We have been waiting for—and the Federal Communications Commission (FCC) delivered—its long anticipated broadband data privacy and security rules on March 10, 2015. Through the proposed rules, the FCC has declared its enforcement authority over the data privacy and security practices of Internet service providers (ISPs), much to the chagrin of the industry, which argues that the FTC framework is sufficient to protect consumers, and that there is no need for another regulatory body to get into the enforcement fray of data privacy and security.
Under the proposed rules, which are being considered by the full commission, broadband providers must obtain express opt-in consent from customers before using and sharing the customers’ data outside of providing services to customers. Like provisions in the Gramm-Leach-Bliley Act applicable to financial institutions, the providers would be able to use customer data to market other products or services offered by affiliates unless the customer opts out of the sharing of the information with those affiliates.
Consistent with other laws applicable to other industries, the proposed rules require ISPs to implement reasonable data security measures to protect consumer data, Significantly, the rules include notification requirements to customers within 10 days of a data breach and the FCC within 7 days of discovery of the breach, which is shorter than most laws applicable to other industries.
The Commission will review the proposed rules during its next meeting on March 31, 2016.