SEATTLE (Legal Newsline) – Broadband internet access providers regulated by the Federal Communications Commission (FCC) should be focused on proposed regulations, as they will have significant impacts on business practices if passed, according to a senior associate at Orrick.
Last month, the FCC closed the comment period for its proposed privacy regulations, raising the question of whether the final regulations would be broader, narrower or stricter. In addition, companies that are subject to the new regulations are preparing themselves for tighter FCC Enforcement Bureau scrutiny of broad data collection and handling practices.
“I think that companies that do business with them, like data analytics companies, ad networks and marketing service providers all need to be aware of the regulations as well so that they can pivot their business models when it comes to these FCC-regulated entities,” Sam Castic, senior associate at Orrick, told Legal Newsline.
“So they can [then] understand the implications of boilerplate contractual language that imposes obligations on them to comply with applicable laws.”
The FCC’s Open Internet order reclassified broadband internet access service as a telecommunications service that is subject to Title II of the Communications Act. Previously, broadband internet access service was not subject to Title II and, therefore, the FCC would not have had the statutory basis it relies on for these regulations.
As proposed, the regulations broadly define personal information to include IP addresses, MAC addresses, cookie information, traffic statistics and application usage information that are typically viewed in the U.S. as non-personally identifying information.
Castic says access to and the use of personal information will have a number of additional requirements such as:
-Mandatory opt-in requirements before the information can be used to help third party market products or services;
-Opt-out requirements before it can be used to market similar communications-related services;
-Robust record-keeping about the use and disclosures of personal information; and
-Restrictions on how aggregate information can be used or shared.
He added there will also be new requirements for data security programs, mandated employee and vendor training and some of the strictest data breach notification obligations in the country.
“The ultimately adopted regulations may differ, but it isn’t a sure thing that they will be weaker,” he said. “In fact, the FCC requested comment on a number of matters, which if addressed in the regulations, could make it even stricter.”
Will there be an increase in class action lawsuits?
With the proposed FCC privacy regulations Castic says organizations should consider the possibility of consumer and class action litigation in evaluating the risk landscape.
Under the Communications Act, there is a provision that sets forth a private right of action for damages sustained from the acts prohibited or declared unlawful under the act or from failures to do things required under the act.
Specifically, Section 206 of the Communications Act provides that common carriers, which also includes broadband providers subject to the FCC’s privacy regulations, could be liable to any person injured for the “full amount of damages sustained.”
“The private right of action also includes an attorney fees provision, and the Supreme Court has already interpreted the provisions to allow for private rights of action for violations of regulations issued by the FCC pursuant to the Act,” Castic said.
A provision of Section 207 allows individuals to “bring suit for the recovery of the damages for which [the] common carrier may be liable” in any federal district court for violations of the chapter.
“As these regulations will include broad new privacy and data protection requirements that did not exist before, and as they will be issued pursuant to an act with a private right of action, it’s likely that lawsuits will be brought for violations of the regulations,” Castic said.