Broadband Privacy: What This Is About and Why It Matters

Broadband privacy policy needs to address the ways that Internet access service providers (including fixed and mobile telephone, cable, and satellite providers) collect, use, and share data broadband customers send and receive via the Internet. Given the central role the Internet plays in our daily lives and the sensitivity of the data we share online, consumers need assurance that ISPs will respect and protect privacy. Clearer protections will also reduce the potential for discriminatory practices, address chilling effects on speech, and encourage even broader use of the Internet.

What this is about:

  • In February 2015, the FCC reclassified broadband as a “telecommunications service,” making broadband providers common carriers subject to Title II of the Communications Act. That law provides the FCC’s authority for Net Neutrality rules that prevent unreasonable discrimination by broadband providers. It also includes provisions that require providers to act in a way that is just and reasonable and that require providers to protect privacy. The FCC has regulated privacy under Title II for decades, but the application of that authority to broadband is new.
  • Section 222(a) requires carriers to protect the confidentiality of customers’, carriers’, and equipment manufacturers’ “proprietary information.” Proprietary information is not defined.
  • Beyond the general duty set forth in 222(a), Section 222(c) also mandates specific privacy practices for Customer Proprietary Network Information (“CPNI”). CPNI includes “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications system,” and information contained in bills.
  • The FCC likely will seek to clarify the privacy obligations of broadband providers under Title II in a rulemaking in coming months. In addition, the FCC will explore other sources of statutory authority, such as the basic consumer protection provisions of Title II (Sections 201 and 202), its broad regulatory authority over wireless (Section 303), and other relevant provisions.

Why this matters:

  • Broadband, and the services it supports, have become essential to our lives. 80% of American adults now have a home or mobile broadband subscription.
  • From their position as gatekeepers to that essential service, broadband providers have access to enormous amounts of revealing data customers send and share online about communications, banking, health and medicine, employment, and everything in between. Broadband providers collect, use, and share some information about their customers.
  • Prior to reclassification, broadband providers’ privacy obligations were regulated by the FTC, which prohibits consumer privacy violations that it deems “unfair or deceptive,” but which lacks the authority to establish prospective privacy rules.
  • With an essential service like broadband, it is important to have prospective privacy rules so that people feel confident enough in the service to widely adopt and use it, and so that consumers do not unduly self-censor their online behavior due to privacy concerns. Prospective rules are also crucially important to protect sensitive information such as browsing history.
  • A major goal of the upcoming FCC rulemaking is to clarify privacy protections for broadband customer information. For example, the FCC could clarify whether data such as the origin, destination, and size of content being sent over the Internet is CPNI, and if so, what privacy protections apply. The FCC could also clarify what constitutes “proprietary information” under Section 222(a) and what carriers must do to satisfy their duty to protect that information.
  • Given these considerations, an FCC rulemaking can serve two important ends: (1) clarifying what information broadband providers are required to safeguard under Section 222 and other authorities in Title II, and (2) stating how broadband providers must protect this information.