Broadband Privacy Rules Nullified; Previous Privacy Rules Remain in Effect
On April 3, 2017, President Trump signed a Joint Resolution of congressional disapproval of the broadband privacy rules adopted late last year by the FCC in its Broadband Privacy Order (“Order”). As a result, the broadband privacy rules were nullified and no longer have any force or effect.
Broadband Internet Access Service (“BIAS”) providers are no longer required to comply with the Order’s data security, customer notice and choice, and data breach notification requirements, nor are voice and VoIP providers subject to the revised privacy rules from the Order.
BIAS providers are now only subject to the customer privacy provisions in Section 222 of the Communications Act and voice and VoIP providers remain subject to existing privacy rules under Section 222, which includes rules addressing protection of customer proprietary network information (“CPNI”). However, the FCC eliminated the requirements for recordkeeping and annual certification in the Order. It is not yet clear whether the FCC will reinstate certification and recordkeeping requirements, but we will keep you apprised of any developments in this regard.
As a reminder, the CPNI rules applicable to voice and VoIP providers require providers to: 1) have safeguards to protect the use of, disclosure of, and access to CPNI, which includes, among other things, training personnel on when they are and are not authorized to use CPNI, and having a system for obtaining customer approval to use their CPNI; 2) comply with notice and approval provisions for use, disclosure, and access to CPNI, which includes written notification to customers and obtaining customer approval for the use of their CPNI; and 3) notify law enforcement of breaches of customers’ CPNI.