Customer Proprietary Network Information (CPNI)
- Computer Inquiries
CPNI originated as a Computer Inquiry safeguard of competition in the information services market. The safeguard acknowledged that the telephone companies (monopolies), upon which information services depended for telecommunications, possessed certain sensitive customer information that could be used for unfair commercial benefit. The knowledge of what telecommunications a customer might be consuming gave the telephone companies an opportunity to market new products to customers. If the telephone company knew that a customer was ordering DSL, but not getting internet service from the telephone company, the telephone company (frequently through the guy who showed up at the door of the customer with a truck in order to install the service) could market the telephone company's service over that of the independent ISPs. The FCC concluded that this was anticompetitive, and indicated that telephone companies could use information acquired from the sale of telephone service only for the purpose of marketing telephone service; the telephone company could not use that information to market non-regulated information services.
CPNI was codified by the Telecommunications Act of 1996, but as with many things, not exactly as it had been in the Computer Inquiries. CPNI became privacy regulation - not for the benefit of competitive services - but for the benefit of the customer.
CPNI rules have been applied to VoIP.
Customer Information / Privacy
47 CFR Part 64
Note: This information is out of date.
A significant concern is the situation where non-affiliated ISPs order services from their telecommunications supplier BOC (Bell Operating Company) and, in the same act, provide sensitive proprietary customer information to their competitor BOC. The Computer Inquiries recognized the problem that BOCs can use information gathered as a supplier to unfairly compete with ESP competitors. Thus, the Commission created restrictions on the ability of the BOC to use that information. In Computer III, the Commission required BOCs and GTE
to (1) make CPNI available, upon customer request, to unaffiliated enhanced service vendors, on the same terms and conditions that are available to their own enhanced services personnel; (2) limit their enhanced services personnel from obtaining access to a customer's CPNI if the customer so requests; and (3) notify multi-line business customers annually of their CPNI rights.
In addition, the Commission prohibited BOCs and GTE from providing to its affiliated ESP "any customer proprietary information unless such information is available to any member of the public on the same terms and conditions." 47 C.F.R. § 64.702(d)(3).
In 1996, Congress passed the new Privacy of Customer Information provision, codified as Section 222 of the Communications Act. 47 U.S.C. § 222. Section 222 contains the restrictions on the use of customer information by all carriers, not just BOCs. This includes Customer Proprietary Network Information and Carrier Information.
The FCC concluded that Section 222 replaced "the Computer III CPNI framework in all material respects"; however, the Order in which the FCC made that conclusion was vacated by a federal appeals court.
Section 222 defines Customer Proprietary Network Information (CPNI) as
(A) information that relates to the quantity, technical configuration, type, destination, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the customer-carrier relationship; and
(B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.
Except that such term does not include subscriber list information.
47 U.S.C. § 222(f)(1).
Compare "subscriber list information" to WHOIS and ECPA "Basic Subscriber Information."
Subscriber list information (aka PII), essentially the information listed in a phone book, is defined as
(A) identifying the listed names of subscribers of a carrier and such subscribers' telephone numbers, addresses, or primary advertising classifications (as such classifications are assigned at the time of the establishment of such service), or any combination of such listed names, numbers, addresses, or classifications; and
(B) that the carrier or an affiliate has published, caused to be published, or accepted for publication in any directory format.
47 U.S.C. § 222(f)(3). According to Section 222,
Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.
47 U.S.C. § 222(c)(1). In other words, information gathered in order to provide telecommunications service can be used only for the provision of that service. A carrier could not use the information it has gathered from providing telephone service in order to market Internet services. The key exception is whether the carrier has the approval of the customer to use that information for other purposes.
It is important to understand that these rules apply only where information is derived from the provision of telecommunications services; they do not apply where the LEC is providing non-telecommunications services such as Internet services.
Many ISPs are also Competitive Local Exchange Carriers (CLECs). Another portion of Section 222 addresses customer information in the context of intercarrier relations. It states
A telecommunications carrier that receives or obtains proprietary information from another carrier for purposes of providing any telecommunications service shall use such information only for such purpose, and shall not use such information for its own marketing efforts.
47 U.S.C. § 222(b). In 1998, the Commission promulgated rules implementing Section 222 of the Communications Act. See 47 C.F.R. § 64.2005. U.S. West filed an appeal concerning the FCC rules with the Tenth Circuit Court of Appeals, which vacated the FCC rules as violating the First Amendment. U S WEST, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999), cert. denied, 120 S.Ct. 2215 (2000).
