On Thursday, Federal Communications Commission (“FCC”) Chairman Tom Wheeler circulated a highly anticipated broadband data privacy and security Notice of Proposed Rulemaking (“NPRM”) to the other Commissioners, slating the proposals for a full Commission vote at the agency’s March 31 Open Meeting. The rules would apply to internet service providers (“ISPs”), but organizations throughout the online data ecosystem will want to pay close attention to this rulemaking and be prepared to comment on the FCC’s proposals.
Although the full details of the NPRM are still unknown, the FCC released a fact sheet providing a high-level overview of what we can expect to see in the document. In the fact sheet, the FCC highlights the unique relationship consumers have with their ISPs, stating that “[a]n ISP handles all of its customers’ network traffic, which means it has an unobstructed view of all of their unencrypted online activity—the websites they visit, the applications they use. If customers have a mobile device, their provider can track their physical and online activities throughout the day in real time.”
The fact sheet goes on to state that “even when data is encrypted, broadband providers can still see the websites that a customer visits, how often they visit them, and the amount of time they spend on each website,” warning that with this information, “ISPs can piece together enormous amounts of information about their customers—including private information such as a chronic medical condition or financial problems.”
According to the fact sheet, the NPRM:
Sets out to give consumers control over how their personal information is used and shared by their broadband service providers.
Separates the use and sharing of information into three categories:
Requires broadband providers to take “reasonable steps” to safeguard customer information from unauthorized use or disclosure, including, at a “minimum”: 1) adopting risk management practices; 2) instituting personnel training practices; 3) adopting strong customer authentication requirements; 4) identifying a senior manager responsible for data security; and 5) taking responsibility for the use and protection of customer information when shared with third parties.
Sets out specific data breach notification requirements, including notifying affected customers of breaches of their data within 10 days of discovery, and notifying the FCC of a breach no later than 7 days after discovery.
The NPRM will be voted on by the full Commission at the March 31 Open Commission Meeting and, if adopted, will be followed by a period of public comment.
This article was first published on Hogan Lovells’ Global Media and Communications Watch blog.
Authored by Mark Brennan and Arielle Brown