Federal Communications Commission FCC 16-148 Before the Federal Communications Commission Washington, D.C. 20554 In the Matter of ) ) Protecting the Privacy of Customers of Broadband ) WC Docket No. 16-106 and Other Telecommunications Services ) REPORT AND ORDER Adopted: October 27, 2016 Released: November 2, 2016 By the Commission: Chairman Wheeler and Commissioner Rosenworcel issuing separate statements; Commissioner Clyburn approving in part, concurring in part and issuing a statement; Commissioners Pai and O’Rielly dissenting and issuing separate statements. TABLE OF CONTENTS Para. I. INTRODUCTION.................................................................................................................................. 1 II. EXECUTIVE SUMMARY.................................................................................................................... 6 III. ESTABLISHING BASELINE PRIVACY PROTECTIONS FOR CUSTOMERS OF TELECOMMUNICATIONS SERVICES ........................................................................................... 19 A. Background and Need for the Rules .............................................................................................. 20 B. Scope of Privacy Protections under Section 222 ........................................................................... 38 1. The Rules Apply to Telecommunications Carriers and Interconnected VoIP Providers ........ 39 2. The Rules Protect Customers’ Confidential Information........................................................ 41 3. Scope of Customer Information Covered by These Rules ...................................................... 46 4. De-identified Data ................................................................................................................. 106 C. Providing Meaningful Notice of Privacy Policies ....................................................................... 122 1. Required Privacy Disclosures................................................................................................ 126 2. Timing and Placement of Notices ......................................................................................... 137 3. Form and Format of Privacy Notices .................................................................................... 144 4. Advance Notice of Material Changes to Privacy Policies..................................................... 156 5. Harmonizing Voice Rules ..................................................................................................... 164 D. Customer Approval Requirements for the Use and Disclosure of Customer PI.......................... 166 1. Applying a Sensitivity-Based Customer Choice Framework................................................ 172 2. Congressionally-Recognized Exceptions to Customer Approval Requirements for Use and Sharing of Customer PI ........................................................................................... 201 3. Requirements for Soliciting Customer Opt-Out and Opt-In Approval ................................. 221 4. Customers’ Mechanisms for Exercising Privacy Choices..................................................... 228 5. Eliminating Periodic Compliance Documentation................................................................ 234 E. Reasonable Data Security ............................................................................................................ 235 1. BIAS and Other Telecommunications Providers Must Take Reasonable Measures to Secure Customer PI............................................................................................................... 238 2. Practices That Are Exemplary of Reasonable Data Security ................................................ 248 3. Extension of the Data Security Rule to Cover Voice Services.............................................. 256 F. Data Breach Notification Requirements ...................................................................................... 261 1. Harm-Based Notification Trigger.......................................................................................... 263 13911 Federal Communications Commission FCC 16-148 2. Notification to the Commission and Federal Law Enforcement ........................................... 275 3. Customer Notification Requirements.................................................................................... 283 4. Record Retention................................................................................................................... 292 5. Harmonization....................................................................................................................... 293 G. Particular Practices that Raise Privacy Concerns ........................................................................ 294 1. BIAS Providers May Not Offer Service Contingent on Consumers’ Surrender of Privacy Rights ....................................................................................................................... 295 2. Heightened Requirements for Financial Incentive Practices................................................. 298 H. Other Issues.................................................................................................................................. 304 1. Dispute Resolution ................................................................................................................ 304 2. Privacy and Data Security Exemption for Enterprise Voice Customers............................... 306 I. Implementation ............................................................................................................................ 310 1. Effective Dates and Implementation Schedule for Privacy Rules......................................... 311 2. Uniform Timeline for BIAS and Voice Services .................................................................. 316 3. Treatment of Customer Consent Obtained Prior to the Effective and Implementation Date of New Rule.................................................................................................................. 317 4. Limited Extension of Implementation Period for Small Carriers.......................................... 320 J. Preemption of State Law.............................................................................................................. 324 IV. LEGAL AUTHORITY....................................................................................................................... 332 A. Section 222 of the Act Provides Authority for the Rules ............................................................ 333 1. Section 222 Applies to BIAS Providers Along With Other Telecommunications Carriers.................................................................................................................................. 334 2. Section 222(a) Provides Authority for the Rules as to Customer PI..................................... 343 3. Section 222(c) Provides Authority for the Rules as to CPNI................................................ 364 B. Sections 201(b) and 202(a) Provide Additional Authority to Protect Against Privacy Practices That Are “Unjust or Unreasonable” or “Unjustly or Unreasonably Discriminatory” ........................................................................................................................... 368 C. Title III of the Communications Act Provides Independent Authority........................................ 371 D. The Rules Are Also Consistent With the Purposes of Section 706 of the 1996 Act ................... 372 E. We Have Authority to Apply the Rules to Interconnected VoIP Services .................................. 373 F. Constitutional Considerations...................................................................................................... 375 1. Our Sensitivity-Based Choice Framework Is Supported by the Constitution....................... 375 2. Other First Amendment Arguments ...................................................................................... 388 G. Severability .................................................................................................................................. 393 V. PROCEDURAL MATTERS.............................................................................................................. 394 A. Regulatory Flexibility Analysis ................................................................................................... 394 B. Paperwork Reduction Act............................................................................................................ 395 C. Congressional Review Act........................................................................................................... 397 D. Accessible Formats ...................................................................................................................... 398 VI. ORDERING CLAUSES..................................................................................................................... 399 APPENDIX A – Final Rules APPENDIX B – Final Regulatory Flexibility Analysis I. INTRODUCTION 1. In this Report and Order (Order), we apply the privacy requirements of the Communications Act of 1934, as amended (the Act) to the most significant communications technology of today—broadband Internet access service (BIAS). Privacy rights are fundamental because they protect important personal interests—freedom from identity theft, financial loss, or other economic harms,