Comcast Corporation 
300 New Jersey Avenue, NW 
Suite 700 
Washington, DC 20001

August 1, 2016
VIA ECFS
Marlene H. Dortch
Secretary
Federal Communications Commission
445 12th Street, S.W.
Washington, D.C. 20554
Re:

Protecting the Privacy of Customers of Broadband and Other
Telecommunications Services, WC Docket No. 16-106

Dear Ms. Dortch:
On July 28, 2016, Rebecca Arbogast, Rob Holmes, Gerard Lewis, Rudy Brioché, and the
undersigned of Comcast Corporation (“Comcast”) met in person with Matthew DelNero, Lisa
Hone, Daniel Kahn, and Brian Hurley of the Wireline Competition Bureau, and over the phone
with Melissa Kirkel of the Wireline Competition Bureau and Kathy Berthot of the Media
Bureau. The purpose of the meeting was to discuss Comcast’s comments and reply comments in
response to the above-captioned Notice of Proposed Rulemaking, including our proposals to
adopt a regime that would protect consumers without harming innovation, competition, and
investment by Internet service providers (“ISPs”).
First, we expressed our agreement with the Federal Trade Commission’s (“FTC’s”)
comments in this proceeding that the FCC should adopt a sensitivity-based approach to consent.1
Under such an approach, opt-in consent would be required only with respect to the use or
disclosure of sensitive information (financial, health, and children’s information, Social Security
numbers, and precise geolocation information), while the use and disclosure of non-sensitive
information would be subject to opt-out consent in most instances and implied consent for an ISP
to market its products and services to its customers. This approach would be consistent with:

1

See FTC Comments at 22-23 (“[The FCC’s] approach does not reflect the different expectations and
concerns that consumers have for sensitive and non-sensitive data. … FTC staff recommends that the FCC consider
the FTC’s longstanding approach, which calls for the level of choice to be tied to the sensitivity of data and the
highly personalized nature of consumers’ communications in determining the best way to protect consumers.”); id.
at 35 (“Opt-out is sufficient for use and sharing of non-sensitive data.”).

 Ms. Marlene H. Dortch
August 1, 2016
Page 2


The consent regime that has been in place and enforced by the FTC for ISPs and the
rest of the Internet since the inception of the Internet, and that has been endorsed by
the Obama Administration in its 2012 Consumer Privacy Bill of Rights report and
subsequent draft legislation;2 and



Unequivocally expressed consumer expectations and preferences for a privacy regime
over the entire Internet that applies the same rules to all entities and that protects their
privacy based on the sensitivity of their online data rather than by the type of Internet
company that uses their data.3

We explained that Comcast and other companies in the Internet ecosystem have been complying
with the Administration’s and FTC’s sensitivity-based consent approach for many years through
a series of commonly-used administrative and operational controls that guide our internal
practices.
We noted that the record reflects that all parties appreciate that any rules the Commission
adopts should not cover data collected by an ISP’s affiliate that is providing a non-ISP service or
data acquired by an ISP from a third-party.4 As Comcast has explained, expanding the ambit of
Section 222 to cover such data would be both bad law and bad policy.5
We also urged that the Commission allow business models offering discounts or other
value to consumers in exchange for allowing ISPs to use their data. As Comcast and others have
argued, the FCC has no authority to prohibit or limit these types of programs.6 Moreover, such a
2

See Comcast Comments at 16 (“Under both the FTC’s approach to online privacy and the Administration’s
Consumer Privacy Bill of Rights, consumer information should be protected based on the sensitivity of the
information and how the information is used, not on the type of business that collects and uses the data.”).

3

See Progressive Policy Institute Comments at 1 (“By an overwhelming margin, 94% v 5%, internet users
agree that “All companies collecting data online should follow the same consumer privacy rules so that consumers
can be assured that their personal data is protected regardless of the company that collects or uses it,” including 82%
of Internet users who say they “strongly” agree with that statement.”).
4

See, e.g., Consumers Union Reply Comments at 3 (“To the extent that BIAS providers are seeking to
compete with other companies in providing other services over the Internet, they are free to establish separate,
independent affiliates that collect and use consumer information in the same manner as those other companies,
subject to the same rules that already apply.”); Public Knowledge et al. Reply Comments at 17 (“Additionally,
nothing in the Proposed Rules would prevent ISPs or their affiliates from using other lawful sources of customer
data, not acquired through their own provision of broadband service, for marketing or any other activity. For
example, an online advertising service owned and/or operated by an ISP could still make use of customer data
obtained from edge providers to the same extent as a third party advertising service.”).

5

6

See, e.g. Comcast Reply Comments at 58-60.

See, e.g., Comcast Comments at 57 (“If the customer is providing her consent to take the lower price in
exchange for allowing the ISP greater flexibility to use and share her data, then the statutory requirements are
satisfied.”).

 Ms. Marlene H. Dortch
August 1, 2016
Page 3
prohibition would harm consumers by, among other things, depriving them of lower-priced
offerings, and as FTC Commissioner Ohlhausen points out, “such a ban may prohibit adsupported broadband services and thereby eliminate a way to increase broadband adoption.”7 A
bargained-for exchange of information for service is a perfectly acceptable and widely used
model throughout the U.S. economy, including the Internet ecosystem, and is consistent with
decades of legal precedent and policy goals related to consumer protection and privacy.8
Finally, we discussed how Comcast has partnered with vendors who have helped to
enhance consumer data privacy, and that the Commission should be clear that any rules it adopts
do not prevent ISPs from providing CPNI to a vendor based on implied consent, provided the
ISP has an agreement with the vendor requiring it to safeguard the CPNI and to use it solely on
behalf of and as directed by the ISP, and not for the vendor’s own purposes. We explained that
Comcast ensures through contractual provisions that vendors who handle customer-related data
have strong measures in place to protect that customer-related data, and that the vendors are
prohibited from using that data for any purposes other than as directed by Comcast.
Please direct any questions to the undersigned.

Respectfully submitted,
/s/ Francis M. Buono
Senior Vice President, Legal Regulatory Affairs &
Senior Deputy General Counsel
Comcast Corporation

cc (via email):
Kathy Berthot
Matthew DelNero
Lisa Hone
Brian Hurley
Daniel Kahn
Melissa Kirkel

7

FTC Commissioner Ohlhausen Comments at 3.

8

See Comcast Reply Comments at 18-20.