Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, 87274-87346 [2016-28006]

Agencies

• FEDERAL COMMUNICATIONS COMMISSION

[Federal Register Volume 81, Number 232 (Friday, December 2, 2016)]
[Rules and Regulations]
[Pages 87274-87346]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-28006]



[[Page 87273]]

Vol. 81

Friday,

No. 232

December 2, 2016

Part IV





Federal Communications Commission





-----------------------------------------------------------------------





47 CFR Part 64





Protecting the Privacy of Customers of Broadband and Other 
Telecommunications Services; Final Rule

Federal Register / Vol. 81 , No. 232 / Friday, December 2, 2016 / 
Rules and Regulations

[[Page 87274]]


-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 64

[WC Docket No. 16-106; FCC 16-148]


Protecting the Privacy of Customers of Broadband and Other 
Telecommunications Services

AGENCY: Federal Communications Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission 
(Commission) adopts final rules based on public comments applying the 
privacy requirements of the Communications Act of 1934, as amended, to 
broadband Internet access service (BIAS) and other telecommunications 
services. In adopting these rules the Commission implements the 
statutory requirement that telecommunications carriers protect the 
confidentiality of customer proprietary information. The privacy 
framework in these rules focuses on transparency, choice, and data 
security, and provides heightened protection for sensitive customer 
information, consistent with customer expectations. The rules require 
carriers to provide privacy notices that clearly and accurately inform 
customers; obtain opt-in or opt-out customer approval to use and share 
sensitive or non-sensitive customer proprietary information, 
respectively; take reasonable measures to secure customer proprietary 
information; provide notification to customers, the Commission, and law 
enforcement in the event of data breaches that could result in harm; 
not condition provision of service on the surrender of privacy rights; 
and provide heightened notice and obtain affirmative consent when 
offering financial incentives in exchange for the right to use a 
customer's confidential information. The Commission also revises its 
current telecommunications privacy rules to harmonize today's privacy 
rules for all telecommunications carriers, and provides a tailored 
exemption from these rules for enterprise customers of 
telecommunications services other than BIAS.

DATES: Effective January 3, 2017, except for Sec. Sec.  64.2003, 
64.2004, 64.2006, and 64.2011(b) which contain information collection 
requirements that have not yet been approved by OMB. The Federal 
Communications Commission will publish a document in the Federal 
Register announcing the effective date of these rules upon approval. 
Section 64.2005 is effective March 2, 2017.

FOR FURTHER INFORMATION CONTACT: For further information about this 
proceeding, please contact Sherwin Siy, FCC Wireline Competition 
Bureau, Competition Policy Division, Room 5-C225, 445 12th St. SW., 
Washington, DC 20554, (202) 418-2783, fcc.gov">sherwin.siy@fcc.gov. For 
additional information concerning the Paperwork Reduction Act 
information collection requirements contained in this document, send an 
email to fcc.gov">PRA@fcc.gov or contact Nicole Ongele at (202) 418-2991.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Report 
and Order in WC Docket No. 16-106, FCC 16-148, adopted October 27, 2016 
and released November 2, 2016. The full text of this document is 
available for public inspection during regular business hours in the 
FCC Reference Information Center, Portals II, 445 12th Street SW., Room 
CY-A257, Washington DC 20554. It is available on the Commission's Web 
site at https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-148A1.pdf. 
The Commission will send a copy of this Report and Order in a report to 
be sent to Congress and the Government Accountability Office pursuant 
to the Congressional Review Act, see 5 U.S.C. 801(a)(1)(A).

Synopsis

I. Introduction

    1. In this Report and Order (Order), we apply the privacy 
requirements of the Communications Act of 1934, as amended (the Act) to 
the most significant communications technology of today--broadband 
Internet access service (BIAS). Privacy rights are fundamental because 
they protect important personal interests--freedom from identity theft, 
financial loss, or other economic harms, as well as concerns that 
intimate, personal details could become the grist for the mills of 
public embarrassment or harassment or the basis for opaque, but harmful 
judgments, including discrimination. In adopting section 222 of the 
Communications Act, Congress recognized the importance of protecting 
the privacy of customers using telecommunications networks. Section 222 
requires telecommunications carriers to protect the confidentiality of 
customer proprietary information. By reclassifying BIAS as 
telecommunications service, we have an obligation to make certain that 
BIAS providers are protecting their customers' privacy while 
encouraging the technological and business innovation that help drive 
the many benefits of our increasingly Internet-based economy.
    2. Internet access is a critical tool for consumers--it expands our 
access to vast amounts of information and countless new services. It 
allows us to seek jobs and expand our career horizons; find and take 
advantage of educational opportunities; communicate with our health 
care providers; engage with our government; create and deepen our ties 
with family, friends and communities; participate in online commerce; 
and otherwise receive the benefits of being digital citizens. Broadband 
providers provide the ``on ramp'' to the Internet. These providers 
therefore have access to vast amounts of information about their 
customers including when we are online, where we are physically located 
when we are online, how long we stay online, what devices we use to 
access the Internet, what Web sites we visit, and what applications we 
use.
    3. Without appropriate privacy protections, use or disclosure of 
information that our broadband providers collect about us would be at 
odds with our privacy interests. Through this Order, we therefore adopt 
rules that give broadband customers the tools they need to make 
informed choices about the use and sharing of their confidential 
information by their broadband providers, and we adopt clear, flexible, 
and enforceable data security and data breach notification 
requirements. We also revise our existing rules to provide harmonized 
privacy protections for voice and broadband customers--bringing privacy 
protections for voice telephony and other telecommunications services 
into the modern framework we adopt today.
    4. In response to the Notice of Proposed Rulemaking (NPRM), we 
received more than 275,000 submissions in the record of this 
proceeding, including comments, reply comments, and ex parte 
communications from consumers; broadband and voice providers and their 
associations; public interest groups; academics; federal, state, and 
local governmental entities; and others. We have listened and learned 
from the record. In adopting final rules, we rely on that record and in 
particular we look to the privacy and data security work done by the 
Federal Trade Commission (FTC), as well as our own work adopting and 
revising rules under section 222. We have also taken into account the 
concepts that animate the Administration's Consumer Privacy Bill of 
Rights (CPBR), and existing privacy and data security best practices.
    5. The privacy framework we adopt today focuses on transparency, 
choice,

[[Page 87275]]

and data security, and provides heightened protection for sensitive 
customer information, consistent with customer expectations. In 
adopting these rules we honor customer's privacy rights and implement 
the statutory requirement that carriers protect the confidentiality of 
customer proprietary information. These rules do not prohibit broadband 
providers from using or sharing customer information, but rather are 
designed to protect consumer choice while giving broadband providers 
the flexibility they need to continue to innovate. By bolstering 
customer confidence in broadband providers' treatment of confidential 
customer information, we also promote the virtuous cycle of innovation 
in which new uses of the network lead to increased end-user demand for 
broadband, which drives network improvements, which in turn lead to 
further innovative network uses, business growth, and innovation.

II. Executive Summary

    6. Today we adopt rules protecting the privacy of broadband 
customers. We also revise our current rules to harmonize our rules for 
all telecommunications carriers. In this Order, we first offer some 
background, explaining the need for these rules, and then discuss the 
scope of the rules we adopt. In discussing the scope of the rules, we 
define ``telecommunications carriers'' that are subject to our rules 
and the ``customers'' those rules are designed to protect. We also 
define the information protected under section 222 as customer 
proprietary information (customer PI). We include within the definition 
of customer PI three types of information collected by 
telecommunications carriers through their provision of broadband or 
other telecommunications services that are not mutually exclusive: (i) 
Individually identifiable Customer Proprietary Network Information 
(CPNI) as defined in section 222(h); (ii) personally identifiable 
information (PII); and (iii) content of communications. We also adopt 
and explain our multi-part approach to determining whether data has 
been properly de-identified and is therefore not subject to the 
customer choice regime we adopt for customer PI.
    7. We next adopt rules protecting consumer privacy using the three 
foundations of privacy--transparency, choice, and security:
    8. Transparency. Recognizing the fundamental importance of 
transparency to enable consumers to make informed purchasing decisions, 
we require carriers to provide privacy notices that clearly and 
accurately inform customers about what confidential information the 
carriers collect, how they use it, under what circumstances they share 
it, and the categories of entities with which they will share it. We 
also require that carriers inform their customers about customers' 
rights to opt in to or opt out (as the case may be) of the use or 
sharing of their confidential information. We require that carriers 
present their privacy notice to customers at the point of sale, and 
that they make their privacy policies persistently available and easily 
accessible on their Web sites, applications, and the functional 
equivalents thereof. Finally, consistent with FTC best practices and 
with the requirements in the CPBR, we require carriers to give their 
customers advance notice of material changes to their privacy policies.
    9. Choice. We find that because broadband providers are able to 
view vast swathes of customer data, customers must be empowered to 
decide how broadband providers may use and share their data. In this 
section, we adopt rules that give customers of BIAS and other 
telecommunications services the tools they need to make choices about 
the use and sharing of customer PI, and to easily adjust those choices 
over the course of time. Section 222 addresses the conditions under 
which carriers may ``use, disclose, or permit access to'' customer 
information. For simplicity throughout this document we sometimes use 
the terms ``disclose'' or ``share'' in place of ``disclose or permit 
access to.'' In adopting rules governing customer choice, we look to 
the best practices framework recommended by the FTC in its 2012 Privacy 
Report as well as the choice framework in the Administration's CPBR and 
adopt a framework that provides heightened protections for sensitive 
customer information. For purposes of the sensitivity-based customer 
choice framework we adopt today, we find that sensitive customer PI 
includes financial information, health information, Social Security 
numbers, precise geo-location information, information pertaining to 
children, content of communications, web browsing history, application 
usage history, and the functional equivalents of web browsing history 
or application usage history. With respect to voice services, we also 
find that call detail information is sensitive information. We also 
adopt a tiered approach to choice, by reference to consumer 
expectations and context that recognizes three categories of approval 
with respect to use of customer PI obtained by virtue of providing the 
telecommunications service:
     Opt-in Approval. We adopt rules requiring carriers to 
obtain customers' opt-in approval for use and sharing of sensitive 
customer PI (and for material retroactive changes to carriers' privacy 
policies). A familiar example of opt-in practices appears when a mobile 
application asks for permission to use geo-location information.
     Opt-out Approval. Balancing important governmental 
interests in protecting consumer privacy and the potential benefits 
that may result from the use of non-sensitive customer PI, we adopt 
rules requiring carriers to obtain customers' opt-out approval for the 
use and sharing of non-sensitive customer PI.
     Congressionally-Recognized Exceptions to Customer Approval 
Requirements. Consistent with the statute, we adopt rules that always 
allow broadband providers to use and share customer data in order to 
provide broadband services (for example to ensure that a communication 
destined for a particular person reaches that destination), and for 
certain other purposes.
    10. Data Security and Breach Notification. At its most fundamental, 
the duty to protect the confidentiality of customer PI requires 
telecommunications carriers to protect the customer PI they collect and 
maintain. We encourage all carriers to consider data minimization 
strategies and to embrace the principle of privacy by design. To the 
extent carriers collect and maintain customer PI, we require BIAS 
providers and other telecommunications carriers to take reasonable 
measures to secure customer PI. To comply with this requirement, a 
carrier must adopt security practices appropriately calibrated to the 
nature and scope of its activities, the sensitivity of the underlying 
data, the size of the provider, and technical feasibility. We decline 
to mandate specific activities that carriers must undertake in order to 
meet the reasonable data security requirement. We do, however, offer 
guidance on the types of data security practices we recommend providers 
strongly consider as they seek to comply with our data security 
requirement, while recognizing that what constitutes ``reasonable'' 
data security evolves over time.
    11. We also adopt data breach notification requirements. In order 
to ensure that affected customers and the appropriate federal agencies 
receive notice of data breaches that could result in harm, we adopt 
rules requiring BIAS

[[Page 87276]]

providers and other telecommunications carriers to notify affected 
customers, the Commission, and the FBI and Secret Service unless the 
carrier is able to reasonably determine that a data breach poses no 
reasonable risk of harm to the affected customers. In the interest of 
expedient law enforcement response, such notice must be provided to the 
Commission, the FBI, and Secret Service within seven business days of 
when a carrier reasonably determines that a breach has occurred if the 
breach impacts 5,000 or more customers; and must be provided to the 
applicable federal agencies at least three days before notice to 
customers. For breaches affecting fewer than 5,000 customers, carriers 
must notify the Commission without unreasonable delay and no later than 
thirty (30) calendar days following the carrier's reasonable 
determination that a breach has occurred. In order to allow carriers 
more time to determine the specifics of a data breach, carriers must 
provide notice to affected customers without unreasonable delay, but 
within no more than 30 days.
    12. Particular Practices that Raise Privacy Concerns. Next, we find 
that take-it-or-leave-it offerings of broadband service contingent on 
surrendering privacy rights are contrary to the requirements of 
sections 222 and 201 of the Act, and therefore prohibit that practice. 
We also adopt heightened disclosure and affirmative consent 
requirements for BIAS providers that offer customers financial 
incentives, such as lower monthly rates, in exchange for the right to 
use the customers' confidential information. Because the record 
contains very little about financial incentive practices of voice 
providers, this section of the Order is limited to BIAS providers.
    13. Next we address several other issues raised in our rulemaking, 
including dispute resolution; the request for an exemption for 
enterprise customers of telecommunications services other than BIAS; 
federal preemption; and the timeline for implementation.
    14. Dispute Resolution. We reaffirm customers' right to use the 
Commission's existing dispute resolution procedures and commit to 
initiating a rulemaking on the use of mandatory arbitration 
requirements in consumer contracts for broadband and other 
communications services, acting on a notice of proposed rulemaking in 
February 2017.
    15. Exemption for Enterprise Customers of Telecommunications 
Services other than BIAS. Recognizing that enterprise customers of 
telecommunications services other than BIAS have different privacy 
concerns and the capacity to protect their own interests, we find that 
a carrier that contracts with an enterprise customer for 
telecommunications services other than BIAS need not comply with the 
privacy and data security rules we adopt today if the carrier's 
contract with that customer specifically addresses the issues of 
transparency, choice, data security, and data breach and provides a 
mechanism for the customer to communicate with the carrier about 
privacy and data security concerns. As with the existing, more limited 
business customer exemption from our existing authentication rules, 
carriers will continue to be subject to the statutory requirements of 
section 222 even where this exemption applies.
    16. Preemption. In this section, we adopt the proposal in the NPRM 
and announce our intent to continue to preempt state privacy laws, 
including data security and data breach laws, only to the extent that 
they are inconsistent with any rules adopted by the Commission. This 
limited application of our preemption authority is consistent with our 
precedent in this area and with our long appreciation for the valuable 
role the states play in protecting consumer privacy.
    17. Implementation Timeline. The Order provides a timeline for 
orderly transition to the new rules with additional time given for 
small carriers to the extent that they may need to change their 
practices.
    18. Legal Authority. Finally, the Order closes by discussing our 
legal authority to adopt the rules.

III. Establishing Baseline Privacy Protections for Customers of 
Telecommunications Services

    19. In this section, we adopt a set of rules designed to protect 
the privacy of customers of BIAS and other telecommunications services. 
The rules we adopt today find broad support in the record, and are 
consistent with and build on existing regulatory and stakeholder-driven 
frameworks, including the Commission's prior decisions and existing 
section 222 rules, other federal privacy laws, state privacy laws, and 
recognized best practices. The framework for our baseline privacy 
protections focuses on providing transparency of carriers' privacy 
practices; ensuring customers have meaningful choice about the use and 
disclosure of their private information; and requiring carriers to 
adopt robust data security practices for customer information. In this 
section, we explain the rules we adopt to protect the privacy of 
customers of BIAS and other telecommunications services.

A. Background and Need for the Rules

    20. The Commission has a long history of protecting customer 
privacy in the telecommunications sector. Section 705 of the 
Communications Act, for example, is one of the most fundamental and 
oldest sector-specific privacy requirements, and protects the privacy 
of information carried by communications service providers. As early as 
the 1960s the Commission began to wrestle with the privacy implications 
of the use of communications networks to provide shared access to 
computers and the sensitive, personal data they often contained. 
Throughout the 1980s and 1990s, the Commission imposed limitations on 
incumbent telephone companies' use and sharing of customer information.
    21. Then, in 1996, Congress enacted Section 222 of the 
Communications Act providing statutory protections to the privacy of 
the data that all telecommunications carriers collect from their 
customers. Congress recognized that telecommunications networks have 
the ability to collect information from consumers who are merely using 
networks as conduits to move information from one place to another 
``without change in the form or content'' of the communications. 
Specifically, Congress sought to ensure ``(1) the right of consumers to 
know the specific information that is being collected about them; (2) 
the right of consumers to have proper notice that such information is 
being used for other purposes; and (3) the right of consumers to stop 
the reuse or sale of that information.''
    22. Section 222(a) imposes a duty on all telecommunications 
carriers to protect the confidentiality of their customers' 
``proprietary information,'' or PI. Section 222(c) imposes restrictions 
on telecommunications carriers' use and sharing of customer proprietary 
network information (CPNI) without customer approval, subject to 
certain exceptions including as necessary to provide the 
telecommunications service (or services necessary to or used in 
providing that telecommunications service), and as otherwise provided 
for by law. While we recognize, applaud, and encourage existing and 
continued marketplace self-regulation and privacy innovations, Congress 
has made clear that telecommunications carriers' privacy practices must 
comply with the obligations imposed by section 222. We

[[Page 87277]]

therefore reject arguments that we rely entirely on self-regulatory 
mechanisms.
    23. Over the last two decades, the Commission has promulgated, 
revised, and enforced privacy rules for telecommunications carriers 
that are focused on implementing the CPNI requirements of Section 222. 
As practices have changed, the Commission has refined its section 222 
rules. For example, after the emergence and growth of an industry made 
possible by ``pretexting''--the practice of improperly accessing and 
selling details of residential telephone calls--the Commission 
strengthened its section 222 rules to add customer authentication and 
data breach notification requirements. The current section 222 rules 
focus on transparency, choice, data security, and data breach 
notification.
    24. Meanwhile, as consumer use of the Internet exploded, the FTC, 
using its authority under section 5 of the FTC Act to prohibit ``unfair 
or deceptive acts or practices in or affecting commerce,'' has entered 
into a series of precedent-setting consent orders addressing privacy 
practices on the Internet, held workshops and conferences, and issued 
influential reports about privacy. Taken together, the FTC's privacy 
work has focused on the importance of transparency; honoring consumers' 
expectations about the use of their personal information and the 
choices they have made about sharing that information; and the 
obligation of companies that collect personal information to adopt 
reasonable data security practices. Because common carriers subject to 
the Communications Act are exempt from the FTC's section 5 authority, 
the responsibility falls to this Commission to oversee their privacy 
practices consistent with the Communications Act.
    25. Last year the Administration proposed a Consumer Privacy Bill 
of Rights. The goal of the CPBR is to ``establish baseline protections 
for individual privacy in the commercial arena and to foster timely, 
flexible implementations of these protections through enforceable codes 
of conduct developed by diverse stakeholders.'' It recognizes that 
Americans ``cherish privacy as an element of their individual 
freedom,'' and that ``[p]reserving individuals' trust and confidence 
that personal data will be protected appropriately, while supporting 
flexibility and the free flow of information, will promote continued 
innovation and economic growth in the networked economy.''
    26. Prior to 2015, BIAS was classified as an information service, 
which excluded such services from the ambit of Title II of the Act, 
including section 222, and the Commission's CPNI rules. Instead, 
broadband providers were subject to the FTC's unfair and deceptive acts 
and practices authority. In the 2015 Open Internet Order, we 
reclassified BIAS as a telecommunications service subject to Title II 
of the Act, an action upheld by the D.C. Circuit in United States 
Telecom Ass'n v. FCC. While we granted BIAS forbearance from many Title 
II provisions, we concluded that application and enforcement of the 
privacy protections in section 222 to BIAS is in the public interest 
and necessary for the protection of consumers. However, we questioned 
whether ``the Commission's current rules implementing section 222 
necessarily would be well suited to broadband Internet access 
service,'' and forbore from the application of these rules to broadband 
service, ``pending the adoption of rules to govern broadband Internet 
access service in a separate rulemaking proceeding.''
    27. In March 2016, we adopted the Broadband Privacy NPRM, which 
proposed a framework for applying the longstanding privacy requirements 
of the Act to BIAS. In the NPRM, we proposed rules protecting customer 
privacy using the three foundations of privacy--transparency, choice, 
and security--and also sought comment on, among other things, whether 
we should update rules that govern the application of section 222 to 
traditional telephone service and interconnected VoIP service in order 
to harmonize them with the results of this proceeding.
    28. A number of broadband providers, their associations, as well as 
some other commenters argue that because broadband providers are part 
of a larger online eco-system that includes edge providers, they should 
not be subject to a different set of regulations. These arguments 
ignore the particular role of network providers and the context of the 
consumer/BIAS provider relationship, and the sector specific privacy 
statute that governs the use and sharing of information by providers of 
telecommunications services. Based on our review of the record, we 
reaffirm our earlier finding that a broadband provider ``sits at a 
privileged place in the network, the bottleneck between the customer 
and the rest of the Internet''--a position that we have referred to as 
a gatekeeper. As such, BIAS providers can collect ``an unprecedented 
breadth'' of electronic personal information.
    29. We disagree with commenters that argue that BIAS providers' 
insight into customer online activity is no greater than large edge 
providers because customers' Internet activity is ``fractured'' between 
devices, multiple Wi-Fi hotspots, and different providers at home and 
at work. As commenters have explained, ``customers who hop between ISPs 
on a daily basis often connect to the same networks routinely,'' and as 
such, over time, ``each ISP can see a substantial amount of that user's 
Internet traffic.''
    30. While we recognize that there are other participants in the 
Internet ecosystem that can also see and collect consumer data, the 
record is clear that BIAS providers' gatekeeper position allows them to 
see every packet that a consumer sends and receives over the Internet 
while on the network, including, absent encryption, its contents. By 
contrast, edge providers only see a slice of any given consumers 
Internet traffic. As explained in the record, edge providers' 
visibility into consumers' web browsing activity is necessarily 
limited. According to the record, only three companies (Google, 
Facebook, and Twitter) have third party tracking capabilities across 
more than 10 percent of the top one million Web sites, and none of 
those have access to more than approximately 25 percent of Web pages. 
By ``third party tracking capability,'' we mean any method by which one 
party injects a tracking mechanism into a customer's traffic in order 
to monitor the customer's activity when the customer interacts with 
other parties. Cookies are a common third party tracker, but there are 
many other methods. In contrast, a BIAS provider sees 100 percent of a 
customer's unencrypted Internet traffic.
    31. At the same time, users have much more control over tracking by 
web third parties than over tracking by BIAS providers. A range of 
browser extensions are largely effective at blocking prominent third 
parties, ``but these tools do nothing to stop data collection on the 
wire.'' Further, Professor Nick Feamster explains that unlike other 
Internet participants that see Domain Name System (DNS) lookups only to 
their own domains (e.g., google.com, facebook.com, netflix.com), BIAS 
providers can see DNS lookups every time a customer uses the service to 
go to a new site.
    32. Return Path explains additional unique data to which only BIAS 
providers have access:

    Many BIAS customers are assigned a dynamic (`changing') IP 
address when they connect to their provider. In these cases, each 
time a consumer's computer (or router) is rebooted, the ISP 
dynamically assigns a new IP address to the networking device. While 
the BIAS provider will have a record of

[[Page 87278]]

precisely which user was connected to an IP address at a specific 
point in time, any third party will not, unless they subpoena the 
BIAS provider for data.

    Furthermore, as Mozilla explains, ``[b]ecause these are paid 
services, [the broadband provider has] the subscriber's name, address, 
phone number and billing history. The combination gives ISPs a very 
unique, detailed and comprehensive view of their users that can be used 
to profile them in ways that are commercially lucrative.''
    33. We agree with commenters that point out that encryption can 
significantly help protect the privacy of consumer content from BIAS 
providers. However, even with encryption, by virtue of providing BIAS, 
BIAS providers maintain access to a significant amount of private 
information about their customers' online activity, including what Web 
sites a customer has visited, how long and during what hours of the day 
the customer visited various Web sites, the customer's location, and 
what mobile device the customer used to access those Web sites. 
Moreover, research shows that encrypted web traffic can be used to 
infer the pages within an encrypted site that a customer visits, and 
that the amount of data transmitted over encrypted connections can also 
be used to infer the pages a customer visits.
    34. The record also indicates that truly pervasive encryption on 
the Internet is still a long way off, and that many sites still do not 
encrypt. We observe that several commenters rely on projections that 70 
percent of Internet traffic will be encrypted by the end of 2016. 
However, a significant amount of this encrypted data is video traffic 
from Netflix, which, according to commenters, accounts for 35 percent 
of North American Internet traffic. Moreover, ``raw packets make for a 
misleading metric.'' As further explained by one commenter ``watching 
the full Ultra HD stream of The Amazing Spider-Man could generate more 
than 40GB of traffic, while retrieving the WebMD page for `pancreatic 
cancer' generates less than 2MB.'' What's more, research shows that 
approximately 84 percent of health Web sites, 86 percent of shopping 
Web sites, and 97 percent of news Web sites remain unencrypted. These 
types of Web sites generate less Internet traffic but contain ``much 
more personalized data.'' We encourage continued efforts to encrypt 
personal information both in transit and at rest. At the same time, our 
policy must account for the fact that encryption is not yet ubiquitous 
and, in any event, does not preclude BIAS providers from having unique 
access to customer data.
    35. Thus, the record reflects that BIAS providers are not, in fact, 
the same as edge providers in all relevant respects. In addition to 
having access to all unencrypted traffic that passes between the user 
and edge services while on the network, customers' relationships with 
their broadband provider is different from those with various edge 
providers, and their expectations concomitantly differ. For example, 
customers generally pay a fee for their broadband service, and 
therefore do not have reason to expect that their broadband service is 
being subsidized by advertising revenues as they do with other Internet 
ecosystem participants. In addition, consumers have a choice in 
deciding each time whether to use--and thus reveal information--to an 
edge provider, such as a social network or a search engine, whereas 
that is not an option with respect to their BIAS provider when using 
the service.
    36. While some customers can switch BIAS providers, others do not 
have the benefit of robust competition, particularly in the fixed 
broadband market. Moreover, we have previously observed that 
``[b]roadband providers have the ability to act as gatekeepers even in 
the absence of `the sort of market concentration that would enable them 
to impose substantial price increases on end users.' '' Their position 
is strengthened by the high switching costs customers face when seeking 
a new service, which could deter customers from changing BIAS providers 
if they are unsatisfied the providers' privacy policies. Moreover, even 
if a customer was willing to switch to a new broadband provider, the 
record shows consumers often have limited options. We note, as stated 
in the 2016 Broadband Progress Report, approximately 51 percent of 
Americans still have only one option for a provider of fixed broadband 
at speeds of 25 Mbps download/3 Mbps upload. Given all of these 
factors, we conclude that, contrary to assertions in the record, BIAS 
providers hold a unique position in the Internet ecosystem, and 
disagree with commenters that assert that rules to protect the privacy 
of broadband customers are unnecessary.
    37. As discussed above and throughout this Order, our sector-
specific privacy rules are necessary to address the distinct 
characteristics of telecommunications services. The record demonstrates 
that strong customer privacy protections will encourage broadband usage 
and, in turn investment. We further find that when consumers are 
confident that their privacy is protected, they will be more likely to 
adopt and use broadband services. As aptly explained by Mozilla, 
``[t]he strength of the Web and its economy rests on a number of core 
building blocks that make up its foundational DNA. When these building 
blocks are threatened, the overall health and well-being of the Web are 
put at risk. Privacy is one of these building blocks.'' The privacy 
framework we adopt today will bolster consumer trust in the broadband 
ecosystem, which is essential for business growth and innovation.

B. Scope of Privacy Protections Under Section 222

    38. In adopting rules to protect the privacy of customers of BIAS 
and other telecommunications services, we must begin by specifying the 
entities and information at issue. We look to the language of the 
statute to determine the appropriate scope of our implementing rules. 
As discussed above, section 222(a) specifies that telecommunications 
carriers have a duty to protect the confidentiality of proprietary 
information of and relating to their customers, while section 222(c) 
provides direction about protections to be accorded ``customer 
proprietary network information.'' We therefore first adopt rules 
identifying the set of ``telecommunications carriers'' that are subject 
to our rules and define the ``customers'' these rules protect. Next we 
define ``customer proprietary information'' and include within that 
definition ``individually identifiable customer proprietary network 
information,'' ``personally identifiable information,'' and content of 
communications.
1. The Rules Apply to Telecommunications Carriers and Interconnected 
VoIP Providers
    39. For purposes of the rules we adopt today to implement section 
222, we adopt a definition of ``telecommunications carrier'' that 
includes all telecommunications carriers providing telecommunications 
services subject to Title II, including broadband Internet access 
service (BIAS). We also include interconnected VoIP services, which 
have been covered since 2007. Although not limited to voice services, 
our existing rules have been focused on voice services. When we 
reclassified BIAS as a telecommunications service, we recognized that 
our existing CPNI rules were not necessarily well suited to the 
broadband context, and we therefore forbore from applying the existing 
section 222 rules to BIAS. As part of this

[[Page 87279]]

rulemaking we have explored what privacy and data security rules we 
should adopt for BIAS and whether we can harmonize our rules for voice 
and BIAS. Throughout this Order we find that it is in the interests of 
consumers and providers to harmonize our voice and broadband privacy 
rules. We therefore adopt a single definition of telecommunications 
carrier for purposes of these rules, and except as otherwise provided, 
adopt harmonized rules governing the privacy and data security 
practices of all such telecommunications carriers.
    40. Because we adopt a single definition of telecommunications 
carrier we need not change the definitions of ``telecommunications 
carrier or carrier'' currently in our rules implementing section 222. 
In accordance with these definitions, we continue to consider entities 
providing interconnected VoIP service to be telecommunications carriers 
for the purposes of these rules. The Commission has not classified 
interconnected VoIP service as telecommunications service or 
information service as those terms are defined in the Act, and we need 
not and do not make such a determination today. We do amend the 
definition of telecommunications service to conform to the definition 
of telecommunications carrier. We also observe that because BIAS is now 
a telecommunications service, BIAS providers are now telecommunications 
carriers within the meaning of those rules. To remove any doubt as to 
the scope of these rules, we define BIAS for purposes of our rules 
pursuant to section 222 identically to our definition in the 2015 Open 
Internet Order. We define ``broadband Internet access service 
provider'' or ``BIAS provider'' to mean a person engaged in the 
provision of BIAS. As used in the foregoing sentence and in the 
definition of ``customer'' below, a ``person'' includes any individual, 
group of individuals, corporation, partnership, association, unit of 
government, or legal entity, however organized. Under the 2015 Open 
Internet Order's definition of BIAS, the term BIAS provider does not 
include ``premises operators--such as coffee shops, bookstores, 
airlines, private end-user networks (e.g., libraries and universities), 
and other businesses that acquire broadband Internet access service 
from a broadband provider to enable patrons to access the Internet from 
their respective establishments.'' Moreover, consistent with the 2015 
Open Internet Order, our rules do not govern information that BIAS 
providers obtain by virtue of providing other non-telecommunications 
services, such as edge services that the BIAS provider may offer like 
email, Web sites, cloud storage services, social media sites, music 
streaming services, and video streaming services (to name a few).
2. The Rules Protect Customers' Confidential Information
    41. Section 222 governs how telecommunications carriers treat the 
``proprietary'' and ``proprietary network'' information of their 
``customers.'' For purposes of the rules we adopt today implementing 
section 222, we define ``customer'' as (1) a current or former 
subscriber to a telecommunications service; or (2) an applicant for a 
telecommunications service. We adopt a single definition of customer, 
because we agree with those commenters that argue that harmonizing the 
definition of ``customer'' for both BIAS and other telecommunications 
services will ease consumer expectations, reduce confusion, and 
streamline compliance costs for BIAS providers, especially small 
providers. We also find that voice and BIAS customers face similar 
issues related to the protection of their private information when they 
apply for, subscribe to, and terminate their telecommunications 
services.
    42. In adopting this definition of customer, we find that BIAS 
providers' and other telecommunications carriers' duty to protect 
customer proprietary information under section 222 begins when a person 
applies for service and continues after a subscriber terminates his or 
her service. Our existing rules for voice services apply only to 
current customers. We are, however, persuaded by commenters that argue 
that the existing rule's limitation to current subscribers is too 
narrow. As data storage costs decrease and computing power increases, 
previous barriers to data analysis based on cost, time, or feasibility 
are receding. BIAS providers and other telecommunications carriers have 
the technical ability to retain and use applicant and customer 
information long after the application process or termination of 
service. If our rules do not protect applicants, consumers would lack 
basic privacy protections when they share any confidential information 
in order to apply for a telecommunications service. Similarly, current 
customers would be penalized for switching providers given that the 
``losing'' carrier would be free to stop protecting the confidentiality 
of any private information it retains. These outcomes would run counter 
to our firm commitment to promote broadband adoption, competition, and 
innovation. Making this change is consistent with the 2014 Notice of 
Apparent Liability issued in TerraCom, in which we explained that that 
``the carrier/customer relationship commences when a consumer applies 
for service.''
    43. We disagree with commenters that assert that including 
prospective and former customers within the definition of customer 
could unduly burden providers. If carriers want to limit their 
obligations with respect to applicants and former customers, they can 
and should adopt data minimization practices and destroy applicants' 
and former customers' confidential information as soon as practicable, 
in a manner consistent with any other applicable legal obligations.
    44. In addition, for purposes of these rules, we find it 
appropriate to attribute all activity on a subscription to the 
subscriber. We recognize that multiple people often use the BIAS or 
voice services purchased by a single subscriber. For example, 
residential fixed broadband and voice services often have a single 
named account holder, but all household members and their guests may 
use the Internet connection and voice service purchased by that 
subscriber. Likewise, enterprise customers may have many users on the 
same account. And, for mobile services, multiple users using separate 
devices may share one account. However, treating each individual user 
as a separate customer would be burdensome because the provider does 
not have a separate relationship with each of those users, outside of 
the relationship with the subscriber. To minimize burdens on both 
providers and customers, we find it is reasonable to define 
``customer'' to include users of the subscription (such as household 
members and their guests), but treat the subscriber as the person with 
authority to make privacy choices for all of the users of the service. 
As such, we disagree with commenters who argue that every individual 
using a BIAS subscription should qualify as a distinct customer with 
separate privacy controls.
    45. We recognize that some BIAS or voice subscriptions identify 
multiple users. For example, some mobile BIAS providers offer group 
plans in which each person has their own identified device, user ID, 
and/or telephone number. If a BIAS or other telecommunications provider 
is already treating each user as distinct and the subscriber authorizes 
the other users to control their account settings, we encourage 
carriers to give these users individualized privacy controls.

[[Page 87280]]

3. Scope of Customer Information Covered by These Rules
    46. In this section, we define the scope of information covered by 
the rules implementing section 222. Specifically, we import the 
statutory definition of customer proprietary network information (CPNI) 
into our implementing rules, and define customer proprietary 
information (customer PI) as including individually identifiable CPNI, 
personally identifiable information (PII), and content of 
communications. We recognize that these categories are not mutually 
exclusive, but taken together they identify the types of confidential 
customer information BIAS providers and other telecommunications 
carriers may collect or access in connection with their provision of 
service. Below, we provide additional guidance on the scope of these 
categories of customer information in the telecommunications context.
a. Customer Proprietary Network Information
    47. Consistent with the preexisting voice rules, we adopt the 
statutory definition of customer proprietary network information (CPNI) 
for all telecommunications services, including BIAS. Since this is our 
first opportunity to address this definition's application to BIAS, to 
offer clarity we provide guidance on the meaning of CPNI as it applies 
to BIAS. We focus on section 222(h)(1), which defines CPNI as 
information that relates to the quantity, technical configuration, 
type, destination, location, and amount of use of a telecommunications 
service subscribed to by any customer of a telecommunications carrier, 
and that is made available to the carrier by the customer solely by 
virtue of the carrier-customer relationship; as well as information 
contained in the bills pertaining to telephone exchange service or 
telephone toll service received by a customer of a carrier, but does 
not include subscriber list information. We agree with commenters that, 
due to its explicit focus on telephone exchange and telephone toll 
service, section 222(h)(1)(B) is not relevant to BIAS.
    48. We interpret the phrase ``made available to the carrier by the 
customer solely by virtue of the carrier-customer relationship'' in 
section 222(h)(1)(A) to include any information falling within a CPNI 
category that the BIAS provider collects or accesses in connection with 
the provision of BIAS. This includes information that may also be 
available to other entities. We disagree with commenters who propose 
that the phrase ``made available to the carrier by the customer solely 
by virtue of the carrier-customer relationship'' means that only 
information that is uniquely available to the BIAS provider may satisfy 
the definition of CPNI. These commenters contend that if a customer's 
information is available to a third party, it cannot qualify as CPNI, 
focusing on the term ``solely'' in the clause. However, the term 
``solely'' modifies the phrase ``by virtue of,'' not the phrase ``made 
available to the carrier.'' We therefore conclude that ``solely by 
virtue of the carrier-customer relationship'' means that information 
constitutes CPNI under section 222(h)(1)(A) if the provider acquires 
the information as a product of the relationship and not through an 
independent means. We note, for clarity, that both inbound and outbound 
traffic are made available to the carrier by the customer solely by 
virtue of the carrier-customer relationship. The directionality of the 
traffic is irrelevant as to whether it satisfies the statutory 
definition of CPNI.
    49. We also agree with the Center for Democracy and Technology that 
the fact that third-parties might gain access to the same data when a 
consumer uses their services ``does not negate the fact that the BIAS 
provider has gained access to the data only because the customer 
elected to use the BIAS provider's telecommunications service.'' The 
statute is silent as to whether such information might be available to 
other parties, which indicates that Congress did not intend for the 
definition of CPNI to hinge on such information being solely available 
to the customers' carrier. Indeed, in the voice context, CPNI certainly 
is available to other parties besides the customer's carrier and 
section 222 protects that data. For example, when a customer calls 
someone else, CPNI is also made available to the recipient's carrier 
and intermediaries facilitating the completion of the call. 
Furthermore, we find that commenters' narrow definition of CPNI is 
inconsistent with the privacy-protective purpose of the statute. We 
agree with some commenters' assertions that when a BIAS provider 
acquires information wholly apart from the carrier-customer 
relationship, such as purchasing public records from a third party, 
that information is not CPNI.
    50. However, consistent with the Commission's 2013 CPNI Declaratory 
Ruling, we find that information that a BIAS provider causes to be 
collected or stored on a customer's device, including customer premises 
equipment (CPE) and mobile stations, also meets the statutory 
definition of CPNI. The ``fact that CPNI is on a device and has not yet 
been transmitted to the carrier's own servers also does not remove the 
data from the definition of CPNI, if the collection has been done at 
the carrier's direction.''
    51. BIAS providers also have the ability, by virtue of the 
customer-carrier relationship, to create and append CPNI to a 
customer's Internet traffic. For example, if a carrier inserts a unique 
identifier header (UIDH), that UIDH is CPNI because, as we will discuss 
in greater detail below, it is information in the application layer 
header that relates to the technical configuration, type, destination, 
and amount of use of a telecommunications service.
    52. We do not believe it is necessary to categorize all personally 
identifiable information (PII) as CPNI, as suggested by Public 
Knowledge. While we agree with Public Knowledge's sentiment that PII is 
confidential information that deserves protection under the Act, and we 
agree that some information is both PII and CPNI, we find that the Act 
categorizes and protects all PII as proprietary information, under 
section 222(a), as discussed below.
(i) Guidance Regarding Information That Meets the Statutory Definition 
of CPNI in the Broadband Context
    53. In keeping with the Commission's past practice, we decline to 
set out a comprehensive list of data elements that do or do not satisfy 
the statutory definition of CPNI in the broadband context. We agree 
with commenters that ``no definition of CPNI should purport or aim to 
be comprehensive and exhaustive, as technology changes quickly and 
business models continually seek new ways to monetize and market user 
data.'' In the past, the Commission has enumerated certain data 
elements that it considers to be voice CPNI--including call detail 
records (including caller and recipient phone numbers, and the 
frequency, duration, and timing of calls) and any services purchased by 
the customer, such as call waiting; these data continue to be voice 
CPNI going forward. Similarly, we follow past practice and identify a 
non-exhaustive list of the types of information that we consider to 
constitute CPNI in the BIAS context. We find that such guidance will 
help provide direction regarding the scope of providers' obligations 
and help to increase customers' confidence in the security of their 
confidential information as technology continues to advance. We find 
that the following types of information relate to the quantity, 
technical configuration, type, destination, location, and amount of use 
of a telecommunications service

[[Page 87281]]

subscribed to by any customer of a telecommunications carrier, and as 
such constitute CPNI when a BIAS provider acquires or accesses them in 
connection with its provision of service:
 Broadband Service Plans
 Geo-location
 MAC Addresses and Other Device Identifiers
 IP Addresses and Domain Name Information
 Traffic Statistics
 Port Information
 Application Header
 Application Usage
 Application Payload
 Customer Premises Equipment and Device Information
    54. We will first give a brief overview of the structure of 
Internet communications, to help put these terms in context, and then 
discuss why each of these types of information, and other related 
components of Internet Protocol packets, qualify as CPNI.
(a) Background--Components of an Internet Protocol Packet
    55. The layered architecture of Internet communications informs our 
analysis of CPNI in the broadband context. While the concept of 
layering is not unique to the Internet, layering plays a uniquely 
prominent role for Internet-based communications and devices. For that 
reason, we begin with a brief technical overview of the layered 
structure of Internet communications.
    56. Multiple layers--often represented as a vertical stack--
comprise every Internet communication. Each layer in the stack serves a 
particular logical function and uses a network protocol that 
standardizes communication between systems, enabling rapid innovation 
in Internet-based protocols and applications. Within one device, 
information is typically transmitted vertically through the various 
layers. Across all devices, equivalent layers perform the equivalent 
functions. This compatibility and interoperability is typically 
represented as horizontal relationships. When an application sends data 
over the Internet, the process begins with application data moving 
downwards through the layers. Each layer adds additional networking 
information and functionality, wrapping the output of the layers above 
it with a ``header.'' The communication sent out over the Internet--
consisting of the application data wrapped in headers from each layer--
is called a ``packet.'' When a device receives data over the Internet, 
the reverse process occurs. Data moves upwards through the layers; each 
layer unwraps its associated information and passes the output upward, 
until the application on the recipient's device recovers the original 
application data. As a component of their provision of service, BIAS 
providers may analyze each of these layers for reasonable network 
management.
    57. Common representations of the Internet's architecture range 
from four to seven layers. To highlight design properties relevant to 
the broadband CPNI analysis, we describe a five-layer model in this 
explanation. From top to bottom, the layers are: Application payload, 
application header, transport, network, and link. We will briefly 
describe each of the five layers, from top to bottom:
    58. Application Payload. The information transmitted to and from 
each application a customer runs is commonly referred to as the 
application layer payload. The application payload is the substance of 
the communication between the customer and the entity with which she is 
communicating. Examples of application payloads include the body of a 
Web page, the text of an email or instant message, the video served by 
a streaming service, the audiovisual stream in a video chat, or the 
maps served by a turn-by-turn navigation app.
    59. Application Header. The application will usually append one or 
more headers to the payload; these headers contain information about 
the application payload that the application is sending or requesting. 
For example, in web browsing, the Uniform Resource Locator (URL) of a 
Web page constitutes application header information. In a conversation 
via email, instant message, or video chat, an application header may 
disclose the parties to the conversation.
    60. Transport Layer. Below the application header layer is the 
transport layer, which forwards data to the intended application on 
each device and can manage the flow of communications from one device 
to another device. Two transport protocols are widely deployed on the 
Internet: the Transmission Control Protocol (TCP), which ensures that 
data arrives intact, and the User Datagram Protocol (UDP), which 
provides fewer guarantees about data integrity. Port numbers are an 
example of data within the transport layer header; a port number 
specifies which application on a device should handle a network 
communication.
    61. Network Layer. The network layer is below the transport layer, 
and contains information used to route packets across the Internet from 
one device to another device. Almost all Internet traffic uses the 
Internet Protocol (IP) at the network layer. IP addresses are the most 
common example of data at the network layer; an IP address in a network 
header indicates the sender or recipient of an Internet packet.
    62. Link Layer. The final layer is the link layer, which is below 
the network layer. Link layer protocols route data between devices on 
the same local network. For example, devices on the same wired or 
wireless network can usually communicate directly with each other at 
the link layer. MAC addresses are an example of data at the link layer, 
and a wide range of link technologies (Ethernet, DOCSIS, Wi-Fi, and 
Bluetooth, among others) use them. A MAC address functions as a 
globally unique device identifier, ensuring that every device on a 
local network has a distinct address for sending and receiving data.
(b) Specific Examples of CPNI in the BIAS Context
    63. With this understanding of the architecture of Internet 
communications, we can now examine how the components of an IP data 
packet map to the statutory definition of CPNI. In this section, we 
provide guidance on what data elements constitute CPNI; this is 
distinct from the question of whether a data element constitutes 
individually identifiable CPNI and is thus ``customer proprietary 
information.'' Below, we provide guidance addressing how various data 
elements constitute CPNI under section 222.
    64. Broadband Service Plans. We find that broadband service plans 
meet the statutory definition of CPNI in the broadband context because 
they relate to the quantity, type, amount of use, location, and 
technical configuration of a telecommunications service. We agree with 
NTCA that ``information related to a customer's broadband service plan 
can be viewed as analogous to voice telephony service plans,'' which 
the Commission has long considered to be CPNI in the voice context. 
These plans detail subscription information, including the type of 
service (e.g., fixed or mobile; cable or fiber; prepaid or term 
contract), speed, pricing, and capacity (e.g., data caps). These data 
relate to the ``type'' of telecommunications service to which the 
customer subscribes, as well as how the BIAS provider will adjust the 
``technical configuration'' of their network to serve that customer. 
Information pertaining to subscribed capacity and speed relate to the 
``quantity'' of services the customer purchases, as well as the 
``amount'' of services the customer consumes. Service plans often 
include the customer's

[[Page 87282]]

address (for billing purposes or to identify the address of service), 
which relates to the location of use of the service.
    65. Geo-location. Geo-location is information related to the 
physical or geographical location of a customer or the customer's 
device(s), regardless of the particular technological method used to 
obtain this information. Providers often need to know where their 
customers are so that they can route communications to the proper 
network endpoints. The Commission has already held that geo-location is 
CPNI, and Congress emphasized the importance of geo-location data by 
adding Section 222(f).
    66. We disagree with commenters who ask us to draw technology-based 
distinctions for what types of location information are sufficiently 
precise to qualify as geo-location CPNI. BIAS providers can use many 
types of data--either individually or in combination--to locate a 
customer, including but not limited to GPS, address of service, nearby 
Wi-Fi networks, nearby cell towers, and radio-frequency beacons. We 
caution that these and other forms of location information in place now 
or developed in the future constitute geo-location CPNI when made 
available to the BIAS provider solely by virtue of the carrier-customer 
relationship.
    67. Media Access Control (MAC) Addresses and Other Device 
Identifiers. We conclude that device identifiers, such as MAC 
addresses, are CPNI in the broadband context because they relate to the 
technical configuration and destination of use of a telecommunications 
service. Link layer protocol headers convey MAC addresses, along with 
other link layer protocol information. A MAC address uniquely 
identifies the network interface on a device, and thus uniquely 
identifies the device itself (including the device manufacturer and 
often the model). MAC addresses relate to the technical configuration 
and destination of communications because BIAS providers use them to 
manage their networks and route data packets to the appropriate network 
device. We disagree with Sandvine, which argues that link layer 
information such as MAC addresses do not relate to the technical 
configuration of network traffic or the destination of packets. For the 
same reasons, we conclude that other device identifiers and other 
information in link layer protocol headers are CPNI in the broadband 
context because they relate to the technical configuration and 
destination of use of a telecommunications service.
    68. Internet Protocol (IP) Addresses and Domain Name Information. 
We conclude that source and destination IP addresses constitute CPNI in 
the broadband context because they relate to the destination, technical 
configuration, and/or location of a telecommunications service. An IP 
address is a routable address for each device on an IP network, and 
BIAS providers use the end user's and edge provider's IP addresses to 
route data traffic between them. As such, source and destination IP 
addresses are roughly analogous to telephone numbers in the voice 
telephony context. The Commission has previously held telephone numbers 
dialed to be CPNI. Further, our CPNI rules for TRS providers recognize 
IP addresses as call data information. By this analogy, we mean only 
that both are ``roughly similar numerical identifiers'' used to route 
telecommunications. We do not intend to imply that IP addresses are or 
should be administered in the same manner as telephone numbers. This 
definitional change to our regulations in no way asserts Commission 
jurisdiction over the assignment or management of IP addressing.
    69. We agree with those commenters that argue that the IP addresses 
a customer uses and those with which she exchanges packets constitute 
CPNI because both source and destination IP addresses relate to the 
destination of use of a telecommunications service; one links to the 
destination for inbound traffic while the other links to the 
destination for outbound traffic. IP addresses are also frequently used 
in geo-location. A BIAS provider is uniquely capable of geo-locating an 
IP address. Most notably, in the case of mobile broadband Internet 
access service, the provider knows the geo-location of the cell towers 
to which the customer's device connects and can use this to determine 
the customer's device location. As Public Knowledge explains, ``IP 
addresses can easily be mapped to geographic locations, meaning that 
both the subscriber and the service can be located.'' IP addresses 
relate to technical configuration because BIAS providers configure 
their systems to use IP addresses in the network layer to communicate 
data packets between senders and receivers.
    70. We disagree with commenters who argue that a customer's IP 
address is not CPNI. Some commenters argue that a customer's IP address 
is not CPNI because the BIAS provider assigns the IP address to the 
customer, and thus it is not ``made available to the carrier by the 
customer solely by virtue of the carrier-customer relationship.'' This 
reading of the text undermines the privacy-protective purpose of the 
statute. First, as the Commission has previously held, information that 
the provider causes to be generated by a customer's device or appended 
to a customer's traffic, in order to allow the provider to collect, 
access, or use that information, can qualify as CPNI if it falls within 
one of the statutory categories. Second, while the provider generates 
and assigns the number that will become the customer's IP address, that 
number is ultimately just a proxy for the customer, translated into a 
language that Internet Protocol understands. But for the carrier-
customer relationship, the customer would not have an IP address. Other 
commenters argue that IP addresses should not qualify as CPNI because 
``this information is necessarily sent onto the open Internet in order 
to make the service work.'' However, as discussed above, whether 
information is available to third parties does not affect whether it 
meets the statutory definition of CPNI.
    71. We also disagree with commenters who assert that dynamic IP 
addresses do not meet the statutory definition of CPNI. A dynamic IP 
address is one that the BIAS provider can change. As Return Path 
explains, ``[w]hile the BIAS provider will have a record of precisely 
which user was connected to [a dynamic] IP address at a specific point 
in time, any third party will not.'' A dynamic IP address may be used 
for a shorter period of time than a static IP address. We note that 
these potential privacy benefits of dynamic IP addresses depend upon 
the specific network configuration and practices of the BIAS provider. 
For example, a provider may assign a dynamic IP address to a customer 
for a long period of time, such that it is effectively equivalent to a 
static IP address. In certain configurations (e.g., IPv6 without 
privacy extensions), a dynamic IP address can be more revealing than a 
static IP address, because it includes other network identifiers (such 
as a MAC address). But a dynamic IP address still meets the statutory 
definition of CPNI because it relates to the technical configuration, 
type, destination, and/or location of use of a telecommunications 
service, for the reasons discussed above.
    72. We also conclude that information about the domain names 
visited by a customer constitute CPNI in the broadband context. Domain 
names (e.g., ``fcc.gov'') are common monikers that the customer uses to 
identify the end point to which they seek to connect. Whether or not 
the customer uses the

[[Page 87283]]

