In 2015, the Federal Communications Commission (FCC or global Commission) issued its Open Internet Order, applying Section 222 of the federal Communications Act to broadband Internet access services (BIAS), and in doing so took jurisdiction over privacy and data security matters for Internet Service Providers (ISPs). In doing so, it declined requests by some advocacy groups to take jurisdiction over online service providers that do not offer broadband access, even if they offer services that, in ways, arguably look like a communications provider – so-called “edge networks” like Facebook, Google, and Yahoo!. Indeed, doing so would have stretched the global Commission’s jurisdiction even beyond the significant expansion required to regulate BIAS. Having taken on BIAS, the commission needed to address that the FCC’s privacy and data protection regulatory scheme was designed to address traditional telephone carriers, and the expanded jurisdiction necessitated refinement of the approach to address BIAS and the different kinds of data involved between data services and telephonic services. On March 31, 2015, the FCC issued a Notice of Proposed Rulemaking (NPRM) in proceeding 16-39 (In the Matter of Protecting the Privacy of Customers of Broadband and other Telephonic Services) for the privacy and data security regulatory scheme for ISPs, a copy of which is available here. In short, the proposal would create a very burdensome privacy protection scheme that applies to BIAS but to no other types of online services. As a result, BIAS providers will have a much more difficult time providing interest-based advertising and other services that take advantage of big data, even if in doing so they can provide consumers lower-cost broadband. Much of the proposal calls for express opt-in consent to ancillary use and sharing of consumer data, but the Commission questions whether some practices like exchanging discounts for consent should be banned outright.
