The chairman of the Federal Communications Commission announced in June that the agency plans this fall to address privacy in the context of consumers’ use of the Internet.
The spur for putting privacy on the agenda is the decision last winter by the FCC to enshrine the principle of an Internet open to all providers of content—a concept better known as net neutrality—within the agency’s authority to regulate common carriers pursuant to Title II of the Communications Act.
The decision included a determination that providers of broadband Internet service, including broadband delivered via mobile devices, will be subject to a section of the law that governs so-called customer proprietary network information (CPNI), which includes such things as the frequency, duration and timing of calls. In short, information that telecommunications companies know from providing service to customers.
Except for billing, emergencies and other exceptions provided by law, carriers cannot use CPNI without the approval of customers. But until the FCC’s net-neutrality ruling, the rules that govern use of CPNI applied only to services such as Voice over Internet Protocol—think Skype—that tie to the telephone network.
That seems likely to change. As the FCC noted in its net-neutrality ruling, the rules that govern use of CPNI by telephone companies would not be “well suited” to broadband Internet service. The reason: In recent years the FCC has revised the rules that govern CPNI after initially classifying broadband Internet service as a so-called information service, which exempted Internet service providers (ISPs) from common carrier status and later led a federal appeals court to order the FCC to revise its approach.
In addition, “the existing CPNI rules do not address many of the types of sensitive information to which a provider of broadband Internet services is likely to have access, such as (to cite just one example) customers’ web browsing history,” the FCC explained.
Until it can adopt rules that address the use of CPNI by broadband Internet providers specifically, the FCC says it “intends to focus on whether providers are taking reasonable, good-faith steps to comply” with restrictions on the use of CPNI set forth in the Communications Act. Note that CPNI does not include customers’ names, addresses and other personal information, the handling of which is governed by laws such as the Cable Television Privacy Act and the privacy notices that cable and phone companies deliver to subscribers.
So what protections for privacy should apply to broadband networks? In July, nine Democratic senators, including Elizabeth Warren and White House hopeful Bernie Sanders, wrote to FCC Chairman Tom Wheeler with some suggestions. The proposals include ensuring the definition of CPNI includes data pertaining to Internet usage, online activity and payments; directing ISPs to collect data transparently; requiring ISPs to obtain consumers’ express consent before sharing information; ordering ISPs to safeguard customers’ information and to notify customers in the event of a data breach; and giving consumers a clear process for resolving complaints.
“We call on the Commission to adopt a comprehensive definition of CPNI as it pertains to broadband,” the senators wrote. “Every click consumers make online paints a detailed picture of their personal and professional lives.”