BIAS provider's in-house DNS lookup service is irrelevant to whether 
domain names satisfy the statutory definition of CPNI. Domain names 
also translate directly into IP addresses. Because of this easy 
translation, domain names relate to the destination and technical 
configuration of a telecommunications service.
    73. As discussed above, Internet traffic is communicated through a 
layered architecture, including a network layer that uses protocol 
headers containing IP addresses to route communications to the intended 
devices. Similar to IP addresses, other information in the network 
layer protocol headers is CPNI in the broadband context. BIAS providers 
configure their networks to use this information for routing, network 
management, and security purposes. These headers will also indicate the 
total size of the packet. As such, other information in the network 
layer protocol headers relates to the technical configuration and 
amount of use of a telecommunications service.
    74. Traffic Statistics. We conclude that traffic statistics meet 
the statutory definition of CPNI in the broadband context because they 
relate to the amount of use, destination, and type of a 
telecommunications service. We use the technology-neutral term 
``traffic statistics'' to encompass any quantification of the 
communications traffic, including short-term measurements (e.g., packet 
sizes and spacing) and long-term measurements (e.g., monthly data 
consumption, average speed, or frequency of contact with particular 
domains and IP addresses). There are many common forms of traffic 
statistics, such as IPFIX, and we believe it is important to focus on 
how BIAS providers use these data, rather than single out particular 
technologies. We believe that traffic statistics are analogous to call 
detail information regarding the ``duration[] and timing of [phone] 
calls'' and aggregate minutes used in the voice telephony context, both 
of which are CPNI. BIAS providers use traffic statistics to optimize 
the efficiency of their networks and protect against cyber threats, but 
can also use this data to draw inferences that implicate the amount of 
use, destination, and type of a telecommunications service. For 
example, BIAS providers can use traffic statistics to determine the 
amount of use (e.g., date, time, and duration), and to identify 
patterns such as when the customer is at home, at work, or elsewhere, 
or reveal other highly personal information. Traffic statistics related 
to browsing history and other usage can reveal the ``destination'' of 
customer communications. Further, a BIAS provider could deduce the 
``type'' of application (e.g., VoIP or web browsing) that a customer is 
using based on traffic patterns, and thus the purpose of the 
communication.
    75. Port Information. We conclude that port information is CPNI in 
the broadband context because it relates to the destination, type, and 
technical configuration, of a telecommunications service. A port is a 
logical endpoint of communication with the sender or receiver's 
application, and consequently relates to the ``destination'' of a 
communication. The transport layer protocol header of a data packet 
contains the destination port number, which determines which 
application receives the communication. Port destinations are analogous 
to telephone extensions in the voice context. Port numbers identify or 
at least provide a strong indication of the type of application used, 
and thus the purpose of the communication, such as email, web browsing, 
or other activities. Though sometimes port numbers may not reveal 
anything of significance, they often do, and therefore we conclude that 
they relate to the destination, type, or technical configuration of the 
service. BIAS providers configure their networks using port information 
for network management purposes, such as to block certain ports to 
ensure network security. As such, these practices relate to the 
``technical configuration'' of the telecommunications service. We agree 
with commenters that other transport layer protocol header information 
is CPNI in the broadband context because it relates to the technical 
configuration and amount of use of a telecommunications service. BIAS 
providers use other header information in this layer to configure their 
networks and monitor for security threats. For example, because UDP 
headers indicate packet size, they can reveal the amount of data the 
customer is consuming, and because TCP headers include sequence 
numbers, they can reveal information about a customer's device 
configuration.
    76. Application Header. We conclude that application header 
information is CPNI in the broadband context because it relates to the 
destination, type, technical configuration, and amount of use of a 
telecommunications service. As discussed above, the top-most layer of 
network architecture is the application layer; IP data packets contain 
application headers to instruct the recipient application on how to 
process the communication. Application headers contain data for 
application-specific protocols to help request and convey application-
specific content. Application headers are analogous in the voice 
telephony context to a customer's choices within telephone menus used 
to route calls within an organization (e.g., ``Push 1 for sales. Push 2 
for billing.''). The application header communicates information 
between the application on the end user's device and the corresponding 
application at the other endpoint of the communication. For example, 
application headers for web browsing typically use the Hypertext 
Transfer Protocol (HTTP) and contain the Uniform Record Locator (URL), 
operating system, and web browser; application headers for email 
typically contain the source and destination email addresses. 
Application headers may also include information relating to persistent 
identifiers, use of encryption, and virtual private networks (VPNs). 
Email headers may also include the subject line. The type of 
applications used, the URLs requested, and the email destination all 
convey information intended for use by the edge provider to render its 
service. Application headers can also reveal information about the 
amount of data being conveyed in the packet. BIAS providers may 
configure their networks using application headers for network 
management or security purposes.
    77. Consistent with our decision in the 2013 CPNI Declaratory 
Ruling, we agree with commenters that any information that the BIAS 
provider injects into the application header, such as a unique 
identifier header (UIDH), is also CPNI in the broadband context. BIAS 
providers sometimes append information to application headers, in 
particular HTTP headers, in order to uniquely tag communications with a 
specific subscriber account. Like other application header information, 
these data relate to the technical configuration, type, destination, 
and amount of use of a telecommunications service.
    78. Application Usage. We conclude that information detailing the 
customer's use of applications is CPNI in the broadband context because 
it relates to the type and destination of a telecommunications service. 
Unlike an application payload, which contains the substance of a 
communication in an IP packet, application usage information is data 
that reveals the customer's use of an application more generally. A 
BIAS provider often collects application usage information through its 
provision of service. Sometimes application usage information is 
quantified--similar to traffic statistics--into short-term or long-term 
measurements. Such

[[Page 87284]]

information can reveal the type of applications the customer uses and 
with whom she communicates. As such, to the extent that the BIAS 
provider directs the collection or storage of such information, we 
conclude that it is CPNI. For the reasons discussed above, we disagree 
with commenters who contend that we should not consider such 
information to be CPNI because it is also available to other parties.
    79. Application Payload. We conclude that the application payload, 
which is the part of the IP packet containing the substance of the 
communication between the customer and entity with which the customer 
is communicating, can be considered CPNI. Examples of application 
payloads include the body of a Web page, the text of an email or 
instant message, the video shared by a streaming service, the 
audiovisual stream in a video chat, or the maps served by a ride-
sharing app. It is available to the carrier only because of the 
customer-carrier relationship and can relate to technical 
configuration, type, destination and amount of the use of the 
telecommunications service. BIAS providers are technically capable of 
configuring their networks to scan all parts of the data packet, 
including the payload, to detect security threats and block malicious 
packets. BIAS providers also use various network management techniques 
to minimize network congestion while transmitting application payloads. 
The application payload can help identify the parties to the 
communication (e.g., the online streaming video distributor of a 
streaming video, or the homepage of a news Web site), and thus the 
communication's destination. The payload's size and substance can also 
indicate the amount of data the customer is using, the type of 
communication, and the duration of the use of the service. Another way 
to think of the application payload is as the ``content of the 
communication.'' Because of the importance given to protecting content 
of communications in our legal system, we also discuss content 
separately as its own element of customer proprietary information.
    80. Customer Premises Equipment (CPE) and other Customer Device 
Information. Information pertaining to customer premises equipment 
(CPE) and other customer device information, such as that relating to 
mobile stations, is CPNI in the broadband context because it relates to 
the technical configuration, type, and destination of a 
telecommunications service. The Act defines CPE as ``equipment employed 
on the premises of a person (other than a carrier) to originate, route, 
or terminate telecommunications.'' The Commission has long-understood 
CPE to include customers' mobile devices, such as cell phones. Given 
this precedent, we believe that other consumer devices capable of being 
connected to broadband services, such as smartphones and tablets, also 
fall under the rubric of CPE, along with more traditional CPE such as a 
customer's computer, modem, router, videophone, or IP caption phone. 
However, we also observe that such devices would be considered ``mobile 
stations,'' which the Act defines as ``a radio-communication station 
capable of being moved and which ordinarily does move.'' We disagree 
with commenters that argue that only devices furnished by the BIAS 
provider can qualify as CPE; there is no such limitation in the 
statutory language.
    81. We find that the traits of CPE and other customer devices 
(e.g., model, operating system, software, and/or settings) a customer 
uses relates to the technical configuration and communications 
protocols the BIAS provider uses to interface that device with its 
network, as well as the type of service to which the customer 
subscribes (e.g., fixed or mobile, cable or fiber). CPE and mobile 
station information relates to the destination of the use of BIAS 
because it can identify the endpoint for inbound communications.
    82. We disagree with commenters who argue that we should not 
consider CPE and by extension other customer device information to be 
CPNI because CPE and other customer devices are also used for purposes 
other than BIAS, or because such information may be available to other 
parties. As discussed above, what matters is the nature of the 
information made available to the BIAS provider through its provision 
of service.
    83. We disagree with NTCA, which misinterprets the Bureau-level 
1998 CPNI Clarification Order to argue that the Commission has 
previously found that CPE is not covered by section 222. In the 1998 
CPNI Clarification Order, the Bureau addressed the issue of ``customer 
information independently derived from the carrier's prior sale of CPE 
to the customer or the customer's subscription to a particular 
information service offered by the carrier in its marketing of new 
CPE[.]'' By contrast, here we are addressing information about the CPE 
itself that is made available to the carrier by the customer solely by 
virtue of the carrier-customer relationship, i.e., information derived 
in the course of providing BIAS or another telecommunications service.
    84. Other Types of CPNI. We reiterate that the examples of CPNI 
discussed above are illustrative, not exhaustive. To the extent that 
other types of information satisfy the statutory definition of CPNI, 
those data may also be CPNI, either in the BIAS context or in the 
context of other telecommunications services.
b. Customer Proprietary Information (Customer PI)
    85. Section 222(a) imposes a general duty on all telecommunications 
carriers ``to protect the confidentiality of proprietary information 
of, and relating to, . . . customers.'' ``[P]roprietary information of, 
and relating to, . . . customers'' is information that BIAS providers 
and other telecommunications carriers acquire in connection with their 
provision of service, which customers have an interest in protecting 
from disclosure. We call this information ``customer proprietary 
information'' or ``customer PI.'' Customer PI consists of three non-
mutually-exclusive categories: (1) Individually identifiable customer 
proprietary network information (CPNI), (2) personally identifiable 
information (PII), and (3) content of communications. This 
interpretation of section 222(a) is consistent with other provisions of 
the Communications Act that use the term ``proprietary information,'' 
and with the Commission's use of that term before enactment of Section 
222. As we discuss in more detail below, protecting PII and content is 
at the heart of most privacy regimes and we recognized in TerraCom that 
the Communications Act protects them as customer PI because it 
``clearly encompasses private information that customers have an 
interest in protecting from public exposure.''
    86. As we previously explained, ``[i]n the context of section 222, 
it is clear that Congress used the term `proprietary information' 
broadly to encompass all types of information that should not be 
exposed widely to the public, whether because that information is 
sensitive for economic reasons or for reasons of personal privacy. We 
reaffirm our conclusion that `proprietary information' in section 
222(a), as applied to customers . . . clearly encompass[es] private 
information that customers have an interest in protecting from public 
exposure.'' As such, we disagree with commenters that argue that the 
word ``proprietary'' in section 222(a) means the statute only protects 
information the customer keeps secret from any other party. If only 
secret information qualified as private information, then not even 
Social Security numbers would be

[[Page 87285]]

``proprietary'' and subject to the protections of section 222 and our 
implementing rules. People regularly give their Social Security numbers 
to banks, doctors, utility companies, telecommunications carriers, 
employers, schools, and other parties in order to obtain various 
services--but this does not mean the information is not ``proprietary'' 
to them. To define ``proprietary'' as these commenters propose would 
render section 222(a) at worst meaningless and at best leaving a gap 
whereby sensitive proprietary information like a Social Security number 
would be unprotected.
    87. We disagree with commenters that assert that defining the 
category of customer PI in this way would dramatically expand the scope 
of providers' duties to protect private customer information. Based on 
the record before us, we find that BIAS providers--like other 
telecommunications carriers--are already on notice that they have a 
duty to keep such information secure and confidential based on, among 
other things, FTC guidance that applied to them prior to the 
reclassification of broadband in the 2015 Open Internet Order. 
According to FTC staff, ``[t]o date, the FTC has brought over 500 cases 
protecting the privacy and security of consumer information.'' We have 
held providers responsible for protecting these private data under 
section 222(a). In TerraCom, we also found that the failure to protect 
customer's private information was an unjust and unreasonable practice 
under section 201(b). Likewise, providers have been required to protect 
the content of communications for decades. Moreover, customers 
reasonably expect and want their providers to keep these data secure 
and confidential. Surveys reflect that 74 percent of Americans believe 
it is ``very important'' to be in control over their own information; 
as a Pew study found, ``[i]f the traditional American view of privacy 
is the `right to be left alone,' the 21st-century refinement of that 
idea is the right to control their identity and information.'' We agree 
with the Center for Democracy & Technology that ``[e]xcluding PII from 
the proposed rules would be contrary to decades of U.S. privacy 
regulation and public policy.'' We also observe that omitting PII from 
the scope of these rules would result in a gap in protection for PII 
under the Act's primary privacy regime for telecommunications services. 
Thus, were PII not included within the scope of customer PI, sensitive 
PII like Social Security numbers or private medical records would 
receive fewer protections than a broadband plan's monthly data 
allowance, a result we do not think intended by Congress. We discuss 
and define PII below.
c. Personally Identifiable Information (PII)
    88. Protecting personally identifiable information is at the heart 
of most privacy regimes. Historically, legal definitions of PII have 
varied. Some incorporated checklists of specific types of information; 
others deferred to auditing controls. Privacy protections must evolve 
and improve as technology--and our understanding of its potential--
evolves and improves. Our definition incorporates this modern 
understanding of data privacy and tracks the FTC, the Administration's 
proposed CPBR, and National Institute of Standards and Technology 
(NIST) guidelines on PII.
    89. We define personally identifiable information, or PII, as any 
information that is linked or reasonably linkable to an individual or 
device. Information is linked or reasonably linkable to an individual 
or device if it can reasonably be used on its own, in context, or in 
combination to identify an individual or device, or to logically 
associate with other information about a specific individual or device. 
The ``linked or reasonably linkable'' standard for determining the 
metes and bounds of personally identifiable information is well 
established and finds strong support in the record. In addition to 
NIST, CPBR, and the FTC, the Department of Education, the Securities 
and Exchange Commission, the Department of Defense, the Department of 
Homeland Security, the Department of Health and Human Services, and the 
Office of Management and Budget all use a version of this standard in 
their regulations and policies.
    90. We agree with the FTC staff that ``[w]hile almost any piece of 
data could be linked to a consumer, it is appropriate to consider 
whether such a link is practical or likely in light of current 
technology.'' While we recognize that `` `[i]dentifiable' information 
is increasingly contextual''--especially when a provider can cross-
reference multiple types and sources of information--anchoring the 
standard to a mere ``possibility of logical association'' could result 
in ``an overly-expansive definition.'' Thus, we adopt the 
recommendation of the FTC staff and others to add the term 
``reasonably'' to our proposed ``linked or linkable'' definition of 
PII. This conclusion has broad support in the record.
    91. We also adopt the FTC staff recommendation that PII should 
include information that is linked or reasonably linkable to a customer 
device. As discussed above, devices in the BIAS context include a 
customer's smartphone, tablet, computer, modem, router, videophone, IP 
caption phone, and other consumer devices capable of connecting to 
broadband services. We agree with the FTC staff that ``[a]s consumer 
devices become more personal and associated with individual users, the 
distinction between a device and its user continues to blur.'' The 
Digital Advertising Alliance likewise recognizes the connection between 
individuals and devices, stating in its guidance that information 
``connected to or associated with a particular computer or device'' is 
identifiable. While some commenters argue that we should not include 
information linkable to a device in the definition of PII, we find that 
such identifiers are often and easily linkable to an individual, as we 
discussed above.
    92. We disagree with commenters that argue that PII should only 
include information that is sensitive or capable of causing harm if 
disclosed. The ability of information to identify an individual defines 
the scope of PII. Whether or not any particular PII is sensitive or 
capable of causing harm if disclosed is a separate question from the 
definitional question of identifiability. We address the treatment of 
sensitive versus non-sensitive information below.
    93. We agree with commenters that we should offer illustrative, 
non-exhaustive examples of PII. We have analyzed descriptions of PII in 
the record, our prior orders, NIST, the FTC, the Administration's 
proposed CPBR, and other federal and state statutes and regulations. We 
find that examples of PII include, but are not limited to: Name; Social 
Security number; date of birth; mother's maiden name; government-issued 
identifiers (e.g., driver's license number); physical address; email 
address or other online contact information; phone numbers; MAC 
addresses or other unique device identifiers; IP addresses; and 
persistent online or unique advertising identifiers. Several of these 
data elements may also be CPNI. OTI asks us to clarify the meaning of 
``other online contact information.'' The term is meant to be 
technology neutral and encompass other methods of BIAS-enabled direct 
messaging.
    94. We disagree with commenters that argue that we should not 
consider MAC addresses, IP addresses, or device identifiers to be PII. 
First, as discussed above, a customer's IP address and MAC

[[Page 87286]]

address each identify a discrete customer and/or customer device by 
routing communications to a specific endpoint linked to the customer. 
Information does not need to reveal an individual's name to be linked 
or reasonably linkable to that person. A unique number designating a 
discrete individual--such as a Social Security number or persistent 
identifier--is at least as specific as a name. In many cases, a unique 
numerical identifier will be more specific than the person's actual 
name. Second, MAC addresses, IP addresses, and other examples of PII do 
not need to be able to identify an individual in a vacuum to be linked 
or reasonably linkable. BIAS providers can combine this information 
with other information to identify an individual (e.g., the BIAS 
provider's records of which IP addresses were assigned to which 
customers, or traffic statistics linking MAC addresses with other 
data). In situations where the BIAS provider sold or leased a device to 
a customer--such as a smartphone, modem, or router--the provider could 
associate device identifiers with the customer from its records. As the 
Supreme Court has observed, ``[w]hat may seem trivial to the 
uninformed, may appear of great moment to one who has a broad view of 
the scene and may put the questioned item of information in its proper 
context.''
    95. Customer Contact Information--Names, Addresses, and Phone 
Numbers of Individuals. Names, addresses, telephone numbers, and other 
information that is used to contact an individual are classic PII 
because they are linked or reasonably linkable to an individual or 
device. Some commenters argue that contact information is not protected 
under section 222 because ``Subscriber list information'' is exempt 
from the choice requirements for CPNI under section 222(e). However, 
subscriber list information, a relatively small subset of customer 
contact information, was subject to other considerations at the time of 
enactment.
    96. Subscriber list information is defined in the statute as ``any 
information (A) identifying the listed names of subscribers of a 
carrier and such subscribers' telephone numbers, addresses, or primary 
advertising classifications (as such classifications are assigned at 
the time of the establishment of such service), or any combination of 
such listed names, numbers, addresses, or classifications; and (B) that 
the carrier or an affiliate has published, caused to be published, or 
accepted for publication in any directory format.'' Through this 
definition, Congress recognized that a dispositive factor is whether 
the information has been published or accepted for publication in a 
directory format.
    97. The legislative history shows that Congress created a narrow 
carve out from the definition of CPNI for subscriber list information 
in order to protect the longstanding practice of publishing telephone 
books and to promote competition in telephone book publishing. The 
legislative history is clear that Congress did not intend for 
subscriber list information ``to include any information identifying 
subscribers that is prepared or distributed within a company or between 
affiliates or that is provided to any person in a non-public manner.'' 
Instead, Congress intended subscriber list information to be ``data 
that local exchange carriers traditionally and routinely make public. 
Subscribers have little expectation of privacy in this information 
because, by agreeing to be listed, they have declined the opportunity 
to limit its disclosure.'' Based on this legislative history, we find 
that the phrase ``published, caused to be published, or accepted for 
publication in any directory format'' is best read as limited to 
publicly available telephone books of the type that were published when 
Congress enacted the statute, or their direct equivalent in another 
medium, such as a Web site republishing the contents of a publicly 
available telephone book.
    98. Unlike landline voice carriers, neither mobile voice carriers 
nor broadband providers publish publicly-available directories of 
customer information. Nor does the record reflect more than speculation 
about any future interest in publishing directories. Because publishing 
of broadband customer directories is neither a common nor a long-
standing practice, we find that broadband customers have no expectation 
that that they are consenting to the public release of their name, 
postal address, or telephone number when they subscribe to BIAS. We 
therefore conclude that a directory of BIAS customers' names, 
addresses, and phone numbers would not constitute information published 
in a ``directory format'' within the meaning of the statute, and 
therefore there is no ``subscriber list information'' in the broadband 
context. As such, we disagree with commenters who ask us to ignore the 
publication requirement in order to exempt names, addresses, telephone 
numbers, and IP addresses from these rules.
    99. We recognize that the Commission has previously found that 
names, addresses, and telephone numbers are not CPNI, even when not 
published as subscriber list information. However, the Commission has 
not analyzed whether such customer contact information is PII, and 
therefore subject to protections under section 222(a). As discussed 
above, we make clear today that it is PII. As PII, this information is 
subject to our customer choice rules, discussed in detail below. Our 
customer choice rules will continue to allow this information to be 
used to publish publicly available telephone directories, consistent 
with the current practice of allowing customers to keep their 
information unlisted.
    100. Harmonization. We agree with the American Cable Association 
and various small providers who urge us to harmonize our BIAS and voice 
definitions under Section 222. Having one uniform set of definitions 
will simplify compliance and reduce consumer confusion. This is 
especially true for small providers who collect less customer 
information, use it for narrower purposes, and do not have the 
resources to maintain a bifurcated system. Consequently, we extend this 
definition of PII to all section 222 contexts.
d. Content of Communications
    101. We find that the Act protects the content of communications as 
customer PI. Content is a quintessential example of a type of 
``information that should not be exposed widely to the public . . . 
[and] that customers expect their carriers to keep private.'' Content 
is highly individualistic, private, and sensitive. Except in limited 
circumstances where savvy customers deploy protective tools, BIAS 
providers often have access to at least some, if not most, content 
through their provision of service. BIAS providers' inability to access 
encrypted content is irrelevant; what matters is the information the 
BIAS providers can access. Moreover, even when traffic is encrypted, 
some content may remain visible or inferable to the provider. We agree 
with FTC staff that ``[c]ontent data can be highly personalized and 
granular, allowing analyses that would not be possible with less rich 
data sets.'' In recognition of its importance, Congress has repeatedly 
and emphatically protected the privacy of communications content in 
various legal contexts, expressly prohibiting service providers from 
disclosing the contents of communications they carry, subject to 
statutorily enumerated exceptions, since at least 1912. We agree with 
commenters that ``Americans do not expect their broadband providers to 
be reading their electronic communications any more than they expect 
them to be

[[Page 87287]]

keeping a list of their correspondents.'' The same rationale that 
supports the treatment of the content of BIAS communications as 
customer PI supports the treatment of the content carried through other 
telecommunications services as customer PI.
    102. Definition of Content. At the outset, we define content as any 
part of the substance, purport, or meaning of a communication or any 
other part of a communication that is highly suggestive of the 
substance, purpose, or meaning of a communication. We sought comment on 
how to define content in the NPRM, but received no substantive 
recommendations; consequently we base our definition on the long-
established terminology of ECPA and Section 705. We recognize that 
sophisticated monitoring techniques have blurred the line between 
content and metadata, with metadata increasingly being used to make 
valuable determinations about users previously only possible with 
content. This has complicated traditional notions of how to define and 
treat content. We intend our definition to be flexible enough to 
encompass any element of the BIAS communication that conveys or implies 
any part of its substance, purport, or meaning. As a definitional 
matter, content in an inbound communication is no different from 
content in an outbound communication. As discussed above, because the 
categories of customer PI are not mutually exclusive, some content may 
also satisfy the definitions of CPNI and/or PII. Because we conclude 
that section 222(a) protects content as its own category of customer 
PI, we need not determine which types of content are also CPNI or PII.
    103. Multiple components of an IP data packet may constitute or 
contain BIAS content. First and foremost, we agree with commenters that 
the application payload is always content. As discussed above, the 
application payload is the part of the IP packet containing the 
substance of the communication between the customer and the entity with 
which she is communicating. Examples of application payloads include 
the body of a Web page, the text of an email or instant message, the 
video served by a streaming service, the audiovisual stream in a video 
chat, or the maps served by a ride-sharing app. BIAS providers' use of 
application payloads for network management is also one reason why BIAS 
content is not wholly equivalent to telephone conversations. Voice 
carriers do not scan a phone conversation to secure the network or 
reduce congestion. Application payloads in the broadband Internet 
context are far more sophisticated and complex than mere audio 
transmissions over a telephone line. However, other portions of the 
packet also may contain content. For example, as discussed above, the 
application header may reveal aspects of the application payload from 
which the content may be easily inferred--such as source and 
destination email addresses or Web site URLs. Application usage 
information may also reveal content by disclosing the applications 
customers use or the substance of how they use them. We agree with FTC 
Staff that BIAS content includes, but is not limited to, the ``contents 
of emails; communications on social media; search terms; Web site 
comments; items in shopping carts; inputs on web-based forms; and 
consumers' documents, photos, videos, books read, [and] movies 
watched[.]'' We emphasize that our examples of BIAS content are not 
exhaustive and others may manifest over time as analytical techniques 
improve.
    104. We reject arguments that protecting BIAS content under section 
222 is unnecessary or unlawful because section 705 of the Act, and the 
Electronic Communications Privacy Act (ECPA) or the Communications 
Assistance for Law Enforcement Act (CALEA), already protect content. 
Commenters do not claim that these various other laws are mutually 
exclusive with each other, belying the notion that the existence of 
multiple sources of authority in this area is inherently a problem. 
Instead, we find that section 222 complements these other laws in 
establishing a framework for protecting the content carried by 
telecommunications carriers. Given the importance of protecting 
content, it is reasonable to interpret section 222 as creating 
additional, complementary protection. Similarly, for example, both the 
Children's Online Privacy Protection Act and the Video Privacy 
Protection Act may protect videos that young children watch online.
    105. We also disagree with the argument that because the data 
protected by section 705 ``bear scant resemblance'' to content or other 
forms of customer PI, our interpretation of section 222 is erroneous. 
Congress can enact two statutory provisions that contain different 
scopes, and it is a cardinal principle of statutory construction that 
we should attempt to give meaning to both. Any incongruity between the 
scope of sections 222 and 705 only demonstrates that the statutes are 
complementary and part of Congress's broad scheme to protect customer 
privacy. Sections 222 and 705 independently require telecommunications 
carriers to protect communications content.
4. De-Identified Data
    106. In this section we describe a corollary regarding the 
circumstances in which information that constituted customer PI (i.e., 
PII, content, or individually identifiable CPNI) can comfortably be 
said to have been de-identified. As discussed below, based on the 
record we are concerned that carriers not be allowed to skirt the 
protections of our rules by making unsupported assertions that customer 
PI has been ``de-identified'' and thus is not subject to our consent 
regime, when in fact the information remains reasonably linkable to an 
individual or device. As 38 public interest organizations pointed out 
in a joint letter, ``[i]t is often trivial to re-identify data that has 
supposedly been de-identified.'' We accordingly adopt a strong, multi-
part approach regarding the circumstances under which carriers can 
properly consider data to be de-identified, using the three part test 
for de-identification articulated by the FTC in 2012. The 
Administration's CPBR also uses this standard. Specifically, we find 
that customer proprietary information is de-identified if the carrier 
(1) determines that the information is not reasonably linkable to an 
individual or device; (2) publicly commits to maintain and use the data 
in a non-individually identifiable fashion and to not attempt to re-
identify the data; and (3) contractually prohibits any entity to which 
it discloses or permits access to the de-identified data from 
attempting to re-identify the data. As discussed in greater detail 
below, this third part of the test applies to entities with which the 
provider contracts to share de-identified customer information. It does 
not apply to the general disclosure or publication of highly aggregated 
summary statistics that cannot be disaggregated--for example, the use 
of statistics in advertisements (e.g., ``We offer great coverage in 
rural areas, because that is where 70% of our customers live.'') We 
apply these requirements to both BIAS and other telecommunications 
services. The record does not demonstrate a need to treat de-identified 
information differently in the voice context versus the BIAS context. 
We agree with the Greenlining Institute and other commenters that a 
uniform regime, ``is easier for the carriers, easier [for] enforcement, 
and easier for customers to understand[.]''

[[Page 87288]]

a. Adoption of the FTC's Multi-Part Test
    107. The record reflects that advances in technology and data 
analytics make it increasingly difficult to de-identify information 
such that it is not re-identifiable. The Administration's 2014 Big Data 
Report observed that ``[m]any technologists are of the view that de-
identification of data as a means of protecting individual privacy is, 
at best, a limited proposition.'' As the Electronic Privacy Information 
Center notes, ``[w]idely-publicized anonymization failures have shown 
that even relatively sophisticated techniques have still permitted 
researchers to identify particular individuals in large data sets.'' We 
also agree with the FTC's conclusion in its 2012 Privacy Report that 
``not only is it possible to re-identify non-PII data through various 
means, businesses have strong incentives to actually do so.''
    108. For these reasons, our approach to de-identification 
establishes a strong, technology-neutral standard as well as safeguards 
to mitigate the incentives to re-identify customers' proprietary 
information. Furthermore, because companies, including BIAS providers, 
have incentives to re-identify customer information so that it can be 
further monetized, we agree with Privacy Rights Clearinghouse that the 
burden of proving that individual customer identities and 
characteristics have been removed from the data must rest with the 
provider. Taking this burden assignment into account, we find that our 
multi-part approach, grounded in FTC guidance, will ensure that as 
technology changes, customer information is protected, while at the 
same time minimizing burdens and maintaining the utility of de-
identified customer information.
    109. As such, we disagree with those commenters who urge us to use 
a different de-identification framework, such as that used in the HIPAA 
safe harbor context. We find that the framework we adopt enables 
flexibility to accommodate evolving technology and statistical methods. 
In contrast, we find that developing a list of identifiers that must be 
removed from data to render such data de-identified is not feasible 
given the breadth of data to which BIAS providers have access, and 
would also rapidly become obsolete in the evolving broadband context.
    110. The three-part test we adopt today for de-identification also 
contemplates the statutory exception for ``aggregate customer 
information,'' as it defines the circumstances in which the Commission 
will find that ``individual customer identities and characteristics 
have been removed'' from collective data. Likewise, our approach 
addresses arguments in the record that the Commission must give meaning 
to the fact that the customer approval requirement of section 222(c)(1) 
applies to ``individually identifiable'' CPNI, as our test for de-
identification addresses whether an individual's CPNI or PII will not 
be deemed to be individually identifiable in practice due to steps 
taken by the carrier prior to using or sharing the data.
(i) Part One--Not Reasonably Linkable
    111. First, for information to be de-identified under our rules, we 
require providers to determine that the information is not linked or 
reasonably linkable to an individual or device. Because we are 
describing the scope of what is identifiable, we think it is 
appropriate to use the same standard that we use to define personally 
identifiable information (PII). Above we define PII as information that 
is linked or reasonably linkable to an individual or device, and 
conversely we find it appropriate to limit de-identified information to 
information that is not linked or reasonably linkable to an individual 
or device. As we discussed above in our definition of PII, we agree 
with commenters that the ``linked or reasonably linkable'' standard--
used by the FTC in its Privacy Report--provides useful guidance on what 
it means for information to be individually identifiable without being 
either overly rigid or vague. As we discussed above, information is 
linked or reasonably linkable to an individual or device if it can 
reasonably be used on its own, in context, or in combination (1) to 
identify an individual or device, or (2) to logically associate with 
other information about a specific individual or device. New methods 
are increasingly capable of re-identifying information previously 
thought to be sufficiently anonymized. For these reasons, we will not 
specify an exhaustive list of identifiers, nor will we declare certain 
techniques to be per se sufficient or insufficient to achieve de-
identification. The test instead focuses on the outcome required, that 
is, that to be de-identified, the data must no longer be linked or 
reasonably linkable to an individual or device. We also agree with AT&T 
that we should not ``dictate specific approaches to de-identifying 
data'' because ``[a]ny Commission-mandated approach would quickly 
become obsolete as new de-identification techniques are developed.''
    112. We make clear that reasonableness depends on ease of re-
identification, not the cost of de-identification. As discussed above, 
customers' privacy interests include many noncommercial values, such as 
avoidance of embarrassment, concern for one's reputation, and control 
over the context of disclosure of one's information. The decisive 
question here is not how difficult it is to de-identify the 
information, but rather the ease with which the information could be 
re-identified. The FTC's linkability standard aligns with our approach: 
``[W]hat qualifies as a reasonable level of [de-identification] depends 
upon the particular circumstances, including the available methods and 
technologies. In addition, the nature of the data at issue and the 
purposes for which it will be used are also relevant.''
    113. Consistent with the FTC's guidance and the carrier's burden to 
prove that information is in fact de-identified, if carriers choose to 
maintain customer PI in both identifiable and de-identified formats, 
they must silo the data so that one dataset is not reasonably linkable 
to the other. Cross-referencing the datasets links the de-identified 
information with an identified customer, thus rendering the de-
identified information linked or reasonably linkable. We agree with 
Verizon that ``providers should not be allowed to use de-identification 
and re-identification to circumvent consumers' privacy choices.''
    114. We disagree with commenters who argue that the linkability 
standard should apply only to individuals and should not extend to 
devices. As explained above, we agree with the FTC staff that ``[a]s 
consumer devices become more personal and associated with individual 
users, the distinction between a device and its user continues to 
blur.'' This is not an uncommon conclusion in the Internet ecosystem; 
the Digital Advertising Alliance also recognizes the connection between 
individuals and devices in its definition of de-identification, stating 
that ``[d]ata has been De-Identified when . . . the data cannot 
reasonably . . . be connected to or associated with a particular 
computer or device.''
    115. Similarly, for the reasons discussed above, we disagree with 
commenters who argue that IP addresses and MAC addresses should not be 
considered reasonably linkable to an individual or device on the theory 
that ``[t]hey only identify Internet endpoints, each of which, in turn, 
may reach multiple people or devices.'' The question in this test is 
whether the information in question is reasonably linkable to an 
individual or device. Consider, for example, a typical fixed 
residential customer. The BIAS provider

[[Page 87289]]

assigns that customer an IP address, and associates that customer with 
that IP address in its records. It is difficult to portray that 
scenario as not involving PII. On the other hand, if the BIAS provider 
shares the IP address with a third party without other identifying 
information, it may well be the case that the provider has not shared 
information that is ``reasonably linkable'' to an individual or device. 
Again, when confronted with the question, the Commission will look at 
all facts available and make a pragmatic determination of whether the 
information in question is ``reasonably linkable'' to an individual or 
device. NCTA expresses concern that finding that IP addresses can 
constitute PII will undermine judicial precedent under the Video 
Privacy Protection Act. As noted, we are not making categorical 
findings, but rather are looking to the ``reasonably linkable'' 
standard in finding whether information constitutes PII. We also 
observe that we are confronted with interpreting section 222 of the 
Communications Act and its requirements concerning the protection of 
``proprietary information of, and relating to, . . . customers.'' This 
is distinct from the language of the VPPA, which more specifically 
defines PII as ``information which identifies a person as having 
requested or obtained specific video materials or services from a video 
tape service provider.'' Accordingly, a Commission finding that certain 
information is or is not PII for purposes of section 222 of the 
Communications Act does not answer the question of whether or not a 
court should consider that information to be PII under the VPPA or any 
other statutory provision.
(ii) Part Two--Public Commitments
    116. Second, for information to meet our definition of de-
identified, carriers must publicly commit to maintain and use de-
identified information in a de-identified fashion and to not attempt to 
re-identify the data. Such public commitments inform customers of their 
legal rights and the provider's practices, and ``promot[e] 
accountability.'' As we discussed above, this level of transparency is 
a cornerstone of privacy best practices generally and these rules 
specifically. As such, we disagree with commenters who argue that such 
public commitments are unnecessary. This part of the test is consistent 
with FTC guidance--which has broad support in the record--and the CPBR. 
We agree that ``[c]ompanies that can demonstrate that they live up to 
their privacy commitments have powerful means of maintaining and 
strengthening consumer trust.'' Further, we find that this requirement 
will impose a minimal burden on providers, as a carrier can satisfy 
this requirement with a statement in its privacy policy.
(iii) Part Three--Contractual Limits on Other Entities
    117. Third, for information to meet our definition of de-
identified, we require telecommunications carriers to contractually 
prohibit recipients of de-identified information from attempting to re-
identify it. This requirement is consistent with the FTC's de-
identification guidelines and the Administration's CPBR, as well as 
industry best practices. The DAA guidance also requires that these 
commitments from recipients of the data be passed along to any further 
downstream recipients as well, which we support.
    118. Businesses are often in the best position to control each 
other's practices. For example, AT&T's Privacy FAQ explains, ``When we 
provide individual anonymous information to businesses, we require that 
they only use it to compile aggregate reports, and for no other 
purpose. We also require businesses to agree they will not attempt to 
identify any person using this information . . . .'' The record 
demonstrates that such contractual prohibitions are an important part 
of protecting consumer privacy because re-identification science is 
rapidly evolving. We agree with Verizon and other commenters that 
``anyone with whom the provider shares such de-identified data should 
be prohibited from trying to re-identify it.'' It is our expectation 
that carriers will need to monitor their contracts to maintain the 
carriers' continued adherence to these requirements. Consequently, we 
need not adopt a separate part of the test to delineate monitoring 
requirements. Further, we observe that third parties will have every 
incentive to comply with their contractual obligations to avoid both 
civil liability and enforcement actions by the FTC or the Commission 
(depending on the agency with authority over the third party). If 
violations occur, we expect carriers to take steps to protect the 
confidentiality of customer's proprietary information.
    119. We agree with commenters who recommend a narrow clarification 
to the third part of the de-identification framework in situations 
involving disclosure of highly abstract statistical information. These 
situations include, for example, mass market advertisements or annual 
reports that reference the total number of subscribers or the 
percentage of customers at certain speed thresholds. AT&T explains that 
these scenarios can involve customer information that is so ``highly 
abstract[ed]'' that it is, ``in many circumstances, simply impossible'' 
to re-identify the data. Professor Narayanan concurs, noting that when 
statistical data is highly abstract, there is minimal risk of re-
identification. We agree. Consequently, we will not require contractual 
commitments when the de-identified customer information is so highly 
abstracted that a reasonable data science expert would not consider it 
possible to re-identify it.
    120. A number of commenters also ask for a narrow exception to this 
part of the de-identification test for the purposes of various types of 
cybersecurity or de-identification research. As explained below, we 
find that certain uses and disclosures of customer PI for the purpose 
of conducting research to improve and protect networks and/or services 
are part of the telecommunications service or ``necessary to, or used 
in'' the provision of the telecommunications service for the purposes 
of these rules. Since telecommunications carriers must be able to 
provide secure networks to their customers, we include security 
research within the scope of research allowed under this limitation. 
Security research also falls under the exception covered in Part 
III.D.2.b, infra, regarding uses of customer PI to protect the rights 
and property of a carrier, or to protect users from fraud, abuse, or 
unlawful use of the networks.
(iv) Case-by-Case Application
    121. In adopting a technology-neutral standard to determine whether 
otherwise personally identifiable customer PI has been de-identified, 
we have eschewed an approach that finds particular techniques to be per 
se acceptable or unacceptable. We accordingly need not resolve the 
longstanding debate in the broader privacy literature concerning the 
circumstances under which data may be said to be reasonably de-
identified, including the specific debate in the record concerning the 
appropriate role of aggregation. That said, by adopting the three-part 
test, we have made clear that a carrier cannot ``make an end-run around 
privacy rules simply by removing certain identifiers from data, while 
leaving vast swaths of customer details largely intact.'' As Professor 
Ohm has stated, the FTC guidance on which we pattern our standard is 
``a very aggressive and appropriately strong form of de-
identification'' and it is one that requires strong technological 
protections as well as business processes in its implementation. The

[[Page 87290]]

Commission will carefully monitor carriers' practices in this area. We 
emphasize that carriers relying on de-identification for use and 
sharing of customer proprietary information should employ well-
accepted, technological best practices in order to meet the three-part 
test described above--and employ practices that keep pace with evolving 
technology and privacy science.

C. Providing Meaningful Notice of Privacy Policies

    122. In this section, we adopt privacy policy notice requirements 
for providers of broadband Internet access services and other 
telecommunications services. There is broad recognition of the 
importance of transparency as one of the core fair information practice 
principles (FIPPs), and it is an essential component of many privacy 
laws and regulations, including the Satellite and Cable Privacy Acts. 
Customer notification is also among the least intrusive and most 
effective measures at our disposal for giving consumers tools to make 
informed privacy decisions. In fact, it is only possible for customers 
to give informed consent to the use of their confidential information 
if telecommunications carriers give their customers easy access to 
clear and conspicuous, comprehensible, and not misleading information 
about what customer data the carriers collect; how they use it; who it 
is shared with and for what purposes; and how customers can exercise 
their privacy choices. Therefore, we adopt rules to ensure that BIAS 
providers' and other telecommunications carriers' privacy notices meet 
these essential criteria, which provide transparency and enable the 
exercise of choice.
    123. In adopting these transparency requirements, we build on and 
harmonize our existing section 222 rules for voice providers with BIAS 
providers' existing requirement to disclose their privacy policy under 
the 2010 and 2015 Open Internet Orders. For today's rules, we look to 
the record in this proceeding, which includes submissions from 
providers, consumer advocates, other government agencies, and others 
about what does and does not work with respect to privacy policies. We 
observe in particular that notice is fundamental to the FTC's privacy 
regime, acting as a basis for its implementation of FIPPs and forming 
required components of their enforcement proceedings. Based on that 
record, we adopt rules that require providers to disclose their privacy 
practices, but decline to be prescriptive about either the format or 
specific content of privacy policy notices in order to provide 
flexibility to providers and to minimize the burden of compliance 
levied by this requirement. Moreover, the record reflects that many 
BIAS providers and other telecommunications carriers already provide 
thorough notice of their privacy practices. In the interest of further 
minimizing the burden of transparency, particularly for small 
providers, we also direct the Consumer Advisory Committee to convene a 
multi-stakeholder process to develop a model privacy policy notice that 
will serve as a safe harbor for our notice requirements.
    124. We recognize that some commenters have criticized privacy 
notice requirements as providing incomplete protections for consumers. 
Notices by themselves do not give consumers the power to control their 
information; notices are not always read or understood, and newer 
developments in tracking and analytics can reveal more about consumers 
than most people realize. However, none of these criticisms eliminates 
the fundamental need for and benefit of privacy notices. If consumers 
do not have access to the information they need to understand what 
personal data is being collected and how their data is being used and 
shared, they cannot make choices about those practices. The fact that 
poorly written or poorly distributed notices can confound consumer 
understanding does not make well-formed notices useless, and while one 
consumer may ignore a notice, another who has a compelling desire to 
protect her privacy will benefit substantially from it. Notice also 
remains an essential part of today's privacy frameworks, even as big 
data analysis creates new privacy challenges. As the recent 
Administration Big Data Report explains, notice and choice structures 
may not be sufficient to account for all privacy effects of ``big 
data,'' but such frameworks are necessary to protect consumers from a 
range of active privacy threats.
    125. Below we lay out the specific transparency requirements we 
adopt today. First, we require that those privacy notices inform 
customers about what confidential information the providers collect, 
how they use it, and under what circumstances they share it. We also 
require that providers inform their customers about customers' rights 
to opt in to or out of (as the case may be) the use or sharing of their 
confidential information. This information must be presented in a way 
that is clear and conspicuous, in language that is comprehensible and 
not misleading. We will consider information to be misleading if it 
includes material misrepresentations or omissions. Second, we require 
that providers present their privacy notice to customers at the point 
of sale prior to the purchase of service, and that they make their 
privacy policies persistently available and easily accessible on their 
Web sites, apps, and the functional equivalents thereof. Finally, we 
require providers to give their customers advance notice of material 
changes to their privacy policies. In adopting these transparency 
rules, we are implementing, in part, sections 222(a) and 222(c)(1), 
under which we find that supplying customers with the information they 
need to make informed decisions about the use and sharing of their 
personal information is an element of ``informed'' approval within the 
meaning of section 222, as well as necessary to protecting the 
confidentiality of customer proprietary information.
1. Required Privacy Disclosures
    126. Customers must have access to information about the personal 
data that a BIAS provider or other telecommunications carrier collects, 
uses, and shares, in order to make decisions about whether to do 
business with that provider, and in order to exercise their own privacy 
decisions. Absent such notice, the broad range of data that a provider 
is capable of gathering by virtue of providing service could leave 
customers with only a vague concept of how their privacy is affected by 
their service provider. We also agree with the FTC that disclosing this 
information ``provides an important accountability function,'' as 
disclosure of this information ``constitute[s] public commitments 
regarding companies' data practices.'' To enable customers to exercise 
informed choice, and to reduce the potential for confusion, 
misunderstanding, and carrier abuse, we find that a carrier's privacy 
notices must accurately describe the carrier's privacy policies with 
regard to its collection, use, and sharing of its customers' data. 
Therefore, we adopt rules that require each telecommunications 
carrier's notice of privacy policies to accurately specify and 
describe:
     The types of customer PI that the carrier collects by 
virtue of its provision of service, and how the carrier uses that 
information;
     Under what circumstances a carrier discloses or permits 
access to each type of customer PI that it collects, including the 
categories of entities to which the carrier discloses or permits access 
to customer PI and the purposes for which the customer PI will be used 
by each category of entities; and

[[Page 87291]]

     How customers can exercise their privacy choices.
    We address each of these requirements in turn.
    127. Types of Customer PI Collected, and How It Is Used. In order 
to make informed decisions about their privacy, customers must first 
know what types of their information their provider collects through 
the customers' use of the service. Therefore, we require BIAS providers 
and other telecommunications carriers to specify the types of customer 
PI that they collect by virtue of provision of the telecommunications 
service, and how they use that information. Pursuant to the voice rules 
and the 2010 Open Internet Order, all BIAS providers already provide 
customers with information about their privacy policies. As such, we 
find that this requirement will not impose a significant burden on 
providers, and in some cases will decrease existing burdens.
    128. Likewise, customers have a right to know how their information 
is being used and under what circumstances it is being disclosed in 
order to make informed privacy choices. Notices that omit these 
explanations fail to provide the context that customers need to 
exercise their choices. We emphasize that the notice must be 
sufficiently detailed to enable a reasonable consumer to make an 
informed choice
    129. We do not require providers to divulge the inner workings of 
their data use programs. Instead, we find that to the extent that the 
notice requires providers to divulge the existence of such programs, 
the benefits to the market of more complete information, as well as the 
benefits to customers in knowing how their information is used, 
outweighs any individual advantage gained by any one competitor in 
keeping the existence of the programs secret. We therefore disagree 
with commenters that argue that these descriptions of how consumers' 
information will be used unduly jeopardize their competitive efforts.
    130. Sharing of Customer PI with Affiliates and Third Parties. We 
also require that providers' privacy policies notify customers about 
the types of affiliates and third parties with which they share 
customer information, and the purposes for which the affiliates and 
third parties will use that information. A critical part of deciding 
whether to approve of the sharing of information is knowing who is 
receiving that information and for what purposes. This information will 
allow customers to gauge their comfort with the privacy practices and 
incentives of those other entities, whether they are affiliates or 
third parties. It will also promote customer confidence in their 
telecommunications service by providing concrete information and 
reducing uncertainty as to how their information is being used by the 
various parties in the data-sharing and marketing ecosystems. While our 
existing CPNI rules are more specific in requiring that individual 
entities be disclosed, we seek to minimize customer confusion and 
provider burden by adopting an approach used by the FTC by allowing 
disclosure of categories of entities. We also encourage carriers to 
make these categories of entities as useful and understandable to 
customers as possible. By way of example, the FTC's regulations 
implementing the GLBA privacy rules will find a covered institution in 
compliance with its rules if it lists particular categories of third 
party entities that it shares information with, distinguishing, for 
instance, between financial services providers, other companies, and 
other entities. The FTC's rules further specify that institutions 
should provide examples of businesses in those categories. In the 
context of communications customers' information, relevant categories 
might include providers of communications and communications-related 
services, customer-facing sellers of other goods and services, 
marketing and advertising companies, research and development, and 
nonprofit organizations.
    131. We find that requiring providers to disclose categories of 
entities with which they share customer information and the purposes 
for which the customer PI will be used by each category of entities 
balances customers' rights to meaningful transparency with the reality 
of changing circumstances and the need to avoid overlong or over-
frequent notifications. Because we harmonize these rules across BIAS 
and other telecommunications services, we eliminate the requirement 
that telecommunications services specify the ``specific entities'' that 
receive customer information in their notices of privacy policies 
accompanying solicitations for customer approval. We therefore reject 
calls to mandate disclosure of a list of the specific entities that 
receive customer PI. While some customers may benefit from receiving 
such detailed information, we are persuaded by commenters who assert 
that requiring such granularity would be unduly burdensome on carriers 
and induce notice fatigue in many customers. For instance, carriers 
would be faced with the near-continuous need to provide new notices 
every time contracts with particular vendors change or if third parties 
alter their corporate structure--and customers, in turn, would be 
inconvenienced with an overabundance of notices. Furthermore, a list of 
specific entities may not in itself aid the average consumer in making 
a privacy decision more than the requirement that we adopt, which 
ensures that consumers understand what third parties that receive their 
information do as a general matter. We therefore adopt the requirement 
that carriers need only provide categories of entities with whom 
customer PI is shared, minimizing the burden on telecommunications 
carriers. If a provider finds that providing notice of the specific 
entities with which it shares customer PI would increase customer 
confidence, nothing prevents a provider from doing so, and we would 
encourage notices to include as much useful information to customers as 
possible, while maintaining their clarity, concision, and 
comprehensibility, as discussed in Part III.C.3, below. Doing so does 
not require bombarding customers with pages of dense legal language; 
providers may make use of layered privacy notices or other techniques 
to ease comprehension and readability as necessary.
    132. Customers' Rights with Respect to Their PI. We also adopt our 
NPRM proposal to require BIAS provider and other telecommunications 
carrier privacy notices to provide certain minimum information. 
Carriers need not, however, repeat any of these ``rights'' statements 
verbatim, and we encourage carriers to adapt these statements in 
manners that will be most effective based on their extensive experience 
with their customer base. Specifically, carriers' privacy notices must:
     Specify and describe customers' opt-in and opt-out rights 
with respect to their own PI. This includes explaining that:
    [cir] A denial of approval to use, disclose, or permit access to 
customer PI for purposes other than providing telecommunications 
service will not affect the provision of the telecommunications 
services of which they are a customer.
    [cir] any approval, denial, or withdrawal of approval for use of 
the customer PI for any purposes other than providing 
telecommunications service is valid until the customer affirmatively 
revokes such approval or denial, and that the customer has the right to 
deny or withdraw access to such PI at any time. However, the notice 
should also explain that the carrier may be compelled, or permitted, to 
disclose a customer's PI

