FCC and Consumer Internet Privacy II: What the Order Doesn’t Mandate

Last week we tackled the first part of the FCC Order on Internet consumer privacy and went through all of the ISP "Musts." Today we review the "Shoulds" and what the Order does not cover.

No Pay to Play for Internet Privacy

ISPs should not force subscribers to pay inflated prices in order to keep their personal information private. The Commission will review such arrangements case by case: under the Order, providers are required to disclose any plan that offers discounts or other incentives in exchange for access to, and use of, a subscriber's personal information.

Data Security

Because data security technology keeps advancing, the Order does not mandate a fixed list of specific data security measures. It does provide guidelines for steps ISPs should consider when developing reliable data security programs:

  • Implement up-to-date and relevant industry best practices, including available guidance on how to manage security risks responsibly.
  • Provide appropriate accountability and oversight of their security practices.
  • Implement robust customer authentication tools.
  • Properly dispose of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.

Common-Sense Data Breach Rules

A breach becomes reportable when the provider determines that an unauthorized disclosure of a customer's personal information has occurred, unless the provider determines that no harm is reasonably likely to result. In the event of a reportable breach, providers are required to notify:

  • Affected customers of breaches of their data as soon as possible, but no later than 30 days after reasonable determination of a breach.
  • The Commission, the Federal Bureau of Investigation, and the U.S. Secret Service of breaches affecting 5,000 or more customers no later than 7 business days after reasonable determination of the breach.
  • The Commission at the same time as customers are first notified of breaches affecting fewer than 5,000 customers.

Timeline for Implementation

The Order includes an implementation timeline that the FCC has prioritized to give consumers immediate protection while allowing ISPs the time needed to coordinate the more involved requirements. All deadlines are counted from the date the FCC publishes the Order in the Federal Register.

The data security requirements take effect 90 days after publication. The data breach notification requirements take effect 6 months after publication. The Notice and Choice requirements take effect approximately 12 months after publication; smaller providers get an additional 12 months to comply with that requirement.

What the Rules Do NOT Do

  • Regulate the privacy practices of websites or apps such as Amazon, eBay, Google, Twitter, and Facebook. The Federal Trade Commission has authority over such entities.
  • Regulate other services of broadband providers, such as operation of a social media website.
  • Address issues such as government surveillance, encryption, or law enforcement.

What does all this mean to you?

If your ISP is also a telecom provider, chances are that, like OTELCO, it already complies with these privacy rules. If your ISP is separate from your telecom provider, the Internet privacy requirements will be phased in according to the timeline above.

As valuable as these privacy safeguards are, you still need to do your part to protect yourself on the parts of the Internet where the FCC has no jurisdiction. That is our discussion next time.