Otherwise FCC Should Adopt Targeted Exemptions And Extensions For Small Providers
PITTSBURGH, May 31, 2016 – Very troubled by the Federal Communications Commission’s proposed privacy and data security rules for broadband Internet access service (BIAS), the American Cable Association is proposing that the FCC base any new privacy and data security rules on the flexible framework that ACA and other industry associations submitted to the FCC in advance of the proceeding. Alternatively, if the FCC moves ahead with its prescriptive ex ante framework, ACA is asking it to adopt a range of targeted exemptions and extensions for small providers to prevent excessive and intrusive regulation.
“ACA members have worked strenuously to preserve the trust of their consumers through reasonable privacy and data security protections, and have achieved an excellent record of compliance under the Federal Trade Commission’s flexible, principles-based privacy regime that has governed all entities operating in the broadband ecosystem for years. Why mess around with something that is not broken?” ACA President and CEO Matthew M. Polka said.
ACA’s policy recommendations came in connection with a sweeping FCC rulemaking designed to apply new layers of regulation upon BIAS providers in a manner that departs dramatically from the FTC’s successful “unfair or deceptive acts or practices” standard of Section 5 of the FTC Act, which governs the rest of the Internet ecosystem.
In the comments, ACA said that as an initial matter, the FCC does not have authority to adopt its proposed BIAS privacy and data security rules. Even if it did, the scope of its authority is not broad enough to adopt all of the rules proposed. ACA called upon the FCC to abandon its proposed rules, and adopt a framework consistent with the proposal that ACA and others submitted to FCC Chairman Tom Wheeler by letter on March 1, 2016.
“The rules proposed by the FCC in its Notice of Proposed Rulemaking would impose onerous, costly, and unnecessary privacy and data security regulations that would harm competition, investment, innovation, and the customer-carrier relationship,” ACA’s Polka said. “These burdens would be particularly onerous for small providers.”
ACA said the burdens of the FCC’s proposed rules would include, but not be limited to:
- Attorney and consultant costs associated with regulatory analysis, contract negotiation, risk management assessments, and preparing required policies, forms, training, and audits;
- Development and implementation costs associated with data security controls, website policies, and customer approval tracking systems;
- Personnel costs associated with dedicated privacy and data security staff;
- Costs associated with all aspects of providing required notices and follow-up;
- Third-party costs associated with modifying contracts and ensuring compliance for call centers, billing software, and others that interface with customer information; and
- Opportunity costs associated with diverting scarce resources from innovation and infrastructure deployment to regulatory compliance.
If the FCC goes forward with a prescriptive ex ante regime, ACA believes the FCC should adopt targeted exemptions and implementation extensions for small providers consistent with similar privacy regimes. The FCC should also rationalize and streamline its proposed rules to ease the burden on small providers. Specifically, ACA called on the FCC to:
- Exempt small providers from the specific “minimum” data security requirements that it sets forth in proposed Section 64.7005(a);
- Exempt small providers from the more onerous elements of its customer approval framework by grandfathering existing customer consents and exempting small providers from the requirement to obtain additional approval where they do not share sensitive personal information with third parties for marketing purposes;
- Exempt small providers from several elements of the FCC’s proposed data breach notification rule (as applied to both voice services and BIAS) by exempting small providers from the specific notification standards in favor of an “as soon as reasonably practicable” standard; and
- Exempt small providers from any customer dashboard requirements that it adopts pursuant to its notice and choice regulations.
Regardless of the exemptions that the FCC adopts, ACA urged the FCC to extend the effective dates for small providers to comply with any new privacy and data security rules by at least one year beyond any general compliance deadline. ACA is also asking the FCC, at the same time it adopts any Order, to issue a further rulemaking that seeks comment on the burdens of its adopted privacy rules on smaller ISPs and whether further deadline extensions or exemptions are necessary.
“Consumers don’t need the FCC to dramatically redesign rules that have well protected consumers. Based on numerous interviews with ACA members, it appears that the most common complaint from customers about privacy and data security is that the existing rules-which require consumers to receive, read, and respond to multiple notices and approval forms based on each service-are too confusing and burdensome, with few if any complaints about the sufficiency of ACA members’ practices,” ACA’s Polka said. “The FCC’s proposed rules will compound this problem.”
About the American Cable Association: Based in Pittsburgh, the American Cable Association is a trade organization representing nearly 750 smaller and medium-sized, independent cable companies who provide broadband services for nearly 7 million cable subscribers primarily located in rural and smaller suburban markets across America. Through active participation in the regulatory and legislative process in Washington, D.C., ACA’s members work together to advance the interests of their customers and ensure the future competitiveness and viability of their business. For more information, visit https://acaconnects.org/.