[[Page 87292]]

when such disclosure is provided for by other laws.
     Provide access to a simple, easy-to-use mechanism for 
customers to provide or withdraw their consent to use, disclose, or 
permit access to customer PI as required by these rules.
    133. These notice requirements are intended to ensure that 
providers inform their customers that they have the right to opt into 
or out of the use and sharing of their information, as well as how to 
make those choices known to the provider. We discuss the choice 
mechanism itself in Part III.D.4, infra. Requiring providers to 
describe in a single place how information is collected, used, and 
shared, as well as what the consumers' rights are to control that 
collection, use, and sharing, enhances the opportunity for customers to 
make informed decisions. Likewise, requiring the notice to provide 
access to the choice mechanism ensures that the mechanism is easily 
available and accessible as soon as the customer receives the necessary 
privacy information. This is important, since studies have shown that 
``adding just a 15-second delay between the notice and the loading of 
[a] Web page where subjects choose whether to reveal their information 
eliminates the privacy-protective effect of the notice.'' As discussed 
further below, we decline to specify particular formats for carriers to 
provide access to their choice mechanisms, recognizing that different 
forms of access to the choice mechanism (e.g., a link to a Web site, a 
mobile dashboard, or a toll-free number) may be more appropriate 
depending on the context in which the notice may be given (e.g., on a 
provider's Web site, in a provider's app, or in a paper disclosure 
presented in a provider's store).
    134. Studies have shown that customers are often resigned to an 
inability to control their information, and may be under a mistaken 
impression that exercising their rights may result in degraded service. 
Thus, we require providers' notice of privacy policies to also inform 
customers that denying a provider the ability to use or share customer 
PI will not affect their ability to receive service. As noted below, 
this provision does not mean that carriers categorically cannot engage 
in financial incentive practices. This parallels the existing section 
222 rules, which require carriers to ``clearly state that a denial of 
approval will not affect the provision of any services to which the 
customer subscribes.'' Since providers drafting their notices have 
clear incentives to encourage customers to permit the use and sharing 
of customer PI, it can be easy for customers to misconstrue exactly 
what is conditioned upon their permission. These provisions are 
intended to make customers aware that the offer of choice is not merely 
pro forma.
    135. We permit providers to make clear and neutral statements about 
potential consequences when customers decline to allow the use or 
sharing of their personal information. We require that any such 
statements be clear and neutral in order to prevent them from obscuring 
the basic fact of the customer's right to prevent the use of her 
information without loss of service. Allowing difficult-to-read or 
biased statements would run counter to our goal of ensuring that 
notices overall are clear and conspicuous, comprehensible, and not 
misleading. NTCA recommends that we remove or modify from the NPRM's 
proposal the requirement that the explanation be brief. In the interest 
of allowing more flexibility, we remove this requirement, with the 
understanding that brevity is often, but not always, a component of 
clarity.
    136. We require providers to inform customers that their privacy 
choices will remain in effect until the customers change them, and that 
customers have the right to change them at any time. We acknowledge 
that ``[c]ustomers may make hasty decisions in the moment simply to 
obtain Internet access . . . [and] therefore appreciate the reminder 
that they have the opportunity to change their mind.'' We expect 
carriers' privacy promises to customers and the privacy choices 
customers make to be honored, including, for example, in connection 
with a carrier's bankruptcy. As the FTC has done in its groundbreaking 
work in this area, the FCC will be vocal in support of customer privacy 
interests that a carrier's bankruptcy may raise.
2. Timing and Placement of Notices
    137. There is broad agreement that, in order to be useful, privacy 
policy notices must be clearly, conspicuously, and persistently 
available, and not overly burdensome to the carrier or fatiguing to the 
customer. We therefore require telecommunications carriers to provide 
notices of privacy policies at the point of sale prior to the purchase 
of service, and also to make them clearly, conspicuously, and 
persistently available on carriers' Web sites and via carriers' apps 
that are used to manage service, if any. We also eliminate periodic 
notice requirements from the voice CPNI rules.
    138. Point of Sale. We agree with commenters that requiring notices 
at the point of sale ensures that notices are relevant in the context 
in which they are given, since this is a time when a customer can still 
decide whether or not to acquire or commit to paying for service, and 
it also allows customers to exercise their privacy choices when the 
carrier begins to collect information from them. In this, we agree with 
the FTC, which finds that the most relevant time is when consumers sign 
up for service. The proximity in time between sale and use of 
information means that a point-of-sale notice, in many if not most 
instances, serves the same function as a just-in-time notice--that of 
providing information at the most relevant point in time. Consumer 
groups such as the Center for Digital Democracy and providers such as 
Sprint also appear to agree on this point. The point-of-sale 
requirement is also consistent with the transparency requirements of 
the 2010 Open Internet Order, which requires disclosure of privacy 
policies at the point of sale. As such, we find that this requirement 
will impose a minimal incremental burden on BIAS providers. The record 
further indicates that providing notice at the point of sale can be 
less burdensome for a carrier, in part because it allows the provider 
to walk a customer through the terms of the agreement. Providing notice 
at the point of sale, and not after a customer has committed to a 
subscription, can also allow carriers to compete on privacy.
    139. We clarify that a ``point of sale'' need not be a physical 
location. Where the point of sale is over voice communications, we 
require providers to give customers a means to access the notice, 
either by directing them to an easily-findable Web site, or, if the 
customer lacks Internet access, providing the text of the notice of 
privacy policies in print or some other way agreed upon by the 
customer. We find that this requirement adequately addresses record 
concerns about the burdens associated with communicating polices orally 
to customers.
    140. Clear, Conspicuous, and Persistent Notice. We also require 
telecommunications carriers to make their notices persistently 
available through a clear and conspicuous link on the carrier's 
homepage, through the provider's application (if it provides one for 
account management purposes), and any functional equivalents of the 
homepage or application. This requirement also reflects the 
transparency requirements in the 2010 Open Internet Order, which 
mandate ``at a minimum, the prominent display of disclosures on a 
publicly available . . . Web site,'' and as such, should add a minimal 
burden for BIAS providers. Persistent and visible availability is 
critical; customers must be able to

[[Page 87293]]

review the notice and understand the carrier's privacy practices at any 
time since they may wish to reevaluate their privacy choices as their 
use of services change, as their personal circumstances change, or as 
they evaluate and learn about the programs offered by the provider. 
Persistent access to the notice of privacy policies also ensures that 
customers need not rely upon their memory of the notice that they 
viewed at the point of sale; so long as they have access to the 
provider's Web site, app, or equivalent, they can review the notice. As 
such, we require providers to at least provide a link to the web-hosted 
notice in a clear and conspicuous location on its homepage, to ensure 
that customers who visit the homepage may easily find it.
    141. We require the notice of privacy policies to be clearly and 
conspicuously present not only on the provider's Web site, but to be 
accessible via any application (``app'') supplied to customers by the 
provider that serves as a means of managing their subscription to the 
telecommunications service. As more consumers rely upon mobile devices 
to access online information, a provider's Web site may become less of 
a central resource for information about the provider's policies and 
practices. Certain mobile apps serve much the same function as a mobile 
Web site interface, giving customers tools to manage their accounts 
with their providers. As a significant point of contact with the 
customer, such apps are an ideal place for customers to be able to find 
the notice of privacy policies. We do not, however, expect that every 
app supplied by a provider must carry the notice of privacy policies 
for the entire service--for instance, a mobile broadband provider that 
bundles a sports news app or a mobile game with its phones and services 
would not need to provide the privacy notice we require here with those 
apps. Nor do we require providers who lack an app to develop one. 
However, we require carriers that provide apps that manage a customer's 
billing or data usage, or otherwise serve as a functional equivalent to 
a provider's Web site, to ensure that those apps provide at least a 
link to a viewable notice of privacy policies.
    142. Providing the notice both via the app and on the provider's 
Web site increases customers' ability to access and find the policy 
regardless of their primary point of contact with the provider. We do, 
however, wish to ensure that customers can still reach notices even as 
providers may develop other channels of contact with their customers, 
and thus require that the notice be made available on any functional 
equivalents of the Web site or app that may be developed. While we 
anticipate that all BIAS providers and most other telecommunications 
providers have a Web site, those that do not may provide their notices 
to customers in paper form or some other format agreed upon by the 
customer.
    143. No Periodic Notice Requirement. We decline to require periodic 
notice on an annual or bi-annual basis. While periodic notices might 
serve to remind customers of their ability to exercise privacy choices, 
we remain mindful of the potential for notice fatigue and find that 
notices at the point of sale, supplemented by persistently available 
notices on providers' Web sites, and notices of material change to 
privacy policies, is sufficient to keep customers informed. 
Additionally, we believe that periodic notices might distract from 
notices of material changes, reducing the amount of customer attention 
to such changes. We find that annual or periodic notices are 
unnecessary or even counterproductive in this context, and we reduce 
burdens on all telecommunications carriers--including smaller 
carriers--by eliminating the pre-existing every-two-year notice 
requirement from our section 222 rules.
3. Form and Format of Privacy Notices
    144. Recognizing the importance of flexibility in finding 
successful ways to communicate privacy policies to consumers, we 
decline to adopt any specific form or format for privacy notices. We 
agree with commenters that, in addition to running the risk of 
providing insufficient flexibility, mandated standardized requirements 
may unnecessarily increase burdens on providers, and prevent consumers 
from benefitting from notices tailored to a specific provider's 
practices. For example, the record reflects concerns that mandated 
standardized requirements can increase burdens on providers, and can 
also create a number of problems, including a lack of flexibility to 
account for the fact that different carriers may have different needs, 
such as creating comprehensive policies across different services. This 
concern is especially prevalent for smaller carriers. At the same time, 
we agree with commenters that whatever form of privacy notices a 
provider adopts, in order to adequately inform customers of their 
privacy rights, such privacy notices must clearly and conspicuously 
provide information in language that is comprehensible and not 
misleading, and be provided in the language used by the carrier to 
transact business with its customer. We therefore require providers to 
implement these general principles in formatting their privacy policy 
notices.
    145. These basic requirements for the form and format of privacy 
policies build on existing Commission precedent regarding notice 
requirements for voice providers and open Internet transparency 
requirements for BIAS providers, and incorporate FTC guidance on 
customer notice standards. These basic principles are well suited to 
accommodating providers' and customers' changing needs as new business 
models develop or as providers develop and refine new ways to convey 
complex information to customers. Within these basic guidelines, 
providers may use any format that conveys the required information, 
including layering and adopting alternative methods of structuring the 
notice or highlighting its provisions. We note that as standard 
business practices for conveying complex information improve, we expect 
notices of providers' privacy policies to keep pace. We encourage 
innovative approaches to educating customers about privacy practices 
and choices.
    146. While we decline to mandate a standardized notice at this 
time, the record demonstrates that voluntary standardization can 
benefit both customers and providers. As such, as described below, we 
adopt a voluntary safe harbor for a disclosure format that carriers may 
use in meeting the rules' standards for being clear and conspicuous, 
comprehensible, and not misleading.
    147. Clear, Conspicuous, Comprehensible and Not Misleading. 
Consistent with existing best practices, we require providers' privacy 
notices to be readily available and written and formatted in ways that 
ensure the material information in them is comprehensible and easily 
understood. The record reflects broad agreement that providers' privacy 
practices ``should be easily available [and] written in a clear way.'' 
A number of commenters noted that certain practices frustrate the 
ability of customers to find and identify the important parts of 
privacy notices, observing, for example, that notices could be 
presented among or alongside distracting material, use unclear or 
obscure language, presented with significant delays in ability for 
consumers to act, or be placed only at the bottom of ``endless 
scrolling'' pages. By mandating that notices be clear, conspicuous, 
comprehensible, and not misleading, we prohibit such practices and 
others that render notices unclear, illegible, inaccessible, or 
needlessly obtuse.

[[Page 87294]]

    148. The NPRM framed these requirements in several ways, including 
that notices be ``clear and conspicuous,'' as well as ``clearly 
legible, use sufficiently large type, and be displayed in an area so as 
to be readily apparent to the consumer.'' In adopting these rules, we 
streamline these requirements by interpreting ``conspicuous'' to 
include requirements for prominent display, and eliminate the 
requirement for ``sufficiently large type,'' based upon the 
understanding that insufficiently large type would not be 
``comprehensible'' or ``clear and conspicuous.'' Removing this specific 
requirement also preserves the ability for providers who may be able to 
convey the necessary information through images or other non-textual 
means.
    149. We agree with the FTC's observation that existing notices of 
privacy policies are frequently too long and unclear; overlong notices 
are often inherently less comprehensible. As T-Mobile states, ``today's 
busy consumers often have limited ability to fully review the hundreds 
of privacy policies that apply to the apps, Web sites, and services 
they use, and prefer simpler notices that provide meaningful 
information.'' We recognize that providers must balance conveying the 
required information in a comprehensive and comprehensible manner, and 
therefore encourage, but do not require, providers to make their 
notices as concise as possible while conveying the necessary 
information. Layered notices, lauded by a few commenters, may be one of 
several ways to achieve these parallel objectives.
    150. The record also reflects that transparency is only effective 
in preventing deception when the information shared is meaningful to 
the recipient. We agree with the California Attorney General that 
companies should ``alert consumers to potentially unexpected data 
practices,'' and as such require that providers' notices not be 
misleading in addition to being comprehensible. This requirement is 
also consistent with FTC precedent.
    151. Other Languages. We agree with the FTC that providers should 
convey notices to their customers in a language that the customers can 
understand. We therefore require providers to convey their entire 
notices of privacy policies to customers in another language, if the 
telecommunications carrier transacts business with the customer in that 
other language. This requirement ensures that customers who are 
advertised to in a particular language may also understand their 
privacy rights in that same language. We note that for the purposes of 
this rule, ``language'' also includes American Sign Language, meaning 
that if the customer transacts business with the carrier in American 
Sign Language, the notice would need to be made available in that 
language. We conclude that this obligation appropriately balances 
accommodating customers who primarily use languages other than English 
and reducing the burden on providers, especially small providers, to 
translate notices into languages that are unused by their particular 
customers.
    152. Mobile-Specific Considerations. We decline to mandate any 
additional requirements for notices displayed on mobile devices. The 
record indicates that providers desire flexibility to adapt notices to 
be usable in the mobile environment for their customers, while consumer 
advocates stress that the requirements for usability must be met in 
some way, regardless of the specific formatting. So long as notices on 
mobile devices meet the above guidelines and convey the necessary 
information, they will comply with the rules. Providers are free to 
experiment within those broad guidelines and the capabilities of mobile 
display technology to find the best solution for their customers.
    153. Safe Harbor for Standardized Privacy Notices. To encourage 
adoption of standardized privacy notices without mandating a particular 
form, we direct the Consumer Advisory Committee, which is composed of 
both industry and consumer interests, to formulate a proposed 
standardized notice format, based on input from a broad range of 
stakeholders, within six months of the time that its new membership is 
reconstituted, but, in any event, no later than June 1, 2017. There is 
strong support in the record for creation of standardized notice, and 
for use of multi-stakeholder processes. Standardized notices can assist 
consumers in interpreting privacy policies, and allow them to better 
compare the privacy policies of different providers, allowing increased 
competition in privacy protections. Standardized notices can also 
reduce compliance costs for providers, especially small providers, by 
ensuring they can easily adopt a compliant form and format for their 
notices.
    154. The CAC has significant expertise in developing standard 
broadband disclosures and other consumer disclosure issues. We find 
that the Committee's experience makes it an ideal body to recommend a 
notice format that will be sufficiently clear and easy to read to allow 
consumers to easily understand and compare the privacy practices of 
different providers. To ensure that the notice will be clear and easy 
to read for all customers, it must also be accessible to persons with 
disabilities. We delegate authority to the Wireline Competition Bureau, 
Wireless Telecommunications Bureau, and Consumer & Governmental Affairs 
Bureau to work with the CAC on the draft standardized notice. If the 
CAC recommends a form or format that do not meet the Bureaus 
expectations, the Bureaus may ask the CAC to consider changes and 
submit a revised proposal for the Bureaus' review within 90 days of the 
Bureaus' request. The Bureaus may also seek public comment, as they 
deem appropriate, on any standardized notice the CAC recommends. We 
also delegate authority to the Bureaus to issue a Public Notice 
announcing any proposed format or formats that they conclude meet our 
expectations for the safe harbor for making consumer-facing 
disclosures.
    155. Providers that voluntarily adopt a privacy notice format 
developed by the CAC and approved by the Bureaus will be deemed to be 
in compliance with the rules' requirements that notices be clear, 
conspicuous, comprehensible, and not misleading. As with the Open 
Internet BIAS transparency rules, use of the safe harbor notice is a 
safe harbor with respect to the format of the required disclosure to 
consumers. A provider meeting the safe harbor could still be found to 
be in violation of the rules, for example, if the content of that 
notice is misleading, otherwise inaccurate, or fails to include all 
mandated information.
4. Advance Notice of Material Changes to Privacy Policies
    156. We require telecommunications carriers to provide advance 
notice of material changes to their privacy policies to their existing 
customers, via email or other means of active communication agreed upon 
by the customer. As with our requirements for the notice of privacy 
policy, if a carrier does not have a Web site, it may provide notices 
of material change notices to customers in paper form or some other 
format agreed upon by the customer. As with a provider's privacy policy 
notice, any advance notice of material changes to a privacy policy must 
be clear, conspicuous, comprehensible, and not misleading. The notice 
also must be completely translated into a language other than English 
if the telecommunications carrier transacts business with the customer 
in that language. This notice must inform customers of both (1) the 
changes being made; and (2) customers' rights with respect to the 
material change as it relates to their customer PI. In doing so, we 
follow our own precedent and that

[[Page 87295]]

of the FTC in recognizing the need for consumers to have up-to-date and 
relevant information upon which to base their choices. This requirement 
to notify customers of material change finds strong support in the 
record.
    157. The record reflects strong justifications for requiring 
providers to give customers advance notice of material changes to their 
privacy policies. In order to ensure that customer approval to use or 
share customer PI is ``informed'' consent, customers must have accurate 
and up-to-date information of what they are agreeing to in privacy 
policies. The notice of material change requirement that we adopt is 
consistent with the transparency requirements of the 2015 Open Internet 
Order, which require providers to disclose material changes in, among 
other things, ``commercial terms,'' which includes privacy policies. 
Notices of material change are essential to respecting customers' 
informed privacy choices; if a provider substantially changes its 
privacy practices after a customer has agreed to a different set of 
practices, the customer cannot be said to have given informed consent, 
consistent with Section 222. This is particularly important when 
providers are seeking a customer's opt-out consent, since the 
customer's privacy rights could change whether or not they had actual 
knowledge of the change in policy. We therefore disagree that such a 
requirement is outweighed by the risk of notice fatigue; to the extent 
that providers are frequently changing their policies materially, they 
should alert their customers to that fact, or risk rendering their 
earlier efforts at transparency fruitless.
    158. For the purposes of this rule, we consider a ``material 
change'' to be any change that a reasonable customer would consider 
important to her decisions on her privacy. This parallels the consumer 
interest-focused definition of ``material change'' used in the 2015 
Open Internet Order. The definition differs from that in the 2015 Open 
Internet Order in two respects: the customer's interest is defined by 
the customer's decisions on privacy, and not choice of provider, 
service, or application; and the reference to edge providers, which are 
not relevant to the material changes at issue, has been removed. Such 
changes would primarily include any changes to the types of customer PI 
at issue, how each type of customer PI is used or shared and for what 
purpose, or the categories of entities with which the customer PI is 
shared. To provide guidance on the standard above, at minimum, if any 
of the required information in the initial privacy notification 
changes, then the carrier must provide the required update notice. We 
adopt this guidance because the initial notice contains the information 
on which customers are making their privacy decisions, and changes to 
that information may alter how consumers grant permissions to their 
carriers. We also limit carriers' requirements under this section to 
existing customers, since only existing customers (and not new 
applicants) would have a current privacy policy that could be 
materially changed.
    159. Delivering Notices of Material Changes. For consumers to 
understand carriers' privacy practices, carriers must keep them up to 
date and persistently available, but must also ensure that customers' 
knowledge of them is up to date. It is not reasonable, for instance, to 
expect consumers to visit carriers' privacy policies on a daily basis 
to see if anything has changed. Therefore, we require 
telecommunications carriers to notify an affected customer of material 
changes to their privacy policies by contacting the customer with an 
email or some other form of active communication agreed upon by the 
customer.
    160. We require active forms of communication with the customer 
because merely altering the text of a privacy policy on the carrier's 
Web site alone is insufficient. There is little chance that, absent 
some form of affirmative contact, a customer would periodically visit 
and review a provider's notices of privacy policies for any changes. We 
also recommend, but do not require, providers to solicit customers' 
contact preferences to enable customers to choose their preferred 
method of active contact (such as email, text messaging, or some other 
form of alert), as not all customers have the same contact preferences. 
This is particularly true for voice services, where it may be less 
likely that customers will visit a provider's Web site, and providers 
may not have a customer's email address. While this does require each 
provider to have some means of contacting the customer, it does not 
require gathering more customer information, since, by virtue of 
providing service, a provider will necessarily be able to contact a 
customer, whether by email, text message, voice message, or postal 
mail. Some commenters have expressed concern that requiring carriers to 
send multiple notices in different formats for each material change 
would present ``significant logistical challenges.'' The rules do not 
require multiple formats for each notice of material change, but allow 
carriers to use one method, whether that is email or some other active 
method agreed upon by the customer.
    161. The active notice requirements reflect the rationale behind 
the transparency requirements of the 2015 Open Internet Order, which 
require directly notifying end users if the provider is about to engage 
in a network practice that will significantly affect a user's use of 
the service. As explained in that Order, the purpose is to ``provide 
the affected [] users with sufficient information . . . '' to make 
choices that will affect their usage of the service. Given these 
existing obligations, we disagree with commenters who suggest that 
providing more than one notice is overly burdensome.
    162. In addition to the active notice required above, we encourage 
providers to include notices of changes in customers' billing 
statements, whether a customer has selected electronic billing, paper 
bills, or some other billing format. Providing notice via bills can 
help ensure that customers will receive the notice, and makes it more 
likely that they will correctly attribute the notice as coming from 
their provider.
    163. Contents of Advance Notice of Material Changes. As proposed in 
the NPRM, the advance notice of material change must specify and 
describe the changes made to the provider's privacy policies, including 
any changes to what customer PI the provider collects; how it uses, 
discloses, or permits access to such information; and the categories of 
entities with which it shares that information. This explanation should 
also include whether any changes are retroactive (i.e., they will 
involve the use or sharing of past customer PI that the provider can 
access). As discussed in Part III.D.1.a(ii) below, if the material 
change affects previously collected information, then, consistent with 
FTC precedent and recommendations, the carrier must obtain opt-in 
consent for that new use of previously collected information. The 
entire notice must be clear and conspicuous, comprehensible, and not 
misleading. The notice of material change need not contain the entirety 
of the provider's privacy policies, so long as it accurately conveys 
the relevant changes and provides easy access to the full policies. 
Moreover, the notice of material change must not simply provide fully 
updated privacy policies without specifically identifying the changes--
as stated above, the changes must be identified clearly, conspicuously, 
comprehensibly, and in a manner that is not misleading. For the same 
reasons that we impose this requirement with respect to the notice of 
privacy policies, we also require that

[[Page 87296]]

the notice of material change be translated into a language other than 
English if the telecommunications carrier transacts business with the 
customer in that language. As with the initial notice of privacy 
policies, the notice of material change must also explain the 
customer's rights with regard to this information. We do not, however, 
require that carriers use any particular language in these 
explanations, and encourage carriers to adapt their notices in ways 
that best suit their customers. We decline to specify how much advance 
notification providers must give their customers before making material 
changes to their privacy policies, recognizing that the appropriate 
amount of time will vary, inter alia, based on the scope of the change 
or the sensitivity of the information at issue. However, BIAS providers 
and other telecommunications carriers must give customers sufficient 
advance notice to allow the customers to exercise meaningful choice 
with respect to those changed policies.
5. Harmonizing Voice Rules
    164. As noted above, we apply these rules to all providers of 
telecommunications services. Harmonizing the rules for broadband and 
other telecommunications services will allow providers that offer 
multiple (and frequently bundled) services within this category to 
operate under a more uniform set of privacy rules, reducing potential 
compliance costs. For example, our rules will enable providers to 
provide the necessary notices for both voice and broadband services at 
the point of sale, allowing the information to be conveyed in one 
interaction for customers purchasing bundles, minimizing burdens on 
providers and customers alike. Furthermore, this consistency also 
enhances the ability of customers purchasing BIAS and other 
telecommunications services from a single provider to make informed 
choices regarding the handling of their information.
    165. In harmonizing our notice rules across BIAS and other 
telecommunications services, we are able to reduce burdens on providers 
by eliminating certain existing requirements that we find are no longer 
necessary. For instance, because we require that notice of privacy 
practices be readily available on providers' Web sites, an already 
common practice, we eliminate the requirement that notices of privacy 
practices be re-sent to customers every 2 years. Further, because the 
record evinces the growing need for flexibility in applying the 
principles of transparency, we eliminate requirements that notices 
provide that ``the customer has a right, and the carrier has a duty, 
under federal law, to protect the confidentiality of CPNI'' --a 
requirement that has apparently been interpreted as requiring that 
language to appear verbatim in privacy policies. Similarly, we 
eliminate requirements that emails containing notices of material 
changes contain specific subject lines, leaving to providers the means 
by which they can meet the general requirements that any communication 
must be clear and conspicuous, comprehensible, and not misleading. We 
find that in lieu of these more prescriptive requirements, the common-
sense rules we adopt above better ensure that customers receive truly 
informative notices without unnecessary notice fatigue or unnecessary 
regulatory burdens on carriers.

D. Customer Approval Requirements for the Use and Disclosure of 
Customer PI

    166. In this section, we adopt rules that give customers of BIAS 
and other telecommunications services the tools they need to make 
choices about the use and sharing of their personal information, and to 
easily adjust those choices over the course of time. Respecting the 
choice of the individual is central to any privacy regime, and a 
fundamental component of FIPPs. In adopting section 222, Congress 
imposed a duty on telecommunications carriers to protect the 
confidentiality of their customers' information, and specifically 
required that carriers obtain customer approval for use and sharing of 
individually identifiable customer information. In adopting rules to 
implement these statutory requirements, we look to the record, which 
includes substantial discussion about customers' expectations in the 
context of the broader Internet ecosystem, as well as existing 
regulatory, enforcement, and best practices guidance. We are persuaded 
that sensitivity-based choice rules are the best way to implement the 
mandates of section 222, honor customer expectations, and provide 
carriers the ability to engage their customers.
    167. We therefore adopt rules that require express informed consent 
(opt-in approval) from the customer for the use and sharing of 
sensitive customer PI. As described in greater detail below, our rules 
treat the following information as sensitive: Precise geo-location, 
health, financial, and children's information; Social Security numbers; 
content; and web browsing and application usage histories and their 
functional equivalents. For voice providers, our rules also treat call 
detail information as sensitive. With respect to non-sensitive customer 
PI, carriers must, at a minimum, provide their customers the ability to 
opt out of the carrier's use or sharing of that non-sensitive customer 
information. Carriers must also provide their customers with an easy-
to-use, persistent mechanism to adjust their choice options. As 
discussed below, we do not consider a carrier's sharing of customer PI 
with the carrier's own agents to constitute sharing with third parties 
that requires either opt-in or opt-out consent.
    168. The sensitivity-based choice approach we adopt is not 
monolithic. We recognize certain congressionally-directed exceptions to 
customer approval rights. Most obviously, carriers can, and indeed 
must, use and share customer PI in order to provide the underlying 
telecommunications service, to bill and collect payment for that 
service, and for certain other limited purposes by virtue of delivering 
the service. Congress also recognized that there are other laws and 
regulations that allow or require carriers to use and share customer PI 
without consent. Therefore, we adopt exceptions to our choice framework 
that allow carriers to use and share information for the 
congressionally directed purposes outlined in the Communications Act, 
and as otherwise required or authorized by law.
    169. In the first part of this section, we discuss our application 
of a sensitivity-based framework to the use and sharing of customer PI. 
We explain what we consider to be sensitive customer PI, and how our 
rules apply the sensitivity-based framework. In the second part of this 
section, we explain and implement the limitations and exceptions to 
that choice framework.
    170. In the next parts of this section, we discuss the mechanisms 
for customer approval provided for in our rules. We explain how and 
when carriers must solicit and obtain customer approval to use and 
share the customer's PI under the framework we adopt today, and require 
carriers to provide customers with easy access to a choice mechanism 
that is simple, easy-to-use, clearly and conspicuously disclosed, 
persistently available, and made available at no additional cost to the 
customer. Finally, we eliminate the requirements that 
telecommunications providers keep particular records of their use of 
customer PI and periodically report compliance to the Commission.
    171. These rules apply both to BIAS and other telecommunications 
services.

[[Page 87297]]

The record reflects strong support for consistency between privacy 
regimes for all telecommunications services, both to reduce possible 
consumer confusion, and to decrease compliance burdens for all affected 
telecommunications carriers, particularly small providers. Therefore, 
within the scope of our authority over telecommunications carriers, we 
apply these rules to all BIAS providers and other telecommunications 
carriers.
1. Applying a Sensitivity-Based Customer Choice Framework
    172. Except as otherwise provided by law and subject to the 
congressionally-directed exceptions discussed below, we adopt a 
customer choice framework that distinguishes between sensitive and non-
sensitive customer information. We adopt rules that require BIAS 
providers and other telecommunications carriers to obtain a customer's 
opt-in consent before using or sharing sensitive customer PI. We also 
require carriers to obtain customer opt-in consent for material 
retroactive uses of customer PI, as discussed below. We also adopt 
rules requiring carriers to, at a minimum, offer their customers the 
ability to opt out of the use and sharing of non-sensitive customer 
information. Carriers may also choose to obtain opt-in approval from 
their customers to use or share non-sensitive customer PI. To ensure 
that consumers have effective privacy choices, we require carriers to 
provide their customers with a persistent, easy-to-access mechanism to 
opt in to or opt out of their carriers' use or sharing of customer PI.
    173. In adopting a sensitivity-based framework, we move away from 
the purpose-based framework--in which the purpose for which the 
information will be used or shared determines the type of customer 
approval required--in the current rules and in the rules we proposed in 
the NPRM. Having sought comment on a sensitivity-based framework in the 
NPRM, and having received substantial support for it in the record, we 
find that incorporating a sensitivity element into our framework allows 
our rules to be more properly calibrated to customer and business 
expectations. This approach is also consistent with the framework 
recommended by the FTC in its comments and its 2012 staff report, and 
used by the FTC in its settlements. We make this transition for both 
BIAS and other telecommunications services because the record 
demonstrates that a sensitivity-based framework better reflects 
customer expectations regarding how their privacy is handled by their 
communications carriers.
    174. Some commenters argue that all customer information is 
sensitive, and that subjecting only certain information to opt-in 
approval imposes an unnecessary burden on consumers who want to protect 
the privacy of their information to opt-out. While we appreciate that 
consumers are not monolithic in their preferences, as discussed below, 
we think the rule we adopt today strikes the right balance and gives 
consumers control over the use and sharing of their information. We 
decline to conclude that all customer PI is sensitive by default, and 
instead identify specific types of sensitive information, consistent 
with the FTC. Other commenters express concern that drawing a 
distinction between sensitive and non-sensitive information requires a 
broadband provider to analyze a customer's web browsing history and 
content to identify sensitive information, rendering the point of the 
distinction moot. Some commenters argue that carriers can use a system 
of whitelists to determine sensitive versus non-sensitive Web sites. 
This argument mistakenly presumes that the sensitivity of a customer's 
traffic relies upon the type or contents of the sites visited, and not 
simply the fact of the customer having visited them. However, this 
dispute and the concerns underlying it are themselves mooted by our 
decision to treat content, browsing history, and application usage 
history as sensitive and subject to opt-in consent. Thus, recognizing 
customer expectations and the comments reflecting them in the record, 
we adopt rules that base the level of approval carriers must obtain 
from customers upon the sensitivity of the customer PI at issue.
    175. Adopting this choice framework implements the requirement in 
section 222(c)(1) that carriers, subject to certain exceptions, must 
obtain customer approval before using, sharing, or permitting access to 
individually identifiable CPNI. Further, we find that except where a 
limitation or exception discussed below applies, obtaining consent 
prior to using or sharing customer PI is a necessary component of 
protecting the confidentiality of customer PI pursuant to section 
222(a). We also observe that drawing distinctions that allow opt-out or 
opt-in approval is well-grounded in our section 222 precedent and 
numerous other privacy statutes and regimes. The Commission has long 
held that allowing a customer to grant partial use of CPNI is 
consistent with one of the underlying principles of section 222: To 
ensure that customers maintain control over their own information.
    176. Below, we explain the framework and its application. First, we 
define the scope of sensitive customer PI and explain our reasons for 
requiring opt-in consent to use or share sensitive customer PI. 
Consistent with FTC enforcement work and best practices guidance, we 
also require telecommunications carriers that seek to make retroactive 
material changes to their privacy policies to obtain opt-in consent 
from customers. Next, we discuss our reasons for allowing carriers to 
use and share non-sensitive customer PI subject to opt-out approval.
a. Approval Requirements for the Use and Sharing of Sensitive Customer 
PI
(i) Defining Sensitive Customer PI
    177. For purposes of the sensitivity-based customer choice 
framework we adopt today, we find that sensitive customer PI includes, 
at a minimum, financial information; health information; Social 
Security numbers; precise geo-location information; information 
pertaining to children; content of communications; call detail 
information; and a customer's web browsing history, application usage 
history, and their functional equivalents. Although a carrier can be in 
compliance with our rules by providing customers with the opportunity 
to opt in to the use and sharing of these specifically identified 
categories of information, we encourage each carrier to consider 
whether it collects, uses, and shares other types of information that 
would be considered sensitive by some or all of its customers, and 
subject the use or sharing of that information to opt-in consent.
    178. In identifying these categories as sensitive and subject to 
opt-in approval, we draw on the record and consider the context, which 
is the customer's relationship with his broadband or other 
telecommunications provider. The record demonstrates strong support for 
designating these specific categories of information as sensitive: 
Health information, financial information, precise geo-location 
information, children's information, and Social Security numbers. The 
FTC explicitly regards these categories of information as sensitive, as 
well. Despite some commenters' assertions to the contrary, the FTC does 
not claim to define the outer bounds of sensitive information with this 
list. For example, in its 2009 Staff Report on online behavioral 
advertising and in its comments to this proceeding, the FTC clearly 
indicated that its list was non-exhaustive. Furthermore, Commission 
precedent and consumer expectations demonstrate

[[Page 87298]]

strong support for certain additional categories of sensitive 
information. For instance, the Commission has also afforded enhanced 
protection to call detail information for voice services. Consumer 
research also supports identifying several types of information as 
sensitive: The 2016 Pew study, noted by a number of commenters in the 
record, found that large majorities of Americans considered Social 
Security numbers, health information, communications content (including 
phone conversations, email, and texts), physical locations over time, 
phone numbers called or texted, and web history to be sensitive. Each 
of these categories has a clear and well attested case in the record 
and in federal law for being considered sensitive.
    179. Consistent with the FTC and the record, we conclude that 
precise geo-location information is sensitive customer PI. Congress 
specifically amended section 222 to protect the privacy of wireless 
location information as the privacy impacts of it became clear. Real-
time and historical tracking of precise geo-location is both sensitive 
and valuable for marketing purposes due to the granular detail it can 
reveal about an individual. Such data can expose ``a precise, 
comprehensive record of a person's public movements that reflects a 
wealth of detail about her familial, political, professional, 
religious, and sexual associations.'' In some cases, a BIAS provider 
can even pinpoint in which part of a store a customer is browsing. The 
FTC has found that precise geo-location data ``includ[es] but [is] not 
limited to GPS-based, WiFi-based, or cell-based location information.'' 
As noted above in paragraph 66, we do not draw distinctions between 
technologies used to determine precise geo-location. We make clear, 
however, that we do not consider a customer's postal or billing address 
to be sensitive precise geo-location information, but rather to be non-
sensitive customer PI when used in context as customer contact 
information.
    180. The record also reflects the historical and widely-held tenet 
that the content of communications is particularly sensitive. Like 
financial and health information, Congress recognized communications as 
being so critical that their content, information about them, and even 
the fact that they have occurred, are all worthy of privacy 
protections. This finding is strongly supported by the record, and 
consistent with FTC guidance. As the FTC explains, ``content data can 
be highly personalized and granular, allowing analyses that would not 
be possible with less rich data sets.'' We therefore concur with the 
large number of commenters who assert that content must be protected 
and agree with Access Now in finding that ``the use or sharing . . . of 
the content of user communications is a clear violation of the right to 
privacy.'' As such, we consider communications contents to be sensitive 
information. Designating content as sensitive customer PI will not, 
despite NCTA's concerns, require a carrier to obtain additional 
customer approval to accept or respond to communications with its 
customers.
    181. We also add to the list of sensitive customer PI a customer's 
web browsing and application usage history, and their functional 
equivalents. A customer's web browsing and application usage history 
frequently reveal the contents of her communications, but also 
constitute sensitive information on their own--particularly considering 
the comprehensiveness of collection that a BIAS provider can enjoy and 
the particular context of the BIAS provider's relationship with the 
subscriber. The Commission has long considered call detail information 
sensitive, regardless of whether a customer called a restaurant, a 
family member, a bank, or a hospital. The confidentiality of that 
information, and its sensitivity, do not rely upon what category of 
entity the customer is calling. The same is true of a customer's web 
browsing and application usage histories. We therefore decline to 
define a subset of non-sensitive web browsing and application usage 
history, as a number of commenters urge. Some commenters raise the 
issue of cases drawing distinctions between ``content'' and 
``metadata'' in the context of ECPA as standing for the proposition 
that all non-content data is non-sensitive. We disagree. While the text 
of ECPA requires a court to make determinations of what is and is not 
``content'' of communications to determine that statute's 
applicability, neither the statute nor the case law interpreting it 
suggests that information other than content cannot be considered 
sensitive under the Communications Act.
    182. Web browsing and application usage history, and their 
functional equivalents are also sensitive within the particular context 
of the relationship between the customer and the BIAS provider, in 
which the BIAS provider is the on-ramp to the Internet for the 
subscriber and thus sees all domains and IP addresses the subscriber 
visits or apps he or she uses while using BIAS. This is a different 
role than even the large online ad networks occupy--they may see many 
sites a subscriber visits, but rarely see all of them. The notion is 
that before a BIAS provider tracks the Web sites or other destinations 
its customer visits the customer should have the right to decide 
upfront if he or she is comfortable with that tracking for the purposes 
disclosed by the provider.
    183. As EFF explains, BIAS providers can acquire a lot of 
information ``about a customer's beliefs and preferences--and likely 
future activities--from Web browsing history or Internet usage history, 
especially if combined with port information, application headers, and 
related information about a customer's usage or devices.'' For 
instance, a user's browsing history can provide a record of her reading 
habits--well-established as sensitive information--as well as 
information about her video viewing habits, or who she communicates 
with via email, instant messaging, social media, and video and voice 
tools. The cable and satellite privacy provisions of the Act were 
created in significant part to protect the privacy of video viewing 
habits. Video rental records have also been recognized by Congress as 
worthy of particular privacy protection. As such, we disagree with 
Google's assertions that web browsing has not traditionally been 
considered sensitive information. Furthermore, the domain names and IP 
addresses may contain potentially detailed information about the type, 
form, and content of a communication between a user and a Web site. In 
some cases, this can be extremely revealing: For instance, query 
strings within a URL may include the contents of a user's search query, 
the contents of a web form, or other information. Browsing history can 
easily lead to divulging other sensitive information, such as when and 
with what entities she maintains financial or medical accounts, her 
political beliefs, or attributes like gender, age, race, income range, 
and employment status. More detailed analysis of browsing history can 
more precisely determine detailed information, including a customer's 
financial status, familial status, race, religion, political leanings, 
age, and location. The wealth of information revealed by a customer's 
browsing history indicates that it, even apart from communications 
content, deserves the fullest privacy protection.
    184. Web browsing, however, is only one form of sensitive 
information about a customer's online activities. The use of other 
applications besides web browsers also provides a significant amount of 
insight into a user's behavior. Any of the information transmitted to 
and from a customer via a browser can

[[Page 87299]]

just as easily be transmitted via a company-specific or use-specific 
application. Whether on a mobile device or a desktop computer, the 
user's newsreader application will give indications of what he is 
reading, when, and how; an online video player's use will transmit 
information about the videos he is watching in addition to the video 
contents themselves; an email, video chat, or over-the-top voice 
application will transmit and receive not only the messages themselves, 
but the names and contact information of his various friends, family, 
colleagues, and others; a banking or insurance company application will 
convey information about his health or finances; even the mere 
existence of those applications will indicate who he does business 
with. A customer using ride-hailing applications, dating applications, 
and even games will reveal information about his personal life merely 
through the fact that he uses those apps, even before the information 
they contain (his location, his profile, his lifestyle) is viewed.
    185. Considering the particular visibility of this information to 
telecommunications carriers, we therefore find that web browsing 
history and application usage history, and their functional 
equivalents, are sensitive customer PI. We do not take a position on 
how sensitive this information would be in other contexts, or what 
levels of customer approval would be appropriate in those 
circumstances. Web browsing history and application usage history 
includes information from network traffic related to web browsing or 
other applications (including the application layer of such traffic), 
and information from network traffic indicating the Web site or party 
with which the consumer is communicating (e.g., their domains and IP 
addresses). We include their functional equivalents to ensure that the 
privacy of customers' online activities (today most frequently 
encompassed by browsing and application usage history) will be 
protected regardless of the specific technology or architecture used. 
We expect this to be particularly significant as the Internet of Things 
continues to develop. While a customer may expect that the people and 
businesses she interacts with will know some things about her--her 
bookstore will know what she's bought by virtue of having sold it to 
her--this is distinct from having her voice or broadband provider 
extract that information from her communications paths and therefore 
knowing every store she has visited and everything she has purchased. 
Furthermore, as mentioned above, a carrier not only has the technical 
ability to access the information about the customer's calls to the 
bookstore or visits to its Web site; it could also, unlike the store, 
associate that information with the customer's other communications. 
Edge providers, even those that operate ad networks, simply do not have 
sufficient access to an individual to put together such a comprehensive 
view of a consumer's online behavior. And, to the extent a customer 
wants to prevent edge providers from collecting information about her, 
she can adopt a number of readily available privacy-enhancing 
technologies. While the knowledge of any one fact from a customer's 
online history (the use of an online app) may be known to several 
parties (including the BIAS provider, the app itself, the server of an 
in-app advertisement), the BIAS provider has the technical ability to 
access the most complete and most unavoidable picture of that history. 
We therefore disagree with commenters who believe that browsing history 
or application usage are not sensitive in the context of the customer/
BIAS provider relationship.
    186. Also, contrary to some commenters' arguments, the existence of 
encryption on Web sites or even in apps does not remove browsing 
history from the scope of sensitive information. As noted above, 
encryption is far from fully deployed; the volume of encrypted data 
does not represent a meaningful measure or privacy protection; and 
carriers have access to a large and broad amount of user data even when 
traffic is encrypted, including, frequently, the domains and IP 
addresses that a customer has visited. Comcast notes that few dispute 
on the record that a growing volume of traffic is encrypted. However, 
the volume of encrypted data is not indicative of how much customer 
privacy is protected. For instance, a very small amount of browsing 
information can reveal that a customer is visiting a site devoted to a 
particular disease, while many times that data, unencrypted, would only 
reveal that the user had streamed a particular video. Comcast argues 
that because BIAS providers are limited to this information, they have 
less access to information overall. While the record indicates that 
BIAS providers have a less granular view of encrypted web traffic than 
unencrypted, it does not change the breadth of the carrier's view or 
the fact that it acquires this information by virtue of its privileged 
position as the customer's conduit to the internet. Nor does it change 
the fact that this still constitutes a record of the customer's online 
behavior, which, as noted above, can reveal details of a customer's 
life even at the domain level.
    187. In deciding to treat broadband customers' web browsing 
history, application history, and their functional equivalents as 
sensitive information, we agree with commenters, including technical 
experts, who explain that attempting to neatly parse customer data 
flowing through a network connection into sensitive and non-sensitive 
categories is a fundamentally fraught exercise. As a number of 
commenters have noted, a network provider is ill-situated to reliably 
evaluate the cause and meaning of a customer's network usage. We 
therefore disagree with the suggestion made by some commenters that web 
browsing is not sensitive, because providers have established methods 
of sorting data which do not require them to ``manually inspect'' the 
contents of packets.
    188. This remains true even when providers do not attempt to 
classify customers' browsing and application usage as they use BIAS, 
but instead employ blacklists or whitelists of sensitive or non-
sensitive sites and applications. Although commenters cite various 
industry attempts to categorize consumer interests, and identify the 
sensitive categories among those, the definitions vary significantly 
between them. Even within one set of classifications, the lines between 
what is and is not considered sensitive information can be difficult to 
determine. For instance, as Common Sense Kids Action points out, 
determining when browsing information belongs to a child, teen, or 
adult customer or user would require more than knowing the user's 
online destination. Further, as OTI notes, something that is non-
sensitive to a majority of people may nevertheless be sensitive to a 
minority, which may have the unintended consequence of disparately 
impacting the privacy rights of racial and ethnic minorities and other 
protected classes. By treating all web browsing data as sensitive, we 
give broadband customers the right to opt in to the use and sharing of 
that information, while relieving providers of the obligation to 
evaluate the sensitivity and be the arbiter of any given piece of 
information.
    189. We also observe that treating web browsing and application 
usage history as sensitive in the context of the BIAS/customer 
relationship is consistent with industry norms among BIAS providers. 
Until recently, for example, to participate in AT&T's GigaPower Premium 
Offer (i.e., to receive the fixed

[[Page 87300]]

broadband service GigaPower at a lower cost), customers had to opt in 
to AT&T Internet Preferences. Under AT&T's Internet Preferences, ``you 
agree to share with us your individual browsing, like the search terms 
you enter and the Web pages you visit, so we can tailor ads and offers 
to your interests.'' AT&T explained that ``AT&T Internet Preferences 
works independently of your browser's privacy settings regarding 
cookies, do-not-track and private browsing'' and that ``[i]f you opt-in 
to AT&T Internet Preferences, AT&T will still be able to collect and 
use your Web browsing information independent of those settings.'' In 
short, AT&T appears to have tracked web browsing history only pursuant 
to customer opt-in. Similarly, participation in Verizon's Verizon 
Selects program is on an opt-in basis. That opt-in program uses web 
browsing and application usage data, along with location, to develop 
marketing information about its customers. We provide these examples 
only to demonstrate that BIAS providers already treat web browsing and 
application usage history as sensitive and as subject to opt-in 
consent, and we do not mean to suggest that these existing or past 
programs are reasonable or consistent with the rules and standards we 
discuss in this Order.
    190. We disagree with the assertions made by a number of 
advertising trade associations that web browsing history should not be 
considered sensitive customer PI because courts have ``found that the 
advertising use of web browsing histories tied to device information 
does not harm or injure consumers.'' We find this to be inapposite to 
the task we confront in applying Section 222 of the Act. These cases 
deal with a factually different, and significantly narrower, scenarios 
than we address through web browsing history in this Order. For 
instance, in both cases, the courts found that plaintiffs had failed to 
allege that they had suffered ``loss'' as that term is narrowly defined 
under the Computer Fraud and Abuse Act. We do not adopt the CFAA's 
definitions of ``damage'' or ``loss'' for the purposes of this Order.
    191. We recognize that there are other types of information that a 
carrier could add to the list of sensitive information, for example 
information that identifies customers as belonging to one or more of 
the protected classes recognized under federal civil rights laws. 
Commenters also describe as sensitive other forms of governmental 
identification, biometric identifiers, and electronic signatures. Other 
privacy frameworks, both governmental and commercial, identify other 
types of information as particularly sensitive, such as race, religion, 
political beliefs, criminal history, union membership, genetic data, 
and sexual habits or sexual orientation. Most of these categories 
already overlap with our established categories, or the use or sharing 
of such information would be subject to opt-in requirements pursuant to 
the requirement to obtain opt-in consent for the use and sharing of 
content and web browsing and application usage history. Moreover, as 
explained above, carriers are welcome to give their customers the 
opportunity to provide opt-in approval for the use and sharing of 
additional types of information. However, we recognize that as 
technologies and business practices evolve, the nature of what 
information is and is not sensitive may change, and as customer 
expectations or the public interest may require us to refine the 
categories of sensitive customer PI, we will do so. For instance, some 
commenters have suggested that information considered non-sensitive at 
one point might reveal through later analysis information about 
protected classes.
(ii) Opt-In Approval Required for Use and Sharing of Sensitive Customer 
PI and Retroactive Material Changes in Use of Customer PI
    192. As the FTC recognizes, ``the more sensitive the data, the more 
consumers expect it to be protected and the less they expect it to be 
used and shared without their consent.'' We therefore require BIAS 
providers and other telecommunications carriers to obtain a customer's 
opt-in consent before using, disclosing, or permitting access to his or 
her sensitive customer PI, except as otherwise required by law and 
subject to the other exceptions outlined in Part III.D.2.
    193. Consistent with the Commission's existing CPNI rules and wider 
precedent, opt-in approval requires that the carrier obtain 
affirmative, express consent from the customer for the requested use, 
disclosure, or access to the customer PI. Because section 222(a) 
requires protection of the confidentiality of all customer PI, we 
include all types of sensitive customer PI, and not just sensitive, 
individually identifiable CPNI, within the definition of opt-in 
approval. The broad support in the record for protecting sensitive 
information nearly unanimously argues that use and sharing of sensitive 
customer information be subject to customer opt-in approval. The record 
demonstrates that customers expect that their sensitive information 
will not be shared without their affirmative consent, and sensitive 
information, being more likely to lead to more serious customer harm, 
requires additional protection. For instance, the FTC recognizes that 
consumer expectations drive increased protections for sensitive 
information. We find that requiring opt-in approval for the use and 
sharing of sensitive customer PI reasonably balances burdens between 
carriers and their customers. If a carrier's uses or sharing of 
customers' sensitive personal information benefits those customers, the 
customer has every incentive to make that choice, and the carrier has 
every incentive to make the benefits of that choice clear to the 
customer. We anticipate that this will increase the amount of clear and 
informative information that customers will have about the costs and 
benefits of participation in these programs. Carriers' incentives to 
encourage customer opt-in will likely be tempered by carriers' desire 
to avoid alienating customers with too-frequent solicitations to opt 
in.
    194. In contrast, we find that opt-out consent would be 
insufficient to protect the privacy of sensitive customer PI. Research 
has shown that default choices can be ``sticky,'' meaning that 
consumers will remain in the default position, even if they would not 
have actively chosen it. Further, opt-in regimes provide additional 
incentives for a company to invest in making notices clear, 
conspicuous, comprehensible, and direct. Additionally, empirical 
evidence shows that relatively few customers opt out even though a 
larger number express a preference not to share their information, 
suggesting that they did not receive notice or were otherwise 
frustrated in their ability to exercise choice. In an opt-in scenario, 
however, we anticipate that many consumers, solicited by carriers 
incentivized to provide and improve access to their notice and choice 
mechanisms, will wish to affirmatively exercise choice options around 
the use and sharing of sensitive information. Although we recognize 
that opt-in imposes additional costs, based on these factors we find 
that opt-in is warranted to maximize opportunities for informed choice 
about sensitive information.
    195. Material Retroactive Changes. Notwithstanding the fact that 
our choice framework generally differentiates between sensitive and 
non-sensitive information, we agree with the FTC and other commenters 
that material retroactive changes require a customer's opt-in consent 
for changes to the use and sharing of both sensitive and non-sensitive 
information. The record demonstrates widespread conviction

[[Page 87301]]

that material retroactive changes to privacy policies should require 
opt-in approval from customers. Retroactive changes in privacy policies 
particularly risk violating customers' privacy expectations because 
they result in a carrier using or sharing information already collected 
from a customer for one purpose or set of purposes for a different 
purpose. Because of this, we require that telecommunications carriers 
obtain customers' opt-in approval before making retroactive material 
changes to privacy policies. It is a ``bedrock principle'' of the FTC 
that ``companies should provide prominent disclosures and obtain 
affirmative express consent before using data in a manner materially 
different than claimed at the time of collection.'' This means that, 
whether customer PI is sensitive or non-sensitive, a telecommunications 
carrier must obtain opt-in permission if it wants to use or share data 
that it collected before the time that the change was made. For 
instance, if a carrier wanted to change its policy to share a 
customer's past monthly data volumes with third party marketers, it 
would need to obtain the customer's opt-in permission. In contrast, if 
the carrier changes its policy to share the customer's future monthly 
data volumes with those same marketers, it would only need the 
customer's opt-out consent.
b. Approval Requirements for the Use and Sharing of Non-Sensitive 
Customer PI
    196. We recognize that customer concerns about the use and sharing 
of their non-sensitive customer PI will be less acute than sharing of 
sensitive PI, and that there are significant benefits to customers and 
to businesses from some use and sharing of non-sensitive customer PI. 
However, we reject suggestions that consumers should be denied choice 
about the use and sharing of any of their non-sensitive information. 
Empowering consumers by providing choice is a standard component of 
privacy frameworks. Further, ensuring choice is necessary as a part of 
effectuating the duty to protect the confidentiality of customer PI 
under section 222(a) and the duty to obtain the approval of the 
customer before using, disclosing, or permitting access to individually 
identifiable CPNI under section 222(c)(1). Therefore, consistent with 
the FTC privacy framework, we require BIAS providers and other 
telecommunications carriers to obtain the customer's opt-out approval 
to use, disclose, or permit access to non-sensitive customer PI. We 
note that our requirements for customer opt-out approval serve as a 
floor, not a ceiling, to the level of customer approval to be provided. 
Thus, a carrier may set up its programs to solicit and receive customer 
opt-in approval if it so chooses.
    197. We define opt-out approval as a means for obtaining customer 
consent to use, disclose, or permit access to the customer's 
proprietary information under which a customer is deemed to have 
consented to the use, disclosure, or access to the customer's covered 
information if the customer has failed to object thereto after the 
carrier's request for consent. This definition, based on the existing 
CPNI voice rules, applies to all non-sensitive customer PI for all 
covered telecommunications carriers. The current CPNI rules define opt-
out approval to require a thirty-day waiting period before a carrier 
can consider a customer's opt-out approval effective. We eliminate this 
requirement, and similarly decline to apply it to BIAS providers or 
other telecommunications carriers. As borne out in the record, we find 
that requiring carriers to enable customers to opt out at any time and 
with minimal effort will reduce the likelihood that customers' privacy 
choices would not be respected. As such, we believe that the 30-day 
waiting period is no longer necessary and provide additional regulatory 
flexibility by eliminating it. We make clear, however, that while we do 
not adopt a specific timeframe for effectuating customers' opt-out 
approval choices, we do not expect carriers to assume that a customer 
has granted opt-out consent when a reasonable customer would not have 
had an opportunity to view the solicitation. We conclude that this 
flexible standard will appropriately account for the faster pace of 
electronic transactions, while preventing carriers from using customer 
PI before customers have had the opportunity to opt out.
    198. We agree with commenters who assert that non-sensitive 
information naturally generates fewer privacy concerns for customers, 
and as such does not require the same level of customer approval as for 
sensitive customer PI. From this, we conclude that an opt-out approval 
regime for use and sharing of non-sensitive customer PI would likely 
meet customers' privacy expectations. We agree with ANA that ``[a]n 
opt-out framework for uses of non-sensitive information also matches 
consumers' expectations regarding treatment of their data,'' and CTIA 
that ``[b]y tying its rules to the sensitivity of the data, the 
Commission will ensure that they align with consumer expectations and 
what consumers know to be fair.'' While an opt-out regime places a 
greater burden than an opt-in regime upon customers who do not wish for 
their carrier to use or share their non-sensitive information, research 
suggests that those same customers will likely be more motivated to 
actively exercise their opt-out choices. Further, we conclude that 
permitting carriers to use and share non-sensitive data with customers' 
opt-out approval--rather than opt-in approval--grants carriers 
flexibility to make improvements and innovations based on customer PI. 
For example, ACA notes that an opt-out framework can allow ``providers, 
including small providers, to explore, market, and deploy innovative, 
value-added services to their consumers, including home security and 
home automation services that will drive the `Internet of Things.' '' 
Thus, we reject arguments that ``opt-out is not an appropriate 
mechanism to obtain user approval'' in any circumstances.
    199. We disagree with commenters who assert that customer approval 
to use and share customer PI for the purposes of all first party 
marketing is generally implied in Section 222. We find that allowing 
carriers to use or share customer PI for all first party marketing does 
not comport with section 222's customer approval and data protection 
requirements. Section 222(c)(1) explicitly requires customer approval 
to use and share CPNI for purposes other than providing the 
telecommunications service, and subject to certain other limited 
exceptions. Likewise, section 222(a) imposes a duty on carriers to 
protect the confidentiality of customer PI. We conclude that permitting 
carriers to use and share customer PI to market all carrier and 
affiliate services based on inferred customer approval is inconsistent 
with these statutory obligations. Our conclusion is also consistent 
with Commission precedent and FTC Staff comments. This same rationale 
applies to other telecommunications carriers. We note that, as 
discussed below, limited types of first-party marketing (of categories 
of service to which a customer subscribes, and services necessary to, 
or used in, those services) do not require customer approval. While 
some comments assert that customers expect some degree of targeted 
marketing absent explicit customer approval, the record also indicates 
that customers expect choice with regard to the privacy of their online 
communications. Inferring consent for all first-party marketing would 
leave consumers without the right to opt out of receiving any manner of 
marketing from their telecommunications carrier--

