"Privacy" is hot here in Washington. So hot that broadband service providers may soon find themselves subject to new and strengthened privacy and data security regulations touching a wide range of topics including the use of customer data for marketing, cloud computing and cybersecurity. This article provides a brief overview of what's happening, with a particular focus on the Federal Communications Commission's (FCC) activity in this area. While numerous privacy and data security bills with potential implications for broadband providers are pending in Congress, and more are in the works, e.g., Electronic Communication Privacy Act (ECPA) reform, the specifics of these initiatives are beyond the scope of this article.
Shared Jurisdiction Over Online Privacy And Data Security
The Federal Trade Commission (FTC) is the primary regulator in the online privacy and data security arena. Using its authority to prohibit unfair or deceptive practices, the FTC's enforcement actions and public policy statements have developed into a body of privacy and data security principles and forceful guidance for businesses. The FTC began regulating online privacy in the mid-1990s to address concerns about the collection and use of consumer information online. Generally, the FTC's enforcement cases require businesses handling personal information to provide "notice and choice" and to maintain an information security program along with policies and procedures to ensure that personal information is protected from unauthorized access, use or disclosure. In recent years, the FTC has brought enforcement actions against companies with allegedly unfair or deceptive privacy practices and inadequate data security programs, resulting in a series of settlements and consent orders. The FTC also has made numerous public statements in this area providing policy guidance on, among other things, when certain changes to privacy practices are material, and when businesses are obligated to provide notice and choice regarding such changes to consumers.
Broadband service providers have not been fully impacted by these developments. This is because, in some cases, the services provided were outside the scope of the FTC's jurisdiction and, in other cases, broadband service providers may have been loath to recognize that the services provided were no longer protected by the FTC Act's "common carrier exemption" and were thus inside the scope of the FTC's jurisdiction. This gap is to a significant extent attributable to the FCC's broadband classification decisions and the attendant ability of broadband providers to choose to offer their services on a common carrier basis or not.
Over much of the past decade, a series of FCC decisions classified broadband Internet access as an integrated information service and removed the requirement that the transmission component of the service be offered as a telecommunications service on a common carrier basis. Notably, a broadband service provider's decision to subject itself fully to FTC jurisdiction (by providing the service on a non-common carrier basis) does not free it from FCC jurisdiction. Though a recent court decision has cast considerable doubt over the extent to which the FCC can regulate broadband Internet access providers, the FCC has made clear that it believes it has ample authority to regulate regardless of whether the service is provided as an "integrated information service" (current classification, non-common carriage) or with a "telecommunications service" component (common carriage).
Nevertheless, in response to the considerable doubt created by the DC Circuit's Comcast decision regarding network management practices and the FCC's authority to regulate under "Title I" of the Communications Act using the doctrine of ancillary authority, the FCC appears poised to "reclassify" the transmission component of broadband Internet access service as a telecommunications service subject to broad regulation under "Title II" of the Communications Act. Such a decision, if made, could once again trigger the FTC Act's common carrier exemption which would strip the FTC of jurisdiction over broadband providers' transmission or "Internet connectivity" services. The FCC has sought comment on how it could do this without significantly compromising the FTC's ability to address privacy issues involving broadband Internet services and applications.
An FCC decision on broadband reclassification could come as early as September 2010. Though we cannot be certain of the outcome, we can be fairly certain that there will be ensuing litigation and continuing uncertainty with respect to which agency or agencies can impose privacy and data security regulations on broadband service providers.
Regulators Are Developing New And Updated Approaches To Privacy Law
One of the reasons for the FCC's maneuvering to affirm its regulatory authority over broadband Internet access is that it sees privacy and data security concerns as impediments to consumer broadband adoption and utilization. This conclusion and the FCC's attendant broadband privacy agenda were announced in its National Broadband Plan, adopted this past March. While a majority of FCC commissioners appear confident that the agency has authority to proceed with most aspects of the Plan in the wake of the Comcast decision, it remains to be seen whether specific privacy initiatives could be adopted without reclassification of broadband Internet access services.