Where does this leave CPNI? The FCC rules implementing Section 222 have been vacated; Section 222 itself has not been vacated and remains binding. Furthermore, since the FCC's Section 222 rules were vacated, the FCC's previous Computer III CPNI rules remain in place.
Joint Petition, ¶ 46. See also Ameritech's CEI Plan, ¶ 41; GTE ONA; Bell Atlantic's CEI Plan; ONA Review, ¶ 25, 398-447.
 In re Implementation of the Telecommunications Act of 1996; Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, Second Report And Order And Further Notice Of Proposed Rulemaking, 180 (February 19, 1998) (hereinafter CPNI)
 US West v. FCC, Docket 98-9518, 182 F.3d 1224 (10th Cir. Aug 18, 1999), cert. denied sub. nom Competition Policy Institute v. U.S. West, Docket 99-1427, 120 S. Ct. 2215 (S.Ct. June 2000).
 See CPNI, supra note 2; In re Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, Order on Recon and Petitions for Forbearance, 46-47 (September 3, 1999) (hereinafter CPNI Recon) (concluding that the provision of Internet services is not necessary to the provision of telecommunications service).
See CPNI Recon, supra note 3, ¶ 159; In re Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, Order ¶ 1 (CCB May 21, 1998).
See also EPIC's CPNI Overview
Broadband Privacy CPNI NPRM 2016 - Repealed
- Partisan Vote
- The FCC's Broadband Privacy rules were promulgated in 2016. The FCC's vote was along party lines (3 Democrats; 2 Republicans).
- The Congressional Resolution repealing the FCC's Broadband Privacy rules was along party lines.
- Jurisdiction / Level Playing Field
- Congress decided that there should be different agencies regulating different segments of the economy.
- The FCC regulates common carriers (Verizon, AT&T, Charter, Sprint, Centurylink, Frontier...) pursuant to the Communications Act of 1934.
- The FTC regulates general firms in the market except for those specifically regulated by other agencies - like common carriers regulated by the FCC.
- The SEC and the FDA regulate other firms.... and so on...
- This means there are different rules for different firms because of the laws and agencies Congress created. The agencies promulgate regulation pursuant to the authority given to them by Congress (they don't create the jurisdictional difference).
- The FCC promulgated Broadband Privacy rules that covered Broadband Internet Access Service providers; other companies like Facebook, Twitter, Microsoft and other Internet companies continue to fall under different FTC authority. Having different rules for different categories of firms is not uncommon, particularly given the different authorities enacted by Congress.
- It is not uncommon to have a government attempt to solve part of a problem even though it cannot solve an entire problem.
- As a result of Congress blocking the FCC's Broadband Privacy rules, no agency currently has jurisdiction over Broadband Internet Access Service provider privacy.
- The FCC has jurisdiction over firms acting as common carriers pursuant to Title II and CPNI. The FCC rules that applied to Broadband Internet Access Service providers were blocked by Congress.
- The FTC lacks jurisdiction over firms with the status of common carriers. In other words, if a firm has common carriage as some part of its business plan, the FTC lacks jurisdiction, even if that is not the conduct in question. If AT&T is selling hotdogs out of a cart, the FTC lacks jurisdiction because AT&T is a common carrier in some other part of its business plan. Verizon, AT&T, Charter, Sprint, Centurylink, Frontier... are common carriers in other parts of their business plans beyond Broadband Internet Access Service, and therefore are outside FTC jurisdiction.
- The Broadband Privacy rules did not declare that Broadband Internet Access Service providers were common carriers and did not remove jurisdiction from the FTC.
- The 2015 Open Internet rules did rule that Broadband Internet Access Service providers were telecom services (aka common carriers). However, this did not remove jurisdiction from the FTC. Most Broadband Internet Access Service Providers are also telecom services. Since they have telecom services as some part of their business plan, the FTC lacks jurisdiction over them. The only agency that could exercise jurisdiction over these broadband Internet Access Services is the FCC.