[[Page 87302]]

violating that basic precept recognized by Justice Louis Brandeis of 
the ``right of the individual to be let alone.'' We accordingly adopt 
an opt-out regime for first-party marketing that relies on non-
sensitive customer PI to fulfill Section 222 and provide customers with 
the choice that they desire without unduly hindering the marketing of 
innovative services.
    200. Giving consumers control of the use and disclosure of their 
information, even for first-party marketing, is consistent with other 
consumer protection laws and regulations adopted by both the FTC and 
FCC. For instance, the popular and familiar National Do Not Call 
registry, created by the FTC, the FCC, and the states empowers 
consumers to opt out of most telemarketing calls. Consumers have 
registered over 222 million phone numbers with the Do Not Call Registry 
in order to stop unwanted marketing calls. Also, pursuant to rules 
adopted by both the FTC and the FCC, consumers to have the right to opt 
out of receiving calls even from companies with which they have a prior 
business relationship, with businesses required to place the consumer 
on a do-not-call list upon the consumer's request. The CAN SPAM Act of 
2003, and the rules the FTC adopted under CAN SPAM, also give consumers 
the right to opt out of the receipt of future commercial email from and 
require senders of commercial email to provide a working mechanism in 
their email to facilitate those opt-outs. Our rules follow these many 
models.
2. Congressionally-Recognized Exceptions to Customer Approval 
Requirements for Use and Sharing of Customer PI
    201. In this section, we detail the scope of limitations and 
exceptions to the customer approval framework discussed above. In the 
first part of this section, based on our review of the record and our 
analysis of the best way to implement section 222, we find that no 
additional customer consent is needed in order for a BIAS provider or 
other telecommunications carrier to use and share customer PI in order 
to provide the telecommunications service from which such information 
is derived or provide services necessary to, or used in, the provision 
of such telecommunications service. These limitations on customer 
approval requirements allow a variety of necessary activities beyond 
the bare provision of services, including research to improve or 
protect the network or telecommunications, and limited first-party 
marketing of services that are part of, necessary to, or used in the 
provision of the telecommunications service. In the second part of this 
section, we apply the statutory exceptions detailed in section 222(d) 
to all customer PI, allowing telecommunications carriers to use and 
share customer PI to: (1) Initiate, render, bill, and collect for 
telecommunications services; (2) protect the rights or property of the 
carrier, or to protect users and other carriers from fraudulent, 
abusive, or unlawful use of, or subscription to, telecommunications 
services; (3) provide any inbound telemarketing, referral, or 
administrative services to the customer for the duration of a call; and 
(4) provide customer location information and non-sensitive customer PI 
in certain specified emergency situations. We also take this 
opportunity to clarify that our rules do not prevent use and sharing of 
customer PI to the extent such use or sharing is allowed or required by 
other law.
    202. The statutory mandate of confidentiality is not an edict of 
absolute secrecy. The need to use and share customer information to 
provide telecommunications services, to initiate or render a bill, to 
protect the network, and to engage in the other practices identified 
above are inherent in a customer's subscription. While Congress 
specified this in the context of its more detailed provisions on 
customer approval for CPNI in sections 222(c)-(d), it left to the 
Commission the details of determining the scope of the duty of 
confidentiality. We therefore exercise our authority to adopt 
implementing rules in order to harmonize the application in our rules 
of section 222(a) as to customer PI with the limitations and exceptions 
of sections 222(c)-(d). Doing so ensures that carriers are not burdened 
with disparate or duplicative approval requirements based upon whether 
a particular piece of information is classified as CPNI, PII, or both. 
We disagree with commenters who argue that extending these limitations 
and exceptions to approval requirements unduly risk customers' privacy. 
We make clear that carriers using or sharing customer PI should remain 
particularly cognizant of their obligation to comply with the data 
security standards in Part III.E, below. We also emphasize that 
carriers should be particularly cautious about using sensitive customer 
PI, especially the content of communications, and carriers should 
carefully consider whether its use is necessary before making use of it 
subject to these limitations and exceptions. Furthermore, we observe 
that BIAS providers and other telecommunications carriers remain 
subject to all other applicable laws and regulations that affect their 
collection, use, or disclosure of communications, including but not 
limited to, the Electronic Communications Privacy Act (ECPA), the 
Communications Assistance for Law Enforcement Act (CALEA), section 705 
of the Communications Act, and the Cybersecurity Information Sharing 
Act (CISA).
a. Provision of Service and Services Necessary to, or Used in, 
Provision of Service
    203. Section 222 makes clear that no additional customer consent is 
needed to use customer PI to provide the telecommunications service 
from which it was derived, and services necessary to, or used in the 
telecommunications service. Consent to use customer PI for the 
provision of service is implied in the service relationship. We note 
that the need for providers to transmit and disclose certain types of 
customer PI (including IP addresses and the contents of communications) 
in the course of providing service in no way obviates customers' 
privacy interests in this information. Customers expect their 
information to be used in the provision of service--after all, 
customers fully intend for their communications to be transmitted to 
and from recipients--and they necessarily give their information to the 
carrier for that purpose. For instance, a number of commenters objected 
to our inclusion of IP addresses as forms of customer PI, because they 
are necessary to route customers' communications, or otherwise provide 
telecommunications service. This concern is misplaced; while a BIAS 
provider needs to share its customer's IP address to provide the 
broadband service, there is no basis to share that information for 
other non-exempt purposes absent customer consent. Indeed, because of 
the explicit limitation described by section 222(c)(1)(A) and 
implemented here, we do not need to exclude IP addresses or other forms 
of information from the scope of customer PI in order to allow the 
provision of telecommunications service, or services necessary to or 
used in providing telecommunications service. Thus, we import these 
statutory mandates into our rules and apply them to all customer PI.
    204. We continue to find, as did previous Commissions, that 
telecommunications customers expect their carriers to market them 
improved service offerings within the scope of service to which they 
already subscribe, and as such, conclude that such limited first-party 
marketing is part of the provision of the telecommunications

[[Page 87303]]

service within the meaning of Section 222(c)(1)(A). As with earlier 
CPNI orders, we decline to enumerate a definitive list of ``services 
necessary to, or used in, the provision of . . . telecommunications 
service'' within the meaning of section 222(c)(1). However, we provide 
guidance with respect to certain services raised in the record, and 
specifically find that this exception includes the provision and 
marketing of communications services commonly bundled together with the 
subscriber's telecommunications service, customer premises equipment, 
and services formerly known as ``adjunct-to-basic services.'' We 
further find that the provision of inside wiring and technical support; 
reasonable network management; and research to improve and protect the 
network or the telecommunications either fall within this category or 
constitute part of the provision of telecommunications service.
    205. Services that are Part of, Necessary to, or Used in the 
Provision of Telecommunications Service. The Commission has 
historically recognized that, as a part of providing service, carriers 
may, without customer approval, use and share CPNI to market service 
offerings among the categories of service to which the customer already 
subscribes. We therefore adopt a variation of our proposal, which 
mirrored the existing rule, and permit telecommunications carriers to 
infer approval to use and share non-sensitive customer PI to market 
other communications services commonly marketed with the 
telecommunications service to which the customer already subscribes. 
For example, the carrier could infer consent to market voice (whether 
fixed and/or mobile) and video service to a customer of its broadband 
Internet access service. We limit this exception to the use and sharing 
of non-sensitive information, because we agree with a number of 
commenters that this type of marketing remains part of what customers 
expect from their telecommunications carrier when subscribing to a 
service. For example, under our rules, a BIAS provider can offer 
customers new or different pricing or plans for the customers' existing 
subscriptions (e.g., a carrier may, without the customer's approval, 
use the fact that the customer regularly reaches a monthly usage cap to 
market a higher tier of service to the customer). This exception also 
allows carriers to conduct internal analyses of non-sensitive customer 
PI to develop and improve their products and services and to develop or 
improve their offerings or marketing campaigns generally, apart from 
using the customer PI to target specific customers.
    206. The Commission also has historically recognized certain 
functions offered by telecommunications carriers as inherently part of, 
or necessary to, or used in, the provision of telecommunications 
service. Consistent with Commission precedent, we reaffirm that 
services formerly known as ``adjunct-to-basic,'' including, but not 
limited to, speed dialing, computer-provided directory assistance, call 
monitoring, call tracing, call blocking, call return, repeat dialing, 
call tracking, call waiting, caller ID, call forwarding, and certain 
centrex features, are either part of the provision of 
telecommunications service or are ``necessary to, or used in'' the 
provision of that telecommunications service. Similarly, the Commission 
has, in prior orders, recognized that the provision and marketing of 
certain other services as being ``necessary to, or used in'' the 
provision of service, such as call answering, voice mail or messaging, 
voice storage and retrieval services, fax storage and retrieval 
services, and protocol conversion, and we continue to do so today. In 
the 2015 Open Internet Order, we concluded that DNS, caching, and 
network-oriented, security-related blocking functions including 
parental controls and firewalls fall within the telecommunications 
systems management exception and are akin to adjunct-to-basic services. 
Likewise, we continue to find that CPE, as well as other customer 
devices, inside wiring installation, maintenance, and repair, as well 
as technical support, serve as illustrative examples of services that 
are either part of the telecommunications service or are ``necessary 
to, or used in'' the provision of the underlying telecommunications 
service for the purposes of these rules. In each case here and below, 
whether the particular function is a part of the telecommunications 
service or a separate service ``necessary to, or used in'' the 
telecommunications service may depend on the particular circumstances 
of the underlying telecommunications service and the customer, and we 
need not address this distinction to determine that the statutory 
limitation applies. Customers require working inside wiring to receive 
service, and often depend upon technical support to fully utilize their 
services. As such, carriers may use and share non-sensitive customer 
PI, without additional customer approval, to provide and market such 
services.
    207. In importing these historical findings into the rules we adopt 
today and applying them to the current telecommunications environment, 
we make clear that our rules no longer permit CMRS providers to use or 
share customer PI to market all information services without customer 
approval. In first making these findings, the Commission noted the 
potential to revisit this decision if it became apparent that customer 
expectations, and the public interest, changed. The 1999 CPNI 
Reconsideration Order interpreted section 222(c)(1) as permitting CMRS 
providers to market information services in general to their customers 
without customer approval, but limited the information services for 
which wireline carriers could infer approval. That decision was made 
when the mobile information services market was in its infancy. As the 
third party mobile application market has developed, we can no longer 
find that such an exception is consistent with giving consumers 
meaningful choice over the use and sharing of their information. 
Moreover, we have a strong interest in our rules being technologically 
neutral.
    208. Reasonable Network Management. We agree with commenters 
asserting that BIAS providers need to use customer PI to engage in 
reasonable network management. We have previously explained that a 
network practice is ``reasonable if it primarily used for and tailored 
to achieving a legitimate network management purpose, taking into 
account the particular network architecture and technology of the 
broadband service.'' As we further elaborated in the 2015 Open Internet 
Order, reasonable network management includes, but is not limited to 
network management practices that are primarily used for, and tailored 
to, ensuring network security and integrity, including by addressing 
traffic that is harmful to the network; network management practices 
that are primarily used for, and tailored to, addressing traffic that 
is unwanted by end users; and network practices that alleviate 
congestion without regard to the source, destination, content, 
application, or service. We recognize that reasonable network 
management plays an important role in providing BIAS, and consider 
reasonable network management to be part of the telecommunications 
service or ``necessary to, or used in'' the provision of the 
telecommunications service. As such, we clarify that BIAS providers may 
infer customer approval to use, disclose, and permit access to customer 
PI to the extent necessary for reasonable

[[Page 87304]]

network management, as we defined that term in the 2015 Open Internet 
Order.
    209. Research to Improve and Protect Networks or 
Telecommunications. We also find that certain uses and disclosures of 
customer PI for the purpose of conducting research to improve and 
protect networks or telecommunications are part of the 
telecommunications service or ``necessary to, or used in'' the 
provision of the telecommunications service for the purposes of these 
rules. Since telecommunications carriers must be able to provide secure 
networks to their customers, we include security research within the 
scope of research allowed under this limitation. Security research also 
falls under the exception covered in Part III.D.2.b, infra, regarding 
uses of customer PI to protect the rights and property of a carrier, or 
to protect users from fraud, abuse, or unlawful use of the networks. 
For instance, Professor Feamster explains that ``network research 
fundamentally depends on cooperative data sharing agreements with 
ISPs,'' and that, lack of access to certain types of customer PI, 
``will severely limit vendors' and developers' ability to build and 
deploy network technology that functions correctly, safely, and 
securely.'' Comcast also emphasizes the need to share customer PI with 
``trusted vendors, researchers, and academics . . . under strict 
confidentiality agreements . . . to improve both the integrity and 
reliability of the service.'' NCTA also argues that carriers must be 
able to use customer data for internal operational purposes such as 
improving network performance. Some commenters, such as CDT, caution 
that a research exemption, read too broadly, might permit privacy 
violations. We share these concerns, and emphasize that in the interest 
of protecting the confidentiality of customer PI, carriers should seek 
to minimize privacy risks that may stem from using and disclosing 
customer PI for the purpose of research, and should ensure that the 
entities to which they disclose customer PI will likewise safeguard 
customer privacy. Telecommunications carriers and researchers should 
design research projects that incorporate principles of privacy-by-
design, and agree not to publish or otherwise publicly share 
individually identifiable data without customer consent. This would 
include, for instance, practicing data minimization and not using more 
identifiable information than necessary for the research task. In 
addition, the existing rules permit CMRS providers to infer customer 
approval to use and share CPNI for the purpose of conducting research 
on the health effects of CMRS. We retain this limited provision, 
extending it to all customer PI. We reiterate that that carriers should 
endeavor to minimize privacy risks to customers.
b. Specific Exceptions
    210. In addition to the activities included in the provision of 
service and services necessary to, or used in, provision of service, 
carriers do not need to seek customer approval to engage in certain 
specific activities that represent important policy goals detailed in 
section 222(d). We apply those exceptions to the customer approval 
framework to all customer PI.
    211. Initiate, Render, Bill, and Collect for Service. We import 
into our rules and apply to all customer PI the statutory exception 
permitting carriers to use, disclose, and permit access to CPNI ``to 
initiate, render, bill, and collect for telecommunications services'' 
without obtaining additional customer consent. As the Rural Wireless 
Association explains, carriers frequently need to share ``certain 
customer information'' ``with billing system vendors, workforce 
management system vendors, consultants that assist with certain 
projects, help desk providers, and system monitoring solutions 
providers.'' Also, as noted below, to the extent that the carrier is 
using an agent to perform acts on its behalf, the carrier's agents, 
acting in the scope of their employment, stand in the place of the 
carrier, both in terms of rights and liabilities.
    212. Protection of Rights and Property. We also import into our 
rules and apply to all customer PI the statutory provision permitting 
carriers to use, disclose, and permit access to CPNI ``to protect the 
rights or property of the carrier, or to protect users of those 
services and other carriers from fraudulent, abusive, or unlawful use 
of, or subscription to, such services'' without obtaining specific 
customer approval. We agree with the broad set of commenters who 
expressed the opinion that this exception should be incorporated into 
the rules, and further agree that it should also apply to customer PI 
beyond CPNI. We also find that these rules comport with the 
Cybersecurity Information Sharing Act of 2015 (CISA), which permits 
certain sharing of cyber threat indicators between telecommunications 
providers and the federal government or private entities, 
``notwithstanding any other provision of law.'' We do not assume that 
the scope of our exception is coterminous with the definition of cyber 
threat information in CISA. As noted, however, to the extent 
information is allowed to be shared pursuant to CISA, our rules do not 
inhibit such sharing. Moreover, to the extent that other federal laws, 
such as CISA, permit or require use or sharing of customer PI, our 
rules expressly do not prohibit such use or sharing.
    213. We also agree with commenters that this provision of our rules 
encompasses the use and sharing of customer PI to protect against spam, 
malware such as viruses, and other harmful traffic, including 
fraudulent, abusive, or otherwise unlawful robocalls. As proposed, this 
includes any form of customer PI, not merely calling party phone 
numbers. We caution that carriers using or sharing customer PI pursuant 
to this section of the rules should remain vigilant about limiting such 
use and sharing to the purposes of protecting their networks and users, 
and complying with their data security requirements. We acknowledge 
Access Now's concern that an overbroad reading of this exception could 
result in carriers actively and routinely monitoring and reporting on 
customers' behavior and traffic, and make clear that the rule does not 
allow carriers to share their customers' information wholesale on the 
possibility that doing so would enhance security; use and sharing of 
customer PI for these purposes must be reasonably tailored to 
protecting the network and its users.
    214. We agree with commenters that recommend that we consider this 
provision of our rules to encompass not only actions taken to combat 
immediate security threats, but also uses and sharing to research and 
develop network and cybersecurity defenses. When combined with the 
immunity granted by CISA, this exception addresses carriers' concerns 
about participating in cybersecurity sharing initiatives. As noted 
above, CISA permits the sharing of cybersecurity threat indicators 
``notwithstanding any other provision of law.'' These provisions should 
also alleviate the concern expressed in the interim update on 
information sharing from the Communications Security, Reliability, and 
Interoperability Council (CSRIC), that our rules may conflict with 
CISA. Security is an essential part of preventing bad actors from 
gaining unauthorized access to the system or making abusive use of it 
with spam, malware, or denial of service attacks. Research and 
development into new techniques and technologies for addressing fraud 
and abuse may require internal use of customer PI, but also disclosures 
to third-party researchers

[[Page 87305]]

and other collaborators. However, as with other applications of this 
exception, carriers should not disclose more information than is 
reasonable to achieve this purpose, and should take reasonable steps to 
ensure that the parties with which they share information use this 
information only for the purposes for which it was disclosed. Feamster 
et al. suggest that security research receive a specific exemption, so 
long as security disclosures be limited to those that: Promote 
security, stability, and reliability of networks; do not violate 
privacy; and benefit research in a way that outweighs privacy risks. 
They also highlight particular categories of researchers to whom 
disclosure represents less privacy risk. While we decline to include 
this specific exemption and its criteria, we note that similar steps to 
mitigate privacy risks and determine trustworthy recipients can be 
useful factors in determining reasonableness.
    215. Providing Inbound Services to Customers. Customers expect that 
a carrier will use their customer PI when they initiate contact with 
the carrier in order to ask for support, referral, or new services in a 
real-time context. Therefore, within the limited context of the 
particular interaction, carriers can use customer PI to render the 
services that the customer requests without receiving additional 
approval from the customer. This provision represents a more 
generalized version of the exception in section 222(d)(3), which 
specifies that carriers may use customer PI ``for the duration of [a 
support, referral, or request for new services] call.'' Under the rule 
we adopt today, carriers may use customer PI for the duration of any 
real-time interaction, including voice calls, videoconferencing, and 
online chats. However, given the less formal nature of such requests, a 
carrier's authorization to use the customer PI without additional 
permission should only last as long as that particular interaction 
does, and not persist longer. We find that this provision will achieve 
the same purpose as existing section 64.2008(f) of our rules, which 
allows carriers to waive certain notice requirements for one-time usage 
of customer PI. We believe that carriers' ability to use customer PI 
for these purposes without additional customer permission obviates the 
need for streamlined notice and consent requirements in one-time 
interactions.
    216. Some commenters have argued that our rules should permit a 
carrier to share customer PI with its agents absent customer approval, 
noting the need to share customer PI with agents to provide customer 
support, billing, or other tasks. We agree that such sharing is often 
necessary, and the limitations and exceptions outlined above allow 
carriers to share customer PI with their agents without additional 
customer approval. To the extent that a carrier needs to share customer 
PI with an agent for a non-exempt task, it needs no more customer 
approval than it would have needed in order to perform that task 
itself. This is consonant with the Communications Act's requirement 
that carriers' agents, acting in the scope of their employment, stand 
in the place of the carrier, both in terms of rights and liabilities.
    217. Providing Certain Customer PI in Emergency Situations. In 
adopting section 222, Congress recognized the important public safety 
interests in ensuring that carriers can use and share necessary 
customer information in emergency situations. Section 222(d)(4) 
specifically allows carriers to provide call location information of 
commercial mobile service users to: (1) Certain specified emergency 
services, in response to a user's call for emergency services; (2) a 
user's legal guardian or immediate family member, in an emergency 
situation that involves the risk of death or serious physical harm; and 
(3) to providers of information or database management services solely 
for the purpose of assisting in the delivery of emergency services in 
the case of an emergency. We adopt rules mirroring these exceptions, 
and expand the scope of information that may be disclosed under these 
circumstances to include customer location information and non-
sensitive customer PI.
    218. While commercial mobile service users' location may be the 
information most immediately relevant to emergency services personnel, 
other forms of customer PI may also be relevant for customers using 
services other than commercial mobile services, especially if customers 
are seeking emergency assistance through means other than dialing 9-1-1 
on a voice line. Expanding the types of information available in an 
emergency to include non-sensitive information such as other known 
contact information for the customer or the customer's family or legal 
guardian will allow carriers the flexibility necessary to keep 
emergency services informed with actionable information. However, 
recognizing the concerns that too broad an exception could lead to 
increased exposure of sensitive information, we extend the exception 
only to customer location information and non-sensitive customer PI.
    219. We recognize that, as with any provision that allows 
disclosure of a customer's information, this exception can potentially 
be abused. Various bad actors may use pretexting techniques, pretending 
to be a guardian, immediate family member, emergency responder, or 
other authorized entity to gain access to customer PI. As with all of 
the other provisions of these rules, we expect carriers to abide by the 
security standards set forth in Part III.E, below. Under these 
standards, we expect that carriers will reasonably authenticate third 
parties to whom they intend to disclose or permit access to customer 
PI. This need to act reasonably also applies to authenticating 
emergency services and other entities covered under this exception, as 
well as authenticating customers themselves.
    220. We decline suggestions that we allow carriers only to divulge 
customer PI in emergency situations to emergency contact numbers 
specified by the customer in advance. While such a safeguard could 
prevent a certain amount of pretexting, we believe that such a 
requirement would be overly restrictive and, in the case of call 
information, contrary to the statute. If such a requirement were in 
place, customers who failed to supply or update emergency contact 
information would be denied the ability for guardians or family members 
from being contacted. Recognizing the permissible nature of section 
222(d), we do not prohibit carriers from using such a safeguard if they 
so choose.
3. Requirements for Soliciting Customer Opt-Out and Opt-In Approval
    221. In this section, we discuss the requirements for soliciting 
customer approval for the use and sharing of customer PI. First, we 
require telecommunications carriers to solicit customer approval at the 
point of sale, and permit further solicitations after the point of 
sale. Next, we require that carriers actively contact their customers 
in these subsequent solicitations, to ensure that customers are 
adequately informed. Finally, we require the solicitations to be clear 
and conspicuous, to be comprehensible and not misleading, and to 
contain the information necessary for a customer to make an informed 
choice regarding her privacy.
    222. Timing of Solicitation. Based on the record before us, we 
conclude that BIAS providers and other telecommunications carriers must 
solicit customers' privacy choices at the point of sale. We agree with 
the FTC and other commenters that the point of sale remains a logical 
time for customers

[[Page 87306]]

to exercise privacy decisions because it precedes the carriers' uses of 
customer PI; frequently allows for clarification of terms between 
customer and carrier; and avoids the need for customers to make privacy 
decisions when distracted by other considerations, and is the time when 
customers are making decisions about material terms.
    223. We further find that, in addition to soliciting choice at 
point-of-sale, a carrier seeking customer approval to use customer PI 
may also solicit that permission at any time after the point after the 
sale, so long as the solicitation provides customers with adequate 
information as specified in these rules. This allows carriers to supply 
customers with relevant information at the most relevant time and in 
the most relevant context. Moreover, a carrier that makes material 
changes to its privacy policy must solicit customers' privacy choices 
before implementing those changes. Material retroactive changes require 
opt-in customer approval as discussed above in Part III.D.1.a(ii). 
Consistent with our sensitivity-based framework, prospective material 
changes require opt-in approval if they entail use or sharing of 
sensitive customer PI, and opt-out approval if they entail use or 
sharing of non-sensitive customer PI.
    224. Methods of Solicitation. We agree with commenters who 
recommend that we not require particular formats or methods by which a 
carrier must communicate its solicitation of consent to customers. On 
this point, we agree with NTCA and USTelecom, which request flexibility 
in determining the means of solicitation, arguing that carriers are 
best placed to determine the most effective ways of reaching their 
customers.
    225. The existing voice rules contain specific requirements for 
solicitations sent as email, such as a requirement that the subject 
line clearly and accurately identify the subject matter of the email. 
We decline to include such specific requirements and thereby provide 
carriers with additional flexibility to develop clear notices that best 
serve their customers. However, the clarity and accuracy of an email 
subject line are highly relevant to an overall assessment of whether 
the solicitation as a whole was clear, conspicuous, comprehensible and 
not misleading.
    226. Contents of Solicitation. Carriers' solicitations of opt-in or 
opt-out consent to use or share customer PI must clearly and 
conspicuously inform customers of the types of customer PI that the 
carrier is seeking to use, disclose, or permit access to; how those 
types of customer PI will be used or shared; and the categories of 
entities with which that information is shared. The solicitations must 
also be comprehensible and not misleading, and be translated into a 
language other than English if the telecommunications carrier transacts 
business with the customer in that language. As with our notice 
requirements, we decline to specify a particular format or wording for 
this solicitation, so long as the solicitation meets the standards 
described above. The solicitation must provide a means to easily access 
the carrier's privacy policy as well as a means to easily access to a 
mechanism, described below in Part III.D.4, by which the customer can 
easily exercise his choice to permit or deny the use or sharing of his 
customer PI. Access to the choice mechanism may take a variety of 
forms, including being built into the solicitation, or provided as a 
link to the carrier's Web site, an email address that will receive the 
customer's choice, or a toll-free number that a customer can call to 
make his choice.
    227. As a point of clarification, the distinction between notice 
and consent solicitation is one of functionality, not necessarily of 
form. Choice solicitations may be combined with notices of privacy 
policies or notices of material change in privacy policies, but only to 
the extent that both the notices and solicitations meet their 
respective requirements for being clear and conspicuous, 
comprehensible, and not misleading. For instance, a carrier instituting 
a new program that uses non-sensitive customer PI prospectively could 
send an existing customer a notice of material change to the privacy 
policy that contained the opt-out solicitation (described in this Part) 
and access to the customer's choice mechanism (described in Part 
III.D.4, infra). This communication would, subject to the ease-of-use 
requirements, satisfy the rules. We further clarify that we are not 
requiring carriers to have special ``customer PI'' choice mechanisms 
that are different and stand alone from other mechanisms that may 
exist, so long as those mechanisms satisfy the outcomes required by our 
rules (such as, among other things, that they be clear and 
conspicuous). Likewise, we are not mandating a ``blanket'' choice 
mechanism. A carrier is free to give the customer the ability to pick 
and choose among which marketing channels the customer will opt out of. 
At the same time, if a carrier wanted to give the customer the ability 
to opt out of all marketing with a single click, that would be 
consistent with our rules.
4. Customers' Mechanisms for Exercising Privacy Choices
    228. In soliciting a customer's approval for the use or sharing of 
his or her customer PI, we require carriers to provide customers with 
access to a choice mechanism that is simple, easy-to-use clear and 
conspicuous, in language that is comprehensible and not misleading, and 
made available at no additional cost to the customer. This choice 
mechanism must be persistently available on or via the carrier's Web 
site; on the carrier's app, if it provides one for account management 
purposes; and on any functional equivalents of either. We intend for 
this requirement to mirror the requirements for a provider's provision 
of its notice of privacy policies. If a carrier lacks a Web site, it 
must provide a persistently available mechanism by another means such 
as a toll-free telephone number. However, we decline to specify any 
particular form or format for this choice mechanism. Carriers must act 
upon customers' privacy choices promptly.
    229. Format. As with our requirements for notices and for 
solicitations of approval, the actual mechanism provided by the carrier 
by which customers may inform the carrier of their privacy choices must 
be clear and conspicuous, and in language that is comprehensible and 
not misleading. Because users' transaction costs, in terms of time and 
effort expended, can present a major barrier to customers exercising 
choices, carriers' choice mechanisms must also be easy to use, ensuring 
that customers can readily exercise their privacy rights.
    230. We encourage but do not require carriers to make available a 
customer-facing dashboard. While a customer-facing dashboard carries a 
number of advantages, we are mindful of the fact that it may not be 
feasible for certain carriers, particularly small businesses, and that 
improved technologies and user interfaces may lead to better options. 
Preserving this flexibility benefits both carriers and customers by 
enabling carriers to adopt a mechanism that suits the customer's 
abilities and preferences and the carrier's technological capabilities. 
As noted, we are particularly mindful of the needs of smaller carriers. 
For example, WTA explains that ``[a] privacy dashboard as envisioned in 
the NPRM would require providers to aggregate information that is 
likely housed today on multiple systems and develop both internal and 
external user interfaces.'' ACA adds that creating a privacy dashboard 
would be a ``near-impossible task'' for small BIAS providers. 
Particularly in light of the

[[Page 87307]]

concerns expressed by small providers and their representatives, we 
decline to mandate that BIAS providers make available a customer-facing 
dashboard.
    231. Timing to Implement Choice. We require carriers to give effect 
to a customer's grant, denial, or withdrawal of approval ``promptly.'' 
Aside from the ordinary time that might be required for processing 
incoming requests, customers must be confident that their choices are 
being respected. The flexibility of this standard enables carriers to 
account for the relative size of the carrier, the type and amount of 
customer PI being used, and the particular use or sharing of the 
customer PI. Since the carrier process and technical mechanics of 
implementing a customer denial of approval for a new use may well 
differ from implementing a customer's denial of a previously approved 
practice, we do not expect that the time frames for each will 
necessarily be the same. The Commission has long held this 
interpretation to be consistent with the language and design of section 
222.
    232. Choice Persistence. As in our existing rules and as proposed 
in the NPRM, we require a customer's choice to grant or deny approval 
for use of her customer PI to remain in effect until a customer revokes 
or limits her choice. We find that customers reasonably expect that 
their choices will persist and not be changed without their affirmative 
consent (in the case of sensitive customer PI and previously collected 
non-sensitive customer PI) or at least the opportunity to object (in 
the case of yet to be collected non-sensitive customer PI).
    233. Small Carriers. Some small carriers expressed concern on the 
record that their Web sites do not allow for customers to manage their 
accounts, and thus could not offer an in-browser way for customers to 
immediately exercise their privacy choices on the carriers' Web sites. 
Since we decline to require a specific format for accepting customer 
privacy choices, any carriers, including small carriers, that lack 
choice mechanisms that customers can operate directly from the 
carrier's Web site or app may be able to accept customer preferences by 
providing on their Web sites, in their apps, and any functional 
equivalents, an email address, 24-hour toll-free phone number, or other 
easily accessible, persistently available means to exercise their 
privacy choices.
5. Eliminating Periodic Compliance Documentation
    234. We eliminate the specific compliance recordkeeping and annual 
certification requirements in section 64.2009 for voice providers. 
Eliminating these requirements reduces burdens for all carriers, and 
particularly small carriers, which often may not need to record 
approval if they do not use or share customer PI for purposes other 
than the provision of service. We find that carriers are likely to keep 
records necessary to allow for any necessary enforcement without the 
need for specific requirements, and that notifications of data breaches 
to customers and to enforcement agencies (including the Commission) 
will ensure compliance with the rules and a workable level of 
transparency for customers.

E. Reasonable Data Security

    235. In this section, we adopt a harmonized approach to data 
security that protects consumers' confidential information by requiring 
BIAS providers and other telecommunications carriers to take reasonable 
measures to secure customer PI. The record reflects broad agreement 
with our starting proposition that strong data security practices are 
crucial to protecting the confidentiality of customer PI. There is also 
widespread agreement among industry members, consumer groups, 
academics, and government entities about the importance of flexible and 
forward-looking reasonable data security practices.
    236. In the NPRM we proposed rules that included an overarching 
data security expectation and specified particular types of practices 
that providers would need to implement to comply with that standard, 
while allowing providers flexibility in implementing the proposed 
requirements (e.g., taking into account, at a minimum, the nature and 
scope of the provider's activities and the sensitivity of the customer 
PI held by the provider). Based on the record in this proceeding, we 
have modified the overarching data security standard to more directly 
focus on the reasonableness of the providers' data security practices. 
Also based on the record, we decline to mandate specific activities 
that providers must undertake in order to meet the reasonable data 
security requirement. We do, however, offer guidance on the types of 
data security practices we recommend providers strongly consider as 
they seek to comply with our data security requirement--recognizing, of 
course, that what constitutes ``reasonable'' data security is an 
evolving concept.
    237. The approach we take today underscores the importance of 
ensuring that providers have robust but flexible data security 
practices that evolve over time as technology and best practices 
continue to improve. It is consistent with the FTC's body of work on 
data security, the NIST Cybersecurity Framework (NIST CSF), the 
Satellite and Cable Privacy Acts, and the CPBR, and finds broad support 
in the record. In harmonizing the rules for BIAS providers and other 
telecommunications carriers we apply this more flexible and future-
focused standard to voice providers as well, replacing the more rigid 
data security procedures codified in the existing rules and thus 
addressing the potential that these existing procedures are both under- 
and over-inclusive--with the expectation that strong and flexible, 
harmonized, forward-looking rules will benefit consumers and industry.
1. BIAS and Other Telecommunications Providers Must Take Reasonable 
Measures To Secure Customer PI
    238. The rule that we adopt today requires that every BIAS provider 
and other telecommunications carrier take reasonable measures to 
protect customer PI from unauthorized use, disclosure, or access. To 
comply with this requirement, a provider must adopt security practices 
appropriately calibrated to the nature and scope of its activities, the 
sensitivity of the underlying data, the size of the provider, and 
technical feasibility.
    239. As we observed in the NPRM, privacy and security are 
inextricably linked. Section 222(a) imposes a duty on 
telecommunications carriers to ``protect the confidentiality of 
proprietary information of and relating to . . . customers.'' 
Fulfilling this duty requires a provider to have sound data security 
practices. A telecommunications provider that fails to secure customer 
PI cannot protect its customers from identity theft or other serious 
personal harm, nor can it assure its customers that their choices 
regarding use and disclosure of their personal information will be 
honored. As commenters point out, contemporary data security practices 
are generally oriented toward ``confidentiality, integrity, and 
availability,'' three dynamic and interrelated principles typically 
referred to together as the ``CIA'' triad. Confidentiality refers 
specifically in this context to protecting data from unauthorized 
access and disclosure; integrity refers to protecting information from 
unauthorized modification or destruction; and availability refers to 
providing authorized users with access to the information when needed. 
Our discussion of ``confidentiality'' as part of the CIA triad of data 
security

[[Page 87308]]

principles is not intended to suggest that the term has the same 
meaning under section 222 of the Act as it has in the CIA context. We 
agree with NTCA that confidentiality, integrity and availability are 
best understood as ``elements of a single duty'' to secure data, and 
their collective purpose is to ``illustrate the various considerations 
that must be engaged when the management of confidential information is 
considered.'' The record confirms that these are core principles that 
underlie the modern-day practice of data security. Thus, we expect 
providers to take these principles into account when developing, 
implementing, and monitoring the effectiveness of adopted measures to 
meet their data security obligation.
    240. By requiring providers to take reasonable data security 
measures, we make clear that providers will not be held strictly liable 
for all data breaches. Instead, we give providers significant 
flexibility and control over their data security practices while 
holding these practices to a standard of reasonableness that respects 
context and is able to evolve over time. There is ample precedent and 
widespread support in the record for this approach. FTC best practices 
guidance advises companies to ``make reasonable choices'' about data 
security, and in numerous cases the FTC has taken enforcement action 
against companies for failure to take ``reasonable and appropriate'' 
steps to secure customer data. Many states also have laws that require 
regulated entities to take ``reasonable measures'' to protect the 
personal data they collect. The CPBR reaffirms this standard, directing 
companies to ``establish, implement and maintain safeguards reasonably 
designed to ensure the security of'' personal customer information. 
Placing the responsibility on companies to develop and manage their own 
security practices is also a core tenet of the NIST CSF. A diverse 
range of commenters in this proceeding support adoption of a data 
security requirement for BIAS providers that is consistent with these 
principles. Indeed, several providers acknowledge the importance of and 
need for reasonable data security.
    241. By clarifying that our standard is one of ``reasonableness'' 
rather than strict liability, we address one of the major concerns that 
providers--including small providers and their associations--raise in 
this proceeding. WTA, for instance, argues that a strict liability 
standard ``is particularly inappropriate for small providers that lack 
the resources to install the expensive and constantly evolving 
safeguards necessary to comply with a strict liability regime.'' We 
agree with these parties, and others such as the Federal Trade 
Commission staff, that our rules should focus on the reasonableness of 
the providers' practices and not hold providers, including smaller 
providers, to a standard of strict liability.
    242. We also agree with those commenters that argue that the 
reasonableness of a provider's data security practices will depend 
significantly on context. The rule therefore identifies four factors 
that a provider must take into account when implementing data security 
measures: The nature and scope of its activities; the sensitivity of 
the data it collects; its size; and technical feasibility. Taken 
together, these factors give considerable flexibility to all providers. 
No one factor, taken independently, is determinative.
    243. We include ``size'' in part based on the understanding in the 
record that smaller providers employ more limited data operations in 
comparison to their larger provider counterparts. While the other 
contextual factors already account considerably for the varying data 
collection and usage practices of providers of different sizes, we 
agree with commenters that size is an independent factor in what 
practices are reasonable for smaller providers, particularly to the 
extent that the smaller providers engage in limited data usage 
practices. For instance, WTA explains that ``its members do not 
currently, and have no plans to, retain customer Internet browsing 
histories and related information on an individual subscriber basis 
because the cost . . . would significantly outweigh any potential 
monetary benefit derived from data relating to the small subscriber 
bases of [rural carriers].'' Several small provider commenters also 
point out that many such providers have few employees and limited 
resources. Accordingly, certain security measures that may be 
appropriate for larger providers, such as having a dedicated official 
to oversee data security implementation, are likely beyond the needs 
and resources of the smallest providers. Our decision not to adopt 
minimum required security practices should further allay concerns about 
the impact of the rule on small providers. Our inclusion of ``size'' as 
a factor makes clear that small providers are permitted to adopt 
reasonable security practices that are appropriate for their 
businesses. At the same time, we emphasize that all providers must 
adopt practices that take into account all four contextual factors. For 
instance, a small provider with very expansive data collection and 
usage practices could not point to its size as a defense for not 
implementing security measures appropriate for the ``nature and scope'' 
of its operations.
    244. The rule also takes into account the distinction between 
sensitive and non-sensitive information that underlies our customer 
approval requirements. Because the protection of both sensitive and 
non-sensitive customer PI is necessary to give effect to customer 
choices about the use and disclosure of their information, our data 
security rule must cover both. The State Privacy and Security Coalition 
argues that the security rule proposed in the NPRM would be too 
burdensome when applied to non-sensitive information. We believe the 
modifications we have made to the proposal, including our decision not 
to adopt minimum required security practices, sufficiently address this 
concern. At the same time, we decline to require ``the same, strict 
data security protections'' for all such information. Rather, we direct 
providers to calibrate their security measures to ``the sensitivity of 
the underlying data.'' This approach finds broad support in the record 
and is consistent with FTC guidance and precedent. Where sensitive and 
non-sensitive customer PI are commingled, a carrier should err on the 
side of treating the information as sensitive. Similarly, our inclusion 
of ``technical feasibility'' as a factor makes clear that reasonable 
data security practices must evolve as technology advances. Because our 
rule gives providers broad flexibility to consider costs when 
determining what security measures to implement over time, we do not 
find it necessary to include ``cost of security measures'' as a 
separate factor as AT&T and other commenters propose. This means that 
every provider must adopt security measures that reasonably address the 
provider's data security risks.
    245. In their comments, the National Consumers League recommended 
that we establish data security threshold requirements that providers 
could build on, but not fall below. We find that unnecessary in light 
of the rules we adopt today. We believe that the flexible and forward-
looking rule we adopt combined with the discussion that follows 
regarding exemplary practices makes clear that the rule sets a high and 
evolving standard of data security. A provider that fails to keep 
current with industry best practices and other relevant guidance in 
designing and implementing its data security practices runs the risk of 
both a preventable data breach and that it will be found out of 
compliance with our data security rule.

[[Page 87309]]

We also observe that we have already acted in multiple instances to 
enforce carriers' broad statutory obligations to take reasonable 
precautions to protect sensitive customer information. In the TerraCom 
proceeding, for instance, we took action against a carrier under 
section 222 of the Act for its failure to employ ``appropriate security 
measures'' to protect customers' Social Security numbers and other data 
from exposure on the public Internet. Moreover, in TerraCom and other 
data security enforcement proceedings, parties have agreed to detailed 
data security obligations on individual carriers as conditions of 
settlement. For example, as part of one consent decree entered into by 
AT&T and the Commission's Enforcement Bureau, AT&T agreed to develop 
and implement a compliance plan aimed at preventing recurrence of a 
major data security lapse. We have the ability to pursue similar 
remedial conditions in the context of any enforcement proceeding that 
may arise under the data security rule we adopt today, based on the 
facts of the case.
    246. In addition, the flexibility we have built into our rule 
addresses concerns about potential conflict with the NIST Cybersecurity 
Framework (NIST CSF) and with other initiatives to confront data 
security as well as broader cyber threats. The Commission values the 
NIST CSF and has demonstrated its commitment to promoting its adoption 
across the communications sector, and we have accordingly fashioned a 
data security rule that closely harmonizes with the NIST CSF's flexible 
approach to risk management. The rule gives providers ample flexibility 
to implement the NIST CSF on a self-directed basis, and it imposes on 
BIAS providers a standard for data security similar to that which 
governs edge providers and other companies operating under the FTC's 
general jurisdiction. We also reject any suggestions that our rule will 
impinge on BIAS providers' efforts to improve Internet security or 
protect their customers from malware, phishing attacks, and other cyber 
threats. Indeed, protecting against such attacks and threats will only 
bolster a company's claims that it has reasonable data security 
practices. Moreover, as explained above, the rules adopted in this 
Report and Order do not prohibit or impose any constraint on cyber 
threat information sharing that is lawfully conducted pursuant to the 
Cybersecurity Information Sharing Act of 2015 (CISA). Indeed, we 
believe that information sharing is a vital part of promoting data 
security across the industry.
    247. Finally, we recognize that there is more to data security than 
the steps each individual provider takes to secure the data it 
possesses. For instance, effective consumer outreach and education can 
empower customers to be pro-active in protecting their own data from 
inadvertent or malicious disclosures. We also encourage providers to 
continue to engage constructively with the Commission, including 
through the CSRIC and related efforts, to develop and refine data 
security best practices. Also, as carriers develop and manage their 
security practices, we encourage them to be forward-looking. In 
particular, carriers should make efforts to anticipate future data 
security threats and proactively work to mitigate future risk drivers.
2. Practices That Are Exemplary of Reasonable Data Security
    248. While we do not prescribe specific practices that a provider 
must undertake to comply with our data security rule, the requirement 
to engage in reasonable data security practices is set against a 
backdrop of existing privacy and data security laws, best practices, 
and public-private initiatives. Each of these is a potential source of 
guidance on practices that may be implemented to protect the 
confidentiality of customer PI. For the benefit of small providers, and 
others, below we discuss in more detail an evolving set of non-
exclusive practices that we consider relevant to the question of 
whether a provider has complied with the requirement to take reasonable 
data security measures. While certain of these practices were 
originally proposed as minimum data security requirements, we discuss 
them here as part of a set of practices that we presently consider 
exemplary of a reasonable and evolving standard of data security. We 
agree with commenters that dictating a minimum set of required 
practices could foster a ``compliance mindset'' that is at odds with 
the dynamic and innovative nature of data security. Providers with less 
established data security programs may interpret such requirements as a 
checklist of what is required to achieve reasonable data security, an 
attitude we seek to discourage. We also seek to avoid codifying 
practices as the state of the art continues to rapidly evolve. For 
example, National Consumers League recommends adoption of multi-factor 
authentication as a required ``minimum baseline.'' Yet the record 
includes discussion of a variety of techniques for robust customer 
authentication, not all of which would necessarily qualify as ``multi-
factor'' in all circumstances. Our approach places the responsibility 
on each provider to develop and implement data security practices that 
are reasonable for its circumstances and to refine these practices over 
time as circumstances change. Rather than mandate what these practices 
must entail, we provide guidance to assist each provider in achieving 
reasonable data security on its own terms. Taking this approach will 
also allay concerns that overly prescriptive rules would frustrate 
rather than improve data security.
    249. While providers are not obligated to adopt any of the 
practices we suggest, we believe that together they provide a solid 
foundation for data security that providers can modify and build upon 
as their risks evolve and, as such, the presence and implementation of 
such practices will be factors we will consider in determining, in a 
given case, if a provider has complied with the reasonable data 
security requirement. However, these practices do not constitute a 
``safe harbor.'' A key virtue of the flexible data security rule we 
adopt today is that it permits data security practices to evolve as 
technology advances and new methods and techniques for data security 
come to maturity. We are concerned that any fixed set of security 
practices codified as a safe harbor would fail to keep pace with this 
evolutionary process. The availability of a safe harbor may also 
discourage experimentation with more innovative data security practices 
and techniques. While it may be possible to construct a safe harbor 
``with concrete requirements backed by vigorous enforcement'' that also 
takes the evolution of data security practices into account, we find no 
guidance in the record on how to do so in a workable fashion. 
Accordingly, our approach is to evaluate the reasonableness of any 
provider's data security practices on a case-by-case basis under the 
totality of the circumstances, taking into account the contextual 
factors that are part of the rule. This approach is well-grounded in 
precedent and will provide sufficient guidance to providers. Our 
approach to data security also mirrors the FTC's, under which the 
reasonableness of an individual company's data security practices is 
assessed against a background of evolving industry guidance. The CPBR 
also takes a similar approach.
    250. Engagement with Industry Best Practices and Risk Management 
Tools. We encourage providers to engage with and implement up-to-date 
and relevant

[[Page 87310]]

industry best practices, including available guidance on how to manage 
security risks responsibly. One powerful tool that can assist providers 
in this respect is the NIST CSF, which many commenters endorse as a 
voluntary framework for cyber security and data security risk 
management. We agree that proper implementation of the NIST CSF, as 
part of a provider's overall risk management, would contribute 
significantly to reasonable data security, and that use of the NIST CSF 
can guide the implementation of specific data security practices that 
are within the scope of that framework. We encourage providers to 
consider use of the NIST CSF, as the widespread adoption of this common 
framework permits the Commission to optimize its engagement with the 
industry. That said, we clarify that use of the NIST CSF is voluntary, 
and providers retain the option to use whatever risk management 
approach best fits their needs. In addition, we encourage providers to 
look to guidance from the FTC, as well as materials that have been 
issued to guide the implementation of data security requirements under 
HIPAA, GLBA, and other relevant statutory frameworks. Finally, we note 
that a Commission multi-stakeholder advisory body, the Communications 
Security, Reliability, and Interoperability Council (CSRIC), has 
produced a rich repository of best practices on various aspects of 
communications security as well as alerting the Commission of useful 
activities for which Commission leadership can effectively convene 
stakeholders to address industry-wide risk factors. In particular, 
CSRIC has developed voluntary mechanisms by which the communications 
industry can address cyber risk, based upon the NIST CSF. Many 
providers and industry associations that have participated in this 
proceeding are active contributors to the CSRIC's work. We encourage 
providers to consider implementation of the CSRIC best practices as 
appropriate.
    251. Strong Accountability and Oversight. Strong accountability and 
oversight mechanisms are another factor we consider exemplary of 
reasonable data security. As an initial matter, we agree with the FTC 
that the development of a written comprehensive data security program 
is a practice that is a best practice in promoting reasonable data 
security. As the FTC explains, putting a data security program in 
writing can ``permit internal and external auditors to measure the 
effectiveness of the program and provide for continuity as staff 
members leave and join the team.'' A written security program can also 
reinforce the specific practices a provider implements to achieve 
reasonable data security.
    252. A second accountability mechanism that helps a company engage 
in reasonable data security is the designation of a senior management 
official or officials with personal responsibility over and 
accountability for the implementation and maintenance of the provider's 
data security practices as well as an official responsible for its 
privacy practices. Companies that take this step are advised to couple 
designation of corporate privacy and security roles and 
responsibilities with effective interaction with Boards of Directors 
(or, for firms without formal Board oversight, such other structure 
governing the firm's risk management and oversight), to provide a 
mechanism for including cyber risk reduction expense within overall 
risk management plans and resource allocations. That said, we do not 
specify the qualifications or status that such an official would need 
to possess, and we recognize that for a smaller provider these 
responsibilities may rest with someone who performs multiple functions 
or may be outsourced. Another practice that is indicative of reasonable 
data security is training employees and contractors on the proper 
handling of customer PI. Employee training is a longstanding component 
of data security under the Commission's existing rules. We encourage 
providers to seek out expert guidance and best practices on the design 
and implementation of efficacious training programs. Finally, 
accountability and oversight are also relevant in the context of 
sharing customer PI with third parties. We agree with commenters that 
providers must take reasonable steps to promote the safe handling of 
customer PI they share with third parties. Perhaps the most 
straightforward means of achieving this accountability is to obtain 
data security commitments from the third party as a condition of the 
disclosure. We also remind providers that they are directly accountable 
for the acts and omissions of their agents, including independent 
contractors, for the entirety of the data lifecycle. This means that 
the acts and omissions of agents will be taken into account in 
assessing whether a provider has engaged in reasonable data security 
practices.
    253. Robust Customer Authentication. The strength of a provider's 
customer authentication practices also is probative of reasonable data 
security. We have recognized that there is no single approach to 
customer authentication that is appropriate in all cases, and 
authentication techniques and practices are constantly evolving. That 
said, the record documents some discernable trends in this area that we 
would currently expect providers to take into account. For instance, we 
encourage providers to consider stronger alternatives to relying on 
rudimentary forms of authentication like customer-generated passwords 
or static security questions. Providers may also consider the use of 
heightened authentication procedures for any disclosure that would 
place a customer at serious risk of harm if the disclosure were 
improperly made. In addition, we encourage providers to periodically 
reassess the efficacy of their authentication practices and consider 
possible improvements. Another practice we encourage providers to 
consider is to notify customers of account changes and attempted 
account changes. These notifications provide a valuable tool for 
customers to monitor their own accounts' security. Providers that 
implement them should consider the potential for ``notice fatigue'' in 
determining how often and under what circumstances these notifications 
are sent.
    254. Other Practices. The record identifies other practices that we 
encourage providers to consider when implementing reasonable security 
measures. For instance, several commenters cite the importance of 
``data minimization,'' which involves thinking carefully about what 
data to collect, how long to retain it, and how to dispose of it 
securely. The principle of data minimization is also embodied in FTC 
guidance, in the CPBR, and in the Satellite and Cable Privacy Acts. We 
encourage providers to look specifically to the FTC's ``Disposal Rule'' 
for guidance on the safe destruction and disposal of customer PI. We 
also encourage providers to consider data minimization practices that 
apply for the entirety of the data lifecycle, from collection to 
deletion. In addition, several commenters recommend strong data 
encryption, another practice that the FTC advises companies to 
consider. We agree with commenters that technologically sound data 
encryption can significantly improve data security, in part by 
minimizing the consequences of a breach. Finally, we believe that the 
lawful exchange of information regarding cyber incidents and threats is 
relevant to promoting data security, and encourage providers to 
consider engagement in established information sharing practices.
    255. The exemplary practices discussed above are not an exhaustive

[[Page 87311]]

list of reasonable data security practices. A provider that implements 
each of these practices may still fall short of its data security 
obligation if there remain unreasonable defects in its protection of 
the confidentiality of customer PI. Conversely, a provider may satisfy 
the rule without implementing each of the listed practices. The key 
question is whether a provider has taken reasonable measures to secure 
customer PI, based on the totality of the circumstances. In taking this 
approach, we acknowledge that the adoption of more prescriptive, 
bright-line requirements could offer providers greater certainty as to 
what reasonable data security requires. Yet virtually all providers 
that have addressed the issue--including small providers and their 
associations--oppose such requirements. Rather, these providers prefer 
the approach we have taken in this Report and Order, i.e., the adoption 
of a ``reasonableness'' standard that mirrors the FTC's. Also like the 
FTC, we have provided the industry with guidance on how to achieve 
reasonable data security in compliance with our rule. We anticipate 
building upon this guidance over time as data security practices evolve 
and with them the concept of reasonable data security.
3. Extension of the Data Security Rule To Cover Voice Services
    256. In light of the record, we conclude that harmonization of the 
data security requirements that apply to BIAS and other 
telecommunications services is the best option for providers and 
consumers alike. Accordingly, we extend to voice services the data 
security rule we have adopted for BIAS. This data security rule 
replaces the more inflexible data security requirements presently 
codified in Part 64 of the rules.
    257. There are many reasons to harmonize the data security 
requirements that apply to BIAS and voice services. As an initial 
matter, many providers offer services of both kinds and often sell them 
together in bundled packages. We agree with commenters that argue that 
applying different security requirements to the two kinds of services 
may confuse customers and add unnecessary complexity to providers' data 
security operations, which may be particularly burdensome for smaller 
providers. In addition, the evidence suggests that the data security 
requirements of the existing rules no longer provide the best fit with 
the present and anticipated communications environment. For instance, 
expert commentary on the topic of robust customer authentication 
indicates that this is a complex area where providers need flexibility 
to adapt their practices to new threats. The highly specific procedures 
outlined in the existing voice rules are incongruous with this approach 
to customer authentication.
    258. Moreover, retaining the prescriptive data security rules that 
apply to voice services could impede the development and implementation 
of more innovative data security measures for BIAS. Providers subject 
to both sets of rules may determine that the easiest and most cost-
effective path to compliance is to adopt for both services the more 
rigid data security practices that the voice rules require. Such an 
outcome would contravene our intent to establish a robust and flexible 
standard for BIAS data security that evolves over time.
    259. Accordingly, we find that the best course is to replace the 
data security rules that currently govern voice services with the more 
flexible standard we are adopting for BIAS. We find that the rule as 
written is sufficiently broad to cover BIAS and other 
telecommunications services. We also clarify that the exemplary 
practices we discuss above may be implemented differently depending on 
the services an entity provides. For instance, data security best 
practices that pertain specifically to broadband networks or services 
may or may not be relevant in the context of providing voice services.
    260. In harmonizing the data security rules for voice services and 
BIAS, we acknowledge that voice providers have operated for many years 
under the existing rules and have tailored their data security 
practices accordingly. We do not expect any provider to revamp its data 
security practices overnight. On the contrary, as explained below, we 
are adopting an implementation schedule that affords providers ample 
time to bring their practices into compliance with the new rules.