The National Broadband Plan calls upon Congress, the FTC and the FCC to clarify and strengthen privacy protections to foster continued innovation and competition in online applications and to spur broadband adoption and utilization. Recognizing that the increased use of broadband and online applications has given rise to a "digital identity" for consumers, the Plan concludes that privacy concerns can serve as a barrier to the adoption and utilization of broadband as well as a barrier to continued innovation and competition in applications. To address these barriers, the Plan recommends the adoption of clear and strong privacy protections allowing consumers to better manage their "online profiles."
In the Plan, the FCC concludes that the current patchwork of laws and regulations addressing privacy provides insufficient protections for consumers. To rectify these shortcomings, the Plan's specific privacy-related recommendations include the following:
• Congress, the FTC and the FCC should clarify the relationship between users and their online profiles, and address the obligations of firms that collect, analyze or monetize personal information or create digital profiles.
• The FCC and FTC should jointly develop principles to require that customers provide informed consent before broadband service providers share certain types of information with third parties.
• Congress should consider taking action to spur development of trusted "identity providers" to act as intermediaries to assist consumers in managing their online data.
• FCC consumer online security efforts should support broader national online security policy, and should be coordinated with the FTC, other federal agencies and the White House Cyber Office.
• The federal government should create an interagency working group to coordinate child online safety efforts.
The Plan also identifies reforming the Privacy Act, which governs how the government handles personal data, as a key legislative priority.
The FCC also has shown an interest in influencing the development of the nascent cloud computing industry through regulation. Cloud computing, or Internet-based computer services, enables users to remotely access data and applications that are physically located on remote computer networks operated by third parties. The transfer of data and applications from local networks to those of third parties raises substantial security and privacy concerns. The FCC has taken comments on cloud computing's potential to positively impact a broad array of topics, ranging from civic engagement to economic efficiency, and what additional regulatory protections might be needed to fully realize the promise of this technology. Broadband service providers should expect the FCC (and the FTC) to take an increasingly active role in shepherding the development of cloud computing through the promulgation and enforcement of additional security, identity management and disclosure regulations.
Along similar lines, the FCC also has entered the cybersecurity arena. In April, the FCC issued an inquiry seeking comment on the creation of a "cybersecurity certification" program and other actions it might take to improve cybersecurity. In August, the FCC issued a public notice seeking comment on the National Broadband Plan's recommendation to create a cybersecurity roadmap to identify vulnerabilities to communications networks and end users, and to develop countermeasures and solutions in preparation for, and response to, cyber threats and attacks in coordination with other federal stakeholders. The FCC seeks to conclude the latter proceeding in November.
Finally, the FCC remains active in areas of privacy and data security regulation where it is more firmly established. It continues to impose fines on carriers for failing to properly certify compliance with its customer proprietary network information (CPNI) regulations. In addition, the agency is considering a petition requesting clarification of the agency's telemarketing sales rules under the Telecommunications Consumer Protection Act (TCPA) and has proposed to conform those rules with the FTC's telemarketing sales rule.
Of course, the FTC remains very active in the privacy arena, exercising its jurisdiction over broadband Internet access and related issues to enforce consumer protection and fair competition laws. Broadband providers should take notice of the FTC's aggressive enforcement actions, and regularly evaluate their information security programs and ensure that their privacy policies accurately reflect their practices and are being applied consistently.
Taken together, momentum and developments at the FCC, DOC and the FTC suggest that broadband service providers will be faced with a series of new privacy regulations as regulators seek to meet perceived challenges posed by changing technologies and data collection and utilization practices. Broadband service providers should take note of and monitor these developments as they have the potential to significantly alter regulatory requirements and to impose new costs on their businesses.
John J. Heitmann is a Partner in Kelley Drye & Warren's Washington, DC office and a founding member of the Telecommunications practice group. He focuses his practice on representing service providers and users in regulatory, appellate, litigation and transactional matters involving a broad range of communications law issues.