- Congressional Review :: Repealing FCC
House Letter to Ch Pai Asking that he enforce Broadband Privacy Rules pending Repeal of Network Neutrality Title II Authority (April 7, 2017) ("Until such time as the FCC rectifies the Title II reclassification that inappropriately removed ISPs from the FTC's jurisdiction, we urge the FCC to continue to hold ISPs to their privacy promises. The authority vested to the FCC under Sections 201 and 202 of the Communications Act of 1934 charge the FCC with protecting consumers against unjust and unreasonable practices. We believe this language provides the necessary authority to protect consumers in a similar manner to how the FTC protects consumers under its authority to prevent unfair and deceptive acts and practices." )
- SJ Res 34 - Disapproving the FCC's Rule on Privacy of Customers of Broadband Services
- STATEMENT OF FCC CHAIRMAN AJIT PAI ON PRESIDENT TRUMP SIGNING INTO LAW THE CONGRESSIONAL RESOLUTION OF DISAPPROVAL. STMT. News Media OCHAP PDF | DOC ("Those flawed privacy rules, which never went into effect, were designed to benefit one group of favored companies, not online consumers. ")
- White House Press Release March 28, 2017 ("The Administration strongly supports House passage of S.J.Res. 34")
- Sen. Jeff Flake Flake Introduces Resolution to Protect Consumers from Overreaching Internet Regulation, Senate (3/7/17) ("U.S. Sen. Jeff Flake (R-Ariz.), chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, today introduced a resolution to repeal economically harmful broadband regulations issued by the Obama administration. The resolution would not change or lessen existing consumer privacy regulations. It is intended to block an attempt by the Federal Communications Commission (FCC) to expand its regulatory jurisdiction and impose prescriptive data restrictions on internet service providers. These restrictions have the potential to negatively impact consumers and the future of internet innovation.")
Public Law 115-22 115th Congress
Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Federal Communications Commission relating to ``Protecting the Privacy of Customers of Broadband and Other Telecommunications Services''.
Resolved by the Senate and House of Representatives of the United States of America in Congress assembled, That Congress disapproves the rule submitted by the Federal Communications Commission relating to ``Protecting the Privacy of Customers of Broadband and Other Telecommunications Services'' (81 Fed. Reg. 87274 (December 2, 2016)), and such rule shall have no force or effect.
Approved April 3, 2017.
- Brian Fung, Trump has signed repeal of the FCC Privacy Rules, WAPO April 4, 2017 ("The Obama-backed rules — which would have taken effect later this year — would have banned Internet providers from collecting, storing, sharing and selling certain types of customer information without user consent. Data such as a consumer's Web browsing history, app usage history, location details and more would have required a customer's explicit permission before companies such as Verizon and Comcast could mine the information for advertising purposes.")
- Coalition Letter to Congress Opposing the Use of the Congressional Review Act to Overturn the FCC's Broadband Privacy Rules, ACLU 1/26/17
- HARPER NEIDIG New fight erupts over internet privacy, The Hill (3/6/17) ("The FCC under new Republican Chairman Ajit Pai on Wednesday moved to block a rule requiring internet service providers to take stronger steps to protect customers' data")
- GOP takes aim at internet privacy rules, The Hill (3/15/17) ("In recent days, lawmakers in both the House and Senate have offered legislation to roll back the Obama-era measures, with bills from Sen. Jeff Flake (R-Ariz.) and Rep. Marsha Blackburn (R-Tenn.), the chairwoman of the House Commerce subpanel on communication and technology.")
- JON BRODKIN Advertisers look forward to buying your Web browsing history from ISPs, Ars Technica (3/15/17) ("Ad groups thank Republican lawmakers for move to kill ISP privacy rules.")
- Jon Brodkin How ISPs can sell your Web history—and how to stop them, Ars Technica (3/23/17) ("The Senate vote was 50-48, with every Republican senator voting to kill privacy rules and every Democratic senator voting to preserve them.")
- Senate Acts on Broadband Privacy, NTCA (3/23/17) ("Today the Senate passed the Congressional Review Act resolution to overturn the FCC’s recently adopted broadband privacy rules for Internet service providers. Throughout the development of the FCC’s broadband privacy rules, NTCA has championed consumer-centric principles of notice, choice and security. At the same time, NTCA has cautioned against regulations that would treat ISPs differently than other firms in the broadband market – and frankly, some of them have far more consumer information and metrics and should be of significantly more concern than ISP operations.")
- ACA Applauds Senate Passage Of Flake Resolution Voiding FCC's Broadband Privacy Rules, ACA (3/23/17) ("ACA is very pleased the Senate voted to use the Congressional Review Act (CRA) to nullify the FCC's broadband privacy regulations. ACA thanks Sen. Jeff Flake (R-Ariz.) and his many Senate co-sponsors of the CRA resolution for their leadership role in eliminating regulations that as applied to smaller broadband providers would impose unwarranted and burdensome regulations, harmful both to small businesses and their customers.")