F. Data Breach Notification Requirements

    261. In this section we adopt rules requiring BIAS providers and 
other telecommunications carriers to notify affected customers, the 
Commission, the FBI, and the Secret Service of data breaches unless the 
provider reasonably determines that no harm to customers is reasonably 
likely to occur. The data breach notification requirements adopted in 
this Report and Order extend to breaches involving a carrier's vendors 
and contractors. For purposes of these rules, we define a breach as any 
instance in which a person, without authorization or exceeding 
authorization, has gained access to, used, or disclosed customer 
proprietary information. The record clearly demonstrates that data 
breach notification plays a critical role in protecting the 
confidentiality of customer PI. An obligation to notify customers and 
law enforcement agencies when customer data is improperly accessed, 
used, or disclosed incentivizes carriers to adopt strong data security 
practices. Breach notifications also empower customers to protect 
themselves against further harms, help the Commission identify and 
confront systemic network vulnerabilities, and assist law enforcement 
agencies with criminal investigations. At the same time, unnecessary 
notification can cause notice fatigue, erosion of consumer confidence 
in the communications they receive from their provider, and inflated 
compliance costs. The approach we adopt today finds broad support in 
the record and will maximize the benefits of breach notification as a 
consumer protection and public safety measure while avoiding 
unnecessary burdens on providers and their customers. Furthermore, our 
approach is consistent with how federal law enforcement agencies, such 
as the FBI and Secret Service, conduct and coordinate data breach 
investigations.
    262. First, we address the circumstances that will obligate BIAS 
providers and other telecommunications carriers to notify the 
Commission, federal law enforcement agencies, and customers of data 
breaches. We note that these obligations are not mutually exclusive 
with other data breach notification obligations stemming from other 
state, local, or federal laws, or contractual obligations. This 
includes a discussion of two related elements adopted today: The harm-
based notification trigger and the updated definition for ``breach.'' 
We then address the requirements that BIAS providers and other 
telecommunications carriers must follow for providing notice to the 
Commission and other federal law enforcement. Next, we describe the 
specific notification requirements that BIAS providers and other 
telecommunications carriers must follow in providing data breach 
notifications to customers, including: The required timing for sending 
notification; the necessary contents of the notification; and the 
permissible methods of notification. We then discuss the data breach 
record retention requirements. Finally, we explain our decision to 
adopt rules that harmonize data breach requirements for BIAS providers 
and other telecommunications carriers.

[[Page 87312]]

1. Harm-Based Notification Trigger
    263. We require breach notification unless a carrier can reasonably 
determine that no harm to customers is reasonably likely to occur as a 
result of the breach. We do so to enable customers to receive the data 
breach notifications that they need to take steps to protect 
themselves, and to provide the Commission, the FBI, and Secret Service 
with the information they need to evaluate the efficacy of data 
security rules as well as detect systemic threats and vulnerabilities. 
In the NPRM we sought comment on what should trigger data breach 
notification, and based on the record, we conclude that the trigger 
most suitable for our purposes is one based on the potential for 
customer harm. Among its many benefits, this harm-based trigger will 
avoid burdening providers and customers alike with excessive 
notifications, and it will allow providers the flexibility to focus 
limited resources on data security and ameliorating customer harms 
resulting from data breaches rather than on notifications that have 
minimal benefit to customers. The record reflects various harms 
inherent in unnecessary notification, including notice fatigue, erosion 
of consumer confidence in the communications they receive from their 
provider, and compliance costs. The harm-based notification trigger we 
adopt addresses these concerns, by limiting the overall volume of 
notifications sent to customers and eliminating correspondence that 
provides minimal or no customer benefit.
    264. Our harm-based trigger has a strong basis in existing state 
data breach notification frameworks. The triggers employed in these 
laws vary from state to state, but in general they permit covered 
entities to avoid notifying customers of breaches where the entity 
makes some determination that the breach will not or is unlikely to 
cause harm. Likewise, the FTC ``supports an approach that requires 
notice unless a company can establish that there is no reasonable 
likelihood of economic, physical, or other substantial harm.'' Our rule 
similarly requires the carrier to reasonably determine that no harm to 
customers is reasonably likely to occur. As such, we disagree with 
commenters arguing that standards based on determinations of harm leave 
consumers more vulnerable to that harm. On the contrary, the record, 
and the many state laws addressing data breach notifications, 
demonstrate that providers have ample experience determining a 
likelihood of harm. Additionally, the reasonableness standard that 
applies to both the carrier's evaluation and the likelihood of harm 
adds an objective component to these determinations.
    265. Further, the harm-based trigger places the burden on a carrier 
that detects a breach to reasonably determine that no harm to customers 
is reasonably likely to occur as a result of the breach. This responds 
to concerns such as AAJ's that it is ``frequently impossible'' for a 
carrier to immediately discern the full scope and ramifications of a 
breach. Our harm-based trigger does not relieve a carrier of its 
notification obligation simply by virtue of its failure or inability to 
ascertain the harmful effects of a breach. Rather, carriers must take 
the investigative steps necessary to reach a reasonable determination 
that no such harm is reasonably likely. Where a carrier's investigation 
of a breach leaves it uncertain whether a breach may have resulted in 
customer harm, the obligation to notify remains. By contrast, requiring 
customer notification only when a provider determines the presence of 
some risk of harm would create perverse incentives not to carefully 
investigate breaches.
    266. In adopting a harm-based trigger, we clarify that its scope is 
not limited to ``easily recognized financial harm.'' In the NPRM, we 
acknowledged that ``harm'' is a concept that can be broadly construed 
to encompass ``financial, physical, and emotional harm.'' We conclude 
that the same construction of harm is appropriate for our final breach 
notification rule. This decision is consistent with the fundamental 
premise of this proceeding that customer privacy is about more than 
protection from economic harm. The record demonstrates that commenters' 
privacy concerns stem from more than just avoiding financial harms. As 
such, we disagree with commenters who assert that financial loss or 
identity theft should be the primary metrics for determining the level 
of harm or whether harm exists at all. Some commenters have called 
``for the FCC to help determine how organizations can better respond to 
breaches in which personal, non-financial data is breached.'' We find 
that within the meaning of section 222(a), threats to the 
``confidentiality'' of customer PI include not only identity theft or 
financial loss but also reputational damage, personal embarrassment, or 
loss of control over the exposure of intimate personal details.
    267. Relatedly, we establish a rebuttable presumption that any 
breach involving sensitive customer PI presumptively poses a reasonable 
likelihood of customer harm and would therefore require customer 
notification. This rebuttable presumption finds a strong basis in the 
record. Even commenters that favor minimal breach reporting generally 
concede that customers are entitled to notification when their most 
sensitive information is misused or disclosed. The presumption also 
aligns with our decision to base the level of customer approval 
required for use or disclosure of customer PI on whether the PI is 
sensitive in nature. As we explain above, this distinction upholds the 
widespread expectation that customers should be able to maintain 
particularly close control over their most sensitive personal data. 
While breaches of sensitive customer PI often present severe risks of 
concrete economic harm, there is a more fundamental harm that comes 
from the loss of control over information the customer reasonably 
expects to be treated as sensitive.
    268. We also find that our employing a harm-based trigger will 
substantially reduce the burdens of smaller providers in reporting 
breaches of customer PI. We agree with commenters stating that a 
framework--such as ours--that allows providers to assess the likelihood 
of harm to their customers will ultimately be less costly and ``will 
not overburden small providers.'' The record indicates that smaller 
providers tend to collect and use customer data, including sensitive 
information, far less extensively than larger providers. More modest 
collection and usage of customer PI leaves a provider less prone to 
breaches that would trigger a data breach notification obligation under 
our rule.
    269. Finally, we clarify that our harm-based notification trigger 
applies to breaches of data in an encrypted form. Whether a breach of 
encrypted data presents a reasonable likelihood of harm will depend in 
significant part on the likelihood that unauthorized third parties 
reasonably would be expected to be able to decrypt the data. It also 
will depend on, among other things, the scope and magnitude of 
potential harm if the data were unencrypted. Factors that make 
decryption more or less likely are therefore relevant in determining 
whether a reasonable likelihood of customer harm is present in such 
instances. These factors may include the quality of the encryption and 
whether third parties can access the encryption key. Ultimately, a 
provider must notify affected customers if it cannot reasonably 
determine that a breach poses no reasonable likelihood of harm, 
regardless of whether the breached data is encrypted.
    270. With our adoption of a harm-based trigger, we have removed the 
need

[[Page 87313]]

for a separate trigger based on intent. Thus, for purposes of these 
rules, we adopt the definition of breach that we proposed in the NPRM 
and define a breach as any instance in which a person, without 
authorization or exceeding authorization, has gained access to, used, 
or disclosed customer proprietary information. This definition is 
broader than the definition in our existing rules, which includes an 
intent element, and only applies to breaches of CPNI, in recognition 
that the record indicates that the relevant factor for breach reporting 
is not intent, but effect on the customer.
    271. We agree with other commenters that inadvertent breaches can 
be just as severe and harmful for consumers as intentional breaches, 
and consumers are likely to care about serious breaches even when they 
occur by accident or mistake. Moreover, whether or not a breach was 
intentional may not always be immediately apparent. By defining breach 
to include unintentional access, use, or disclosure we ensure that in 
the event of a breach the provider has an incentive to investigate the 
cause and effect of the breach, and the opportunity to respond 
appropriately. Some commenters recommend that the definition of breach 
include an intent element to avoid equating inadvertent disclosure of 
customer PI to an employee or contractor of a provider with intentional 
hacking of customer records. The adoption of a harm-based trigger--in 
lieu of a trigger based on intent--creates a consistent obligation to 
report breaches that may harm consumers, regardless of the source or 
cause of the breach.
    272. Commenters also argue that including an intent element in the 
definition of breach would prevent excessive data breach notifications. 
Commenters making this argument raise the prospect of a flood of 
notifications for breaches that have no impact on the consumer, 
including such good-faith errors as an employee inadvertently accessing 
the wrong database. We share their general concern about the risk of 
over-notification--it is costly to providers, without corresponding 
benefit to consumers, and can lead to notice fatigue and possibly 
consumer de-sensitization. However, in this context the argument is 
misplaced. Identifying a data breach is only the first step towards 
determining whether data breach notification is necessary. The harm-
based trigger that we adopt today relieves a provider from notifying 
its customers and government agencies of breaches that result from 
minor mistakes that create no risk of harm to the affected customers. 
Based on this analysis, we find eliminating the word ``intentionally'' 
from our breach definition equally warranted for all telecommunications 
carriers.
    273. Our adoption of a harm-based trigger also addresses concerns 
about the breadth of our breach definition. For example our definition 
includes incidents where a person gains unauthorized access to customer 
PI but makes no further use of the data. We agree with AAJ that we must 
account for the difficulties a provider faces in determining when 
``access translates to acquisition and when acquisition leads to 
misuse.'' Our rule appropriately requires providers to issue 
notifications in cases where a provider is unable to determine the full 
scope and impact of a breach. However, the definition of breach does 
not create an obligation to notify customers of an unauthorized gain of 
access--such as an employee opening the wrong file--once the provider 
reasonably determines that no harm is reasonably likely to occur. This 
accords with AT&T, which explains that ``not requiring notification 
where a provider determines that there is no reasonable likelihood of 
harm to any customer resulting from the breach'' will ``reduce 
excessive reporting.''
    274. Similarly, our harm-based trigger allays the concern that 
extending breach notification obligations beyond CPNI to customer PI 
more broadly would vastly expand the range of scenarios where 
notification is required. This concern is largely premised on the 
assumption that we would require customer notification of all breaches 
of customer PI, regardless of the severity of the breach or the 
sensitivity of the PI at issue. As explained above, we have instead 
adopted a more targeted obligation that takes into account the 
potential for customer harm. In addition, we observe that many, if not 
all, state data breach notification requirements explicitly include 
sensitive categories of PII within their scope. Under our rule, 
breaches involving such information would presumptively meet our harm 
trigger and thus require notification. We think it is clear that the 
unauthorized exposure of sensitive PII, such as Social Security numbers 
or financial records, is reasonably likely to pose a risk of customer 
harm, and no commenter contends otherwise. We therefore find it 
appropriate for our breach notification rule to apply broadly to 
customer PI, including PII.
2. Notification to the Commission and Federal Law Enforcement
    275. In this section, we describe rules requiring 
telecommunications carriers to notify the Commission and federal law 
enforcement of breaches of customer PI, under the harm-based 
notification trigger discussed above. We also specify the timeframe and 
methods by which providers must provide this information.
    276. Scope. As proposed in the NPRM, we require notification to the 
Commission of all breaches that meet the harm-based trigger and, when 
the breach affects 5,000 or more customers, the FBI and Secret Service. 
We expect that this notification data will facilitate dialogue between 
the Commission and telecommunications carriers, and will prove 
extremely valuable to the Commission in evaluating the efficacy of its 
data security rules, as well as in identifying systemic negative trends 
and vulnerabilities that can be addressed with individual providers or 
the industry as a whole including to further the goal of collaborative 
improvement and refinement of data security practices. Still, we retain 
discretion to take enforcement action to ensure BIAS providers and 
other telecommunications carriers are fulfilling their statutory duties 
to protect customer information.
    277. We adopt an additional trigger of at least 5,000 affected 
customers for notification to the Secret Service and FBI, in order to 
ensure that these agencies are not inundated with notifications that 
are unlikely to have significant law enforcement implications. This 
threshold finds support in the comments of the FBI and Secret Service 
and is also consistent with or similar to provisions in various 
legislative and administration proposals for a federal data breach law. 
We recognize that there may be circumstances under which carriers want 
to share breach information that does not meet the harm trigger we 
adopt today as part of a broader voluntary cybersecurity and threat 
detection program, and we encourage providers to continue these 
voluntary efforts.
    278. Timeframe. The dictates of public safety and emergency 
response may require that the Commission and law enforcement agencies 
be notified of a breach in advance of customers and the general public. 
Thus, for breaches affecting 5,000 or more customers, we require 
carriers to notify the Commission, the FBI, and the Secret Service 
within seven (7) business days of when the carrier reasonably 
determines that a breach has occurred, and at least three (3) business 
days before notifying customers. For breaches affecting fewer than 
5,000 customers, carriers must notify the Commission without 
unreasonable delay and no later than thirty (30) calendar days 
following the carrier's reasonable determination

[[Page 87314]]

that a breach has occurred. Both of these thresholds remain subject to 
the harm-based trigger. We agree with commenters that the timeline for 
data breach notification should not begin when a provider first 
identifies suspicious activity. At the same time, we clarify that 
``reasonably determining'' a breach has occurred does not mean reaching 
a conclusion regarding every fact surrounding a data security incident 
that may constitute a breach. Rather, a carrier will be treated as 
having ``reasonably determined'' that a breach has occurred when the 
carrier has information indicating that it is more likely than not that 
there was a breach. To further clarify, the notification timelines 
discussed herein run from the carrier's reasonable determination that a 
breach has occurred, not from the determination that the breach meets 
the harm-based notification trigger.
    279. We agree with the FBI and the Secret Service that advance 
notification of breaches will enable law enforcement agencies to take 
steps to avoid the destruction of evidence and to assess the need for 
further delays in publicizing the details of a breach. We reject 
arguments that the timeframes for Commission and law enforcement 
notification that we adopt are too burdensome. Rather, we agree with 
AT&T and other commenters in the record that allowing carriers seven 
(7) business days to notify the Commission and law enforcement 
furnishes those providers with sufficient time to adequately 
investigate suspected breaches. Further, to address concerns expressed 
in the record regarding the complexity and costs of data breach 
notification for smaller providers, we relax the notification timeframe 
for breaches affecting fewer than 5,000 customers. Carriers must notify 
the Commission of breaches affecting less than 5,000 customers without 
unreasonable delay and no later than thirty (30) calendar days 
following the carrier's reasonable determination that a breach has 
occurred. We find that a 30-day notification timeframe for breaches 
affecting fewer than 5,000 customers provides the Commission with the 
data necessary to monitor trends and gain meaningful insight from 
breach activity across the country, while at the same time reducing and 
simplifying the requirements for all carriers, particularly smaller 
providers, whose limited resources might be better deployed toward 
remediating and preventing breach activity, particularly in the early 
days of addressing a relatively small breach.
    280. We also recognize that a carrier's understanding of the 
circumstances and impact of a breach may evolve over time. We expect 
carriers to supplement their initial breach notifications to the 
Commission, FBI, and Secret Service, as appropriate. Early notification 
of breaches will improve the Commission's situational awareness and 
enable it to coordinate effectively with other agencies, including with 
the FBI and Secret Service on breaches not reportable directly to these 
agencies that may nevertheless raise law enforcement concerns. 
Furthermore, time is of the essence in a criminal investigation. 
Learning promptly of a significant, large-scale breach gives law 
enforcement agencies an opportunity ``to coordinate their efforts so 
that any law enforcement response can maximize the resources available 
to address and respond to the intrusion.'' Given the vital interests at 
stake in cases where a data breach merits a law enforcement response, 
we find that the seven (7) business day reporting deadline for such 
breaches is necessary as a matter of public safety and national 
security.
    281. To further advance the needs of law enforcement, we permit the 
FBI or Secret Service to direct a provider to delay notifying customers 
and the public at large of a breach for as long as necessary to avoid 
interference with an ongoing criminal or national security 
investigation. This provision replaces the more prescriptive 
requirements in the existing rules specifying the timing and methods 
for law enforcement intervention. Consistent with our overall approach 
in this proceeding, we adopt rules that incorporate flexibility to 
account for changing circumstances. Several commenters agree that this 
provision for law enforcement, which is embodied in the existing rules, 
remains prudent. We also observe that the laws of several states and 
the District of Columbia include similar law enforcement delay 
provisions. We are not persuaded that such a provision unduly 
interferes with the interests of customers in taking informed action to 
protect themselves against breaches. As the FBI and Secret Service 
explain, customer notification delays are not routine but are requested 
as a matter of practice only in ``exceptional circumstances'' involving 
a serious threat of harm to individuals or national security. In 
addition, decisions regarding when to publicly disclose details of a 
criminal investigation are a matter that lies within the expertise of 
law enforcement agencies. We therefore find that the best course is to 
defer to the judgment of the FBI and Secret Service on when the 
benefits of delaying customer notification outweigh the risks.
    282. Method. We will create a centralized portal for reporting 
breaches to the Commission and other federal law enforcement agencies. 
The Commission will issue a public notice with details on how to access 
and use this portal once it is in place. The reporting interface will 
include simple means of indicating whether a breach meets the 5,000-
customer threshold for reporting to the FBI and Secret Service. The 
creation of this reporting facility will streamline the notification 
process, reducing burdens for providers, particularly small providers. 
Any material filed in this reporting facility will be presumed 
confidential and not made routinely available for public inspection.
3. Customer Notification Requirements
    283. In order to ensure that telecommunications customers receive 
timely notification of potentially harmful breaches of their customer 
PI, we adopt rules specifying how quickly BIAS providers and other 
telecommunications carriers must notify their customers of a breach, 
the information that must be included in the breach notification, and 
the appropriate method of notification.
a. Timeline for Notifying Customers
    284. We require BIAS providers and other telecommunications 
carriers to notify affected customers of reportable breaches of their 
customer PI without unreasonable delay, and no later than 30 calendar 
days following the carriers' reasonable determination that a breach has 
occurred, unless the FBI or Secret Service requests a further delay. 
This approach balances affected customers' need to be notified of 
potentially harmful breaches of their confidential information with 
carriers' need to properly determine the scope and impact of the 
breach, and to the extent necessary, to most immediately focus 
resources on preventing further breaches. Also, the specific customer 
notification timeline we adopt has broad record support.
    285. As an initial matter, we agree with commenters that clear and 
straightforward notification deadlines are necessary to ensure that 
customers are timely notified of breaches that affect them. We also 
agree with commenters that providing more time to notify customers than 
the 10 days we initially proposed will enable carriers to conduct a 
more thorough and complete investigation of breaches in advance of the 
notification. This extra time for

[[Page 87315]]

investigation will minimize duplicative and incomplete breach notices, 
avoid customer confusion, allow providers to focus first on stopping 
further breaches, and minimize burdens on providers. The FBI and Secret 
Service, which have extensive experience with data breach notification 
and, more specifically, experience with our existing data breach 
notification rules, generally support a customer notification timeframe 
of between 10 and 30 days. FTC staff recommends that breach 
notifications occur without unreasonable delay, but within an outer 
limit of between 30-60 days. State data breach laws vary, but most 
states do not require notification within a specific time frame and the 
majority of states that do provide 45 days or more to provide notice.
    286. Our adoption of a customer notification period longer than 
that initially proposed also responds to concerns raised by smaller 
carriers. For example, the Rural Wireless Association argues that 
``[s]mall BIAS providers need additional time [beyond ten days] to 
determine the extent of any breach, as well as to consult with counsel 
as to the appropriate next steps.'' The American Cable Association 
similarly argues that compliance with a compressed notification 
timeline would require small providers ``to divert senior and technical 
staff solely to data breach response for the duration of the breach 
response period'' and otherwise incur high compliance costs. We are 
mindful of the compliance burdens that a 10-day period for customer 
notification would impose on small carriers in particular, and 
accordingly adopt a more flexible requirement to notify customers of 
reportable breaches without unreasonable delay and in any event no 
longer than 30 calendar days. These commenters and others proposed 
longer notification periods and, alternatively, an open-ended non-
specific timeframe for small providers. While we are sensitive to these 
concerns, we also note, however, that customer exposure to avoidable or 
mitigable risk continues to grow in the aftermath of a breach. We 
therefore emphasize the value of notifying affected customers as soon 
as possible to allow the customer to undertake time-sensitive 
mitigation activities and encourage carriers to notify consumers as 
soon as practicable.
    287. Requiring carriers to notify affected customers without 
unreasonable delay while adopting a 30 calendar day deadline to do so 
creates a backstop against excessive delays in notifying customers. Of 
course, if a telecommunications carrier conducts a good faith, 
reasonable investigation within 30 calendar days but later determines 
that the scope of affected customers is larger than initially known, we 
expect that provider to notify those additional customers as soon as 
possible. However, based on the record, we find that 30 calendar days 
is ample time to prepare a customer notification that meets our minimum 
content requirements, as discussed below. Our prior rules did not 
specify a precise timeline for customer notice--only that it must occur 
after the carrier completes law enforcement notification--and we find 
adoption of the timeline above warranted to ensure timely notification 
to customers. We recognize that a carrier may identify a breach and 
later learn that the scope of the breach is larger than initially 
determined. Under such circumstances a carrier has a continuing 
obligation to notify without unreasonable delay any additional 
customers it identifies as having been affected by the breach, to the 
extent the carrier cannot reasonably determine that no harm is 
reasonably likely to occur to the newly identified affected customers 
as a result of the breach.
b. Information Provided as Part of Customer Breach Notifications
    288. To be a useful tool for consumers, breach notifications should 
include information that helps the customer understand the scope of the 
breach, the harm that might result, and whether the customer should 
take any action in response. In the NPRM we proposed that providers 
include certain types of basic information in their data breach 
notifications to affected customers, and based on the record, we adopt 
those same basic requirements, which include the following elements:
     The date, estimated date, or estimated date range of the 
breach;
     A description of the customer PI that was used, disclosed, 
or accessed, or reasonably believed to have been used, disclosed, or 
accessed, by a person without authorization or exceeding authorization 
as a part of the breach of security;
     Information the customer can use to contact the 
telecommunications carrier to inquire about the breach of security and 
the customer PI that the carrier maintains about the customer;
     Information about how to contact the Federal 
Communications Commission and any state regulatory agencies relevant to 
the customer and the service; and
     If the breach creates a risk of financial harm, 
information about national credit-reporting agencies and the steps 
customers can take to guard against identity theft, including any 
credit monitoring, credit reporting, or credit freezes the 
telecommunications carrier is offering customers affected by the breach 
of security.
    289. While data breaches are not ``one-size-fits-all,'' creating a 
measure of consistency across customer breach notifications will 
benefit customers and providers, particularly smaller providers, by 
removing any need to reinvent the wheel in the event of a data breach. 
Seventeen states and territories currently mandate that specific 
content be included in breach notifications and the requirements we 
adopt today are generally consistent with those statutes. Much of the 
information we require consists of contact information for the 
Commission, relevant authorities, credit reporting agencies, and the 
carrier itself. Based on the record, we also require customer breach 
notifications to contain information about credit freezes and credit 
monitoring if the breach creates a risk of financial harm. Several 
states currently require data breach notices to contain information 
about both credit monitoring and credit freezes. The foregoing elements 
should be easy for any provider to ascertain and for customers to 
understand. The remaining two elements simply define the basic elements 
of a breach notification--when the breach occurred and what information 
was breached. Additionally, we hold carriers to a reasonable standard 
of accuracy and precision in providing this information. Rather than 
having to provide the exact moment a breach occurred, providers are 
tasked with giving an ``estimated'' date or, alternatively, an 
estimated date ``range.'' Moreover, while a description of the customer 
PI involved in the breach should be as detailed, informative, and 
accurate as possible, the rule allows for a description of the data the 
telecommunications carrier ``reasonably believes'' was used, disclosed, 
or accessed.
    290. We encourage providers to supplement these minimum elements 
with additional information that their customers may find useful or 
informative. For example, FTC Staff recommends that notifications 
include contact information for the FTC, and a reference to its 
comprehensive IdentityTheft.gov Web site. In appropriate cases, 
providing such additional information could further empower customers 
to take steps to mitigate their own harm and protect themselves against 
the effects of any future breaches.
c. Notification Methods
    291. As proposed in the NPRM, we require that customer 
notifications occur by means of written notification

[[Page 87316]]

to the customer's address of record or email address, or by contacting 
the customer by other electronic means of active communications agreed 
upon by the customer for contacting that customer for data breach 
notification purposes. For former customers, we require carriers to 
issue notification to the customer's last known postal address that can 
be determined using commonly available sources. These options create 
flexibility for providers to notify customers in a manner they choose 
to be contacted by their provider, and they are consistent with methods 
permitted under other data breach notification frameworks. One of the 
few commenters to address this issue supports the NPRM proposal, while 
also suggesting that providers post ``substitute breach notifications'' 
on their Web sites. While some other breach notification frameworks do 
include such a requirement, we are not persuaded it is necessary for 
our purposes. Telecommunications carriers have direct relationships 
with their customers through which they are likely to have ready means 
of contacting them. We believe the options discussed above for direct 
notification will generally provide a sufficient array of options for 
reaching customers affected by a breach, and we thus decline also to 
require a broader, less targeted public disclosure.
4. Record Retention
    292. We adopt a streamlined version of the record retention 
requirement we proposed in the NPRM. We require only that providers 
keep record of the dates on which they determine that reportable 
breaches have occurred and the dates when customers are notified, and 
that they preserve written copies of all customer notifications. These 
records must be kept for two years from the date a breach was 
reasonably determined to have occurred. The purpose of this limited 
requirement is to enable Commission oversight of the customer breach 
notifications our rule requires. This minor recordkeeping requirement 
will not impose any significant administrative burden on providers. On 
the contrary, the information that must be retained must be collected 
anyway, is of limited quantity, and largely comprises information we 
would expect carriers to retain as a matter of business practice. 
Moreover, shortening the retention period would weaken the utility of 
the requirement as an enforcement tool, while not delivering any 
substantiated cost savings for providers. As a final point, we clarify 
that we do not require carriers to retain records of breaches that do 
not rise to the level of a required Commission notification. A large 
percentage of breaches are therefore likely to be exempted from this 
requirement.
5. Harmonization
    293. In the NPRM, we proposed adoption of a harmonized breach 
notification rule for BIAS and other telecommunications services that 
would replace the existing Part 64 rule. Based on the record, we have 
determined to take this approach. We agree with commenters who argue 
that creating a harmonized rule will enable providers to streamline 
their notification processes and will reduce the potential for customer 
confusion. Moreover, we find that the modifications we have made to the 
proposed rule, particularly the harm trigger we adopt and timeline for 
notifying customers, ameliorate concerns that applying the new rule to 
both BIAS and other telecommunications services will unduly increase 
burdens for voice providers.

G. Particular Practices That Raise Privacy Concerns

    294. In this section we prohibit ``take-it-or-leave-it'' offers in 
which BIAS providers offer broadband service contingent on customers 
surrendering their privacy rights as contrary to the requirements of 
sections 222, 201, and 202 of the Act. We also adopt heightened 
disclosure and affirmative consent requirements for BIAS providers that 
offer customers financial incentives, such as lower monthly rates, in 
exchange for the right to use the customers' confidential information. 
Congress has tasked the Commission with protecting the public interest, 
and we conclude that our two-fold approach to these practices will 
permit innovative and experimental service offerings and encourage and 
promote customer choice, while prohibiting the most egregious offerings 
that would harm the public interest.
1. BIAS Providers May Not Offer Service Contingent on Consumers' 
Surrender of Privacy Rights
    295. We agree with those commenters that argue that BIAS providers 
should not be allowed to condition or effectively condition the 
provision of broadband on consenting to use or sharing of a customer's 
PI over which our rules provide the consumer with a right of approval. 
Consistent with our proposal in the NPRM, we therefore prohibit BIAS 
providers from conditioning the provision of broadband service on a 
customer surrendering his or her privacy rights. We also prohibit BIAS 
providers from terminating service or otherwise refusing to provide 
BIAS due to a customer's refusal to waive any such privacy rights. By 
design, such ``take-it-or-leave-it'' practices offer no choice to 
consumers. The record supports our finding that such practices will 
harm consumers, particularly lower-income customers, and we agree with 
Atomite that there is a difference between offering consumers ``a 
carrot (i.e., consideration in exchange for property rights) and [] a 
stick (e.g., no ISP service unless subscribers relinquish their 
property rights).'' We therefore conclude that prohibiting such 
practices will ensure that consumers will not have to trade their 
privacy for broadband services.
    296. As we discussed above, broadband plays a pivotal role in 
modern life. We find that a ``take-it-or-leave it'' approach to the 
offering of broadband service contingent upon relinquishing customer 
privacy rights is inconsistent with the telecommunications carriers' 
``duty to protect the confidentiality of proprietary information of, 
and related to . . . customers.'' Further, we find that a ``take-it-or-
leave-it'' customer acceptance is not customer ``approval'' within the 
meaning of section 222(c)(1), which prohibits telecommunications 
carriers from using, disclosing, or permitting access to CPNI without 
customer approval.
    297. We also conclude that requiring customers to relinquish all 
privacy rights to their PI to purchase broadband services is an unjust 
and unreasonable practice within the meaning of section 201(b). Thus, 
we disagree with CTIA's assertions that the ``term `approval' must 
reflect the common law contract law principle that neither take-it-or-
leave-it offers nor financial inducements are unconscionable.'' 
Congress directed the Commission to ``execute and enforce'' the 
provisions of the Act, including the prohibition on ``unjust or 
unreasonable'' practices. Requiring customers to relinquish privacy 
rights in order to purchase broadband services, or other 
telecommunications services, would also constitute unjust and 
unreasonable discrimination in violation of section 202(a). A take-it-
or-leave-it offering would discriminate unreasonably by offering the 
service to potential customers willing and able to relinquish privacy 
rights that consumers expect and deserve, and/or that are guaranteed to 
them under sections 222 and 201, and not offering the service to 
others. Consumers should not have to face such a choice. In the 2015 
Open Internet Order, we explained that with respect to BIAS services, 
we will evaluate whether a practice is unjust,

[[Page 87317]]

unreasonable, or unreasonably discriminatory using the no-unreasonable 
interference/disadvantage standard (general conduct rule). Under this 
standard, the Commission can prohibit, on a case-by-case basis, 
practices that unreasonably interfere with or unreasonably disadvantage 
the ability of consumers to reach the Internet content, services, and 
applications of their choosing. In evaluating whether a practice 
satisfies this rule, we consider a totality of the circumstances, 
looking to a non-exhaustive list of factors. Among these factors are 
end-user control, free expression, and consumer protection.
2. Heightened Requirements for Financial Incentive Practices
    298. Unlike the ``take-it-or-leave-it'' offers for BIAS discussed 
above, the record concerning financial incentives practices is more 
mixed. There is strong agreement among BIAS providers, some public 
interest groups, and other Internet ecosystem participants that there 
are benefits to consumers and companies of allowing BIAS providers the 
flexibility to offer innovative financial incentives. The record does, 
however, reflect concerns that these programs may be coercive or 
predatory in persuading consumers to give up their privacy rights. We 
therefore find that that heightened disclosure and affirmative customer 
consent requirements will help to ensure that customers' decisions to 
share their proprietary information in exchange for financial 
incentives are based on informed consent. We limit the heightened 
disclosure and consent requirements discussed herein to financial 
incentive practices offered by BIAS providers. The record reveals 
concerns about these practices specific to BIAS, and as such, we limit 
our requirements to such services.
    299. As we recognized in the Broadband Privacy NPRM, it is not 
unusual for business to give consumers benefits in exchange for their 
personal information. For example, customer loyalty programs that track 
consumer purchasing habits online and in the brick-and-mortar world are 
commonplace. Moreover, the Internet ecosystem continues to innovate in 
ways to obtain consumer information such as earning additional 
broadband capacity, voice minutes, text messages, or even frequent 
flyer airline miles in exchange for personal information. Discount 
service offerings can benefit consumers. As MMTC explains, for example, 
such programs ``significantly drive online usage'' as well as ``help 
financially challenged consumers.''
    300. At the same time, the record includes legitimate concerns that 
financial incentive practices can also be harmful if presented in a 
coercive manner, mislead consumers into surrendering their privacy 
rights, or are otherwise abused. This is particularly true, because as 
CFC has explained, ``consumers have difficulty placing a monetary value 
on privacy'' and often ``have little knowledge of the details or extent 
of the personally identifiable data that is collected or shared by 
their BIAS providers and others.'' Commenters also raise concerns about 
the potential disproportionate effect on low income individuals. 
Thirty-eight public interest organizations expressed concern that 
financial incentives can result in consumers paying up to $800 per 
year--$62 per month--for plans that protect their privacy.
    301. Mindful of the potential benefits and harms associated with 
financial incentive practices, we adopt heightened disclosure and 
choice requirements, which will help ensure consumers receive the 
information they need to fully understand the implications of any such 
practices and make informed decisions about exchanging their privacy 
rights for whatever benefits a provider is offering. We therefore 
require BIAS providers offering financial incentives in exchange for 
consent to use, disclose, and/or permit access to customer PI to 
provide a clear and conspicuous notice of the terms of any financial 
incentive program that is explained in a way that is comprehensible and 
not misleading. Notices that contain material misrepresentations or 
omissions will not be considered accurate. That explanation must 
include information about what customer PI the provider will collect, 
how it will be used, with what types of entities it will be shared and 
for what purposes. The notice must be provided both at the time the 
program is offered and at the time a customer elects to participate in 
the program. BIAS providers must make financial incentive notices 
easily accessible and separate from any other privacy notifications and 
translate such notices into a language other than English if they 
transact business with customers in that language. When a BIAS provider 
markets a service plan that involves an exchange of personal 
information for reduced pricing or other benefits, it must also provide 
at least as prominent information to customers about the equivalent 
plan without exchanging personal information.
    302. BIAS providers must also comply with all notice requirements 
in Section 64.2003 of our rules when providing a financial incentive 
notice. Because of the potential for customer confusion and in keeping 
with our overarching goal of giving customers control over the use and 
sharing of their personal information, we further require BIAS 
providers to obtain customer opt-in consent for participation in any 
financial incentive program that requires a customer to give consent to 
use of customer PI. Consistent with the choice framework we adopt 
today, once customer approval is given, BIAS providers must provide a 
simple and easy-to-use mechanism that enables customers to change their 
participation in such programs at any time. This mechanism, which may 
be the same choice mechanism as the one in Part III.D.4, must be clear 
and conspicuous and in language that is comprehensible and not 
misleading. The mechanism must also be persistently available on or 
through the carrier's Web site; the carrier's application, if it 
provides one for account management purposes; and any functional 
equivalent of either. If a carrier does not have a Web site, it must 
provide its customers with a persistently available mechanism by 
another means such as a toll-free telephone number. We find that the 
protections outlined herein will encourage consumer choice in 
evaluating whether to take advantage of financial incentive programs.
    303. We will closely monitor the development of financial incentive 
practices, particularly if allegations arise that service prices are 
inflated such that customers are essentially compelled to choose 
between protecting their personal information and very high prices. We 
caution that we reserve the right to take action, on a case-by-case 
basis, under sections 201 and 222 against BIAS providers engaged in 
financial incentive practices that are unjust, unreasonable, 
unreasonably discriminatory, or contrary to section 222. The approach 
we take today enables BIAS providers the flexibility to experiment with 
innovative financial incentive practices while ensuring that such 
practices are neither predatory nor coercive.

H. Other Issues

1. Dispute Resolution
    304. In the Broadband Privacy NPRM we sought comment on whether our 
current informal complaint resolution process is sufficient to address 
customer concerns or complaints with respect to our proposed privacy 
and data security rules. At present, customers who experience 
violations of any of our rules may file informal complaints through

[[Page 87318]]

the Consumer Inquiries and Complaints Division of the Consumer & 
Governmental Affairs Bureau, and carriers may not require customers to 
waive, or otherwise restrict their ability to file complaints with or 
otherwise contact the Commission regarding violations of their privacy 
rights. The record does not demonstrate a need to modify our complaint 
process for purpose of the rules we adopt today.
    305. On the question of whether BIAS providers should adopt 
specific dispute resolution processes, we received significant feedback 
both in support of and in opposition to limitations on mandatory 
arbitration agreements. Based on that record, we continue to have 
serious concerns about the impact on consumers from the inclusion of 
mandatory arbitration requirements as a standard part of many contracts 
for communications services. The time has come to address this 
important consumer protection issue in a comprehensive way. Therefore, 
we will initiate a rulemaking on the use of mandatory arbitration 
requirements in consumer contracts for broadband and other 
communications services, acting on a notice of proposed rulemaking in 
February 2017. We observe that the Consumer Financial Protection Bureau 
(CFPB)--which has extensive experience with consumer arbitration 
agreements and dispute resolution mechanisms--issued a report last year 
on mandatory arbitration clauses and is currently engaged in a 
rulemaking on the subject in the consumer finance context. We expect 
that many of the lessons the CFPB learns and the conclusions it draws 
in its rulemaking will be informative and useful.
2. Privacy and Data Security Exemption for Enterprise Voice Customers
    306. Having harmonized the current rules for voice services with 
the rules we adopt today for BIAS, we revisit and broaden the existing 
exemption from our Section 222 rules for enterprise voice customers, 
where certain conditions are met. Specifically, we find that a carrier 
that contracts with an enterprise customer for telecommunications 
services other than BIAS need not comply with the other privacy and 
data security rules under part 64, Subpart U of our rules if the 
carrier's contract with that customer specifically addresses the issues 
of transparency, choice, data security, and data breach; and provides a 
mechanism for the customer to communicate with the carrier about 
privacy and data security concerns. As with the existing, more limited 
business customer exemption from our existing authentication rules, 
carriers will continue to be subject to the statutory requirements of 
section 222 even where this exemption applies.
    307. Our existing voice rules include customer authentication 
obligations as a required data security practice, but allow business 
customers to bind themselves to authentication schemes that are 
different than otherwise provided for by our rules. In adopting an 
alternative data security option for authenticating business customers, 
the Commission recognized that the privacy concerns of 
telecommunications customers are greatest ``when using personal 
telecommunications service,'' and ``businesses are typically able to 
negotiate the appropriate protection of CPNI in their service 
agreements.'' As Level 3 argues in this rulemaking, business customers 
have the ``knowledge and bargaining power necessary to contract for 
privacy and data security protections that are tailored to meet their 
needs.'' Moreover, business customers may have different privacy and 
security needs and therefore different expectations. For example, 
Verizon explains that ``many businesses may want their CPNI used in 
different ways than a typical consumer.'' Allowing sophisticated 
enterprise customers to negotiate their own privacy and data security 
protections with their carriers will ``allow businesses to tailor how a 
telecommunications service provider protects their privacy and data 
specifically to their individual needs'' and allow carriers ``to 
compete by offering innovative pro-customer options and contracts that 
meet business customers' privacy and data security expectations.'' 
Although the Commission previously limited the enterprise exemption to 
authentication, for the reasons above we are convinced to broaden the 
exemption to encompass all privacy and data security rules under 
section 222 for the provision of telecommunications services other than 
BIAS to enterprise customers.
    308. To ensure that business customers have identifiable 
protections under section 222, we limit the business customer exemption 
to circumstances in which the parties' contract addresses the subject 
matter of the exemption and provides a mechanism for the customer to 
communicate with the carriers about privacy and data security concerns. 
The existing exemption applies only if the parties' contract addresses 
authentication; in light of the broader scope of the exemption we adopt 
today, we now limit the exemption to circumstances in which the 
parties' contract addresses transparency, choice, data security, and 
breach notification. We reject the contention that we should exempt 
enterprise services from our rules entirely with regard to the two 
limitations above. The existence of contractual terms between two 
businesses addressing privacy ensures that the enterprise customer's 
privacy is in fact protected without the need for our rules. We clarify 
that the contract at issue need not be a fully negotiated agreement, 
but can take the shape of standard order forms. In this regard, as XO 
observes, an enterprise carrier would ``face significant liability if 
it violated contractual terms governing privacy and data security.'' We 
do not provide a business exemption for BIAS services purchased by 
enterprise customers, because BIAS services by definition are ``mass 
market retail service[s],'' and as such we do not anticipate that it 
will be typical for purchasers to negotiate the terms of their 
contracts.
    309. Regardless of whether the exemption applies, we observe that 
carriers remain subject to the statutory requirements of section 222. 
This exemption in our rules is thus not tantamount to forbearance from 
the statute. We agree with commenters that section 222 provides a solid 
legal foundation for carriers and sophisticated business customers to 
negotiate adequate and effective service terms on matters of privacy 
and data security.

I. Implementation

    310. To provide certainty to customers and carriers alike, in this 
section we establish a timeline by which carriers must implement the 
privacy rules we adopt today. Until these rules become effective, 
section 222 applies to all telecommunications services, including BIAS, 
and our current implementing rules continue to apply to 
telecommunications services other than BIAS and to interconnected VoIP. 
Below, we explain when the rules we adopt will be effective, and 
address how carriers should treat customer approvals to use and share 
customer PI received before the new rules are effective. Finally, we 
establish an extended implementation period for small providers with 
respect to the transparency and choice requirements we adopt today.
1. Effective Dates and Implementation Schedule for Privacy Rules
    311. Swift implementation of the new privacy rules will benefit 
consumers. Moreover, carriers that have complied with FTC and industry 
best practices will be well-positioned to achieve

[[Page 87319]]

prompt compliance with the privacy rules we adopt today. We recognize, 
however, that carriers will need some time to update their internal 
business processes as well as their customer-facing privacy policies 
and choice mechanisms in order to come into compliance with some of our 
new rules. Additionally, some of the new rules will require revised 
information collection approval from the Office of Management and 
Budget pursuant to the Paperwork Reduction Act (PRA approval), and it 
is difficult to predict the exact timeline for PRA approval. PRA 
approval, as defined herein, is not complete until the Commission 
publishes notice of OMB approval in the Federal Register. We therefore 
adopt a set of effective dates for the new rules that is calibrated to 
the changes carriers will need to make to come into compliance--
providing a minimum timeframe before which the rules could come into 
effect. In order to provide certainty about effective dates, we also 
direct the Wireline Competition Bureau (Bureau) to provide advance 
notice to the public of the precise date after PRA approval when the 
Commission will begin to enforce compliance with each of the new rules.
    312. Notice and Choice. The notice and choice rules we adopt today 
will become effective the later of (1) PRA approval, or (2) twelve 
months after the Commission publishes a summary of the Order in the 
Federal Register. This implementation schedule also applies to the 
disclosure and consent requirements for financial incentive practices. 
We acknowledge that our new notice and choice rules may ``represent a 
significant shift in the status quo'' for carriers. Carriers will need 
to analyze the new, harmonized privacy rules as well as coordinate with 
various business segments and vendors, and update programs and 
policies. Carriers will also need to engage in consumer outreach and 
education. These implementation steps will take time and we find, as 
supported in the record, that twelve months after publication of the 
Order in the Federal Register is an adequate minimum implementation 
period to implement the new notice and approval rules. In order to 
provide certainty, we also direct the Bureau to release a public notice 
after PRA approval of the notice and choice rules, indicating that the 
rules are effective, and giving carriers a time period to come into 
compliance with those rules that is the later of (1) eight weeks from 
the date of the public notice, or (2) twelve months after the 
Commission publishes a summary of the Order in the Federal Register.
    313. Breach Notification Procedures. The data breach notification 
rule we adopt today will become effective the later of (1) PRA 
approval, or (2) six months after the Commission publishes a summary of 
the Order in the Federal Register. We find that six months is an 
appropriate minimum implementation period for data breach 
implementation. Although providers of telecommunications services other 
than BIAS are subject to our current breach notification rule and we 
are confident that carriers are cognizant of the importance of data 
breach notification in the appropriate circumstances, we recognize that 
carriers may have to modify practices and policies to implement our new 
rule, we find the harm trigger we adopt and timeline for notifying 
customers lessen the implementation requirements. Moreover, 
harmonization of our data breach rule for BIAS and voice services 
enable providers to streamline their notification processes, which 
should also lessen carriers' need for implementation time. Given these 
steps to minimize compliance burdens, we find six months is an adequate 
minimum timeframe. We also direct the Bureau to release a public notice 
after PRA approval of the data breach rule, indicating that the rule is 
effective, and giving carriers a time period to come into compliance 
with the rule that is the later of (1) eight weeks from the date of the 
public notice, or (2) six months after the Commission publishes a 
summary of the Order in the Federal Register.
    314. Data Security. The specific data security requirements we 
adopt today will become effective 90 days after publication of a 
summary of the Order in the Federal Register. We find this to be an 
appropriate implementation period for the data security requirements 
because as discussed above, carriers should already be largely in 
compliance with these requirements because the reasonableness standard 
adopted in this Order provides carriers flexibility in how to approach 
data security and resembles the obligation to which they were 
previously subject pursuant to section 5 of the FTC Act. We therefore 
do not think the numerous steps outlined by commenters that would have 
been necessary to comply with the data security proposals in the NPRM 
apply to the data security rule that we adopt. Nevertheless, we 
encourage providers, particularly small providers, to use the adoption 
of the Order as an opportunity to revisit their data security practices 
and therefore provide an additional 90 days subsequent to Federal 
Register publication in which carriers can revisit their practices to 
ensure that they are reasonable, as provided for in this Order.
    315. Prohibition on Conditioning Broadband Service on Giving up 
Privacy. The prohibition on conditioning offers to provide BIAS on a 
customer's agreement to waive privacy rights will become effective 30 
days after publication of a summary of this Order in the Federal 
Register. We find that unlike the other privacy rules, consumers should 
benefit from this prohibition promptly. As discussed above, we find 
that these ``take-it-or-leave-it'' offers give consumers no choice and 
require them to trade their privacy for access to the Internet. As 
supported in the record, these practices would harm consumers, 
particularly lower-income customers. We therefore find no basis for any 
delay in the effective date of this important protection. Further, 
prompt implementation will not create any burdens for carriers that are 
committed to providing their customers with privacy choices. All other 
privacy rules adopted in the Order will be effective 30 days after 
publication of a summary of the Order in the Federal Register.
2. Uniform Timeline for BIAS and Voice Services
    316. We adopt a uniform implementation timetable for both BIAS and 
other telecommunications services. Implementing our rules for all 
telecommunications services simultaneously will help alleviate 
potential customer confusion from disparate practices between services 
or carriers. This approach will support the benefits of harmonization 
discussed throughout this Order and is strongly supported in the 
record. We emphasize that until the new privacy rules are effective and 
implemented with respect to voice services, the existing rules remain 
in place. Further, we make clear that all carriers, including BIAS 
providers, remain subject to section 222 during the implementation 
period that we establish and beyond.
3. Treatment of Customer Consent Obtained Prior to the Effective and 
Implementation Date of New Rule
    317. We recognize that our new customer approval rule requires 
carriers to modify the way they obtain consent for BIAS and voice 
services based on our sensitivity-based framework discussed above. We 
seek to minimize disruption to carriers' business practices and 
therefore do not require carriers to obtain new consent from all their 
customers. Rather, for BIAS, we treat as valid or ``grandfather'' any 
consumer consent that was obtained prior to the

[[Page 87320]]

effective date of our rules and that is consistent with our new 
requirements. For example, if a BIAS provider obtained a customer's 
opt-in consent to use that individual's location data to provide 
coupons for nearby restaurants and provided adequate notice regarding 
his or her privacy rights, then the customer's consent would be treated 
as valid. The consent would not be invalidated simply because it 
occurred before the new customer approval rule became effective. 
However, if the customer consent was not obtained in the manner 
contemplated by our new rule, a new opportunity for choice is required. 
We recognize that consumers whose opt-in or opt-out consent is 
grandfathered may not be aware of our persistent choice requirement, 
and therefore we direct the Consumer and Governmental Affairs Bureau to 
work with the industry to engage in a voluntary consumer education 
campaign.
    318. We decline to more broadly grandfather preexisting consents 
obtained by small BIAS providers. WTA argues that the Commission should 
permit ``small BIAS providers to grandfather existing opt-out approvals 
as it has done in the past'' citing the Commission's 2002 CPNI Order, 
in which the Commission allowed carriers to use preexisting opt-out 
approval with the limitation that such approval only be used for 
marketing of communications-related services by carriers, their 
affiliates that provide communications-related services, and carriers' 
agents, joint venture partners and independent contractors. We find 
that the parameters set forth above create the appropriate balance to 
limit compliance costs with our new notice and customer approval rules 
while providing consumers the privacy protections they need. As we 
explain above, BIAS providers are in a unique position as gateways to 
the Internet and we need to ensure consumers are aware of their privacy 
rights and have the ability to choose how their personal information is 
used and shared.
    319. As with BIAS services, customer consent obtained by providers 
of other telecommunications services subject to the legacy rules 
remains valid for the time during which it would have remained valid 
under the legacy rules. As such, opt-out consent obtained before the 
release date of this order remains valid for two years after it was 
obtained, after which a carrier must conform to the new rules. Opt-in 
consent that is valid under the legacy rules remains valid. This 
approach is consistent with established customer expectations at the 
time the consent was solicited, and should reduce notice fatigue. 
Maintaining the validity of customer consent for voice services will 
also help reduce the up-front cost of compliance of the new rules. We 
reiterate that a customer's preexisting consent is valid only within 
its original scope. For instance, if a carrier previously received a 
customer's opt-in consent to use information about the characteristics 
of the customer's service to market home alarm services, the carrier 
could not claim that same consent applies to use of different customer 
PI (e.g., a Social Security Number) or a different use or form of 
sharing (e.g., selling to a data aggregator). Similarly, opt-out 
consent to use and share CPNI to market communications-related services 
could not be used to support use of different customer PI or different 
forms of use or sharing (e.g., marketing non-communications-related 
services).
4. Limited Extension of Implementation Period for Small Carriers
    320. In the NPRM we sought comment on ways to minimize the burden 
of our proposed privacy framework on small providers, and throughout 
this Order we have identified numerous ways to reduce burdens and 
compliance costs while providing robust privacy protections to their 
customers. To further address the concerns raised by small providers in 
the record, we provide small carriers an additional twelve months to 
implement the notice and customer approval rules we adopt today. CCA 
asserts that ``any compliance burdens produced by privacy rules will be 
compounded by many additional regulations including Title II 
regulation, enhanced transparency rules, and outage reporting 
requirements.'' Consideration of the effect of separate requirements 
was taken into account in developing this implementation plan.
    321. We find that an additional one-year phase-in will allow small 
carriers--both broadband providers and voice providers--time to make 
the necessary investments to implement these rules. The record reflects 
that small providers have comparatively limited resources and rely 
extensively on vendors over which they have limited leverage to compel 
adoption of new requirements. We recognize our notice and choice 
framework may entail up-front costs for small providers. We also agree 
with NTCA that small providers will ``be aided by observing and 
learning from the experience of larger firms who by virtue of their 
size and scale are better position to absorb the learning curve.'' As 
such, we find that this limited extension is appropriate.
    322. For purposes of this extension, we define small BIAS providers 
as providers with 100,000 or fewer broadband connections and small 
voice providers with 100,000 or fewer subscriber lines as reported on 
their most recent Form 477, aggregated over all the providers' 
affiliates. In the NPRM we sought comment on whether we should exempt 
carriers that collect data from fewer than 5,000 customers a year 
provided they do not share customer data with third parties. Commenters 
objected that the 5,000 threshold was too narrow to accurately identify 
small providers and that the limitation on information sharing was too 
restrictive. We therefore find that given the limited scope of relief 
granted to small carriers, increasing the numeric scope from the 5,000 
to 100,000 is suitable because it will benefit additional providers 
without excess consumer impact. We also decline to count based on the 
number of customers from whom carriers collect data, as we recognize 
that some data collection is necessary to the provision of service. 
Additionally, we decline to impose any requirement that small providers 
not share their information with third parties to qualify for the 
exception. Moreover, cabining the scope of this limited extension to 
providers serving 100,000 or fewer broadband connections or voice 
subscriber lines is consistent with the 2015 Open Internet Order, in 
which we adopted a temporary exemption from the enhancements to the 
transparency rule for BIAS providers with 100,000 or fewer broadband 
subscribers. Therefore for these reasons, and the critical importance 
of privacy protections to consumers, we decline to adopt CCA's 
recommendation to define small BIAS providers as either companies with 
up to 1,500 employees or serving 250,000 subscribers or less.
    323. We decline to provide any longer or broader extension periods 
or exemptions to our new privacy rules. We find that our 
``reasonableness'' approach to data security mitigates small provider 
concern about specific requirements, such as annual risk assessments 
and requiring specific privacy credentials. Moreover, as advocated by 
small carriers, we adopt a customer choice framework that distinguishes 
between sensitive and non-sensitive customer information, as well as 
decline to mandate a customer-facing dashboard to help manage their 
implementation and compliance costs. Furthermore, we find our data 
breach notification requirements and ``take-it-or-leave-it'' 
prohibition do not require

[[Page 87321]]

an implementation extension as compliance with these protections should 
not be costly for small carriers that generally collect less customer 
information and use customer information for narrower purposes. Also, 
although smaller in company size and market share, small carriers still 
retain the ability to see and collect customer personal information and 
therefore, it is appropriate to extend these important protections to 
all customers on an equal timeframe.

