Subscriber Privacy

PROTECTION of
CABLE SUBSCRIBER PRIVACY AND INFORMATION

The MHCRC held a public hearing on June 19, 2006 to consider the need for proposed amendments to existing MHCRC cable customer service standards. Following the hearing, the MHCRC asked staff to draft proposed language for further MHCRC consideration. The MHCRC asked staff to gather information on other privacy laws and policies, including laws applicable to telecommunications providers such as Qwest and Verizon. At its December 11, 2006 meeting, the MHCRC considered whether or not the MHCRC should proceed with developing stronger privacy protections under the existing customer service standards and, if yes, what the protections would include. The MHCRC concluded that staff should discontinue further work on drafting privacy policy amendments to the customer service standards at this time. For a complete history of the discussion click here.

Why did the MHCRC solicit public comment?

Although cable subscribers have certain privacy protections under federal law (47 U.S.C. 551), the 1984 cable privacy law is now more than twenty years old and was written prior to the advent of the Internet. With identity thefts on the rise — and public concern continuing over unauthorized disclosure and use of personal information, the issue of privacy continues to be intensely debated. In light of these circumstances as well as the public interest issues at stake, the MHCRC was considering recommending a higher level of privacy protection for cable subscribers’ personally identifiable information. The MHCRC sought input on the following specific privacy topics, as well as general comments, in relation to Comcast’s existing Privacy Policy. Comcast's 2006 Cable Television Privacy Policy (View en espanol). The MHCRC held the Hearing record on this matter open through close of business Friday, June 30.

What are the specific privacy topics?

Should the circumstances under which the cable operator can disclose personal subscriber information to outside 3rd parties be defined?
Background: Under current federal law, the cable operator can disclose personal subscriber information to 3rd parties without advance subscriber authorization “if necessary to render or conduct a legitimate business activity related to a cable service or other service provided by the cable operator to the subscriber.” Business activities that are “necessary” or “legitimate” are undefined.

Should the “opt out” procedure be strengthened or made easier or more visible?
Background: The cable operator’s “opt-out” procedure enables subscribers (by calling a 1-800 number) to act to limit or prevent disclosure of only their name and mailing address to direct mail and marketing lists.

Should prior notice to subscribers be required before private information is disclosed to 3rd parties for any reason?
Background: Currently, the cable operator can release, without notice to subscribers, personal information to 3rd parties for the purposes of “legitimate business activity” related to the cable service or related services. Business activities that are “necessary” or “legitimate” are undefined.

Should subscribers be notified subsequent to any release of their private information to 3rd parties?
Background: There is no current requirement for such subsequent notification.

Should there be a fixed time limit on when the cable operator must destroy personal subscriber data which is no longer necessary?
Background: There is currently no specific time limit on how long a cable operator can retain personal subscriber data which may no longer be necessary.

Should the cable operator be required to provide periodic reports regarding the timing and nature of any disclosure of personal subscriber information to third parties?
Background: There is no current requirement that the cable operator provide periodic public reports on its disclosure of personal subscriber information to 3rd parties, to whom the disclosure was made, when, and for what purpose.

Should the cable operator be required to give subscribers access to their personal information (on file with the cable operator) within a set period of time and at a location within the franchise area?
Background: Current law requires the cable operator to provide its subscribers access to their private information at reasonable times and places, and the opportunity to correct errors, but the circumstances of the access are entirely defined by the cable operator.

Should violation of local privacy provisions be actionable by individual citizens?
Background: Current Federal law allows an individual citizen to bring a court action if aggrieved by a violation of the federal privacy provisions. There is no parallel requirement for violation of local privacy protections.

What is the history of MHCRC involvement on this issue?

The MHCRC strenuously objected to Comcast's privacy policy sent to local cable subscribers in April 2003. The MHCRC identified that the policy as revised (from the prior AT&T Broadband policy) appeared to enlarge, rather than limit, the ability of the company to share personally identifiable information ("PII") with third parties outside the company.

Reasons for MHCRC/subscriber concern:

The use of vague language such "as otherwise necessary" and the enlargement of the list of potential third parties appeared to expand the intended scope of Comcast's use of PII outside the company beyond anything stated or understood in the prior AT&T policy.
The "opt-out" provision, which is limited only to release of a subscriber's name and address to third parties, and does not limit Comcast's release to third parties of other highly sensitive PII (such as email address, telephone number, social security number, bank account and credit card information, etc.) is set forth in the revised privacy policy in a confusing and internally contradictory manner. As such, it is not likely, in the MHCRC's opinion, to be understood by the average subscriber.
The MHCRC, on behalf of concerned citizens, remains concerned that the policy may not be consistent with applicable MHCRC franchise privacy requirements.
On an operational level, the MHCRC received numerous complaints and concerns about the policy from alarmed subscribers, many of whom report an inability on the part of Comcast to adequately respond to their concerns when the subscriber contacted the 1-800-COMCAST telephone number listed in the revised notice.

2003-2004 Correspondence and advocacy history:
MHCRC Letter to Comcast June 25, 2003 (.pdf)
Comcast Reply Letter July 25, 2003 (.pdf)
Comcast Letter - September 29, 2003 (.pdf)
MHCRC letter to Comcast October 20, 2003 (.pdf)
Comcast Letter - January 20, 2004 (.pdf)
Comcast 2004 Privacy Policy (.pdf)

Based largely on the MHCRC’s objections and its efforts to protect subscribers’ personal information, Comcast revised the format of its policy to improve readability of its policy. The MHCRC participated in a national committee to advocate changes to Comcast’s policy.

The MHCRC continues to engage in discussions regarding the drafting of a local privacy policy narrower than the current federal policy, with a particular view toward narrowing the cable business activity exception (in a manner similar to, e.g., the approach taken by the City of Seattle) and with a view to closing any possible loopholes that may exist in the federal statute (which was written long before the Internet phenomenon).

2005 The MHCRC checks in with Comcast on the continued protection of subscriber privacy:

MHCRC Letter to Comcast June 15, 2005 (.pdf)
Comcast Reply Letter (.pdf)

2006 The MHCRC proposes amendments to customer service policy re: cable subscriber privacy

MHCRC proposed amendments DRAFT (.pdf)
Comcast 2006 Privacy Policy (.pdf)