needed to navigate the complicated procedures that apply in court. And claims of this sort cannot be
brought as class actions because they involve facts specific to an individual consumer’s situation. . . . For this large
category of consumer claims, arbitration provides the only realistic option for obtaining a fair resolution of the
dispute.”).
36
Verizon Oct. 21, 2016 Ex Parte at 2 (citing 9 U.S.C. § 2).
37
CTIA Comments at 56 (citing Shearson/Am. Express, Inc. v. McMahon, 482 U.S. 220, 226-227 (1987);
CompuCredit Corp. v. Greenwood, 132 S. Ct. 665, 673 (2012)).
Federal Communications Commission FCC 16-148
219
FAA.”
38
And nothing in section 222 or the Communications Act generally meets that high hurdle.
39
In
short, the Commission would be asking for another muni broadband style reversal.
Shifting to data security and data breach, I recognize that the Commission has significantly
moved away from the irrationally strict and unworkable proposals in the NPRM by adopting a
reasonableness standard for data security and a harm-based approach for data breach notifications.
However, the Commission still lacks authority to adopt all of these rules, and I remain concerned that the
Commission is not giving providers sufficient time to come into compliance.
40
Even the larger providers
requested at least 12 months,
41
but the Commission does not even afford the smallest providers that much
time. The training and auditing alone could take more time than what is given. If it is so important to act
on data security and data breach notifications, then the Commission should at least ensure that it is done
right rather than right now.
As a whole, this order places substantial, unjustified costs on businesses and consumers. Had the
FCC conducted a cost-benefit analysis, which it committed to do but failed to live up to once again, it
would have been unable to justify adopting these significant additional restrictions. Given that consumer
privacy has been adequately protected under the current FTC framework and that there has been no
evidence of any privacy harms, there is no benefit to be gained from increased regulation. On the other
hand, there are substantial costs, including the increased transaction costs to purchase the information
from unregulated Internet companies that will ultimately be passed on to consumers, the lost opportunity
and revenues for broadband providers precluded from competing against Internet companies in the online
advertising space, the foreclosure of innovative services that providers won’t be able to offer and
consumers won’t receive, and the costs to consumers themselves who will be forced to participate in the
opt-in regime and will pay more as a result.
While there are some statements about changes made to reduce compliance costs (i.e., one type of
cost that is reviewed, in part, by the Office of Management and Budget), there is no overall analysis of the
costs and benefits of this order. To the extent Commission leadership promised that rulemakings would
serve as cost-benefit analyses, which I have explained is not adequate to comply with the relevant
Executive Orders in any event, this order never engages in a serious discussion of the costs raised by
commenters, failing to deliver even on that meager promise.
Finally, I want to point out that, despite my fundamental objections to this item based on the lack
of statutory authority to adopt broadband privacy rules, I was willing to try to find common ground on
specific issues, including the treatment of web browsing and app usage information, in order to mitigate
the most harmful aspects of the order. My overtures were completely rebuffed by my colleagues. If
anyone thinks that the only thing standing in the way of a more bipartisan Commission is an intransigent
Commission minority, then this proceeding has proven, once again, that is absolutely incorrect.
38
CTIA Comments at 56.
39
See, e.g., Verizon Comments at 74; CTIA Comments at 56-58.
40
See, e.g., WISPA Comments at 27-28 (seeking a two-year extension for all the Commission rules); ITTA Sept. 30,
2016 Ex Parte at 3 (same).
41
See, e.g., Verizon Sept. 23, 2016 Ex Parte at 1 (“Once rules are adopted, providers must go through an extensive
and complex implementation process. Specifically, providers must perform an assessment of their existing processes
and systems to determine what changes must be made; review, update, and negotiate supplier and other contracts;
update written requirements documents; research, design, code, and test updates to customer care, self-serve, and
back-office applications and systems; train employees and suppliers; draft customer communications; develop notice
methods and periods; and set up a system for ensuring ongoing compliance. These actions will take a significant
amount of time to complete, requiring approximately 18 months from the date rules are adopted.”).