J. Preemption of State Law

    324. In this section, we adopt the proposal in the NPRM and 
announce our intent to preempt state privacy laws, including data 
security and data breach laws, only to the extent that they are 
inconsistent with any rules adopted by the Commission. State law 
includes any statute, regulation, order, interpretation, or other state 
action with the force of law. This limited application of our 
preemption authority is consistent with our precedent in this area. We 
have long appreciated and valued the important role states play in 
upholding the pillars of privacy and protecting customer information. 
As the Office of the New York Attorney General has explained, the State 
AGs are ``active participants in ensuring that [their] citizens have 
robust privacy protections'' and it is critical that they continue that 
work. As such, we further agree with the New York Attorney General's 
Office that ``it is imperative that the FCC and the states maintain 
broad authority for privacy regulation and enforcement.'' We also agree 
with those providers and other commenters that argue that neither 
telecommunications carriers nor customers are well-served by providers 
expending time and effort attempting to comply with conflicting privacy 
requirements. We therefore codify a very limited preemption rule that 
is consistent with our past practice with respect to rules implementing 
section 222. By allowing states to craft and enforce their own laws 
that are not inconsistent with our rules with respect to BIAS 
providers' and other telecommunications carriers' collection, use, and 
sharing of customer information, we recognize and honor the important 
role the states play in protecting the privacy of their customer 
information.
    325. As the Commission has previously explained, we may preempt 
state regulation of intrastate telecommunications matters ``where such 
regulation would negate the Commission's exercise of its lawful 
authority because regulation of the interstate aspects of the matter 
cannot be severed from regulation of the intrastate aspects.'' We 
reject ITTA's argument that we lack authority to preempt inconsistent 
state laws regarding non-CPNI customer PI because its argument is 
premised on the incorrect assumption that our legal authority under 
section 222 is limited to CPNI. In this case, we apply our preemption 
authority to the limited extent necessary to prevent such instances of 
incompatibility. Where state privacy laws do not create a conflict with 
federal requirements, providers must comply with federal law and state 
law.
    326. As we have in the past, we will take a fact-specific approach 
to the question of whether a conflict between our privacy rules and 
state law exists. The Commission reviews petitions for preemption of 
CPNI rules on a case-by-case basis. If a provider believes that it is 
unable to comply simultaneously with the Commission's rules and with 
the laws of another jurisdiction, the provider should bring the matter 
to our attention in an appropriate petition. Examining specific 
conflict issues when they arise will best ensure that consumers receive 
the privacy protections they deserve, whether from a state source or 
from our rules.
    327. The states have enacted many laws aimed at ensuring that their 
citizens have robust privacy protections. We agree with the 
Pennsylvania Attorney General that it is important that we not 
``undermine or override state law providing greater privacy protections 
than federal law,'' or impede the critical privacy protections states 
continue to implement. Rather, as supported in the record, we encourage 
the states to continue their important work in the privacy arena, and 
adopt an approach to preemption that ensures that they are able to do 
so. In so doing, we reaffirm the Commission's limited exercise of our 
preemption authority to allow states to adopt consumer privacy 
protections that are more restrictive than those adopted by the 
Commission provided that regulated entities are able to comply with 
both federal and state laws.
    328. In taking this approach, we reject ACA's suggestion that we 
should ``preempt state data breach notification laws entirely.'' As 
stated above, we continue to provide states the flexibility to craft 
and enforce their own privacy laws, and therefore we only preempt state 
laws to the extent that they impose inconsistent requirements. Our 
privacy rules are designed to promote ``cooperative federalism'' and 
therefore unless providers are unable to comply with both the 
applicable state and Commission requirements, we find it inappropriate 
to categorically preempt these state data breach laws.
    329. Commenters have identified data breach notification as one 
area where conflicts may arise. We agree with commenters that it is 
generally best for carriers to be able to send out one customer data 
breach notification that complies with both state and federal laws, and 
we welcome state agencies to use our data breach notification rules as 
a model. However, we recognize that states law may require differently 
timed notice or additional information than our rules, and we do not 
view such privacy-protective requirements as necessarily inconsistent 
with the rules we adopt today since carriers are capable of sending two 
notices at two different times. However, in the interest of efficiency 
and preventing notice fatigue, we invite carriers that find themselves 
facing requirements to send separate consumer data breach notices to 
fulfill their federal and state obligations to come to the Commission 
with a proposed waiver that will enable them to send a single notice 
that is consistent with the goals of notifying consumers of their data 
breach. Additionally, as explained by CTIA, a situation could arise 
where a state law enforcement agency requests a delay in data breach 
notice due to an ongoing investigation. We encourage both carriers and 
state law enforcement officials to come to the Commission in such a 
situation, as we have authority to waive our rules for good cause and 
recognize the importance of avoiding interference with a state 
investigation.
    330. We clarify that we apply the same preemption standard to all 
aspects of our section 222 rules. Although the Commission, in its 
previous orders, had applied its preemption standard with respect to 
all of the section 222 rules, the preemption requirement is currently 
codified at section 64.2011 of our rules, which addresses notification 
of data breaches. Recognizing that states are enacting privacy laws 
outside of the breach notification context, and consistent with 
historical Commission precedent, we conclude that the preemption 
standard should clearly apply in the context of all of the rules we 
adopt today implementing section 222. Therefore, as we proposed in the 
NPRM, we remove the preemption provision from that section of our 
rules, and adopt a new preemption section that will clearly apply to 
all of our new rules for the privacy of customer proprietary 
information. In doing so, we enable states to continue their important 
role in privacy protection.

[[Page 87322]]

    331. Further, we find that the same preemption standard should 
apply in both the voice and BIAS contexts to help provide certainty and 
consistency to the industry. Accordingly, we adopt a harmonized 
preemption standard across BIAS and other telecommunications services. 
By applying the same preemption standard to BIAS providers and to other 
telecommunications carriers, we ensure that states continue to serve a 
role in tandem with the Commission, regardless of the specific service 
at issue.

IV. Legal Authority

    332. In this Report and Order, we implement Congress's mandate to 
ensure that telecommunications carriers protect the confidentiality of 
proprietary information of and relating to customers. As explained in 
detail below, the privacy and security rules that we adopt are well-
grounded in our statutory authority, including but not limited to 
section 222 of the Act.

A. Section 222 of the Act Provides Authority for the Rules

    333. Section 222 of the Act governs telecommunications carriers in 
their use, disclosure, and protection of proprietary information that 
they obtain in their provision of telecommunications services. The 
fundamental duty this section imposes on each carrier, as stated in 
section 222(a), is to ``protect the confidentiality of proprietary 
information of, and relating to'' customers, fellow carriers, and 
equipment manufacturers. Section 222(c) imposes more specific 
requirements with regard to a subset of customers' proprietary 
information, namely customer proprietary network information. This 
Report and Order implements section 222 as to customer PI, a category 
that includes individually identifiable CPNI and other proprietary 
information that is ``of, and relating to'' customers of 
telecommunications services. As explained below, the rules we adopt 
today are faithful to the text, structure, and purpose of section 222.
1. Section 222 Applies to BIAS Providers Along With Other 
Telecommunications Carriers
    334. We begin by reaffirming our conclusion in the 2015 Open 
Internet Order that section 222 applies to BIAS providers. In so doing, 
we reject the view that Section 222 applies only to voice telephony. 
The 2015 Open Internet Order reclassified BIAS as a telecommunications 
service, making BIAS providers ``telecommunications carriers'' insofar 
as they are providing such service. Section 222(a) imparts a general 
duty on ``[e]very telecommunications carrier,'' while other subsections 
specify the duties of ``a telecommunications carrier'' in particular 
situations. The term ``telecommunications carrier'' has long included 
providers of services distinct from telephony, including at the time of 
section 222's enactment. Thus, in construing the term for purposes of 
Section 222, we see no reason to depart from the definition of 
``telecommunications carrier'' in Section 3 of the Act. To the 
contrary, deviating from this definition without a clear textual basis 
in section 222 would create uncertainty as to the scope of numerous 
provisions in the Act, regulatory imbalance between various 
telecommunications carriers, and a gap in Congress's multi-statute 
privacy regime. Moreover, commenters cite no evidence that the term 
``telecommunications carrier'' is used more restrictively in section 
222 than elsewhere in the Act.
    335. We similarly reject the claim that in reclassifying BIAS we 
have improperly exercised our ``definitional authority'' to expand the 
scope section 222. The relevant term that defines the scope of section 
222 is ``telecommunications carrier,'' and we simply are applying the 
holding of the 2015 Open Internet Order that this statutory term 
encompasses BIAS. Nor does the fact that Section 230 of the Act uses 
the term Internet, while Section 222 does not, compel us to disregard 
the clear uses of ``telecommunications carrier'' in Section 222.
    336. We also reject arguments that ``telephone-specific 
references'' contained in Section 222 serve to limit the scope of the 
entire section to voice telephony or related services. This argument 
misconstrues the structure of Section 222. As explained in more detail 
below, Section 222(a) imposes a broad general duty to protect 
proprietary information while other provisions impose more-specific 
duties. Some of these more-specific duties concerning CPNI are indeed 
relevant only in the context of voice telephony. But their purpose is 
to specify duties that apply in that limited context, not to define the 
outer bounds of Section 222. The definition of CPNI found in section 
222(h)(1) illustrates this point. We need not and do not construe BIAS 
as a ``local exchange service,'' ``telephone exchange service,'' or 
``telephone toll service'' in order to bring it within the reach of 
section 222. Provisions of the statute that apply only to such limited 
categories, or to carriers that provide services in such categories, 
are not part of the statutory basis for any rules we adopt in this 
Report and Order as to BIAS. Rather, the rules we adopt for BIAS are 
rooted only in those aspects of section 222 that govern 
``telecommunications carriers'' and ``telecommunications services'' 
writ large. While the term is defined in section 222(h)(1)(B) to 
include ``the information contained in the bills pertaining to 
telephone exchange service or telephone toll service'' and to exclude 
``subscriber list information''--categories that have no relevance for 
BIAS--pursuant to section 222(h)(1)(A) the term CPNI also includes a 
broader category of information that carriers obtain by virtue of 
providing a telecommunications service. This broader category 
articulated in section 222(h)(1)(A) pertains to ``telecommunications 
service[s]'' in general, not only to telephony. As we have explained 
above, BIAS providers collect significant amounts of information that 
qualifies as CPNI under the broad, functional definition articulated in 
Section 222(h)(1)(A). Whether BIAS providers also issue telephone bills 
or publish directories makes no difference. The reference to 
``call[s]'' in Section 222(d)(3) is similarly inapposite as to the 
scope of Section 222 as a whole. The ``call[s]'' at issue in this 
provision are customer service calls initiated by the customer; a 
customer of any service, including BIAS, can make such a call.
    337. If anything, the placement of references to telephony in 
section 222 supports our reading of that section as reaching beyond 
telephony. Such terms are used to define narrow provisions or 
exceptions, but not the outer contours of major components of the 
statute. Most significantly, the broad term ``telecommunications 
carrier'' is used in defining the general duty under subsection (a); 
the obligation to seek customer approval for use, disclosure, or 
permission of access to individually identifiable CPNI under paragraph 
(c)(1); the obligation to disclose CPNI upon request under paragraph 
(c)(2); and the grant of permission to use and disclose ``aggregate 
customer information'' under paragraph (c)(3).
    338. Where a component of section 222 applies only to a subset of 
telecommunications carriers, Congress used a term to apply such a 
limit. For instance, section 222(c)(3) permits all telecommunications 
carriers to use and disclose aggregate customer information, but 
``local exchange carrier[s]'' can do so only on the condition that they 
make the information available to others on reasonable and 
nondiscriminatory

[[Page 87323]]

terms. The inclusion of a pro-competitive condition in Section 
222(c)(3) that applies only to local exchange carriers is consistent 
with other provisions of the 1996 Act directed at opening local 
telephone markets to competition. But the limited scope of this 
condition does not serve to limit the applicability of Section 222 as a 
whole. Indeed, not even section 222(c)(3) itself is limited in scope to 
providers of local exchange service. Rather, its primary purpose is to 
clarify that telecommunications carriers may use and disclose customer 
information when it takes the form of ``aggregate customer 
information.'' BIAS providers commenting in this proceeding have 
expressed a strong interest in being able to use and disclose such 
information. As telecommunications carriers, their ability to do so is 
made clear under section 222(c)(3).
    339. Similarly, the limited scope of providers covered by the duty 
to share ``subscriber list information'' under section 222(e) is 
commensurate with the scope of the problem being addressed, namely in 
the publication of telephone directories. In particular, the 
``telephone exchange service'' providers subject to unbundling and 
nondiscrimination requirements by the provision are those that would 
have the ``subscriber list information'' needed to produce these 
directories. The fact that section 222 includes provisions to address 
such telephone-specific concerns does not change its overall character 
as a privacy protection statute for telecommunications, one that has as 
much relevance for BIAS as it does for telephone service.
    340. We disagree with the view that Congress confirmed section 222 
as a telephone-specific statute when it amended subsections 222(d)(4), 
(f)(1) and (g) as part of the New and Emerging Technologies 911 
Improvement Act of 2008 (NET 911 Act). These provisions of section 222 
establish rights and obligations regarding carrier disclosure of 
customer information to assist in the delivery of emergency services. 
The NET 911 Act brought ``IP-enabled voice service[s]'' within their 
scope. Amending section 222 in this manner addressed a narrow but 
critical public safety concern: IP-enabled voice services were emerging 
as a platform for delivery of 911 service, yet providers of these 
services were not classified as ``telecommunications carriers'' subject 
to section 222. The NET 911 Act amendments ensure that all IP-enabled 
voice services, even to the extent they are not telecommunications 
services, are treated under section 222 much the same as traditional 
telephony services for purposes related to E911 service. This treatment 
has nothing to do with the extent to which telecommunications services 
that are not voice services are subject to section 222. We have 
exercised our ancillary jurisdiction to apply rules adopted under 
section 222 to providers of interconnected VoIP services.
    341. In addition, we observe that none of the references to 
telephone-specific services in section 222 that commenters identify are 
found in section 222(a). As explained below, we construe section 222(a) 
as a broad privacy protection mandate that extends beyond the specific 
duties articulated in sections 222(b) and (c). Thus, even if commenters 
could establish that these more specific parts of section 222 are 
qualified in ways that limit their scope to voice telephony or related 
services, or that exclude BIAS from their scope, we would still find 
that a BIAS provider--like ``[e]very telecommunications carrier''--has 
customer privacy obligations under section 222(a). And if we accept 
commenters' view that the role of section 222(a) in the statute is to 
identify ``which entities'' have duties thereunder, it follows that 
subsections (b) and (c) apply not only to telephony or voice providers 
but to ``every telecommunications carrier.''
    342. Finally, we dismiss efforts to conflate section 222 with its 
implementing rules. When we forbore from application of the existing 
implementing rules to BIAS, we made clear that the statute itself still 
applies. Commenters do not present any compelling reason to revisit 
this decision.
2. Section 222(a) Provides Authority for the Rules as to Customer PI
    343. We next conclude that section 222(a) provides legal authority 
for our rules. As explained below, section 222(a) imposes an 
enforceable duty on telecommunications carriers that is more expansive 
than the combination of duties set forth subsections (b) and (c). We 
interpret these subsections as defining the contours of a carrier's 
general duty under section 222(a) as it applies in particular contexts, 
but not as coterminous with the broader duty under section 222(a). On 
the contrary, we construe section 222(a) as imposing a broad duty on 
carriers to protect customer PI that extends beyond the narrower scope 
of information specified in section 222(c). We also find that the rules 
adopted in this Report and Order to ensure the protection of customer 
PI soundly implement section 222(a).
a. Section 222(a) Imposes on Telecommunications Carriers an Enforceable 
Duty To ``Protect the Confidentiality'' of ``Proprietary Information''
    344. Section 222(a) states that ``[e]very telecommunications 
carrier has a duty to protect the confidentiality of proprietary 
information of, and relating to'' customers, fellow carriers, and 
equipment manufacturers. In this Report and Order we adopt the most 
straightforward interpretation of this text by finding that section 
222(a) imposes a ``duty,'' on ``every telecommunications carrier.'' A 
``duty'' is commonly understood to mean an enforceable obligation. It 
is well-established that the Commission may adopt rules to implement 
and enforce an obligation imposed by the Act, including section 222(a). 
The substance of the duty is to ``protect the confidentiality of 
proprietary information''--all ``proprietary information'' that is 
``of, and relating to,'' the specified entities, namely ``other 
telecommunications carriers, equipment manufacturers, and customers.'' 
This Report and Order implements section 222(a) with respect to 
``customers,'' defining the term ``customer PI'' to mean that which is 
``proprietary information of, and relating to . . . customers.'' The 
term is thus firmly rooted in the language of section 222(a).
    345. The duty set forth in section 222(a) concerns information 
``of, and relating to'' customers and other covered entities. The 
Supreme Court has held that ``the ordinary meaning of [the phrase 
`relat[ing] to'] is a broad one,'' and in certain contexts it has 
described the phrase as ``deliberately expansive'' and ``conspicuous 
for its breadth.'' The record contains no evidence that Congress 
intended the phrase ``relating to'' to be construed more narrowly for 
purposes of section 222(a) than it would be ordinarily. Thus, the most 
natural reading of section 222(a) is that it imposes a broad duty on 
telecommunications carriers to protect proprietary information, one 
that is informed by but not necessarily limited to the more specific 
duties laid out in subsections (b) and (c).
    346. The treatment of ``equipment manufacturers'' under section 222 
provides further evidence for this interpretation. This term is used 
only once: section 222(a) includes ``equipment manufacturers'' among 
the classes of entities owed confidentiality protections as part of a 
carrier's ``general'' duty. While Sections 222(b) and (c) specify in 
greater detail how this

[[Page 87324]]

duty applies with respect to customers and fellow carriers--the other 
entities protected under section 222(a)--there is no further statutory 
guidance on what carriers must do to protect the proprietary 
information of equipment manufacturers. Thus, the duty imposed on 
carriers under section 222 with regard to equipment manufacturers must 
have its sole basis in section 222(a). This would not be possible 
unless section 222(a) were read to confer enforceable obligations that 
are independent of, and that exceed, the requirements of subsections 
(b) and (c). We reject any argument that the reference in section 
222(a) to equipment manufacturers is nothing more than a cross-
reference to obligations contained in Section 273. Such an 
interpretation would give no independent meaning to section 222(a), and 
therefore would be inconsistent with established principles of 
statutory construction. It would also be contrary to the plain meaning 
of section 222(a), which contains no reference to and is plainly 
broader than Section 273; nothing in section 273 applies broadly to 
every telecommunications carrier, as section 222(a) clearly does.
    347. Nothing in the statutory text or structure of section 222 
contradicts this interpretation. To the contrary, this plain language 
interpretation is further supported by the structure of section 222 and 
consistent with approaches used in other parts of the Act. Section 
222(a)'s heading ``In General'' suggests a general ``duty,'' to be 
followed by specifics as to particular situations. Section 222(a) is 
not given a heading such as ``Purpose'' or ``Preamble'' that would 
indicate that the ``duty'' it announces is merely precatory or an inert 
``statement of purpose.'' Section 251 of the Act is structured 
similarly in this regard, and there is no argument that the duty 
announced in Section 251(a) is merely precatory. Also, like in section 
222, the ``general duty'' announced in subsection (a) of section 251 is 
accompanied by more specific duties announced in the subsections that 
follow. In addition, there is no textual indication that sections 
222(b) and (c) define the outer bounds of section 222(a)'s scope. For 
instance, section 222(a) does not include language such as ``as set 
forth below'' or ``as set forth in subsections (b) and (c).'' We also 
dismiss as irrelevant CTIA's observation that some provisions of the 
1996 Act ``can be interpreted as general statements of policy, rather 
than as grants of additional authority.'' That fact alone would have no 
bearing on how to interpret section 222(a), which employs ``regulatory 
terminology'' in imparting a general ``duty'' on telecommunications 
carriers. Finally, our interpretation of subsection (a) does not render 
subsection (b) or (c) superfluous. The latter subsections directly 
impose specific requirements on telecommunications carriers to address 
concerns that were particularly pressing at the time of section 222's 
enactment. Our reading of section 222(a) preserves the role of each of 
these provisions within the statute, while also allowing the Commission 
to adopt broader privacy protections to keep pace with the evolution of 
telecommunications services.
    348. As Public Knowledge argues, the breadth of the duty announced 
in section 222(a) is consistent with a broad understanding of the 
purpose of section 222. We agree that this subsection endows the 
Commission with a continuing responsibility to protect the privacy 
customer information as telecommunications services evolve. Congress's 
inclusion in section 222 of more specific provisions to address issues 
that were ``front-and-center'' at the time of the 1996 Act's enactment 
in no way detracts from this broader purpose.
    349. Our interpretation of section 222(a) is far from novel. Other 
provisions of the Act set forth a general rule along with specific 
instructions for applying the rule in particular contexts. CTIA 
attempts to distinguish other such provisions by arguing that they do 
not ``define in their subsequent subsections the duties of different 
regulated entities identified in their initial subsections.'' In fact, 
section 251 does define specific duties of different regulatees in 
subsections (b) (all local exchange carriers) and (c) (incumbent local 
exchange carriers), and section 628 does apply specific duties to cable 
operators, satellite cable programming vendors, and common carriers. In 
any event, CTIA does not explain what it believes to be the 
significance of this distinction. We agree with Public Knowledge that, 
in addition to section 251, another provision that bears a particularly 
close resemblance to Section 222 in this regard is section 628. 
Subsection (b) of this provision imposes a general ``prohibition'' on 
cable operators from interfering with competitors' ability to provide 
satellite cable or satellite broadcast programming. Subsection (c) in 
turn directs the Commission to adopt rules to implement this 
prohibition and specifies their ``minimum contents.'' As a general 
matter, the ``minimum'' regulations required under section 628(c) are 
aimed at preventing cable operators from denying their competitors 
access to programming. In 2009, the D.C. Circuit upheld Commission 
rules adopted under section 628(b) that prevented cable operators from 
entering exclusivity agreements with owners of multi-unit buildings, an 
anti-competitive practice that is only tenuously related to the 
``minimum'' regulations implemented under section 628(c). Taking note 
of section 628(b)'s ``broad and sweeping terms,'' the court ruled that 
``nothing in the statute unambiguously limits the Commission to 
regulating practices'' related to the ``principal evil that Congress 
had in mind'' when enacting Section 628, as expressed in subsection 
(c). Rather, it held that the Commission's ``remedial powers'' to 
enforce subsection (b) reached beyond circumstances that Congress 
``specifically foresaw.'' Similarly, we agree with OTI that the 
``principal'' focus of section 222 on regulating CPNI to promote 
competition and consumer protection in emerging telecommunications 
markets must be read in harmony with the ``broad and sweeping'' mandate 
of section 222(a). In construing the latter we must give effect to the 
``actual words'' of the provision. These words plainly impose a 
``duty'' on ``every telecommunications carrier.''
    350. Even if there were some ambiguity in the text, commenters that 
oppose our interpretation of section 222(a) have failed to offer a 
compelling alternative interpretation. One proposed alternative is that 
section 222(a) merely confirms Congress's intent that the newly enacted 
section 222 would apply to ``every telecommunications carrier,'' 
including not only the legacy carriers subject to then-existing CPNI 
requirements but also ``the new entrants that the 1996 Act 
envisioned.'' Verizon argues that both the House bill and the Senate 
bill originally would have protected a category of customer information 
broader than the eventual definition of CPNI, but that ``Congress 
ultimately rejected both approaches.'' There is no evidence that 
Congress would have, without explanation, adopted an approach that is 
narrower than either chamber's bill. And, in fact, the Senate bill 
(which, as Verizon points out, was intended to apply broadly to 
``customer-specific proprietary information,'' S. Rep. No. 104-23 at 
24), contained in its text language almost identical to what Congress 
ultimately enacted, creating ``a duty to protect the confidentiality of 
proprietary information relating to other common carriers, to equipment 
manufacturers, and to customers.'' Similar arguments in the record are 
that section 222(a)

[[Page 87325]]

``identifies which entities have responsibility to protect information, 
and informs the reading of subsequent subsections, which articulate how 
these entities must protect information,'' or that the provision 
``merely identifies the categories of information to which section 222 
applies.'' These arguments are unconvincing. First, subsections (b) and 
(c) themselves are written broadly to apply to ``telecommunications 
carrier[s].'' There is no textual basis for interpreting either 
provision as applying only to a legacy subset of carriers, such as the 
Bell Operating Companies, AT&T, and GTE. Subsections (b) and (c) also 
specify the categories of information to which each applies, without 
reference to subsection (a). Thus, commenters' proposals for 
interpreting section 222(a) would render that provision superfluous, 
contrary to the canon against such interpretations. Moreover, the 
statute does not expressly link the duty announced in section 222(a) 
with the subsections that follow. That is, the statute does not direct 
``every telecommunications carrier'' to protect proprietary information 
``in accordance with subsections (b) and (c)'' or anything similar.
    351. Nor does our interpretation of section 222(a) vitiate any 
other elements of Section 222. On the contrary, we read section 222(a) 
as imposing a broad duty that can and must be read in harmony with the 
more specific mandates set forth elsewhere in the statute. Accordingly, 
we need not and do not construe section 222(a) so broadly as to 
prohibit any sharing of subscriber information that subsection (e) or 
(g) would otherwise require. That is, subsection (a)'s duty to protect 
the confidentiality of customer PI is in no way inconsistent with 
subsection (e)'s duty to share SLI, which by definition is published 
and therefore is not confidential. Nor is it inconsistent with 
subsection (g)'s duty to share subscriber information ``solely for 
purposes of delivering or assisting in the delivery of emergency 
services.'' Indeed, far from ``render[ing] null'' subsections (e) and 
(g), our reasoned interpretation of section 222(a) preserves the full 
effect of both of these provisions. We thus reject the argument that 
subsection (a)'s absence from the ``notwithstanding'' clauses of 
subsections (e) and (g) should be taken as evidence that the former 
provision confers no ``substantive regulatory authority.'' Rather, 
there was simply no need for Congress to have included subsection (a) 
in these clauses. Also, the mere omission of section 222(a) from the 
these clauses would have been an exceedingly oblique and indirect way 
of settling upon an interpretation of section 222(a) that runs counter 
to its plain meaning. Relatedly, there is no conflict because our 
understanding of section 222(a) does not override any of the exceptions 
to section 222(c) set forth in section 222(d). For example, a carrier 
need not fear that its disclosure of CPNI ``to initiate, render, bill 
[or] collect for telecommunications services'' as subsection (d) 
permits might independently violate section 222(a), because such 
disclosure is not inconsistent with the carrier's duty to protect the 
confidentiality of such information. Nor do we construe section 222(a) 
as negating a carrier's right under section 222(c)(1) to use, disclose 
or permit access to CPNI for the specific purposes set forth in 
subclauses (A) and (B).
    352. We also disagree with the argument that our construction of 
Section 222(a) enlists a ``vague or ancillary'' provision of the 
statute to ``alter [its] fundamental details.'' Section 222(a) appears, 
of course, at the beginning of Section 222. The first thirteen words of 
Section 222(a)--and thus, of Section 222--read: ``Every 
telecommunications carrier has a duty to protect the confidentiality of 
proprietary information. . . .'' Congress could not have featured this 
language any more prominently within the statute, nor could the duty it 
propounds be any more clearly and directly expressed. As discussed 
above, a statutory structure of establishing a general duty and then 
addressing subsets of that duty in greater detail is not unique, even 
within the Communications Act.
    353. Finally, we reject the view that our interpretation of section 
222(a) locates in ``a long-extant statute an unheralded power to 
regulate a significant portion of the American economy.'' The 
Commission has exercised regulatory authority under section 222(c) for 
approximately two decades and oversaw certain carriers' handling of 
customer PI for over two decades before that. Even assuming a contrary 
reading of section 222(a), subsection (c) would still invest the 
Commission with substantial regulatory authority over personal 
information that BIAS providers and other telecommunications carriers 
collect from their customers, and sections 201 and 202 would apply to 
carriers' practices in handling customers' information. Thus, our 
interpretation of section 222(a) is a far cry from the 
``transformative'' act of statutory interpretation struck down in 
Utility Air Regulatory Group v. EPA. There, the agency's broad 
construction of the term ``air pollutant'' would have completely 
upended the ``structure and design'' of a permitting scheme established 
by statute and extended that regime to broad swaths of the economy. By 
contrast, the net effect of our interpreting Section 222(a) as 
governing all customer PI is to make clear the Commission's authority 
over carriers' treatment of customer proprietary information that may 
not qualify as CPNI, such as Social Security numbers or financial 
records. This represents a modest but critical recognition of our 
regulatory purview beyond CPNI to cover additional ``proprietary'' 
information that section 222(a) plainly reaches. Moreover, BIAS 
providers' treatment of such information fell squarely within the 
jurisdiction of the FTC prior to the Commission's reclassification of 
BIAS. The scope of regulatory authority we are asserting under section 
222(a) is thus far from novel or ``unheralded.''
b. The Broad Duty of Section 222(a) Extends to All ``Proprietary 
Information'' That Is ``Of'' or ``Relating to'' Customers
    354. Having determined that section 222(a) imposes on carriers an 
enforceable duty, we also conclude that this duty extends to all 
``proprietary information'' that is ``of, or relating to'' customers, 
regardless of whether the information qualifies as CPNI. That is, we 
reject the argument that section 222(c) exhausts the duty set forth in 
section 222(a) as it applies with respect to customers.
    355. Once again, our interpretation follows from the plain language 
of section 222. While subsection (c) establishes obligations with 
respect to ``customer proprietary network information,'' subsection (a) 
omits the word ``network.'' The concept of the ``network'' lies at the 
heart of CPNI: The information defined as CPNI in section 222(h)(1) is 
of the sort that carriers obtain by virtue providing service over their 
networks. However, as we have explained above, this sort of information 
is not the only ``proprietary information'' that telecommunications 
carriers can and do obtain from their customers by virtue of the 
carrier-customer relationship. We therefore find that ``proprietary 
information of, and relating to . . . customers'' is best read as 
broader than CPNI. Moreover, we are convinced that the term ``network'' 
should not be read into section 222(a), contrary to what some 
commenters appear to argue. We dismiss the idea that the syntax of 
section 222(a) would have made it awkward to include the term 
``network'' as an express limitation

[[Page 87326]]

on the general duty as it applies with regard to customer proprietary 
information. Congress is not bound to any particular formula when 
drafting legislation. Section 222(a) could easily have been written to 
include the term ``customer proprietary network information'' in full, 
had Congress chosen to do so. For instance, the subsection could have 
read: ``Every telecommunications carrier has a duty to protect the 
confidentiality of customer proprietary network information, and of 
proprietary information of, and relating to, other telecommunication 
carriers and equipment manufacturers, including telecommunication 
carriers reselling telecommunications services provided by a 
telecommunications carrier.''
    356. Even if there were some ambiguity in the text of the statute, 
we would conclude that the best interpretation is that section 222(a) 
applies to customer proprietary information that is not CPNI. Some 
argue that the legislative history of section 222 precludes this 
interpretation because of a statement from the Conference Report that 
attended passage of the 1996 Act, which reads: ``In general, section 
222 strives to balance both competitive and consumer privacy interests 
with respect to CPNI.'' Commenters appear to interpret this statement 
as evidence that Section 222 was intended to apply only to CPNI. But 
this is clearly not so. Section 222(a) concerns not only customer 
information but also information ``of, and relating to'' fellow 
carriers and equipment manufacturers. Section 222(b) in turn is focused 
exclusively on ``carrier information.'' Furthermore, subsections (e) 
and (g) impose affirmative obligations on carriers in certain 
circumstances to share SLI, which by definition is not CPNI. Therefore, 
section 222 in general cannot be concerned solely with CPNI. We are 
similarly unmoved by evidence that Congress considered but ultimately 
rejected a more expansive definition of CPNI than that which is 
codified in section 222(h)(1). Such evidence cannot decide the question 
whether section 222(a) governs a category of customer information that 
is broader than CPNI. As explained above, our interpretation follows 
from the plain language of the provision, and the legislative history 
of Section 222 is not to the contrary. At the very least, any contrary 
evidence that may be derived from the legislative history is far from 
sufficient to override our reasoned interpretation of the provision.
    357. We acknowledge that prior Commission orders implementing 
section 222 have focused largely on CPNI rather than customer PI more 
broadly. Yet we do not believe this precedent should constrain our 
efforts in this proceeding to develop robust privacy protections for 
consumers under section 222(a). In fact, the Commission made clear as 
early as 2007 that section 222(a) requires carriers to ``take every 
reasonable precaution to protect the confidentiality of proprietary or 
personal customer information.'' Our express determination in the 
TerraCom proceeding that subsection (a) covers customer proprietary 
information beyond CPNI merely ``affirm[ed]'' what the Commission had 
strongly implied seven years earlier. Moreover, earlier orders adopting 
and revising rules under Section 222 were focused so narrowly on the 
protection of individually identifiable CPNI that the question whether 
Section 222(a) covers additional customer information was never 
squarely addressed. This early focus on CPNI makes sense: Section 222 
was adopted against the background of existing Commission regulations 
concerning CPNI, and the first section 222 proceeding was instituted in 
response to a petition from industry seeking clarity about the use of 
CPNI. However, the Commission has never expressly endorsed the view 
that section 222(a) fails to reach customer information beyond CPNI. We 
expressly disavow any prior Commission statement that could be read as 
endorsing such a view. We therefore disagree that interpreting the 
provision in a contrary manner will have the effect of unsettling ``18 
years'' of Commission precedent in this area.
    358. Finally, construing section 222(a) as reaching customer 
information other than CPNI avoids the creation of a regulatory gap 
that Congress could not reasonably have intended. While the FTC has 
broad statutory authority to protect against ``unfair or deceptive'' 
commercial practices, its enabling statute includes a provision that 
exempts common carriers subject to the Communications Act. This leaves 
the Federal Communications Commission as the only federal agency with 
robust authority to regulate BIAS providers and other 
telecommunications carriers in their treatment of sensitive customer 
information obtained through the provision of BIAS and other 
telecommunications services. If that authority failed to reach customer 
PI other than CPNI, substantial quantities of highly sensitive 
information that carriers routinely collect and use would fall outside 
of the purview of either this Commission or the FTC. The facts of 
TerraCom make clear the dangers of this outcome. In that proceeding we 
enforced Section 222(a) against a carrier that neglected to take even 
minimal security measures to protect Social Security numbers and other 
sensitive customer data from exposure on the public Internet. 
Commenters that advocate a narrow construction of section 222(a) would 
have us divest ourselves of authority to take action in circumstances 
such as these. We need not and will not leave consumers without the 
authority to decide under what circumstances, if any, their BIAS 
providers are allowed to use and share their Social Security numbers, 
financial and health information, and other personal information.
c. The Rules We Adopt as to ``Customer PI'' Reasonably Implement the 
Mandate of Section 222(a) That Carriers ``Protect the Confidentiality'' 
of Such Information
    359. The rules we adopt in this Report and Order apply with respect 
to customer PI, which we have defined to include three overlapping 
categories of information: Individually identifiable CPNI; personally 
identifiable information (PII); and the content of communications. As 
explained above, the information we define as customer PI is 
``proprietary information of, [or] relating to . . . customers'' for 
purposes of section 222(a). The rules we adopt in this Report and Order 
faithfully implement this statutory provision. As a general matter, we 
are adopting a uniform regulatory scheme to govern all customer PI, 
regardless of whether the information qualifies as CPNI. We have 
achieved this unity by replicating the basic structure of section 
222(c), including the exceptions set forth in section 222(d), under 
section 222(a). In doing so, we uphold the specific statutory terms 
that govern CPNI, while adapting these to the broader category of 
customer PI. This approach is lawful under the statute and well-
supported as a matter of policy.
    360. As discussed above, we understand section 222(a) to impose a 
broad duty on carriers to protect customer PI that extends beyond the 
narrower scope of information specified in section 222(c). Section 
222(c) sets forth binding rules regarding application of the general 
duty to carriers' handling of CPNI. In support of this view, we note 
the common focus of these subsections on ``confidentiality.'' While 
subsection (a) directs carriers to ``protect the confidentiality of 
proprietary information'' in general, subsection (c) concerns the 
confidentiality of ``individually

[[Page 87327]]

identifiable customer proprietary network information'' in particular. 
Under our interpretation, subsection (c) provides one possible way of 
implementing the broad duty set forth in subsection (a). That is, 
subsection (c) settles what it means for a carrier to ``protect the 
confidentiality of proprietary information'' when the information at 
issue is individually identifiable CPNI. Given this reading of the two 
provisions, we find no reason that the basic scheme set forth in 
section 222(c) to govern individually identifiable CPNI cannot not be 
replicated under section 222(a) to govern customer PI more broadly. In 
adopting section 222(c), Congress identified a scheme for ``protecting 
the confidentiality of proprietary information'' that it deemed valid 
at least in the context of CPNI. The statute is silent on the 
implementation of this general duty as it applies to customer PI more 
broadly. In the absence of clear statutory guidance on the matter, we 
must exercise our judgment to determine a regulatory scheme that is 
appropriate for customer PI other than individually identifiable CPNI.
    361. We have good reason to adopt a single set of rules for all 
customer PI under section 222(a) that is based on the scheme set forth 
for individually identifiable CPNI in sections 222(c) and (d). First, 
the record indicates that customer expectations about the use and 
handling of their personal information do not typically depend on 
whether the information at issue is CPNI or some other kind of 
proprietary information. Rather, customers are far more likely to 
recognize distinctions based on the sensitivity of the data. The rules 
we adopt today uphold this widespread customer expectation. In 
addition, a common set of rules for all customer PI subject to 222(a) 
will be easier for customers to understand and for providers to 
implement than two distinct sets of rules. These considerations go to 
the very heart of section 222: The ability of customers to make 
informed decisions and of providers to apply a harmonized regime to all 
customer data will each contribute to the protection of 
``confidentiality'' that the statute requires. Moreover, equalizing 
treatment of CPNI and other customer PI more closely aligns our rules 
with the FTC's time-tested privacy approach.
    362. We agree with Comcast that ``protect[ing] confidentiality'' of 
proprietary information involves, among other things, ``preventing 
[such information] from being exposed without authorization.'' This is 
among the core purposes of our rules. The requirement to obtain 
customer approval before using, disclosing, or permitting access to 
customer PI directly ensures that such information is not ``expose[d]'' 
without the ``authorization'' of the customer. The notice requirement 
advances this purpose further by providing customers the information 
they need to make informed choices regarding such use, disclosure, and 
access. As for the data security rule we adopt, its essential purpose 
is to safeguard customer PI from inadvertent or malicious 
``expos[ure].'' The data breach notification rule reinforces these 
other requirements by providing customers, the Commission, and law 
enforcement agencies with notice of instances in which customer PI was 
``exposed without authorization.'' Finally, we uphold customers' 
ability to make decisions about the ``expos[ure]'' of their data by 
prohibiting carriers from conditioning service on the surrender of 
privacy rights.
    363. Yet ``protecting the confidentiality'' of customer PI involves 
more than protecting it from unauthorized exposure. AT&T draws a false 
distinction in arguing that certain aspects of the rules ``have nothing 
to do with confidentiality concerns and instead address only the uses 
of information within an ISP's possession.'' On the contrary, upholding 
customer expectations and choices regarding the use of their 
proprietary information is an integral part of ``protecting the 
confidentiality of'' that information for purposes of section 222. In 
support of this view, we note that restrictions on the use of 
individually identifiable CPNI are part of the scheme enacted under 
section 222(c) to address the ``confidentiality of [CPNI],'' and use is 
the sole conduct regulated to address the ``confidentiality of carrier 
information'' under subsection (b). We thus believe the most natural 
reading of the term ``confidentiality'' as used in section 222 is that 
it encompasses the use of information, not only ``disclos[ure]'' and 
permissions of ``access.'' As a coalition of consumer advocacy groups 
explain, in creating section 222 ``Congress most explicitly directed 
the Commission to ensure that users are not merely protected from 
exposure to third parties, but can actively control how the 
telecommunications provider itself uses the information'' it collects. 
We agree with Verizon that `` `protect' and `use' are different words 
[that] must have different meanings'' within the statute, but our view 
is that these meanings differ in terms of breadth. The ``protect[ion] 
of confidentiality'' is a concept that is broad enough to cover the 
different kinds of conduct regulated under section 222(c): Use, 
disclosure, and permission of access. A carrier that uses, discloses, 
or permits access to individually identifiable CPNI without customer 
approval violates its duty under section 222(c) to protect the 
``confidentiality'' of that CPNI. The same analysis applies under 
section 222(a) with regard to customer PI more broadly. Accordingly, we 
find section 222(a)'s duty to ``protect the confidentiality'' of 
proprietary information supports our rules in full.
3. Section 222(c) Provides Authority for the Rules as to CPNI
    364. In addition to our section 222(a) authority discussed above, 
we have authority under section 222(c) to adopt the rules articulated 
in this Order as to individually identifiable CPNI. Subsection (c) 
obligates carriers to obtain customer approval for any use or 
disclosure of individually identifiable CPNI, except to provide the 
underlying telecommunications service or related services. Our rules 
implement this mandate.
    365. First, our rules establish three methods for obtaining the 
customer approval required under section 222(c): Inferred consent, opt-
in and opt-out. There exists longstanding Commission precedent for 
requiring the use of these methods, and commenters generally support 
some combination of the three. Under the rules we adopt in this Order, 
whether a carrier must seek an affirmative ``opt-in'' depends primarily 
on whether the information at issue is sensitive. This distinction is 
permissible under section 222(c), which requires customer approval in 
general for most uses and disclosures of individually identifiable CPNI 
but does not specify the form this approval must take in any particular 
circumstance. Second, we require carriers to provide their customers 
with notice of their privacy policies, both at the point of sale and 
through posting on their Web sites and in mobile apps. This is an 
essential part of customer approval, as only informed customers can 
make meaningful decisions about whether and how extensively to permit 
use or disclosure of their information. The need for this notice to be 
given at the point of sale is particularly acute in circumstances where 
approval may take the form of an ``opt-out.'' In such cases, the notice 
itself is integral to the ``approval'': customers are presumed to 
approve of the use or disclosure unless and until they affirmatively 
``opt out'' of such activity. We also prohibit carriers from

[[Page 87328]]

conditioning the provision of service on consent to the use or 
disclosure of information protected under section 222. We believe that 
this prohibition is necessary to give effect to the customer approval 
that subsection (c) requires.
    366. We next require carriers to take reasonable measures to secure 
the individually identifiable CPNI they collect, possess, use and 
share. Such a requirement is necessary to uphold customer decisions 
regarding use and disclosure of their information and to give effect to 
the terms of carriers' privacy policies. These other privacy 
protections would be vitiated if customers lacked any assurance that 
their information would be secured against unauthorized or inadvertent 
disclosures, cyber incidents, or other threats to the confidentiality 
of the information. Finally, we require carriers to report data 
breaches to their customers, the Commission, and law enforcement, 
except when a carrier reasonably determines that there is no reasonable 
likelihood of harm to customers. The Commission has long required such 
reporting as part of a carrier's duty to protect the confidentiality of 
its customers' information. Among other purposes, data breach 
notifications can meaningfully inform customer decisions regarding 
whether to give, withhold, or retract their approval to use or disclose 
their information.
    367. In adopting these rules, we are respectful of other parts of 
the statute that limit or condition the scope of section 222(c). For 
instance, our rules preserve the statutory distinction between 
individually identifiable ``CPNI'' and ``aggregate customer 
information.'' As explained above, we have not modified the definition 
of either of these terms in a way that would impermissibly narrow the 
scope of section 222(c)(3). In addition, our rules include provisions 
that implement the exceptions to Section 222(c) that are set forth in 
section 222(d). Finally, our rules are consistent with and pose no 
obstacle to compliance with the requirements of sections 222(e) and (g) 
that subscriber information be disclosed in certain defined 
circumstances.

B. Sections 201(b) and 202(a) Provide Additional Authority To Protect 
Against Privacy Practices That Are ``Unjust or Unreasonable'' or 
``Unjustly or Unreasonably Discriminatory''

    368. While section 222 provides sufficient authority for the 
entirety of the rules we adopt in this Order, we conclude that sections 
201(b) and 202(a) also independently support the rules, because they 
authorize the Commission to prescribe rules to implement carriers' 
statutory duties not to engage in conduct that is ``unjust or 
unreasonable'' or ``unjustly or unreasonably discriminatory.'' Our 
enforcement of sections 201(b) and 202(a) in the context of BIAS finds 
expression in the ``no unreasonable interference/disadvantage'' 
standard adopted in the 2015 Open Internet Order. As we explained in 
the 2015 Open Internet Order, ``practices that fail to protect the 
confidentiality of end users' proprietary information'' are among the 
potential carrier practices that are ``unlawful if they unreasonably 
interfere with or disadvantage end-user consumers' ability to select, 
access, or use broadband services, applications, or content.'' Above, 
we noted that financial incentives to surrender privacy rights in 
connection with BIAS are one sort of practice that could potentially 
run afoul of this standard, and we will accordingly monitor such 
practices closely. Yet, aside from prohibiting ``take-it-or-leave-it'' 
offerings, we do not engage in any ex ante prohibition of such 
practices.
    369. In addition, sections 201(b) and 202(a) provide backstop 
authority to ensure that no gaps are formed in Congress's multi-statute 
regulatory framework governing commercial privacy and data security 
practices. As explained above, the FTC's enabling statute grants the 
agency broad authority with respect to such practices, but denies it 
authority over common carrier activities of common carriers. That 
leaves this Commission as the sole federal agency with authority to 
regulate telecommunications carriers' treatment of personal and 
proprietary customer data obtained in the provision of BIAS and other 
telecommunications services. While we believe section 222 endows the 
Commission with ample authority for the rules we adopt today to protect 
such data, both as to CPNI and other customer PI, sections 201(b) and 
202(a) provide an independent legal basis for the rules. Indeed, both 
this Commission and the FTC have long recognized that similar conduct 
would tend to run afoul of section 201(b) and of Section 5 of the FTC 
Act, the statutory linchpin of the FTC's privacy and data security 
enforcement work. Thus, asserting sections 201(b) and 202(a) as a basis 
for our rules merely preserves consistent treatment of companies that 
collect sensitive customer information--including Social Security 
numbers and financial records--regardless of whether the company 
operates under the FCC's or FTC's authority.
    370. Accordingly, for these reasons and others discussed throughout 
this Report and Order, we find that Sections 201(b) and 202(a) by their 
own terms, consistent the 2015 Open Internet Order's interpretation of 
those provisions in the context of BIAS, provide authority for the 
adoption of these rules. Also, while we recognize that 
telecommunications services other than BIAS are beyond the reach of the 
open Internet rules, providers of such services remain subject to 
enforcement directly under sections 201(b) and 202(a), and those 
provisions authorize adoption of these rules.

