
On December 2, 2016, the Federal Communications Commission (“FCC”) published its Report and Order entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (the “Order”) as a final rule in the Federal Register, adopting rules applicable to Internet service providers (“ISPs”) intended to protect the privacy of broadband consumers. Despite the publication of the rules in the Federal Register, uncertainty remains regarding when ISPs must be in compliance with some of these newly established privacy obligations. Although the rules are effective January 3, 2017, the FCC has made exceptions to the January 3, 2017 effective date for provisions which have not yet been approved by the Office of Management and Budget (“OMB”).[1] This includes many of the operative provisions of the new rules regarding ISPs’ data collection and use. Once such provisions are approved by the OMB, notice will be published in the Federal Register announcing their approval and corresponding effective dates.

Despite the uncertainty regarding the effective dates of many sections, the publication of the Order puts ISPs on notice of the new rules, and ISPs should begin revising their practices so that they are able to meet the earliest possible effective dates. Here is what ISPs need to know regarding compliance with the new rules:

On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law:

  1. Under the current law, businesses and agencies that own or license computerized data including personal information about a Washington resident must disclose any breach in the security of the system involving such personal information that is unencrypted. H.B. 1078 expands this requirement to include:
    • both computerized and hard copy data that contain personal information that is not “secured;” and
    • encrypted information when the person gaining unauthorized access to the data had access to the encryption key or an alternative means of deciphering the “secured” data. The amendment also provides a standard for encryption.

On January 23, 2015, Senior Attorney Lesley Fair at the Federal Trade Commission (“FTC”) published a post on the agency’s business blog clarifying how the Children’s Online Privacy Protection Act (“COPPA”) applies to schools. COPPA seeks to protect the privacy of children by allowing parents to control what personal information about their children under the age of thirteen may be collected by “operators” of websites or online services, including apps, that are either directed to children or that knowingly collect personally identifiable information from children. Subject to certain regulatory exceptions, the entities covered by COPPA must notify parents and obtain consent before collecting, using, or disclosing any personal information from children under thirteen.