CJ!initro ~mtrs ~rnatr 
WASHINGTON, DC 20510 
The Honorable Tom Wheeler 
Chairman 
Federal Communications Commission 
445 121h Street SW 
Washington, DC 20554 
Dear Chairman Wheeler: 
July 7, 2016 
The FCC has nearly thirty years of experience protecting the privacy of telecommunications 
customers who have no choice but to share highly personal information about themselves in 
order to obtain essential telecommunications services. Against the backdrop of the privacy 
framework that the FCC developed in the 1980s, Congress passed the bipartisan 
Telecommunications Act of 1996 and granted the FCC expansive authority to adopt enforceable 
rules that require common carriers to protect the proprietary information of customers. 
Current rules ensure that consumers' personal information cannot be sold to the highest bidder 
without consumer consent. These rules honor Americans' expectation of privacy in personal 
communications and foster trust in essential networks that promote unhindered speech and 
association. The rules also help prevent companies with few competitors from abusing the 
personal information of consumers to gain an anticompetitive advantage in other markets. 
These rules must be extended to broadband. In 2016, broadband access is no longer a luxury; it 
is now as essential as phone service. Like the phone companies of the twentieth century, internet 
service providers (ISPs) are gatekeepers that control the infrastructure that Americans depend on 
to access vital applications and services. They provide a critical service that allows consumers to 
access information and communicate across town and around the globe. An ISP has a duty to 
protect the privacy of consumers who use the company's wired and wireless infrastructure to 
connect to the world. 
Last year, the FCC reclassified broadband as a telecommunications service under Title II of the 
Communications Act and adopted rules to protect the open internet, and last month the D.C. 
Circuit Court of Appeals upheld this reclassification. As part of reclassification, the Commission 
wisely chose to apply Section 222 of Title II to broadband, extending the duty to protect the 
privacy of information that ISPs collect about their customers by virtue of the carrier-customer 
relationship. 
In March, the FCC voted to advance a rulemaking to extend privacy rules to broadband. We 
strongly support the Commission's Notice of Proposed Rulemaking, and believe that this 
framework will strengthen the privacy protections for consumers' personal information. As the 
FCC finalizes these rules, we urge you to carefully consider the following: 
1. Definition of customer proprietary information (customer Pl) - We are pleased that 
the FCC has proposed privacy protections for a comprehensive definition of customer PI, 
554
July 7, 2016 
Page 2of4 
which includes a vast array of sensitive and private customer information. Every click a 
consumer makes online paints a detailed picture of their personal and professional lives, 
and this sensitive information should be protected by strong privacy standards. We 
support the proposed definition of customer PI, which includes private information such 
as internet usage, online activities, and broadband service payments. 
2. Definition of customer - Private information that consumers have no choice but to share 
with their ISP does not stop being private when they switch ISPs. We applaud the 
Commission for applying protections for current and former broadband subscribers. 
3. Transparency - Consumers ought to be able to know at any time what kind of 
information their ISP is collecting about them and how this information is being used. 
We support the Commission's proposed privacy dashboard and believe that it would 
ensure that ISPs are accurately laying out data collection policies in standardized forms 
that are easy for consumers to access, read and understand. We also agree that privacy 
notices should be prominently displayed at the point-of-sale and through a link on the 
ISP's website. 
4. Consumer consent - ISPs should be required to get affirmative express consent before 
using and sharing their customers' proprietary information. Customer information ought 
not be shared beyond the extent necessary for the ISP to deliver the requested service to 
the consumer. 
• We believe that ISPs should gain affirmative express consent from consumers before 
using or sharing information beyond what is needed to deliver service and manage its 
networks. This includes sharing information with affiliates. Therefore, we support 
requiring ISPs to obtain customers' opt-in approval before giving customer PI to third 
parties or affiliates. We also encourage the Commission to require ISPs to secure 
opt-in approval for activities not instrumental to delivering internet services, 
including marketing. 
• The use of broadband should not be conditioned upon consumer consent for the 
collection, use or sharing of information beyond that which is necessary to deliver 
service. For example, a consumer should not be required to click through a form that 
requires the consumer to forfeit privacy protections as a condition to gaining access to 
a service. We support the Commission's proposal to prohibit ISPs from making 
access to services conditional on a customer agreeing to relinquish their customer Pl. 
• Consumers should not have to pay an ISP an additional amount in order to protect 
their privacy. Not only is a pay-for-privacy standard counter to ou.r nation's core 
principle that all Americans have a fundamental right to privacy, but it also may 
disproportionately harm low-income consumers, the elderly, and other vulnerable 
populations. Privacy is not a luxury, so we encourage you to prevent ISPs from 
charging consumers to keep their proprietary information private. 
5. Data security and timely notification of breaches - Strong data security measures are 
needed to protect consumers' information from external and internal unauthorized access. 
July 7, 2016 
Page 3of 4 
If a network or database is breached in a manner that could compromise the consumer's 
privacy or cause the consumer harm, ISPs must notify consumers about the breach and 
any actions that consumers could take to mitigate potential harm from the breach. Thus, 
we support efforts by the Commission to develop strong and effective data security 
protections and breach notification requirements. 
• Data minimization: ISPs should not only apply strong data security measures to 
protec;t the sensitive customer information they hold, but they should also minimize 
the amount of customer information they collect and only retain that data for limited 
periods of time to help reduce the harms that could be caused by a breach. We urge 
the Commission to require ISPs to minimize data collection and limit data retention. 
• Deep packet inspection: Deep packet inspection (DPI) involves analyzing internet 
traffic beyond the minimum needed to route a specific data packet. DPI could be 
used for marketing purposes and would be a clear violation of consumers' privacy 
rights. We encourage the Commission to prohibit ISPs from using DPI for marketing 
purposes. 
6. Clear complaint processes - We encourage the Commission to ensure that both ISPs 
and the FCC have clear, user-friendly, easily accessible and responsive complaint 
processes for consumers who have evidence or reason to believe their privacy has been 
violated. 
7. Parity between wireless and wireline - Consumers' privacy should be protected 
regardless of whether a consumer uses a cellular network, Wi-Fi, or a wireline connection 
to access the internet. We encourage the Commission to maintain parity between the 
privacy obligations of fixed and mobile broadband. 
8. Prohibition of mandatory arbitration clauses - Mandatory arbitration clauses 
requiring consumers to resolve disputes through arbitration rather than the traditional 
judicial process are both unfair and unreasonable. We encourage the Commission to 
prohibit ISPs from including mandatory arbitration clauses in their contracts. 
Thank you for your attention to this important matter. We encourage you to complete this 
crucial rulemaking without delay. 
Sincerely, 
k?/a ... -.~ 
Richard Blumenthal 
United States Senator 
July 7, 2016 
Page 4 of 4 
Al Franken 
United States Senator 
I 
United States Senator United States Senator