The Federal Communications Commission has issued new privacy regulations for Internet service providers (ISPs) such as Comcast, Time Warner Cable, Cox and Optimum. FCC Chairman Tom Wheeler noted that most people do not realize that ISPs collect information on the websites they visit and the applications they use. Internet providers use this data for targeted advertising.
The proposed rules define three ways in which ISPs can use a customer’s personal data. Some data may be used to provide broadband services and public safety, following assumed consent in the contract for broadband services. Broadband providers would also be allowed to use customer data for marketing other communications-related services, and to share customer data with their affiliates if the subscribers don’t opt out of this form of sharing. Opt-in would be required for all other uses and sharing of consumer data, requiring express consent from customers.
This action is unprecedented because the Federal Trade Commission (FTC) was the agency considered to be the government’s top watchdog on privacy issues. Now, the FCC is acting because it has broader leverage to create binding obligations on ISPs compared to the more limited ability of the FTC.
While most enterprises will also not be directly impacted by these FCC rules, they still matter. Enterprises may benefit from reduced tracking of employees’ online activity, and these new rules require notification if the ISPs experience a security breach. Most importantly, these rules establish new expectations that the enterprises must abide by.
In terms of those expectations, the FCC proposal will require ISPs to provide customers with “clear, conspicuous and persistent notice” about what information they “collect, use and share with third parties.” Enterprises need to apply the same approach to mobile policy, data that resides on mobile devices, and employee usage. Employees should be provided with “clear, conspicuous and persistent notice” of these three areas.
New employees should gain their first exposure to enterprise mobile policy as part of the onboarding experience. Employees need to understand who owns the data on corporate devices and how that data is managed. They also need to understand that usage management will include tracking of mobile data usage and voice calls, with some privacy protections for specific phone numbers that are called. As policies evolve, employees should also receive information as they put in new device or change in service requests.
Finally, sending periodic intranet or email tips that address policy and cost avoidance techniques can help ensure that the enterprise provides “clear, conspicuous and persistent notice.” This will go a long way to managing employee expectations and avoiding misunderstandings that can lead to lawsuits.