The FCC voted today to order new privacy rules impacting regulated ISPs. FCC Chairman Tom Wheeler heralded the new rules as empowering consumers. “What this item does is to say that the consumer has the right to make a decision about how her or his information is used,” Wheeler said, later adding, “before today, there were no protections.”
The rules, expected to be released publicly after the FCC finalizes outstanding revisions, will require ISPs to protect and secure personal information of customers through a variety of new ongoing compliance requirements. In particular, ISPs will be required to obtain opt-in consent for using or sharing sensitive data, including precise geolocation, children’s information, health information, financial information, social security numbers, web browsing history, app usage history, and the content of communications.
Businesses impacted by the new FCC privacy rules have a number of tasks before them:
- Analyze the FCC privacy order to develop a long-term compliance plan
- Scrutinize past contracts and vendor agreements for compliance of data flows with new privacy rules
- Revise internal privacy practices and rewrite public privacy policies
- Review preparation for potential data breaches and readiness for data breach remediation
- Review products and services for adherence to best practices on privacy engineering / privacy by design
- Consider appointing a privacy officer, which can include an outside or internal appointee
- Conduct privacy impact assessments and other operational tasks to determine and reduce risk
Today’s FCC rules apply uniquely to FCC-regulated entities. These rules differ from those imposed by the Federal Trade Commission, or sector-specific laws on health privacy (HIPAA) or financial privacy (GLBA). As your business considers its next steps to comply with today’s new FCC rules, consider hiring a privacy lawyer who knows FCC compliance.