C. Title III of the Communications Act Provides Independent Authority

    371. With respect to mobile BIAS and other mobile 
telecommunications services, the rules we adopt in this Order are also 
independently supported by our authority under Title III of the Act to 
protect the public interest through spectrum licensing. Section 303(b) 
directs the Commission, consistent with the public interest, to 
``[p]rescribe the nature of the service to be rendered by each class of 
licensed stations and each station within any class.'' These rules do 
so. They lay down rules about ``the nature of the service to be 
rendered'' by licensed entities providing mobile telecommunications 
service; making clear that this service may not be offered in ways that 
harm the interests of consumers is protecting the confidentiality of 
their personal information. Today's rules specify the form this service 
must take for those who offer it pursuant to license. In providing such 
licensed service, carriers must adhere to the rules we adopt today. 
Section 303(r) also supplements the Commission's authority to carry out 
its mandates through rulemaking, and section 316 authorizes the 
Commission to adopt new conditions on existing licenses if it 
determines that such action ``will promote the public interest, 
convenience, and necessity.'' Throughout this Order, we determine that 
the rules adopted here will promote the public interest.

D. The Rules Are Also Consistent With the Purposes of Section 706 of 
the 1996 Act

    372. We also believe that our rules are consistent with section 706 
of the 1996 Act and will help advance its objective of promoting ``the 
deployment on a reasonable and timely basis of advanced 
telecommunications capability to all Americans.'' We agree with 
commenters that strong broadband privacy and data security practices 
tend to promote consumer trust and confidence, which can increase 
demand for broadband and

[[Page 87329]]

ultimately spur additional facilities deployment. Moreover, we have 
adopted a flexible set of rules that are largely consistent with the 
FTC's approach to privacy regulation, creating a measure of consistency 
across the telecommunications ecosystem. We thus reject any argument 
that the rules will impose novel costs or burdens on BIAS providers and 
other telecommunications carriers that would discourage further 
deployment of advanced services.

E. We Have Authority To Apply the Rules to Interconnected VoIP Services

    373. In 2007, the Commission exercised ancillary jurisdiction to 
extend its Part 64 CPNI rules to interconnected VoIP services. Since 
then, interconnected VoIP providers have operated under these rules. 
Today, we exercise the same authority to apply to interconnected VoIP 
services the harmonized set of rules we are adopting for BIAS and other 
telecommunications services. We make no decisions in this Order on the 
regulatory classification of interconnected VoIP services. 
Interconnected VoIP services remain within the Commission's subject 
matter jurisdiction, and we continue to find that the application of 
customer privacy requirements to these services is ``reasonably 
ancillary to the effective performance'' of our statutory 
responsibilities. We conclude that our jurisdiction to apply the rules 
in this Order to interconnected VoIP providers is just as strong as it 
was in 2007. In addition to the analysis in the 2007 CPNI Order, we 
observe that applying these obligations to interconnected VoIP 
providers is necessary to protect the privacy of customers of BIAS 
providers and other telecommunications services. Given the growth in 
interconnected VoIP and the extent to which it increasingly is viewed 
as a substitute for traditional telephone service, telecommunications 
carriers could be disadvantaged if they were subject to these 
requirements but other interconnected VoIP providers were not. 
Consumers' privacy interests could benefit to the extent that providers 
of competitive services are subject to the same obligations. 
Furthermore, in light of Congress's amendment of the Act, including 
section 222, to apply E-911 obligations to interconnected VoIP, the 911 
system could be disrupted to the extent that our harmonized section 222 
regime were no longer to apply to interconnected VoIP. As the 
Commission explained in 2007, ``American consumers [can reasonably] 
expect that their telephone calls are private irrespective of whether 
the call is made using the service of a wireline carrier, a wireless 
carrier, or an interconnected VoIP provider.'' Furthermore, ``extending 
section 222's protections to interconnected VoIP service customers is 
necessary to protect the privacy of wireline or wireless customers that 
place calls to or receive calls from interconnected VoIP providers.'' 
These rationales hold equally true today. In addition, in 2008, 
Congress ratified the Commission's decision to apply section 222's 
requirements to interconnected VoIP by adding language to section 222 
that expressly covers ``IP-enabled voice service,'' defined expressly 
to incorporate the Commission's definition of ``interconnected VoIP 
service.''
    374. We believe that the rules we adopt today are no less suitable 
for interconnected VoIP service, and are in fact better tailored to 
that service, than the rules adopted in 2007. As explained above, we 
have adopted a harmonized set of rules for voice services and BIAS. 
There is considerable flexibility built into these rules to permit 
providers of different services and with different business models to 
adopt privacy practices appropriate for their businesses. Moreover, 
while the Order expands on existing obligations in some respects, it 
also streamlines or removes several of the more prescriptive 
requirements codified in the existing rules. We have also broadened the 
enterprise customer exemption and taken measures to address the 
potential for disproportionate impacts on smaller providers, including 
those that provide interconnected VoIP service. We therefore are not 
persuaded that our rules will overburden interconnected VoIP providers 
in particular with ``expand[ed] privacy obligations'' that would 
``forestall competition.''

F. Constitutional Considerations

1. Our Sensitivity-Based Choice Framework Is Supported by the 
Constitution
    375. In adopting section 222, Congress identified a substantial 
government interest in protecting the privacy of customers of 
telecommunications services. In adopting and revising rules pursuant to 
section 222 we have recognized and honored that same substantial 
interest. Nonetheless, because our rules require carries to provide 
their customers with tools to grant or deny the carriers approval to 
use customer information for marketing and other purposes, they can be 
said to restrict certain types of commercial speech by 
telecommunications carriers, and therefore must be narrowly tailored to 
further that substantial government interest. In the Central Hudson 
case, the Supreme Court found that in order to meet the requirement 
that rules implicating commercial speech are narrowly tailored to meet 
a substantial government interest, the government must conduct a 
threshold inquiry regarding whether the commercial speech concerns 
lawful activity and is not misleading. If this threshold requirement is 
met, as it is here, the government may restrict the speech only if (1) 
the government interest advanced by the regulation is substantial; (2) 
the regulation directly and materially advances that interest; and (3) 
the regulation is not more extensive than necessary to serve the 
interest. By adopting a sensitivity-based framework for giving 
customers tools to make decisions about their telecommunications 
carriers' use and sharing of their information, the rules we adopt 
today meet that three part test.
a. Substantial Government Interest
    376. We agree with the D.C. Circuit that section 222 seeks to 
promote a substantial public interest in protecting consumer privacy. 
The record indicates broad agreement on this point, which is further 
reinforced by the wealth of case law reiterating the substantial state 
interest in protecting privacy. Section 222 is designed to protect the 
interest of telecommunications consumers in limiting unexpected and 
unwanted use and disclosure of their personal information by carriers 
that must collect such information in order to provide the 
telecommunications service, and the record further indicates that 
customers' ability to know and control the information gathered by 
virtue of their relationships with their telecommunications providers 
also comprises a substantial government interest.
    377. The failure to adequately protect customer PI can have myriad 
negative consequences for customers and society at large. Revelations 
of private facts have been recognized as harms since at least the time 
of Justices Warren and Brandeis. Failure to protect the privacy of 
consumer information can, of course create a risk of financial harm, 
identity theft and physical threat. The Commission has also found that 
emotional and dignitary harms are privacy harms, in other contexts. In 
implementing the Truth in Caller ID Act, the Commission found that 
``harm'' was a broad concept encompassing financial, physical, and 
emotional harm. The FTC similarly recognized that harms beyond the 
economic, physical, and intrusive are nonetheless real and cognizable, 
and the Administration's

[[Page 87330]]

CPBR defines ``privacy risk'' to include the potential to cause 
``emotional distress, or physical, financial, professional, or other 
harm to an individual.''
    378. Some commenters argue that the Commission can only demonstrate 
an interest in addressing the disclosure of customer PI and not in how 
carriers' use customer PI. We disagree. The Supreme Court has 
recognized that an important part of privacy is the right to know and 
have an effective voice in how one's information is being used, holding 
that ``both the common law and the literal understandings of privacy 
encompass the individual's control of information concerning his or her 
person.'' The D.C. Circuit has similarly held that ``it is widely 
accepted that privacy deals with determining for oneself when, how, and 
to whom personal information will be disclosed to others.'' This 
conception of privacy is embedded within the history of the Fair 
Information Practice Principles (which form the broadly-supported basis 
for our privacy rules), and within the long history of communications 
privacy as well. From their inception, FIPPs have recognized privacy as 
an individual's right to control uses of information about him--not 
merely to control their disclosures. The Federal Radio Act of 1927, and 
the original language of the Communications Act of 1934, prohibited 
carriers not only from publishing or divulging information relevant to 
communications, but also from making uses of the information solely to 
benefit themselves. Scholarly literature on privacy also finds that 
misuse by the collecting entity can harm individuals' privacy, even 
apart from disclosure.
    379. Direct surveys confirm consumers' recognition of these harms. 
According to the 2016 Consumer Privacy Index by TRUSTe and the National 
Cybersecurity Alliance, 68 percent of consumers were more concerned 
about not knowing how personal information was collected online than 
losing their principal income. The Consumer Privacy Index also 
indicated that large numbers of consumers want control over who has 
access to personal information (45 percent), how that information is 
used (42 percent), and the type of information collected (41 percent). 
Consumers also object to their data being used, and not only disclosed, 
in the service of targeted advertising. These studies demonstrate 
empirically that consumers find loss of control over their information 
harmful, even apart from potential monetary loss.
    380. The risk of privacy harms directly affects behavior and 
activity by eroding trust in and use of communications networks. As the 
Commission has found, if ``consumers have concerns about the privacy of 
their personal information, such concerns may restrain them from making 
full use of broadband Internet access services and the Internet, 
thereby lowering the likelihood of broadband adoption and decreasing 
consumer demand.'' There is evidence that unexpected uses of private 
customer information can increase fear, uncertainty, powerlessness, and 
vulnerability. This is not a purely academic concern; the National 
Telecommunications and Information Administration (NTIA) recently found 
that fear of privacy violations chills online activity, to the point 
where privacy concerns prevented 45 percent of online households from 
conducting financial transactions, buying goods or services, or posting 
on social networks. The Consumer Privacy Index found that 74 percent of 
respondents limited their activity in the past year due to privacy 
concerns, including 36 percent who stopped using certain Web sites and 
29 percent stopped using an app. In contrast, when companies protect 
consumers' privacy, consumers' adoption of their products, services, 
and technologies increases.
    381. We therefore conclude that the government's interest in 
protecting customer privacy is a substantial one--a fact recognized 
widely by consumers, the courts, and the Communications Act.
b. Direct and Material Advancement
    382. The choice framework that we adopt directly and materially 
advances the substantial government interests discussed above. We find 
that requiring customer approval for use and disclosure of customer PI 
prevents information uniquely collected and collated by 
telecommunications carriers from being used or disclosed against a 
customer's wishes, consistent with customer expectations, and as such 
directly and materially advances the government's substantial 
government interest in protecting customers' privacy. While we 
recognize that adopting these rules cannot protect customers from 
privacy violations that originate from entities that are not 
telecommunications providers, the fact that the rules do not create 
universal privacy protection does not mean that customers' privacy 
interests are not advanced. Customers have an important interest in 
ensuring that their personal information is not used by their BIAS 
providers or other telecommunications carrier without their prior 
approval in a way that the customers do not or cannot reasonably 
expect.
    383. In addition, requiring telecommunications carriers to obtain 
opt-in approval for the use and sharing of sensitive customer PI 
materially advances the government's interest in protecting 
telecommunications customers' privacy and in enabling customer to avoid 
unwanted and unexpected use and disclosure of sensitive customer PI. 
The opt-in requirements we adopt today provide telecommunications 
customers control over how their sensitive customer PI can be used for 
purposes besides those essential to the delivery of service. Likewise, 
we conclude that opt-out directly and materially advances the 
government's interest that a customer be given an opportunity to 
approve (or disapprove) uses of his non-sensitive customer PI by 
mandating that carriers provide prior notice to customers along with an 
opportunity to decline the carriers' requested use.
c. The Rules Are No More Burdensome Than Necessary To Advance the 
Government's Substantial Interest
    384. Central Hudson requires that regulations on commercial speech 
be no more extensive than necessary to advance the substantial 
interest. This does not mean that a regulation must be as narrow as 
possible, however. The Supreme Court has held that ``[t]he government 
is not required to employ the least restrictive means conceivable . . . 
a fit that is not necessarily perfect, but reasonable; that represents 
not necessarily the single best disposition but one whose scope is in 
proportion to the interest served.'' As explained below, our framework 
satisfies this test.
    385. Non-Sensitive Customer PI. In most cases involving what we 
categorize as non-sensitive customer PI, we find opt-in approval 
unnecessary to ensure adequate customer choice. We therefore find that 
the opt-out framework for use and sharing of non-sensitive customer PI 
is a narrowly tailored means to directly and materially advance the 
government's interest in protecting consumers from unapproved use of 
non-sensitive customer PI by telecommunications carriers. The record 
reflects that non-sensitive information naturally generates fewer 
privacy concerns for customers, and as such does not require the same 
level of customer approval as for sensitive customer PI. Further, the 
record reflects that customers expect their providers to use their non-
sensitive information to market improved services, lower-priced service 
offerings, promotional discounts for new services, and other offers of

[[Page 87331]]

value from telecommunications carriers and their affiliates. The record 
also demonstrates that customers can reap significant benefits in the 
form of more personalized service offerings and possible cost saving 
from their carriers providing services based on the non-sensitive 
customer PI that carriers collect. The Commission has previously found, 
in the context of its voice CPNI rules, that ``telecommunications 
consumers expect to receive targeted notices from their carriers about 
innovative telecommunications offerings that may bundle desired 
telecommunications services and/or products, save the consumer money, 
and provide other consumer benefits.'' Requiring carriers to obtain 
opt-out consent from customers to use and share their non-sensitive 
information grants carriers flexibility to make improvements and 
innovations based on customer PI, while still ensuring that customers 
can control the use and sharing of their non-sensitive customer PI.
    386. Sensitive Customer PI. We require opt-in approval only for the 
most important information to customers--sensitive customer PI. We find 
that requiring opt-in approval for the use and sharing of sensitive 
customer PI is a narrowly-tailored means of advancing the Commission's 
interests in protecting the privacy of sensitive customer PI, and in 
enabling customers meaningful choice on the use and sharing of such 
sensitive customer PI. As discussed above in detail, the record 
reflects that customers reasonably expect that their sensitive 
information will not be shared without their affirmative consent. 
Furthermore, it has been our experience implementing section 222 that 
sensitive information, being more likely to lead to more serious 
customer harm, requires additional protection, and the record here 
supports that view . Commenters nearly unanimously argue that use and 
sharing of sensitive customer information be subject to customer opt-in 
approval. Although we recognize that opt-in imposes additional costs, 
we find that opt-in is warranted to maximize opportunities for informed 
choice about sensitive information.
    387. In contrast, we find that opt-out consent would be 
insufficient to protect the privacy of sensitive customer PI. As a 
functional matter, while opt-out consent has been described as the 
least restrictive form of obtaining customer approval, it is only 
``marginally less intrusive than opt-in for First Amendment purposes.'' 
As we explain above, research has shown that default choices can be 
``sticky,'' meaning that consumers will remain in the default position, 
even if they would not have actively chosen it. From this, we conclude 
that an opt-out regime for use and sharing of sensitive customer PI 
would not materially and directly advance the government's interest in 
protecting customer privacy because it would not adequately address 
customers' expectations that their sensitive customer PI is not used 
without their affirmative consent.
2. Other First Amendment Arguments
    388. Strict Scrutiny Under Sorrell. The customer choice rules we 
adopt today do not impermissibly target particular speech or speakers, 
and thus a strict scrutiny analysis under Sorrell v. IMS Health Inc. is 
unwarranted. In Sorrell, the state of Vermont specifically targeted 
``drug detailers'' and their marketing speech, which the state 
disfavored, in a framework that otherwise permitted communications 
about medical prescriptions. By contrast, the rules adopted here do not 
disfavor any particular activity. While a large number of commenters 
are particularly concerned with the limitations that the rules may 
place upon marketing, customers' privacy interests reach far beyond 
targeted marketing, to include for instance risk of identity theft or 
other fraud, stalking, and revelations of private communications, as 
well as the harms inherent in lacking control over the uses of their 
proprietary information.
    389. The fact that section 222 and our rules thereunder apply to 
certain types of information and certain providers is a function of 
their tailoring, not indications that they are content-based. As 
explained above, our rules are tailored to address unique 
characteristics of telecommunications services and of the relationship 
between telecommunications carriers and their customers. Were we to 
interpret Sorrell to hold sector-specific privacy laws such as section 
222 and our rules to be content-based simply because they do not apply 
to all entities equally, it would stand to invalidate nearly every 
federal privacy law, considering the sectoral nature of our federal 
privacy statutes. Indeed, if laws impacting expression were considered 
content-based for not being universal, nearly every privacy and 
intellectual property law would need to pass strict scrutiny. However, 
Sorrell stands for no such thing, itself citing HIPAA--limited to 
covering certain specific entities and types of information--as an 
example of a constitutionally sound privacy protection. Similarly, use-
based exceptions to section 222 and our rules do not render the statute 
or rules content-based any more than purpose-based exceptions in HIPAA.
    390. Compelled Speech. Some commenters argue that the notice 
requirements unconstitutionally compel speech from carriers. We 
disagree. Requirements to include purely factual and uncontroversial 
information in commercial speech are constitutional so long as they are 
reasonably related to the government's substantial interest in 
protecting consumers. The notice requirements we adopt here, just like 
the notice requirements in the CPNI rules before them and like numerous 
notice and labeling requirements before, require only that companies 
provide factual and uncontroversial information to consumers.
    391. Constitutional Avoidance. Some commenters raise arguments 
citing the canon of constitutional avoidance. We do not believe this is 
applicable. Constitutional avoidance is a canon of statutory 
interpretation that states that a court should not resolve a case ``by 
deciding a constitutional question if it can be resolved in some other 
fashion.'' As the Supreme Court has held, ``[t]he so-called canon of 
constitutional avoidance is an interpretive tool, counseling that 
ambiguous statutory language be construed to avoid serious 
constitutional doubts.'' The Court further found ``no precedent for 
applying it to limit the scope of authorized executive action.'' The 
canon of constitutional avoidance therefore does not apply to this 
proceeding, does not require that we adopt an opt-out framework, and 
does not mandate that we avoid regulating in this space.
    392. Finally, to the extent that parties argue that today's rules 
deny carriers a First Amendment right of editorial control or impose 
prior restraints that implicate the First Amendment, we note that it is 
well established that common carriers transmitting speech through 
communications networks are not speakers for First Amendment purposes.

G. Severability

    393. In this Report and Order, we adopt a unified scheme of privacy 
protections for customers of BIAS and other telecommunications 
services. While the unity and comprehensiveness of this scheme 
maximizes its utility, we clarify that its constituent elements each 
operate independently to protect consumers. Were any element of this 
scheme stayed or invalidated by a reviewing court, the elements that 
remained in effect would continue to provide vital consumer 
protections. For instance, telecommunications customers have long 
benefitted from Commission

[[Page 87332]]

rules governing the treatment CPNI. The rules we adopt today would 
continue to ensure that such information is protected even if they did 
not extend to all of the information we define as customer PI. 
Similarly, the different forms of conduct regulated under section 222--
use, disclosure, and permission of access--each pose distinct threats 
to the confidentiality of customer PI. Finally, the benefit of the 
rules for customers of any particular telecommunications service does 
not hinge on the same rules applying to other telecommunications 
services. Accordingly, we consider each of the rules adopted in this 
Report and Order to be severable, both internally and from the 
remaining rules. In the event of a stay or invalidation of any part of 
any rule, or of any rule as it applies as to certain services, 
providers, forms of conduct, or categories of information, the 
Commission's intent is to otherwise preserve the rule to the fullest 
possible extent.

V. Procedural Matters

A. Regulatory Flexibility Analysis

    394. As required by the Regulatory Flexibility Act of 1980 (RFA), 
an Initial Regulatory Flexibility Analysis (IRFA) was incorporated into 
the Broadband Privacy NPRM. The Commission sought written public 
comment on the possible significant economic impact on small entities 
regarding the proposals address in the 2016 Broadband Privacy NPRM, 
including comments on the IRFA. Pursuant to the RFA, a Final Regulatory 
Flexibility Analysis is set forth in Appendix B.

B. Paperwork Reduction Act

    395. This document contains new information collection requirements 
subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-
13. It will be submitted to the Office of Management and Budget (OMB) 
for review under Section 3507(d) of the PRA. OMB, the general public, 
and other federal agencies are invited to comment on the new 
information collection requirements contained in this proceeding. In 
addition, we note that pursuant to the Small Business Paperwork Relief 
Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), we 
previously sought specific comment on how the Commission might further 
reduce the information collection burden for small business concerns 
with fewer than 25 employees.
    396. In this present document, we require telecommunications 
carriers to: (1) Disclose their privacy practices to customers; (2) 
provide customers a mechanism for opting in or out of the use or 
sharing of their customer PI; (3) notify customers of any unauthorized 
disclosure or use of their customer PI; and (4) provide customers clear 
and conspicuous notice regarding any financial incentive programs 
related to the use or disclosure of their customer PI. We have assessed 
the effects of these changes and find that the burdens on small 
businesses will be addressed through the implementation plan adopted in 
this Order, as well as accommodations made in response to small 
carriers concerns on the record. The privacy policy notice rules, for 
example, afford carriers significant flexibility on how to comply with 
the notice requirement. They mandate neither a specific format nor 
specific content to be contained in the notice. We have also directed 
the Commission's Consumer Advisory Committee to develop a standardized 
notice format that will serve as a safe harbor once adopted. Similarly, 
the choice rules do not prescribe a specific format for accepting a 
customer's privacy choices. The choice rules are also significantly 
harmonized with existing rules, with which most small providers 
currently comply. Additionally, the heightened requirements for 
financial incentive programs allow all providers considerable latitude 
to develop their programs within the parameters of the rule. Finally, 
the data breach notification rules incorporate both a harm trigger and 
notification timeline that significantly lessen the implementation 
requirements for small providers.

C. Congressional Review Act

    397. The Commission will send a copy of this Report and Order in a 
report to be sent to Congress and the Government Accountability Office 
pursuant to the Congressional Review Act (CRA), see 5 U.S.C. 
801(a)(1)(A).

D. Accessible Formats

    398. To request materials in accessible formats for people with 
disabilities (braille, large print, electronic files, audio format), 
send an email to fcc.gov">fcc504@fcc.gov or call the Consumer & Governmental 
Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (tty).

VI. Final Regulatory Flexibility Analysis

    399. As required by the Regulatory Flexibility Act of 1980, as 
amended (RFA), an Initial Regulatory Flexibility Analysis (IRFA) was 
incorporated into the Broadband Privacy NPRM for this proceeding. The 
Commission sought written public comment on the proposals in the 
Broadband Privacy NPRM, including comment on the IRFA. The Commission 
received comments on the IRFA, which are discussed below. This present 
Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA.

A. Need for, and Objectives of, the Rules

    400. In the Order, we adopt privacy requirements for providers of 
broadband Internet access service (BIAS) and other telecommunications 
services. In doing so, we build upon the Commission's long history of 
protecting customer privacy in the telecommunications sector. Section 
222 of the Communications Act provides statutory protections to the 
privacy of the data that all telecommunications carriers collect from 
their customers. Section 222(a) imposes a duty on all 
telecommunications carriers to protect the confidentiality of their 
customers' ``proprietary information,'' or PI. Section 222(c) imposes 
restrictions on telecommunications carriers' use and sharing of 
customer proprietary network information (CPNI) without customer 
approval, subject to certain exceptions, including as necessary to 
provide the telecommunications service (or services necessary to or 
used in providing that telecommunications service), and as required by 
law.
    401. Over the last two decades, the Commission has promulgated, 
revised, and enforced privacy rules for telecommunications carriers 
that are focused on implementing the CPNI requirements of section 222. 
As practices have changed, the Commission has refined its section 222 
rules. The current section 222 rules focus on transparency, choice, 
data security, and data breach notification.
    402. Prior to 2015, BIAS was classified as an information service, 
which excluded such services from the ambit of Title II of the Act, 
including section 222, and the Commission's CPNI rules. Instead, 
broadband providers were subject to the FTC's unfair and deceptive acts 
and practices authority. In the 2015 Open Internet Order, we 
reclassified BIAS as a telecommunications service subject to Title II 
of the Act, an action upheld by the D.C. Circuit in United States 
Telecom Ass'n v. FCC. While we granted BIAS forbearance from many Title 
II provisions, we concluded that application and enforcement of the 
privacy protections in section 222 to BIAS is in the public interest 
and necessary for the protection of consumers. However, we questioned 
``whether the Commission's current rules implementing section 222 
necessarily would be well suited to

[[Page 87333]]

broadband Internet access service,'' and forbore from the application 
of these rules to broadband service, ``pending the adoption of rules to 
govern broadband Internet access service in a separate rulemaking 
proceeding.''
    403. In March 2016, we adopted the Broadband Privacy NPRM, which 
proposed a framework for applying the longstanding privacy requirements 
of the Act to BIAS. In the NPRM, we proposed rules protecting customer 
privacy using the three foundations of privacy--transparency, choice, 
and security--and also sought comment on, among other things, whether 
we should update rules that govern the application of section 222 to 
traditional telephone service and interconnected VoIP service in order 
to harmonize them with the results of this proceeding.
    404. Based on the record gathered in this proceeding, today we 
adopt a harmonized set of rules applicable to BIAS providers and other 
telecommunications carriers. The privacy framework we adopt focuses on 
transparency, choice, and data security, and provides heighted 
protection for sensitive customer information, consistent with customer 
expectations. Our need to extend such privacy requirements to BIAS 
providers is based, in part, on their particular role as network 
providers and the context of the consumer/BIAS provider relationship. 
Based on our review of the record, we reaffirm our earlier finding that 
a broadband provider ``sits at a privileged place in the network, the 
bottleneck between the customer and the rest of the Internet''--a 
position that we have referred to as a gatekeeper. As such, BIAS 
providers can collect ``an unprecedented breadth'' of electronic 
personal information.
    405. In adopting these rules we honor customers' privacy rights and 
implement the statutory requirement that carriers protect the 
confidentiality of customer proprietary information. These rules do not 
prohibit carriers from using or sharing customer information, but 
rather are designed to protect consumer choice while giving carriers 
the flexibility they need to continue to innovate. By bolstering 
customer confidence in carriers' treatment of confidential customer 
information, we also promote the virtuous cycle of innovation in which 
new uses of the network lead to increased end-user demand for 
broadband, which drives network improvements, which in turn lead to 
further innovative network uses, business growth and innovation.

B. Summary of Significant Issues Raised by Public Comments in Response 
to the IRFA

    406. In response to the Broadband Privacy NPRM, five entities filed 
comments, reply comments, and/or ex parte letters that specifically 
addressed the IRFA to some degree: Alaska Telephone Association, 
Competitive Carriers Association, NTCA, Rural Wireless Association, and 
Wireless Internet Service Providers Association (WISPA). Some of these, 
as well as other entities, filed comments, reply comments, and/or ex 
parte letters that more generally considered the small business impact 
of our proposals.
    407. Some commenters recommend that the Commission adopt specific 
exemptions or provisions to alleviate burdens on small carriers. In 
particular, commenters recommend that the Commission (1) exempt small 
carriers from some or all of the rules based on their size and/or 
practices; (2) give small carriers additional time to comply with the 
rules; (3) harmonize notice and choice requirements with the 
preexisting voice CPNI rules; (4) exempt small carriers from any 
privacy dashboard requirements and otherwise give them flexibility in 
the structure of their privacy notices; (5) grandfather existing 
customer approvals for use and disclosure of customer information; (6) 
exempt small carriers from any opt-in approval requirements; (6) not 
impose specific data security requirements on small providers; (7) not 
impose specific data breach reporting deadlines on small providers, and 
instead allow them to report breaches as soon as practicable; and (8) 
not hold small carriers liable for misuse of customer PI by third 
parties with whom they share the information. We considered these 
proposals and concerns when composing the Order and the accompanying 
rules.

C. Response to Comments by the Chief Counsel for Advocacy of the Small 
Business Administration

    408. Pursuant to the Small Business Jobs Act of 2010, which amended 
the RFA, the Commission is required to respond to any comments filed by 
the Chief Counsel for Advocacy of the Small Business Administration 
(SBA), and to provide a detailed statement of any change made to the 
proposed rules as a result of those comments.
    409. The SBA filed comments in response to the IRFA encouraging the 
Commission to examine measures, exemptions, and alternatives that would 
ease compliance by small telecommunications carriers with our rules. 
SBA observed that compliance costs to small providers may include 
``consulting fees, attorney's fees, hiring or training in-house privacy 
personnel, customer notification costs, and opportunity costs.'' In 
particular, SBA recommends giving small providers more time to comply 
with the rules and it supports granting small providers an exemption 
from the rules ``wherever practicable.''
    410. As explained in detail below, we have taken numerous measures 
in this Order to alleviate burdens for small providers, consistent with 
the comments of the SBA. In particular, we have adopted SBA's proposal 
that we give small providers additional time to comply. Also, while we 
do not exempt small providers from any of our rules, we have taken 
alternative measures to address several of the concerns with specific 
rule proposals that the SBA identifies. For instance, the data security 
rule we adopt focuses on the ``reasonableness'' of a carrier's security 
practices and does not prescribe any minimum required practices a 
provider must undertake to achieve compliance. The rule also 
specifically recognizes that the size of the provider is one of the 
factors to be considered in determining whether a provider has engaged 
in reasonable data security practices. By formulating the rule in this 
way, we have addressed small provider concerns regarding the costs of 
implementing prescriptive requirements. We also note that among other 
accommodations directly responsive to small provider concerns, we 
decline to require a consumer-facing dashboard.

D. Description and Estimate of the Number of Small Entities to Which 
the Rules Will Apply

    411. The RFA directs agencies to provide a description of, and 
where feasible, an estimate of the number of small entities that may be 
affected by the rules. The RFA generally defines the term ``small 
entity'' as having the same meaning as the terms ``small business,'' 
``small organization,'' and ``small governmental jurisdiction.'' In 
addition, the term ``small business'' has the same meaning as the term 
``small business concern'' under the Small Business Act. A ``small 
business concern'' is one which: (1) is independently owned and 
operated; (2) is not dominant in its field of operation; and (3) 
satisfies any additional criteria established by the SBA.
    412. For the purposes of these rules, we define small providers as 
providers with 100,000 or fewer broadband connections as reported on 
their most recent Form 477, aggregated over all the

[[Page 87334]]

providers' affiliates. We decline to count based on the number of 
customers from whom carriers collect data, as we recognize that some 
data collection is necessary to the provisions of service. Cabining the 
scope of small providers to those serving 100,000 or fewer subscribers 
is consistent with the 2015 Open Internet Order.
    413. The rules apply to all telecommunications carriers, including 
providers of BIAS. Below, we describe the types of small entities that 
might provide these services.
1. Total Small Entities
    414. Our rules may, over time, affect small entities that are not 
easily categorized at present. We therefore describe here, at the 
outset, three comprehensive, statutory small entity size standards. 
First, as of 2013, the SBA estimates there are an estimated 28.8 
million small businesses nationwide--comprising some 99.9% of all 
businesses. In addition, a ``small organization'' is generally ``any 
not-for-profit enterprise which is independently owned and operated and 
is not dominant in its field.'' Nationwide, as of 2007, there were 
approximately 1,621,315 small organizations. Finally, the term ``small 
governmental jurisdiction'' is defined generally as ``governments of 
cities, towns, townships, villages, school districts, or special 
districts, with a population of less than fifty thousand.'' Census 
Bureau data for 2011 indicate that there were 90,056 local governmental 
jurisdictions in the United States. We estimate that, of this total, as 
many as 89,327 entities may qualify as ``small governmental 
jurisdictions.'' Thus, we estimate that most governmental jurisdictions 
are small.
2. Broadband Internet Access Service Providers
    415. The Economic Census places BIAS providers, whose services 
might include Voice over Internet Protocol (VoIP), in either of two 
categories, depending on whether the service is provided over the 
provider's own telecommunications facilities (e.g., cable and DSL 
ISPs), or over client-supplied telecommunications connections (e.g., 
dial-up ISPs). The former are within the category of Wired 
Telecommunications Carriers, which has an SBA small business size 
standard of 1,500 or fewer employees. These are also labeled 
``broadband.'' The latter are within the category of All Other 
Telecommunications, which has a size standard of annual receipts of 
$32.5 million or less. These are labeled non-broadband. According to 
Census Bureau data for 2012, there were 3,117 firms in the first 
category, total, that operated for the entire year. Of this total, 
3,083 firms had employment of 999 or fewer employees. For the second 
category, the data show that 1,442 firms operated for the entire year. 
Of those, 1,400 had annual receipts below $25 million per year. 
Consequently, we estimate that the majority of broadband Internet 
access service provider firms are small entities.
    416. The broadband Internet access service provider industry has 
changed since this definition was introduced in 2007. The data cited 
above may therefore include entities that no longer provide broadband 
Internet access service, and may exclude entities that now provide such 
service. To ensure that this FRFA describes the universe of small 
entities that our action affects, we discuss in turn several different 
types of entities that might be providing broadband Internet access 
service, which also overlap with entities providing other 
telecommunications services. We note that, although we have no specific 
information on the number of small entities that provide broadband 
Internet access service over unlicensed spectrum, we include these 
entities in our Final Regulatory Flexibility Analysis.
3. Wireline Providers
    417. Wired Telecommunications Carriers. The U.S. Census Bureau 
defines this industry as ``establishments primarily engaged in 
operating and/or providing access to transmission facilities and 
infrastructure that they own and/or lease for the transmission of 
voice, data, text, sound, and video using wired communications 
networks. Transmission facilities may be based on a single technology 
or a combination of technologies. Establishments in this industry use 
the wired telecommunications network facilities that they operate to 
provide a variety of services, such as wired telephony services, 
including VoIP services, wired (cable) audio and video programming 
distribution, and wired broadband internet services. By exception, 
establishments providing satellite television distribution services 
using facilities and infrastructure that they operate are included in 
this industry.'' The SBA has developed a small business size standard 
for Wired Telecommunications Carriers, which consists of all such 
companies having 1,500 or fewer employees. Census data for 2012 shows 
that there were 3,117 firms that operated that year. Of this total, 
3,083 operated with fewer than 1,000 employees. Thus, under this size 
standard, the majority of firms in this industry can be considered 
small.
    418. Local Exchange Carriers (LECs). Neither the Commission nor the 
SBA has developed a size standard for small businesses specifically 
applicable to local exchange services. The closest applicable NAICS 
Code category is Wired Telecommunications Carriers as defined in this 
FRFA. Under the applicable SBA size standard, such a business is small 
if it has 1,500 or fewer employees. According to Commission data, 
census data for 2012 shows that there were 3,117 firms that operated 
that year. Of this total, 3,083 operated with fewer than 1,000 
employees. The Commission therefore estimates that most providers of 
local exchange carrier service are small entities that may be affected 
by the rules adopted.
    419. Incumbent Local Exchange Carriers (Incumbent LECs). Neither 
the Commission nor the SBA has developed a small business size standard 
specifically for incumbent local exchange services. The closest 
applicable NAICS Code category is Wired Telecommunications Carriers as 
defined in this FRFA. Under that size standard, such a business is 
small if it has 1,500 or fewer employees. According to Commission data, 
3,117 firms operated in that year. Of this total, 3,083 operated with 
fewer than 1,000 employees. Consequently, the Commission estimates that 
most providers of incumbent local exchange service are small businesses 
that may be affected by the rules and policies adopted. Three hundred 
and seven (307) Incumbent Local Exchange Carriers reported that they 
were incumbent local exchange service providers. Of this total, an 
estimated 1,006 have 1,500 or fewer employees.
    420. Competitive Local Exchange Carriers (Competitive LECs), 
Competitive Access Providers (CAPs), Shared-Tenant Service Providers, 
and Other Local Service Providers. Neither the Commission nor the SBA 
has developed a small business size standard specifically for these 
service providers. The appropriate NAICS Code category is Wired 
Telecommunications Carriers, as defined in this FRFA. Under that size 
standard, such a business is small if it has 1,500 or fewer employees. 
U.S. Census data for 2012 indicate that 3,117 firms operated during 
that year. Of that number, 3,083 operated with fewer than 1,000 
employees. Based on this data, the Commission concludes that the 
majority of Competitive LECS, CAPs, Shared-Tenant Service Providers, 
and Other Local Service Providers, are small entities. According to 
Commission data, 1,442 carriers reported that they

[[Page 87335]]

were engaged in the provision of either competitive local exchange 
services or competitive access provider services. Of these 1,442 
carriers, an estimated 1,256 have 1,500 or fewer employees. In 
addition, 17 carriers have reported that they are Shared-Tenant Service 
Providers, and all 17 are estimated to have 1,500 or fewer employees. 
Also, 72 carriers have reported that they are Other Local Service 
Providers. Of this total, 70 have 1,500 or fewer employees. 
Consequently, based on internally researched FCC data, the Commission 
estimates that most providers of competitive local exchange service, 
competitive access providers, Shared-Tenant Service Providers, and 
Other Local Service Providers are small entities.
    421. We have included small incumbent LECs in this present RFA 
analysis. As noted above, a ``small business'' under the RFA is one 
that, inter alia, meets the pertinent small business size standard 
(e.g., a telephone communications business having 1,500 or fewer 
employees), and ``is not dominant in its field of operation.'' The 
SBA's Office of Advocacy contends that, for RFA purposes, small 
incumbent LECs are not dominant in their field of operation because any 
such dominance is not ``national'' in scope. We have therefore included 
small incumbent LECs in this RFA analysis, although we emphasize that 
this RFA action has no effect on Commission analyses and determinations 
in other, non-RFA contexts.
    422. Interexchange Carriers. Neither the Commission nor the SBA has 
developed a definition for Interexchange Carriers. The closest NAICS 
Code category is Wired Telecommunications Carriers as defined in this 
FRFA. The applicable size standard under SBA rules is that such a 
business is small if it has 1,500 or fewer employees. U.S. Census data 
for 2012 indicates that 3,117 firms operated during that year. Of that 
number, 3,083 operated with fewer than 1,000 employees. According to 
internally developed Commission data, 359 companies reported that their 
primary telecommunications service activity was the provision of 
interexchange services. Of this total, an estimated 317 have 1,500 or 
fewer employees. Consequently, the Commission estimates that the 
majority of interexchange service providers are small entities that may 
be affected by the rules adopted.
    423. Operator Service Providers (OSPs). Neither the Commission nor 
the SBA has developed a small business size standard specifically for 
operator service providers. The appropriate size standard under SBA 
rules is for the category Wired Telecommunications Carriers. Under that 
size standard, such a business is small if it has 1,500 or fewer 
employees. According to Commission data, 33 carriers have reported that 
they are engaged in the provision of operator services. Of these, an 
estimated 31 have 1,500 or fewer employees and two have more than 1,500 
employees. Consequently, the Commission estimates that the majority of 
OSPs are small entities that may be affected by these rules.
    424. Prepaid Calling Card Providers. Neither the Commission nor the 
SBA has developed a small business definition specifically for prepaid 
calling card providers. The most appropriate NAICS code-based category 
for defining prepaid calling card providers is Telecommunications 
Resellers. This industry comprises establishments engaged in purchasing 
access and network capacity from owners and operators of 
telecommunications networks and reselling wired and wireless 
telecommunications services (except satellite) to businesses and 
households. Establishments in this industry resell telecommunications; 
they do not operate transmission facilities and infrastructure. Mobile 
virtual networks operators (MVNOs) are included in this industry. Under 
the applicable SBA size standard, such a business is small if it has 
1,500 or fewer employees. U.S. Census data for 2012 show that 1,341 
firms provided resale services during that year. Of that number, 1,341 
operated with fewer than 1,000 employees. Thus, under this category and 
the associated small business size standard, the majority of these 
prepaid calling card providers can be considered small entities. 
According to Commission data, 193 carriers have reported that they are 
engaged in the provision of prepaid calling cards. All 193 carriers 
have 1,500 or fewer employees. Consequently, the Commission estimates 
that the majority of prepaid calling card providers are small entities 
that may be affected by the rules adopted.
    425. Local Resellers. Neither the Commission nor the SBA has 
developed a small business size standard specifically for Local 
Resellers. The SBA has developed a small business size standard for the 
category of Telecommunications Resellers. Under that size standard, 
such a business is small if it has 1,500 or fewer employees. Census 
data for 2012 show that 1,341 firms provided resale services during 
that year. Of that number, 1,341 operated with fewer than 1,000 
employees. Under this category and the associated small business size 
standard, the majority of these local resellers can be considered small 
entities. According to Commission data, 213 carriers have reported that 
they are engaged in the provision of local resale services. Of this 
total, an estimated 211 have 1,500 or fewer employees. Consequently, 
the Commission estimates that the majority of local resellers are small 
entities that may be affected by the rules adopted.
    426. Toll Resellers. The Commission has not developed a definition 
for Toll Resellers. The closest NAICS Code Category is 
Telecommunications Resellers, and the SBA has developed a small 
business size standard for the category of Telecommunications 
Resellers. Under that size standard, such a business is small if it has 
1,500 or fewer employees. Census data for 2012 show that 1,341 firms 
provided resale services during that year. Of that number, 1,341 
operated with fewer than 1,000 employees. Thus, under this category and 
the associated small business size standard, the majority of these 
resellers can be considered small entities. According to Commission 
data, 881 carriers have reported that they are engaged in the provision 
of toll resale services. Of this total, an estimated 857 have 1,500 or 
fewer employees. Consequently, the Commission estimates that the 
majority of toll resellers are small entities.
    427. Other Toll Carriers. Neither the Commission nor the SBA has 
developed a definition for small businesses specifically applicable to 
Other Toll Carriers. This category includes toll carriers that do not 
fall within the categories of interexchange carriers, operator service 
providers, prepaid calling card providers, satellite service carriers, 
or toll resellers. The closest applicable NAICS Code category is for 
Wired Telecommunications Carriers as defined in paragraph 6 of this 
FRFA. Under the applicable SBA size standard, such a business is small 
if it has 1,500 or fewer employees. Census data for 2012 shows that 
there were 3,117 firms that operated that year. Of this total, 3,083 
operated with fewer than 1,000 employees. Thus, under this category and 
the associated small business size standard, the majority of Other Toll 
Carriers can be considered small. According to internally developed 
Commission data, 284 companies reported that their primary 
telecommunications service activity was the provision of other toll 
carriage. Of these, an estimated 279 have 1,500 or fewer employees. 
Consequently, the Commission estimates that most Other Toll Carriers 
are small entities.

[[Page 87336]]

4. Wireless Providers--Fixed and Mobile
    428. The telecommunications services category covered by these 
rules may cover multiple wireless firms and categories of regulated 
wireless services. In addition, for those services subject to auctions, 
we note that, as a general matter, the number of winning bidders that 
claim to qualify as small businesses at the close of an auction does 
not necessarily represent the number of small businesses currently in 
service. Also, the Commission does not generally track subsequent 
business size unless, in the context of assignments and transfers or 
reportable eligibility events, unjust enrichment issues are implicated.
    429. Wireless Telecommunications Carriers (except Satellite). This 
industry comprises establishments engaged in operating and maintaining 
switching and transmission facilities to provide communications via the 
airwaves. Establishments in this industry have spectrum licenses and 
provide services using that spectrum, such as cellular services, paging 
services, wireless internet access, and wireless video services. The 
appropriate size standard under SBA rules is that such a business is 
small if it has 1,500 or fewer employees. For this industry, Census 
data for 2012 show that there were 967 firms that operated for the 
entire year. Of this total, 955 firms had fewer than 1,000 employees. 
Thus under this category and the associated size standard, the 
Commission estimates that the majority of wireless telecommunications 
carriers (except satellite) are small entities. Similarly, according to 
internally developed Commission data, 413 carriers reported that they 
were engaged in the provision of wireless telephony, including cellular 
service, Personal Communications Service (PCS), and Specialized Mobile 
Radio (SMR) services. Of this total, an estimated 261 have 1,500 or 
fewer employees. Thus, using available data, we estimate that the 
majority of wireless firms can be considered small.
    430. Wireless Communications Services. This service can be used for 
fixed, mobile, radiolocation, and digital audio broadcasting satellite 
uses. The Commission defined ``small business'' for the wireless 
communications services (WCS) auction as an entity with average gross 
revenues of $40 million for each of the three preceding years, and a 
``very small business'' as an entity with average gross revenues of $15 
million for each of the three preceding years. The SBA has approved 
these definitions.
    431. 1670-1675 MHz Services. This service can be used for fixed and 
mobile uses, except aeronautical mobile. An auction for one license in 
the 1670-1675 MHz band was conducted in 2003. One license was awarded. 
The winning bidder was not a small entity.
    432. Wireless Telephony. Wireless telephony includes cellular, 
personal communications services, and specialized mobile radio 
telephony carriers. As noted, the SBA has developed a small business 
size standard for Wireless Telecommunications Carriers (except 
Satellite). Under the SBA small business size standard, a business is 
small if it has 1,500 or fewer employees. According to Commission data, 
413 carriers reported that they were engaged in wireless telephony. Of 
these, an estimated 261 have 1,500 or fewer employees and 152 have more 
than 1,500 employees. Therefore, a little less than one third of these 
entities can be considered small.
    433. Broadband Personal Communications Service. The broadband 
personal communications services (PCS) spectrum is divided into six 
frequency blocks designated A through F, and the Commission has held 
auctions for each block. The Commission initially defined a ``small 
business'' for C- and F-Block licenses as an entity that has average 
gross revenues of $40 million or less in the three previous calendar 
years. For F-Block licenses, an additional small business size standard 
for ``very small business'' was added and is defined as an entity that, 
together with its affiliates, has average gross revenues of not more 
than $15 million for the preceding three calendar years. These small 
business size standards, in the context of broadband PCS auctions, have 
been approved by the SBA. No small businesses within the SBA-approved 
small business size standards bid successfully for licenses in Blocks A 
and B. There were 90 winning bidders that claimed small business status 
in the first two C-Block auctions. A total of 93 bidders that claimed 
small business status won approximately 40 percent of the 1,479 
licenses in the first auction for the D, E, and F Blocks. On April 15, 
1999, the Commission completed the reauction of 347 C-, D-, E-, and F-
Block licenses in Auction No. 22. Of the 57 winning bidders in that 
auction, 48 claimed small business status and won 277 licenses.
    434. On January 26, 2001, the Commission completed the auction of 
422 C and F Block Broadband PCS licenses in Auction No. 35. Of the 35 
winning bidders in that auction, 29 claimed small business status. 
Subsequent events concerning Auction 35, including judicial and agency 
determinations, resulted in a total of 163 C and F Block licenses being 
available for grant. On February 15, 2005, the Commission completed an 
auction of 242 C-, D-, E-, and F-Block licenses in Auction No. 58. Of 
the 24 winning bidders in that auction, 16 claimed small business 
status and won 156 licenses. On May 21, 2007, the Commission completed 
an auction of 33 licenses in the A, C, and F Blocks in Auction No. 71. 
Of the 12 winning bidders in that auction, five claimed small business 
status and won 18 licenses. On August 20, 2008, the Commission 
completed the auction of 20 C-, D-, E-, and F-Block Broadband PCS 
licenses in Auction No. 78. Of the eight winning bidders for Broadband 
PCS licenses in that auction, six claimed small business status and won 
14 licenses.
    435. Specialized Mobile Radio Licenses. The Commission awards 
``small entity'' bidding credits in auctions for Specialized Mobile 
Radio (SMR) geographic area licenses in the 800 MHz and 900 MHz bands 
to firms that had revenues of no more than $15 million in each of the 
three previous calendar years. The Commission awards ``very small 
entity'' bidding credits to firms that had revenues of no more than $3 
million in each of the three previous calendar years. The SBA has 
approved these small business size standards for the 900 MHz Service. 
The Commission has held auctions for geographic area licenses in the 
800 MHz and 900 MHz bands. The 900 MHz SMR auction began on December 5, 
1995, and closed on April 15, 1996. Sixty bidders claiming that they 
qualified as small businesses under the $15 million size standard won 
263 geographic area licenses in the 900 MHz SMR band. The 800 MHz SMR 
auction for the upper 200 channels began on October 28, 1997, and was 
completed on December 8, 1997. Ten bidders claiming that they qualified 
as small businesses under the $15 million size standard won 38 
geographic area licenses for the upper 200 channels in the 800 MHz SMR 
band. A second auction for the 800 MHz band was held on January 10, 
2002 and closed on January 17, 2002 and included 23 BEA licenses. One 
bidder claiming small business status won five licenses.
    436. The auction of the 1,053 800 MHz SMR geographic area licenses 
for the General Category channels began on August 16, 2000, and was 
completed on September 1, 2000. Eleven bidders won 108 geographic area 
licenses for the General Category channels in the 800

[[Page 87337]]

MHz SMR band and qualified as small businesses under the $15 million 
size standard. In an auction completed on December 5, 2000, a total of 
2,800 Economic Area licenses in the lower 80 channels of the 800 MHz 
SMR service were awarded. Of the 22 winning bidders, 19 claimed small 
business status and won 129 licenses. Thus, combining all four 
auctions, 41 winning bidders for geographic licenses in the 800 MHz SMR 
band claimed status as small businesses.
    437. In addition, there are numerous incumbent site-by-site SMR 
licenses and licensees with extended implementation authorizations in 
the 800 and 900 MHz bands. We do not know how many firms provide 800 
MHz or 900 MHz geographic area SMR service pursuant to extended 
implementation authorizations, nor how many of these providers have 
annual revenues of no more than $15 million. One firm has over $15 
million in revenues. In addition, we do not know how many of these 
firms have 1,500 or fewer employees, which is the SBA-determined size 
standard. We assume, for purposes of this analysis, that all of the 
remaining extended implementation authorizations are held by small 
entities, as defined by the SBA.
    438. Lower 700 MHz Band Licenses. The Commission previously adopted 
criteria for defining three groups of small businesses for purposes of 
determining their eligibility for special provisions such as bidding 
credits. The Commission defined a ``small business'' as an entity that, 
together with its affiliates and controlling principals, has average 
gross revenues not exceeding $40 million for the preceding three years. 
A ``very small business'' is defined as an entity that, together with 
its affiliates and controlling principals, has average gross revenues 
that are not more than $15 million for the preceding three years. 
Additionally, the lower 700 MHz Service had a third category of small 
business status for Metropolitan/Rural Service Area (MSA/RSA) 
licenses--``entrepreneur''--which is defined as an entity that, 
together with its affiliates and controlling principals, has average 
gross revenues that are not more than $3 million for the preceding 
three years. The SBA approved these small size standards. An auction of 
740 licenses (one license in each of the 734 MSAs/RSAs and one license 
in each of the six Economic Area Groupings (EAGs)) commenced on August 
27, 2002, and closed on September 18, 2002. Of the 740 licenses 
available for auction, 484 licenses were won by 102 winning bidders. 
Seventy-two of the winning bidders claimed small business, very small 
business or entrepreneur status and won a total of 329 licenses. A 
second auction commenced on May 28, 2003, closed on June 13, 2003, and 
included 256 licenses: 5 EAG licenses and 476 Cellular Market Area 
licenses. Seventeen winning bidders claimed small or very small 
business status and won 60 licenses, and nine winning bidders claimed 
entrepreneur status and won 154 licenses. On July 26, 2005, the 
Commission completed an auction of 5 licenses in the Lower 700 MHz band 
(Auction No. 60). There were three winning bidders for five licenses. 
All three winning bidders claimed small business status.
    439. In 2007, the Commission reexamined its rules governing the 700 
MHz band in the 700 MHz Second Report and Order. An auction of 700 MHz 
licenses commenced January 24, 2008 and closed on March 18, 2008, which 
included, 176 Economic Area licenses in the A Block, 734 Cellular 
Market Area licenses in the B Block, and 176 EA licenses in the E 
Block. Twenty winning bidders, claiming small business status (those 
with attributable average annual gross revenues that exceed $15 million 
and do not exceed $40 million for the preceding three years) won 49 
licenses. Thirty three winning bidders claiming very small business 
status (those with attributable average annual gross revenues that do 
not exceed $15 million for the preceding three years) won 325 licenses.
    440. Upper 700 MHz Band Licenses. In the 700 MHz Second Report and 
Order, the Commission revised its rules regarding Upper 700 MHz 
licenses. On January 24, 2008, the Commission commenced Auction 73 in 
which several licenses in the Upper 700 MHz band were available for 
licensing: 12 Regional Economic Area Grouping licenses in the C Block, 
and one nationwide license in the D Block. The auction concluded on 
March 18, 2008, with 3 winning bidders claiming very small business 
status (those with attributable average annual gross revenues that do 
not exceed $15 million for the preceding three years) and winning five 
licenses.
    441. 700 MHz Guard Band Licensees. In 2000, in the 700 MHz Guard 
Band Order, the Commission adopted size standards for ``small 
businesses'' and ``very small businesses'' for purposes of determining 
their eligibility for special provisions such as bidding credits and 
installment payments. A small business in this service is an entity 
that, together with its affiliates and controlling principals, has 
average gross revenues not exceeding $40 million for the preceding 
three years. Additionally, a very small business is an entity that, 
together with its affiliates and controlling principals, has average 
gross revenues that are not more than $15 million for the preceding 
three years. SBA approval of these definitions is not required. An 
auction of 52 Major Economic Area licenses commenced on September 6, 
2000, and closed on September 21, 2000. Of the 104 licenses auctioned, 
96 licenses were sold to nine bidders. Five of these bidders were small 
businesses that won a total of 26 licenses. A second auction of 700 MHz 
Guard Band licenses commenced on February 13, 2001, and closed on 
February 21, 2001. All eight of the licenses auctioned were sold to 
three bidders. One of these bidders was a small business that won a 
total of two licenses.
    442. Air-Ground Radiotelephone Service. The Commission has 
previously used the SBA's small business size standard applicable to 
Wireless Telecommunications Carriers (except Satellite), i.e., an 
entity employing no more than 1,500 persons. There are approximately 
100 licensees in the Air-Ground Radiotelephone Service, and under that 
definition, we estimate that almost all of them qualify as small 
entities under the SBA definition. For purposes of assigning Air-Ground 
Radiotelephone Service licenses through competitive bidding, the 
Commission has defined ``small business'' as an entity that, together 
with controlling interests and affiliates, has average annual gross 
revenues for the preceding three years not exceeding $40 million. A 
``very small business'' is defined as an entity that, together with 
controlling interests and affiliates, has average annual gross revenues 
for the preceding three years not exceeding $15 million. These 
definitions were approved by the SBA. In May 2006, the Commission 
completed an auction of nationwide commercial Air-Ground Radiotelephone 
Service licenses in the 800 MHz band (Auction No. 65). On June 2, 2006, 
the auction closed with two winning bidders winning two Air-Ground 
Radiotelephone Services licenses. Neither of the winning bidders 
claimed small business status.
    443. AWS Services (1710-1755 MHz and 2110-2155 MHz bands (AWS-1); 
1915-1920 MHz, 1995-2000 MHz, 2020-2025 MHz and 2175-2180 MHz bands 
(AWS-2); 2155-2175 MHz band (AWS-3)). For the AWS-1 bands, the 
Commission has defined a ``small business'' as an entity with average 
annual gross revenues for the preceding three years not exceeding $40 
million, and a ``very small business'' as an entity

[[Page 87338]]

with average annual gross revenues for the preceding three years not 
exceeding $15 million. For AWS-2 and AWS-3, although we do not know for 
certain which entities are likely to apply for these frequencies, we 
note that the AWS-1 bands are comparable to those used for cellular 
service and personal communications service. The Commission has not yet 
adopted size standards for the AWS-2 or AWS-3 bands but proposes to 
treat both AWS-2 and AWS-3 similarly to broadband PCS service and AWS-1 
service due to the comparable capital requirements and other factors, 
such as issues involved in relocating incumbents and developing 
markets, technologies, and services.
    444. 3650-3700 MHz band. In March 2005, the Commission released a 
Report and Order and Memorandum Opinion and Order that provides for 
nationwide, non-exclusive licensing of terrestrial operations, 
utilizing contention-based technologies, in the 3650 MHz band (i.e., 
3650-3700 MHz). As of April 2010, more than 1270 licenses have been 
granted and more than 7433 sites have been registered. The Commission 
has not developed a definition of small entities applicable to 3650-
3700 MHz band nationwide, non-exclusive licensees. However, we estimate 
that the majority of these licensees are Internet Access Service 
Providers (ISPs) and that most of those licensees are small businesses.
    445. Fixed Microwave Services. Microwave services include common 
carrier, private-operational fixed, and broadcast auxiliary radio 
services. They also include the Local Multipoint Distribution Service 
(LMDS), the Digital Electronic Message Service (DEMS), and the 24 GHz 
Service, where licensees can choose between common carrier and non-
common carrier status. At present, there are approximately 36,708 
common carrier fixed licensees and 59,291 private operational-fixed 
licensees and broadcast auxiliary radio licensees in the microwave 
services. There are approximately 135 LMDS licensees, three DEMS 
licensees, and three 24 GHz licensees. The Commission has not yet 
defined a small business with respect to microwave services. For 
purposes of the IRFA, we will use the SBA's definition applicable to 
Wireless Telecommunications Carriers (except satellite)--i.e., an 
entity with no more than 1,500 persons. Under the present and prior 
categories, the SBA has deemed a wireless business to be small if it 
has 1,500 or fewer employees. The Commission does not have data 
specifying the number of these licensees that have more than 1,500 
employees, and thus is unable at this time to estimate with greater 
precision the number of fixed microwave service licensees that would 
qualify as small business concerns under the SBA's small business size 
standard. Consequently, the Commission estimates that there are up to 
36,708 common carrier fixed licensees and up to 59,291 private 
operational-fixed licensees and broadcast auxiliary radio licensees in 
the microwave services that may be small and may be affected by the 
rules and policies adopted herein. We note, however, that the common 
carrier microwave fixed licensee category includes some large entities.
    446. Broadband Radio Service and Educational Broadband Service. 
Broadband Radio Service systems, previously referred to as Multipoint 
Distribution Service (MDS) and Multichannel Multipoint Distribution 
Service (MMDS) systems, and ``wireless cable,'' transmit video 
programming to subscribers and provide two-way high speed data 
operations using the microwave frequencies of the Broadband Radio 
Service (BRS) and Educational Broadband Service (EBS) (previously 
referred to as the Instructional Television Fixed Service (ITFS)). In 
connection with the 1996 BRS auction, the Commission established a 
small business size standard as an entity that had annual average gross 
revenues of no more than $40 million in the previous three calendar 
years. The BRS auctions resulted in 67 successful bidders obtaining 
licensing opportunities for 493 Basic Trading Areas (BTAs). Of the 67 
auction winners, 61 met the definition of a small business. BRS also 
includes licensees of stations authorized prior to the auction. At this 
time, we estimate that of the 61 small business BRS auction winners, 48 
remain small business licensees. In addition to the 48 small businesses 
that hold BTA authorizations, there are approximately 392 incumbent BRS 
licensees that are considered small entities. After adding the number 
of small business auction licensees to the number of incumbent 
licensees not already counted, we find that there are currently 
approximately 440 BRS licensees that are defined as small businesses 
under either the SBA or the Commission's rules.
    447. In 2009, the Commission conducted Auction 86, the sale of 78 
licenses in the BRS areas. The Commission offered three levels of 
bidding credits: (i) A bidder with attributed average annual gross 
revenues that exceed $15 million and do not exceed $40 million for the 
preceding three years (small business) received a 15 percent discount 
on its winning bid; (ii) a bidder with attributed average annual gross 
revenues that exceed $3 million and do not exceed $15 million for the 
preceding three years (very small business) received a 25 percent 
discount on its winning bid; and (iii) a bidder with attributed average 
annual gross revenues that do not exceed $3 million for the preceding 
three years (entrepreneur) received a 35 percent discount on its 
winning bid. Auction 86 concluded in 2009 with the sale of 61 licenses. 
Of the ten winning bidders, two bidders that claimed small business 
status won 4 licenses; one bidder that claimed very small business 
status won three licenses; and two bidders that claimed entrepreneur 
status won six licenses.
    448. In addition, the SBA's Cable Television Distribution Services 
small business size standard is applicable to EBS. There are presently 
2,436 EBS licensees. All but 100 of these licenses are held by 
educational institutions. Educational institutions are included in this 
analysis as small entities. Thus, we estimate that at least 2,336 
licensees are small businesses. Since 2007, Cable Television 
Distribution Services have been defined within the broad economic 
census category of Wired Telecommunications Carriers; that category is 
defined as follows: ``This industry comprises establishments primarily 
engaged in operating and/or providing access to transmission facilities 
and infrastructure that they own and/or lease for the transmission of 
voice, data, text, sound, and video using wired telecommunications 
networks. Transmission facilities may be based on a single technology 
or a combination of technologies.'' The SBA has developed a small 
business size standard for this category, which is: All such firms 
having 1,500 or fewer employees. To gauge small business prevalence for 
these cable services we must, however, use the most current census data 
that are based on the previous category of Cable and Other Program 
Distribution and its associated size standard; that size standard was: 
All such firms having $13.5 million or less in annual receipts. 
According to Census Bureau data for 2007, there were a total of 996 
firms in this category that operated for the entire year. Of this 
total, 948 firms had annual receipts of under $10 million, and 48 firms 
had receipts of $10 million or more but less than $25 million. Thus, 
the majority of these firms can be considered small.
5. Satellite Service Providers
    449. Satellite Telecommunications Providers. Two economic census

[[Page 87339]]

categories address the satellite industry. The first category has a 
small business size standard of $30 million or less in average annual 
receipts, under SBA rules. The second has a size standard of $30 
million or less in annual receipts.
    450. The category of Satellite Telecommunications ``comprises 
establishments primarily engaged in providing telecommunications 
services to other establishments in the telecommunications and 
broadcasting industries by forwarding and receiving communications 
signals via a system of satellites or reselling satellite 
telecommunications.'' For this category, Census Bureau data for 2012 
show that there were a total of 333 firms that operated for the entire 
year. Of this total, 299 firms had annual receipts of under $25 
million. Consequently, we estimate that the majority of Satellite 
Telecommunications firms are small entities that might be affected by 
our action.
    451. The second category of Other Telecommunications comprises, 
inter alia, ``establishments primarily engaged in providing specialized 
telecommunications services, such as satellite tracking, communications 
telemetry, and radar station operation. This industry also includes 
establishments primarily engaged in providing satellite terminal 
stations and associated facilities connected with one or more 
terrestrial systems and capable of transmitting telecommunications to, 
and receiving telecommunications from, satellite systems.'' For this 
category, census data for 2012 show that there were 1,442 firms that 
operated for the entire year. Of these firms, a total of 1,400 had 
gross annual receipts of less than $25 million. Thus, a majority of 
``All Other Telecommunications'' firms potentially affected by the 
rules adopted can be considered small.
6. Cable Service Providers
    452. Cable and Other Program Distributors. Since 2007, these 
services have been defined within the broad economic census category of 
Wired Telecommunications Carriers; that category is defined as follows: 
``This industry comprises establishments primarily engaged in operating 
and/or providing access to transmission facilities and infrastructure 
that they own and/or lease for the transmission of voice, data, text, 
sound, and video using wired telecommunications networks. Transmission 
facilities may be based on a single technology or a combination of 
technologies.'' The SBA has developed a small business size standard 
for this category, which is: All such firms having 1,500 or fewer 
employees. To gauge small business prevalence for these cable services 
we must, however, use current census data that are based on the 
previous category of Cable and Other Program Distribution and its 
associated size standard; that size standard was: All such firms having 
$13.5 million or less in annual receipts. According to Census Bureau 
data for 2007, there were a total of 2,048 firms in this category that 
operated for the entire year. Of this total, 1,393 firms had annual 
receipts of under $10 million, and 655 firms had receipts of $10 
million or more. Thus, the majority of these firms can be considered 
small.
    453. Cable Companies and Systems. The Commission has also developed 
its own small business size standards, for the purpose of cable rate 
regulation. Under the Commission's rules, a ``small cable company'' is 
one serving 400,000 or fewer subscribers, nationwide. Industry data 
shows that there were 1,141 cable companies at the end of June 2012. Of 
this total, all but ten cable operators nationwide are small under this 
size standard. In addition, under the Commission's rules, a ``small 
system'' is a cable system serving 15,000 or fewer subscribers. Current 
Commission records show 4,945 cable systems nationwide. Of this total, 
4,380 cable systems have less than 20,000 subscribers, and 565 systems 
have 20,000 or more subscribers, based on the same records. Thus, under 
this standard, we estimate that most cable systems are small entities.
    454. Cable System Operators. The Communications Act also contains a 
size standard for small cable system operators, which is ``a cable 
operator that, directly or through an affiliate, serves in the 
aggregate fewer than 1 percent of all subscribers in the United States 
and is not affiliated with any entity or entities whose gross annual 
revenues in the aggregate exceed $250,000,000.'' There are 
approximately 52,403,705 cable video subscribers in the United States 
today. Accordingly, an operator serving fewer than 524,037 subscribers 
shall be deemed a small operator if its annual revenues, when combined 
with the total annual revenues of all its affiliates, do not exceed 
$250 million in the aggregate. Based on available data, we find that 
all but nine incumbent cable operators are small entities under this 
size standard. We note that the Commission neither requests nor 
collects information on whether cable system operators are affiliated 
with entities whose gross annual revenues exceed $250 million. Although 
it seems certain that some of these cable system operators are 
affiliated with entities whose gross annual revenues exceed $250 
million, we are unable at this time to estimate with greater precision 
the number of cable system operators that would qualify as small cable 
operators under the definition in the Communications Act.
7. All Other Telecommunications
    455. ``All Other Telecommunications'' is defined as follows: This 
U.S. industry is comprised of establishments that are primarily engaged 
in providing specialized telecommunications services, such as satellite 
tracking, communications telemetry, and radar station operation. This 
industry also includes establishments primarily engaged in providing 
satellite terminal stations and associated facilities connected with 
one or more terrestrial systems and capable of transmitting 
telecommunications to, and receiving telecommunications from, satellite 
systems. Establishments providing Internet services or voice over 
Internet protocol (VoIP) services via client-supplied 
telecommunications connections are also included in this industry. The 
SBA has developed a small business size standard for ``All Other 
Telecommunications,'' which consists of all such firms with gross 
annual receipts of $32.5 million or less. For this category, census 
data for 2012 show that there were 1,442 firms that operated for the 
entire year. Of these firms, a total of 1,400 had gross annual receipts 
of less than $25 million. Thus, a majority of ``All Other 
Telecommunications'' firms potentially affected by the rules adopted 
can be considered small.

E. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements for Small Entities

    456. The Order adopts requirements concerning (1) the provision of 
meaningful notice of privacy policies; (2) customer approval for the 
use and disclosure of customer PI; (3) reasonable data security; (4) 
data breach notification; and (5) particular practices that raise 
privacy concerns. The rules we adopt in the Order will apply to all 
telecommunications carriers, including BIAS and voice service 
providers.
    457. Providing Meaningful Notice of Privacy Policies. We adopt 
privacy policy notice requirements for all telecommunications carriers, 
including small providers. We require telecommunications carriers to 
provide notices of privacy policies at the point of sale prior to the 
purchase of service, and also to make notices clearly, conspicuously, 
and persistently available on carriers' Web sites and via

[[Page 87340]]

carriers' apps that are used to manage service, if any. These notices 
must clearly inform customers about what customer proprietary 
information the providers collect, how they use it, and under what 
circumstances they share it. We also require that providers inform 
their customers about customers' rights to opt in to or out (as the 
case may be) of the use or sharing of their proprietary information. We 
require that privacy notices be clear, conspicuous, comprehensible, and 
not misleading; and written in the language with which the carrier 
transacts business with the customer; but we do not require that they 
be formatted in any specific manner. Finally, we require providers to 
give their customers advance notice of material changes to their 
privacy policies. We have declined to require periodic notice on an 
annual or bi-annual basis, similar to what the preexisting CPNI rules 
require.
    458. Customer Approval Requirements for the Use and Disclosure of 
Customer PI. We require carriers to obtain express, informed customer 
consent (i.e., opt-in approval) for the use and sharing of sensitive 
customer PI. With respect to non-sensitive customer PI, carriers must, 
at a minimum, provide their customers the ability to opt out of the 
carrier's use or sharing of that non-sensitive customer information. 
Carriers must also provide customers with easy access to a choice 
mechanism that is simple, easy-to-use, clearly and conspicuously 
disclosed, persistently available, and made available at no additional 
cost to the customer. We require telecommunications carriers to solicit 
customer approval at the point of sale, and permit further 
solicitations after the point of sale. We also require that carriers 
actively contact their customers in these subsequent solicitations, to 
ensure that customers are adequately informed. Finally, we require the 
solicitations to be clear and conspicuous, comprehensible, not 
misleading, and to contain the information necessary for a customer to 
make an informed choice. This means the solicitations must inform 
customers of the types of customer proprietary information that the 
carrier is seeking to use, disclose, or permit access to, how those 
types of information will be used or shared, and the categories of 
entities with which that information is shared. In order to maintain 
flexibility, we do not require particular formats or methods by which a 
carrier must communicate its solicitation of consent to customers.
    459. Our rules allow providers to use and disclose customer data 
without approval if the data is properly de-identified. This option 
gives providers carriers, including small providers, a way to use 
customer information that avoids both the risks associated with 
identifiable information and any compliance costs associated with 
obtaining customer approval.
    460. Reasonable Data Security. We require telecommunications 
carriers to take reasonable measures to secure customer PI. We decline 
to mandate specific activities that providers must undertake in order 
to meet this reasonableness requirement. We do, however, offer guidance 
on the types of data security practices we recommend carriers strongly 
consider as they seek to comply with our data security requirement, 
while recognizing that what constitutes ``reasonable'' data security is 
an evolving concept. When considering whether a carrier's data security 
practices are reasonable, we will weigh the nature and scope of the 
carrier's activities, the sensitivity of the underlying data, the size 
of the carrier, and technical feasibility. We recognize that the 
resources and data practices of small carriers are likely to be 
different from large carriers, and therefore what constitutes 
``reasonable'' data security for a small carrier and a large carrier 
may differ. The totality of the circumstances, and not any individual 
factor, is determinative of whether a carrier's practices are 
reasonable. By requiring providers to take reasonable data security 
measures, we make clear that providers will not be held strictly liable 
for all data breaches.
    461. Data Breach Notification Requirements. We require BIAS 
providers and other telecommunications carriers to notify affected 
customers, the Commission--and, when a breach affects 5,000 or more 
customers, the FBI and Secret Service--of data breaches that meet a 
harm-based trigger. In particular, a carrier must report the breach 
unless it reasonably determines that no harm to customers is reasonably 
likely to occur. Customer breach notifications must include the date, 
estimated date, or estimated date range of the breach; a description of 
the customer PI that was breached; contact information for the carrier; 
contact information for the FCC and any relevant state agencies; and 
information about credit-reporting agencies and steps customers can 
take to avoid identity theft. We also require providers to keep 
records, for two years, of the dates of breaches and the dates when 
customers are notified.
    462. When a reportable breach affects 5,000 or more customers, a 
provider must notify the Commission and the FBI and Secret Service 
within seven (7) business days of when the carrier reasonably 
determines that such a breach has occurred, and at least three (3) 
business days before notifying customers. The Commission will create a 
centralized portal for reporting breaches to the Commission and other 
federal law enforcement agencies. Carriers must notify affected 
customers without unreasonable delay, and no later than 30 calendar 
days following the carriers' reasonable determination that a breach has 
occurred, unless the FBI or Secret Service requests a further delay. 
When a reportable breach does not meet the 5,000-customer threshold for 
reporting to the FBI and Secret Service, the Commission may be notified 
of the breach within the same no-more-than-30-days timeframe as 
affected customers.
    463. Particular Practices That Raise Privacy Concerns. The Order 
prohibits BIAS providers from conditioning the provision of service on 
a customer's consenting to use or sharing of the customer's proprietary 
information over which our rules provide the consumer with a right of 
approval. However, the Order does not prohibit BIAS providers from 
offering financial incentives to permit the use or disclosure of such 
information. The Order requires BIAS providers offering such incentives 
to provide clear notice explaining the terms of any financial incentive 
program and to obtain opt-in consent. The notice must be clear and 
conspicuous and explained in a way that is comprehensible and not 
misleading. The explanation must include information about what 
customer PI the provider will collect, how it will be used, with what 
types of entities it will be shared, and for what purposes. BIAS 
providers must make financial incentive notices easily accessible and 
separate from any other privacy notifications. When a BIAS provider 
markets a service plan that involves an exchange of personal 
information for reduced pricing or other benefits, it must also provide 
at least as prominent information to customers about an equivalent plan 
that does not include such an exchange. BIAS providers must also comply 
with all notice requirements of our rules when providing a financial 
incentive notice.

F. Steps Take To Minimize the Significant Economic Impact on Small 
Entities and Significant Alternatives Considered

    464. The RFA requires an agency to describe any significant, 
specifically small business, alternatives that it has considered in 
reaching its proposed

[[Page 87341]]

approach, which may include the following four alternatives (among 
others): ``(1) The establishment of differing compliance or reporting 
requirements or timetables that take into account the resources 
available to small entities; (2) the clarification, consolidation, or 
simplification of compliance and reporting requirements under the rule 
for such small entities; (3) the use of performance rather than design 
standards; and (4) an exemption from coverage of the rule, or any part 
thereof, for such small entities.''
    465. The Commission considered the economic impact on small 
providers, as identified in comments filed in response to the NPRM and 
IRFA, in reaching its final conclusions and taking action in this 
proceeding. Moreover, in formulating these rules, we have sought to 
provide flexibility for small providers whenever possible, including by 
avoiding prescription of the specific practices carriers must follow to 
achieve compliance. Additionally, harmonizing our rules across all 
telecommunications services will reduce and streamline compliance costs 
for small carriers. We have also adopted a phased-in implementation 
schedule, under which small providers are given an extra twelve months 
to come into compliance with the notice and approval requirements we 
adopt today. As discussed below, we have designed the rules we adopt 
today with the goal of minimizing burdens on all carriers, and 
particularly on small carriers.
    466. Providing Meaningful Notice of Privacy Policies. Recognizing 
the importance of flexibility in finding successful ways to communicate 
privacy policies to consumers, we decline to adopt any specific form or 
format for privacy notices. We adopt rules that require providers to 
disclose their privacy practices, but decline to be prescriptive about 
either the format or specific content of privacy policy notices in 
order to provide flexibility to providers and to minimize the burden of 
compliance levied by this requirement. In the interest of further 
minimizing the burden of transparency, particularly for small 
providers, we also direct the Consumer Advisory Committee to develop a 
model privacy policy notice that will serve as a safe harbor for our 
notice requirements. We also decline to adopt specific notice 
requirements in mobile formats and we decline to require periodic 
notices of privacy practices.
    467. Customer Approval Requirements for the Use and Disclosure of 
Customer PI. In formulating customer approval requirements we have 
taken specific actions to reduce burdens on small carriers. First, as 
requested by small carriers and other commenters, we harmonize the 
voice and BIAS customer approval regimes into one set of rules. Second, 
we do not require carriers to provide a ``privacy dashboard'' for 
customer approvals; carriers may use any choice mechanism that is easy 
to use, persistently available, and clearly and conspicuously provided. 
This reduces the need for small carriers to develop specific customer 
service architecture. Third, we decline to require a specific format 
for accepting customer privacy choices and therefore allow carriers, 
particularly small carriers, that lack sophisticated Web sites or apps 
to accept customer choices through other means, such as by email or 
phone, so long as these means are persistently available. Fourth, we 
eliminate the periodic compliance documentation and reporting 
requirements that create recordkeeping burdens in our pre-existing CPNI 
rules. To further reduce compliance burdens, we have clarified that 
choice solicitations may be combined a carrier's other privacy policy 
notices.
    468. Reasonable Data Security. In the NPRM we proposed rules that 
included an overarching data security expectation and specified 
particular types of practices that carriers would need to implement to 
comply with that standard, while allowing carriers flexibility in 
implementing the proposed requirements. Based on the record in this 
proceeding, we have modified the overarching data security standard to 
more directly focus on reasonableness of the carriers' data security 
practices based on the particulars of the carrier's situation. Also 
based on the record, we decline to mandate specific activities that 
carriers must undertake in order to meet the reasonable data security 
requirement. We do, however, offer guidance on the types of data 
security practices we recommend carriers strongly consider as they seek 
to comply with our data security requirement--recognizing, of course, 
that what constitutes ``reasonable'' data security is an evolving 
concept. This guidance should be of particular benefit to smaller 
providers that may have less established data security programs. Also, 
our rule directs all providers--including small providers--to adopt 
contextually appropriate security practices. Contextual factors 
specified in the rule include the size of the provider and nature and 
scope of its activities. In including such factors, we take into 
account small providers' concerns that certain security measures that 
may be appropriate for larger carriers, such as having a dedicated 
official to oversee data security implementation, are likely beyond the 
needs and resources of the smallest carriers.
    469. Data Breach Notification Requirements. In formulating our data 
breach rules, we specifically considered their impact on small carriers 
and crafted rules designed to balance the burdens on small carriers 
with the privacy and information security needs of those carriers' 
customers. First, our adoption of a harm-based trigger substantially 
reduces compliance burdens on small carriers by not requiring excessive 
notifications and by granting carriers the flexibility to focus their 
limited resources on preventing and ameliorating breaches, rather than 
issuing notifications for inconsequential events. The record shows that 
because small carriers tend to collect and use customer data far less 
extensively than larger carriers, they are less likely to have breaches 
that would trigger the notification requirements of our rules. Second, 
our customer notification timeline also provides small carriers with 
greater flexibility; allowing up to 30 days to notify customers of a 
breach allows small carriers with fewer resources more time to 
investigate than the 10 days originally proposed. Third, we are 
creating a centralized portal for reporting data breaches to the 
Commission and law enforcement. This will streamline the notification 
process, which particularly reduces burdens on small carriers with 
fewer staff dedicated to breach mitigation. Finally, for breaches 
affecting fewer than 5,000 customers, we extend the Commission 
notification deadline from seven (7) business days to thirty (30) 
calendar days. This provision will significantly reduce compliance 
burdens for small carriers, many of whom have fewer than 5,000 
customers.
    470. Implementation. To provide certainty to customers and carriers 
alike, we establish a timeline by which carriers must implement the 
privacy rules we adopt today. Carriers that have complied with FTC and 
industry best practices will be well-positioned to achieve prompt 
compliance with our privacy rules. We recognize, however, that 
carriers, especially small carriers, will need some time to update 
their internal business processes as well as their customer-facing 
privacy policies and choice mechanisms in order to come into compliance 
with some of our rules.
    471. The notice and choice rules we adopt today will become 
effective the later of (1) eight weeks after

[[Page 87342]]

announcement PRA approval, or (12) twelve months after the Commission 
publishes a summary of the Order in the Federal Register. Carriers will 
need to analyze the new, harmonized privacy rules as well as coordinate 
with various business segments and vendors, and update programs and 
policies. Carriers will also need to engage in consumer outreach and 
education. These implementation steps will take time and we find, as 
supported in the record, that twelve months after publication of the 
Order in the Federal Register is an adequate minimum implementation 
period to implement the new notice and approval rules. In order to 
minimize disruption to carriers' business practices, we do not require 
carriers to obtain new consent from all their customers. Rather, we 
treat as valid or ``grandfather'' any customer consent that was 
obtained prior to the effective date of our rules and thus is 
consistent with our new requirements. We decline to more broadly 
grandfather preexisting consents obtained by small carriers because we 
find that the parameters set forth in our rules create the appropriate 
balance to limit compliance costs while providing customers the privacy 
protections they need.
    472. The data breach rule we adopt today will become effective the 
later of (1) eight weeks after announcement PRA approval, or (2) six 
months after the Commission publishes a summary of the Order in the 
Federal Register. Although we recognize that carriers may have to 
modify practices and policies to implement our new rule, we find the 
harm trigger we adopt and timeline for notifying customers lessen the 
implementation requirements. Moreover, harmonization of our data breach 
rule for BIAS and voice services enable providers to streamline their 
notification processes, which should also lessen carriers' need for 
implementation time. Given these steps to minimize compliance burdens, 
we find six months is an adequate minimum timeframe.
    473. The data security requirements we adopt today will become 
effective 90 days after publication of a summary of the Order in the 
Federal Register. We find this to be an appropriate implementation 
period for the data security requirements because carriers should 
already be largely in compliance with these requirements because the 
reasonableness standard adopted in this Order provides carriers 
flexibility in how to approach data security and resembles the 
obligation to which they were previously subject pursuant to section 5 
of the FTC Act. We therefore do not think the numerous steps outlined 
by commenters that would have been necessary to comply with the data 
security proposals in the NPRM apply to the data security rules we 
adopt.
    474. The prohibition on conditioning offers to provider BIAS on a 
customer's agreement to waive privacy rights will become effective 30 
days after publication of a summary of the Order in the Federal 
Register. We find that unlike other privacy rules, consumers should 
benefit from this prohibition promptly. We find no basis for any delay 
in the effective date of this important protection. All other privacy 
rules adopted in the Order will be effective 30 days after publication 
of a summary of the Order in the Federal Register. We also adopt a 
uniform implementation timetable for both BIAS and other 
telecommunications services.
    475. To provide additional flexibility to small carriers, we give 
small carriers an additional twelve months to implement the notice and 
customer approval rules we adopt today. We find that an additional one-
year phase-in will allow small providers time to make the necessary 
investments to implement these rules. The record reflects that small 
providers have comparatively limited resources and rely extensively on 
vendors over which they have limited leverage to compel adoption of new 
requirements. We recognize our notice and choice framework may entail 
upfront costs for small carriers. As such, we find that this limited 
extension is appropriate.
    476. We have considered, but opt against, providing small providers 
with even longer or broader extension periods, or with exemptions from 
the rules, as some commenters suggest. In part, this is because the 
measures we have taken to reduce burdens for small providers have in 
many cases mitigated commenters' specific concerns. For instance, we 
find that we have addressed small provider concerns about the adoption 
of specific security requirements, such as annual risk assessments, by 
adopting a data security rule that does not prescribe any such 
requirements. Moreover, as advocated by small providers, we adopt a 
customer choice framework that distinguishes between sensitive and non-
sensitive customer information, as well as decline to mandate a 
customer-facing dashboard to help manage their implementation and 
compliance costs. Furthermore, we find that our data breach 
notification requirements and ``take-it-or-leave-it'' prohibition do 
not require implementation extension for small providers as compliance 
with these protections should not be costly for small carriers that 
generally collect less customer information and use customer 
information for narrower purposes.
    Report to Congress: The Commission will send a copy of the Order, 
including this FRFA, in a report to be sent to Congress pursuant to the 
Congressional Review Act. In addition, the Commission will send a copy 
of the Order, including this FRFA, to the Chief Counsel for Advocacy of 
the SBA. A copy of the Order and FRFA (or summaries thereof) will also 
be published in the Federal Register.

VII. Ordering Clauses

    477. Accordingly, it is ordered that, pursuant to sections 1, 2, 
4(i)-(j), 201, 202, 222, 303(b), 303(r), 316, 338(i), 631, and 705 of 
the Communications Act of 1934, as amended, and Section 706 of the 
Telecommunications Act of 1996, as amended, 47 U.S.C. 151, 152, 154(i)-
(j), 201, 202, 222, 303(b), 303(r), 316, 338(i), 551, 605, 1302, this 
Report and Order is adopted.
    478. It is further ordered that part 64 of the Commission's rules 
IS AMENDED as set forth in Appendix A.
    479. It is further ordered that the data security requirements set 
forth in new 47 CFR 64.2005 shall be effective 90 days after 
publication in the Federal Register.
    480. It is further ordered that, except as set forth in the prior 
paragraph, this Report and Order shall be effective 30 days after date 
of publication of a summary in the Federal Register, except that the 
amendments to 47 CFR 64.2003, 64.2004, 64.2006, and 64.2011(b), which 
contain new or modified information collection requirements that 
require approval by the Office of Management and Budget under the 
Paperwork Reduction Act, will become effective after the Commission 
publishes a notice in the Federal Register announcing such approval and 
the relevant effective date. It is our intention in adopting the 
foregoing Report and Order that, if any provision of the Report and 
Order or the rules, or the application thereof to any person or 
circumstance, is held to be unlawful, the remaining portions of such 
Report and Order and the rules not deemed unlawful, and the application 
of such Report and Order and the rules to other person or 
circumstances, shall remain in effect to the fullest extent permitted 
by law.
    481. It is further ordered that the Commission's Consumer & 
Governmental Affairs Bureau, Reference Information Center, shall send a 
copy of this Report and Order to Congress and the Government 
Accountability Office pursuant to the Congressional Review Act, see 5 
U.S.C. 801(a)(1)(A).

[[Page 87343]]

    482. It is further ordered that the Commission's Consumer & 
Governmental Affairs Bureau, Reference Information Center, SHALL SEND a 
copy of this Report and Order, including the Final Regulatory 
Flexibility Analysis, to the Chief Counsel for Advocacy of the Small 
Business Administration.

List of Subjects in 47 CFR Part 64

    Claims, Communications common carriers, Computer technology, 
Credit, Foreign relations, Individuals with disabilities, Political 
candidates, Radio, Reporting and recordkeeping requirements, 
Telecommunications, Telegraph, Telephone.

Federal Communications Commission.
Marlene H. Dortch,
Secretary.

Final Rules

    For the reasons discussed in the preamble, the Federal 
Communications Commission amends 47 CFR part 64 as follows:

PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

0
1. The authority citation for part 64 is revised to read as follows:

    Authority: 47 U.S.C. 154, 254(k), 403, Pub. L. 104-104, 110 
Stat. 56. Interpret or apply 47 U.S.C. 201, 202, 218, 222, 225, 226, 
227, 228, 254(k), 301, 303, 332, 338, 551, 616, 620, 705, 1302, and 
the Middle Class Tax Relief and Job Creation Act of 2012, Pub. L. 
112-96, unless otherwise noted.

0
2. In part 64, revise subpart U to read as follows:
Subpart U--Protecting Customer Information
Sec.
64.2001 Basis and purpose.
64.2002 Definitions.
64.2003 Notice requirements for telecommunications carriers.
64.2004 Customer approval.
64.2005 Data security.
64.2006 Data breach notification.
64.2010 Business customer exemption for provision of 
telecommunications services other than BIAS.
64.2011 BIAS offers conditioned on waiver of privacy rights.
64.2012 Effect on State law.

Subpart U--Protecting Customer Information


Sec.  64.2001   Basis and purpose.

    (a) Basis. The rules in this subpart are issued pursuant to the 
Communications Act of 1934, as amended.
    (b) Purpose. The purpose of the rules in this subpart is to 
implement section 222 of the Communications Act of 1934, as amended, 47 
U.S.C. 222.


Sec.  64.2002  Definitions.

    The following definitions apply to this subpart.
    (a) Broadband Internet access service (BIAS). The term ``broadband 
Internet access service'' or ``BIAS'' has the same meaning given to 
such term in section 8.2(a) of this chapter.
    (b) Broadband Internet Access service provider. The term 
``broadband Internet access service provider'' or ``BIAS provider'' 
means a person engaged in the provision of BIAS.
    (c) Breach of security. The terms ``breach of security,'' 
``breach,'' or ``data breach,'' mean any instance in which a person, 
without authorization or exceeding authorization, has gained access to, 
used, or disclosed customer proprietary information.
    (d) Call detail information. Any information that pertains to the 
transmission of specific telephone calls, including, for outbound 
calls, the number called, and the time, location, or duration of any 
call and, for inbound calls, the number from which the call was placed, 
and the time, location, or duration of any call.
    (e) Customer. A customer of a telecommunications carrier is:
    (1) A current or former subscriber to a telecommunications service; 
or
    (2) An applicant for a telecommunications service.
    (f) Customer proprietary information. The term ``customer 
proprietary information'' or ``customer PI'' means any of the following 
a carrier acquires in connection with its provision of 
telecommunications service:
    (1) Individually identifiable customer proprietary network 
information (CPNI);
    (2) Personally identifiable information (PII); and
    (3) Content of communications.
    (g) Customer proprietary network information (CPNI). The term 
``customer proprietary network information'' or ``CPNI'' has the same 
meaning given to such term in section 222(h)(1) of the Communications 
Act of 1934, as amended, 47 U.S.C. 222(h)(1).
    (h) Interconnected Voice over Internet Protocol (VoIP) Service. The 
term ``interconnected VoIP service'' has the same meaning given to such 
term in Sec.  9.3 of this chapter.
    (i) Material change. The term ``material change'' means any change 
that a customer, acting reasonably under the circumstances, would 
consider important to his or her decisions regarding his or her 
privacy, including any change to information required by the privacy 
notice described in Sec.  64.2003.
    (j) Opt-in approval. A method for obtaining customer consent to 
use, disclose, or permit access to the customer's proprietary 
information. This approval method requires that the carrier obtain from 
the customer affirmative, express consent allowing the requested usage, 
disclosure, or access to the customer proprietary information after the 
customer is provided appropriate notification of the carrier's request 
consistent with the requirements set forth in this subpart.
    (k) Opt-out approval. A method for obtaining customer consent to 
use, disclose, or permit access to the customer's proprietary 
information. Under this approval method, a customer is deemed to have 
consented to the use, disclosure, or access to the customer's 
proprietary information if the customer has failed to object thereto 
after the customer is provided appropriate notification of the 
carrier's request for consent consistent with the requirements set 
forth in this subpart.
    (l) Person. The term ``person'' has the same meaning given such 
term in section 3 of the Communications Act of 1934, as amended, 47 
U.S.C. 153.
    (m) Personally identifiable information (PII). The term 
``personally identifiable information'' or ``PII'' means any 
information that is linked or reasonably linkable to an individual or 
device.
    (n) Sensitive customer proprietary information. The terms 
``sensitive customer proprietary information'' or ``sensitive customer 
PI'' include:
    (1) Financial information;
    (2) Health information;
    (3) Information pertaining to children;
    (4) Social Security numbers;
    (5) Precise geo-location information;
    (6) Content of communications;
    (7) Call detail information; and
    (8) Web browsing history, application usage history, and the 
functional equivalents of either.
    (o) Telecommunications carrier or carrier. The terms 
``telecommunications carrier'' or ``carrier'' shall have the same 
meaning as set forth in section 3 of the Communications Act of 1934, as 
amended, 47 U.S.C. 153. For the purposes of this subpart, the term 
``telecommunications carrier'' or ``carrier'' shall include a person 
engaged in the provision of interconnected VoIP service, as that term 
is defined in paragraph (h) of this section.
    (p) Telecommunications service. The term ``telecommunications 
service'' has the same meaning given to such term in section 3 of the 
Communications Act of 1934, as amended, 47 U.S.C. 153. For the purposes 
of this subpart, the term ``telecommunications service'' shall include 
interconnected VoIP service, as

[[Page 87344]]

that term is defined in paragraph (h) of this section.


Sec.  64.2003  Notice requirements for telecommunications carriers.

    (a) A telecommunications carrier must notify its customers of its 
privacy policies. Such notice must be clear and conspicuous, and in 
language that is comprehensible and not misleading.
    (b) Contents. A telecommunications carrier's notice of its privacy 
policies under paragraph (a) must:
    (1) Specify and describe the types of customer proprietary 
information that the telecommunications carrier collects by virtue of 
its provision of telecommunications service and how it uses that 
information;
    (2) Specify and describe under what circumstances the 
telecommunications carrier discloses or permits access to each type of 
customer proprietary information that it collects;
    (3) Specify and describe the categories of entities to which the 
carrier discloses or permits access to customer proprietary information 
and the purposes for which the customer proprietary information will be 
used by each category of entities;
    (4) Specify and describe customers' opt-in approval and/or opt-out 
approval rights with respect to their customer proprietary information, 
including:
    (i) That a customer's denial or withdrawal of approval to use, 
disclose, or permit access to customer proprietary information will not 
affect the provision of any telecommunications services of which he or 
she is a customer; and
    (ii) That any grant, denial, or withdrawal of approval for the use, 
disclosure, or permission of access to the customer proprietary 
information is valid until the customer affirmatively revokes such 
grant, denial, or withdrawal, and inform the customer of his or her 
right to deny or withdraw access to such proprietary information at any 
time.
    (5) Provide access to a mechanism for customers to grant, deny, or 
withdraw approval for the telecommunications carrier to use, disclose, 
or provide access to customer proprietary information as required by 
Sec.  64.2004;
    (6) Be completely translated into a language other than English if 
the telecommunications carrier transacts business with the customer in 
that language.
    (c) Timing. Notice required under paragraph (a) of this section 
must:
    (1) Be made available to prospective customers at the point of 
sale, prior to the purchase of service, whether such point of sale is 
in person, online, over the telephone, or via another means; and
    (2) Be made persistently available through: A clear and conspicuous 
link on the telecommunications carrier's homepage; the carrier's 
application (app), if it provides one for account management purposes; 
and any functional equivalent to the carrier's homepage or app. If a 
carrier does not have a Web site, it must provide notice to customers 
in paper form or another format agreed upon by the customer.
    (d) Material changes to a telecommunications carrier's privacy 
policies. A telecommunications carrier must provide existing customers 
with advance notice of one or more material changes to the carrier's 
privacy policies. Such notice must be clear and conspicuous, and in 
language that is comprehensible and not misleading, and must:
    (1) Be provided through email or another means of active 
communication agreed upon by the customer;
    (2) Specify and describe:
    (i) The changes made to the telecommunications carrier's privacy 
policies, including any changes to what customer proprietary 
information the carrier collects, and how it uses, discloses, or 
permits access to such information, the categories of entities to which 
it discloses or permits access to customer proprietary information, and 
which, if any, changes are retroactive; and
    (ii) Customers' opt-in approval and/or opt-out approval rights with 
respect to their customer proprietary information, including the 
material specified in paragraph (b)(4) of this section;
    (3) Provide access to a mechanism for customers to grant, deny, or 
withdraw approval for the telecommunications carrier to use, disclose, 
or permit access to customer proprietary information as required by 
Sec.  64.2004; and
    (4) Be completely translated into a language other than English if 
the telecommunications carrier transacts business with the customer in 
that language.


Sec.  64.2004   Customer approval.

    Except as described in paragraph (a) of this section, a 
telecommunications carrier may not use, disclose, or permit access to 
customer proprietary information except with the opt-out or opt-in 
approval of a customer as described in this section.
    (a) Limitations and exceptions. A telecommunications carrier may 
use, disclose, or permit access to customer proprietary information 
without customer approval for the following purposes:
    (1) In its provision of the telecommunications service from which 
such information is derived, or in its provision of services necessary 
to, or used in, the provision of such service.
    (2) To initiate, render, bill, and collect for telecommunications 
service.
    (3) To protect the rights or property of the telecommunications 
carrier, or to protect users of the telecommunications service and 
other providers from fraudulent, abusive, or unlawful use of the 
service.
    (4) To provide any inbound marketing, referral, or administrative 
services to the customer for the duration of a real-time interaction, 
if such interaction was initiated by the customer.
    (5) To provide location information and/or non-sensitive customer 
proprietary information to:
    (i) A public safety answering point, emergency medical service 
provider or emergency dispatch provider, public safety, fire service, 
or law enforcement official, or hospital emergency or trauma care 
facility, in order to respond to the user's request for emergency 
services;
    (ii) Inform the user's legal guardian or members of the user's 
immediate family of the user's location in an emergency situation that 
involves the risk of death or serious physical harm; or
    (iii) Providers of information or database management services 
solely for purposes of assisting in the delivery of emergency services 
in response to an emergency.
    (6) As otherwise required or authorized by law.
    (b) Opt-out approval required. Except as otherwise provided in this 
section, a telecommunications carrier must obtain opt-out approval from 
a customer to use, disclose, or permit access to any of the customer's 
non-sensitive customer proprietary information. If it so chooses, a 
telecommunications carrier may instead obtain opt-in approval from a 
customer to use, disclose, or permit access to any of the customer's 
non-sensitive customer proprietary information.
    (c) Opt-in approval required. Except as otherwise provided in this 
section, a telecommunications carrier must obtain opt-in approval from 
a customer to:
    (1) Use, disclose, or permit access to any of the customer's 
sensitive customer proprietary information; or
    (2) Make any material retroactive change--i.e., a material change 
that would result in a use, disclosure, or permission of access to any 
of the customer's proprietary information previously collected by the 
carrier for which the customer did not previously grant approval, 
either through opt-in or opt-out consent, as required by paragraphs (b) 
and (c) of this section.

[[Page 87345]]

    (d) Notice and solicitation required. (1) Except as described in 
paragraph (a) of this section, a telecommunications carrier must at a 
minimum solicit customer approval pursuant to paragraph (b) and/or (c), 
as applicable, at the point of sale and when making one or more 
material changes to privacy policies. Such solicitation may be part of, 
or the same communication as, a notice required by Sec.  64.2003.
    (2) A telecommunications carrier's solicitation of customer 
approval must be clear and conspicuous, and in language that is 
comprehensible and not misleading. Such solicitation must disclose:
    (i) The types of customer proprietary information for which the 
carrier is seeking customer approval to use, disclose, or permit access 
to;
    (ii) The purposes for which such customer proprietary information 
will be used;
    (iii) The categories of entities to which the carrier intends to 
disclose or permit access to such customer proprietary information; and
    (iv) A means to easily access the notice required by Sec.  
64.2003(a) and a means to access the mechanism required by paragraph 
(e) of this section.
    (3) A telecommunications carrier's solicitation of customer 
approval must be completely translated into a language other than 
English if the telecommunications carrier transacts business with the 
customer in that language.
    (e) Mechanism for exercising customer approval. A 
telecommunications carrier must make available a simple, easy-to-use 
mechanism for customers to grant, deny, or withdraw opt-in approval 
and/or opt-out approval at any time. Such mechanism must be clear and 
conspicuous, in language that is comprehensible and not misleading, and 
made available at no additional cost to the customer. Such mechanism 
must be persistently available on or through the carrier's Web site; 
the carrier's application (app), if it provides one for account 
management purposes; and any functional equivalent to the carrier's 
homepage or app. If a carrier does not have a Web site, it must provide 
a persistently available mechanism by another means such as a toll-free 
telephone number. The customer's grant, denial, or withdrawal of 
approval must be given effect promptly and remain in effect until the 
customer revokes or limits such grant, denial, or withdrawal of 
approval.


Sec.  64.2005   Data security.

    (a) A telecommunications carrier must take reasonable measures to 
protect customer PI from unauthorized use, disclosure, or access.
    (b) The security measures taken by a telecommunications carrier to 
implement the requirement set forth in this section must appropriately 
take into account each of the following factors:
    (1) The nature and scope of the telecommunications carrier's 
activities;
    (2) The sensitivity of the data it collects;
    (3) The size of the telecommunications carrier; and
    (4) Technical feasibility.
    (c) A telecommunications carrier may employ any lawful security 
measures that allow it to implement the requirement set forth in this 
section.


Sec.  64.2006   Data breach notification.

    (a) Customer notification. A telecommunications carrier shall 
notify affected customers of any breach without unreasonable delay and 
in any event no later than 30 calendar days after the carrier 
reasonably determines that a breach has occurred, subject to law 
enforcement needs, unless the telecommunications carrier can reasonably 
determine that no harm to customers is reasonably likely to occur as a 
result of the breach.
    (1) A telecommunications carrier required to provide notification 
to a customer under this paragraph must provide such notice by one or 
more of the following methods:
    (i) Written notification sent to either the customer's email 
address or the postal address on record of the customer, or, for former 
customers, to the last postal address ascertainable after reasonable 
investigation using commonly available sources; or
    (ii) Other electronic means of active communications agreed upon by 
the customer for contacting that customer for data breach notification 
purposes.
    (2) The customer notification required to be provided under this 
paragraph must include:
    (i) The date, estimated date, or estimated date range of the breach 
of security;
    (ii) A description of the customer PI that was breached or 
reasonably believed to have been breached;
    (iii) Information the customer can use to contact the 
telecommunications carrier to inquire about the breach of security and 
the customer PI that the telecommunications carrier maintains about 
that customer;
    (iv) Information about how to contact the Federal Communications 
Commission and any state regulatory agencies relevant to the customer 
and the service; and
    (v) If the breach creates a risk of financial harm, information 
about the national credit-reporting agencies and the steps customers 
can take to guard against identity theft, including any credit 
monitoring, credit reporting, credit freezes, or other consumer 
protections the telecommunications carrier is offering customers 
affected by the breach of security.
    (b) Commission notification. A telecommunications carrier must 
notify the Commission of any breach affecting 5,000 or more customers 
no later than seven business days after the carrier reasonably 
determines that a breach has occurred and at least three business days 
before notification to the affected customers, unless the 
telecommunications carrier can reasonably determine that no harm to 
customers is reasonably likely to occur as a result of the breach. A 
telecommunications carrier must notify the Commission of any breach 
affecting fewer than 5,000 customers without unreasonable delay and no 
later than thirty (30) calendar days after the carrier reasonably 
determines that a breach has occurred, unless the telecommunications 
carrier can reasonably determine that no harm to customers is 
reasonably likely to occur as a result of the breach. Such notification 
shall be made through a central reporting system made available by the 
Commission.
    (c) Federal law enforcement notification. A telecommunications 
carrier must notify the Federal Bureau of Investigation (FBI) and the 
U.S. Secret Service (Secret Service) of a breach that affects 5,000 or 
more customers no later than seven business days after the carrier 
reasonably determines that such a breach has occurred and at least 
three business days before notification to the affected customers, 
unless the telecommunications carrier can reasonably determine that no 
harm to customers is reasonably likely to occur as a result of the 
breach. Such notification shall be made through a central reporting 
system made available by the Commission.
    (d) Recordkeeping. A telecommunications carrier shall maintain a 
record, electronically or in some other manner, of any breaches and 
notifications made to customers, unless the telecommunications carrier 
can reasonably determine that no harm to customers is reasonably likely 
to occur as a result of the breach. The record must include the dates 
on which the carrier determines that a reportable

[[Page 87346]]

breach has occurred and the dates of customer notification. The record 
must include a written copy of all customer notifications. Carriers 
shall retain the record for a minimum of two years from the date on 
which the carrier determines that a reportable breach has occurred.


Sec.  64.2010   Business customer exemption for provision of 
telecommunications services other than BIAS.

    Telecommunications carriers may bind themselves contractually to 
privacy and data security regimes other than those described in this 
subpart for the provision of telecommunications services other than 
BIAS to enterprise customers if the carrier's contract with that 
customer specifically addresses the issues of transparency, choice, 
data security, and data breach and provides a mechanism for the 
customer to communicate with the carriers about privacy and data 
security concerns.


Sec.  64.2011   BIAS offers conditioned on waiver of privacy rights.

    (a) A BIAS provider must not condition, or effectively condition, 
provision of BIAS on a customer's agreement to waive privacy rights 
guaranteed by law or regulation, including this subpart. A BIAS 
provider must not terminate service or otherwise refuse to provide BIAS 
as a direct or indirect consequence of a customer's refusal to waive 
any such privacy rights.
    (b) A BIAS provider that offers a financial incentive, such as 
lower monthly rates, in exchange for a customer's approval to use, 
disclose, and/or permit access to the customer's proprietary 
information must do all of the following:
    (1) Provide notice explaining the terms of any financial incentive 
program that is clear and conspicuous, and in language that is 
comprehensible and not misleading. Such notice must be provided both at 
the time the program is offered and at the time a customer elects to 
participate in the program. Such notice must:
    (i) Explain that the program requires opt-in approval to use, 
disclose, and/or permit access to customer PI;
    (ii) Include information about what customer PI the provider will 
collect, how it will be used, and with what categories of entities it 
will be shared and for what purposes;
    (iii) Be easily accessible and separate from any other privacy 
notifications, including but not limited to any privacy notifications 
required by this subpart;
    (iv) Be completely translated into a language other than English if 
the BIAS provider transacts business with the customer in that 
language; and
    (v) Provide at least as prominent information to customers about 
the equivalent service plan that does not necessitate the use, 
disclosure, or access to customer PI beyond that required or permitted 
by law or regulation, including under this subpart.
    (2) Obtain customer opt-in approval in accordance with Sec.  
64.2004(c) for participation in any financial incentive program.
    (3) If customer opt-in approval is given, the BIAS provider must 
make available a simple, easy-to-use mechanism for customers to 
withdraw approval for participation in such financial incentive program 
at any time. Such mechanism must be clear and conspicuous, in language 
that is comprehensible and not misleading, and must be persistently 
available on or through the carrier's Web site; the carrier's 
application (app), if it provides one for account management purposes; 
and any functional equivalent to the carrier's homepage or app. If a 
carrier does not have a Web site, it must provide a persistently 
available mechanism by another means such as a toll-free telephone 
number.


Sec.  64.2012   Effect on State law.

    The rules set forth in this subpart shall preempt any State law 
only to the extent that such law is inconsistent with the rules set 
forth herein and only if the Commission has affirmatively determined 
that the State law is preempted on a case-by-case basis. The Commission 
shall not presume that more restrictive State laws are inconsistent 
with the rules set forth herein.
[FR Doc. 2016-28006 Filed 12-1-16; 8:45 am]
 BILLING CODE 6712-01-P