- Shiva Stella Senate Leaves Consumers Vulnerable in Rush to Destroy Americans’ Online Privacy, PK (3/23/17) ("With less than 10 hours of ‘consideration,’ the Senate took the first step to eliminating a rule that put consumers in control of their data online. This vote is a clear sign that American interests ")
- ACA Pleased Broadband Privacy Repeal Headed To White House, ACA (3/28/17) ("ACA strongly supported Congress' intervention to reverse the harms associated with the FCC's unwarranted and burdensome broadband privacy regulations that singled out ISPs while exempting giant Internet edge providers, who have as much, if not more, access to similar consumer data.")
- BRIAN X. CHEN What the Repeal of Online Privacy Protections Means for You, NYT (3/29/17) ("The new F.C.C. rules would have given consumers stronger privacy protections — without such restrictions, internet providers may decide to become more aggressive with data collection and retention. Expect more targeted advertising to come your way.")
Stay of Data Security Rules
- FCC TAKES STEP TOWARDS ENSURING CONSUMERS HAVE UNIFORM ONLINE PRIVACY PROTECTIONS.
- JOINT STATEMENT OF FCC CHAIRMAN AJIT PAI AND ACTING FTC CHAIRMAN MAUREEN K. OHLHAUSEN ON PROTECTING AMERICANS' ONLINE PRIVACY by Statement. OCHAP
- PROTECTING THE PRIVACY OF CUSTOMERS OF BROADBAND AND OTHER TELECOMMUNICATIONS SERVICES/FCC GRANTS TEMPORARY STAY OF DATA SECURITY REGULATION FROM BROADBAND PRIVACY ORDER. Grants the Stay Petition in part, and stays on an interim basis one aspect of the requirements adopted in the 2016 Privacy Order related to data security. (Dkt No. 16-106 ). Action by: the Commission. Adopted: 03/01/2017 by ORDER. (FCC No. 17-19).
- JOINT STATEMENT OF FCC COMMISSIONER MIGNON CLYBURN AND FTC COMMISSIONER TERRELL MCSWEENY ON INDEFINITE SUSPENSION OF DATA SECURITY RULES by Statement. OCMC
- STATEMENT ON NEED FOR COMPREHENSIVE AND UNIFORM FRAMEWORK TO PROTECT AMERICANS' ONLINE PRIVACY. STMT. News Media OMR
- Jon Brodkin, FCC to Halt Rule that protects your private data from security breaches, ars technica 2/24/17 ("Pai has said that ISPs shouldn't face stricter rules than online providers like Google and Facebook, which are regulated separately by the Federal Trade Commission. Pai wants a "technology-neutral privacy framework for the online world" based on the FTC's standards. According to today's FCC statement, the data security rule "is not consistent with the FTC's privacy standards."")
See also FTC Common Carrier Jurisdiction Exemption. Under a 9th Cir. ruling, the FTC has no jurisdiction over companies that are common carriers (as opposed to companies when they are providing common carrier service; this is the difference between status and action). It has been argued that this means that if the FCC rescinds the broadband privacy rules, neither the FCC nor the FTC will have regulatory authority over this area.
- Petitions for Reconsideration, Public Notice Jan. 17, 2017 Comments due 15 days; replies due 10 days
- Jon Brodkin, ISPs Seek to end privacy rules just in time for Trump's Inauguration, ars technica Jan. 17, 2017 ("on January 3, trade groups representing ISPs filed petitions asking the FCC to reconsider the rulemaking")
- Report and Order (Nov. 2, 2016)
- Fed Reg: Protecting the Privacy of Customers of Broadband and Other Telecommunications Services Fed. Reg. Dec. 2, 2016
- Released: 12/14/2016. Wireline Competition Bureau Announces Effective Dates of Broadband Privacy Rules (DA No. 16-1387). (Dkt No 16-106 ). WCB . https://apps.fcc.gov/edocs_public/attachmatch/DA-16-1387A1.docx
- News Release
- Fact Sheet
- Wheeler Statement
- Clyburn Statement
- Rosenworcel Statement
- Pai Statement
- O'Rielly Statement
- Petition to Stay
- Public Knowledge Moves to Preserve FCC’s Online Privacy Rules PK Feb. 7, 2017 ("Recently, Public Knowledge filed an Opposition to Petitions for a Stay of the Federal Communications Commission’s Broadband Privacy rules adopted in 2016.")
- Statement on Petition to Stay FCC Privacy Rules Tech Knowledge Jan 30, 2017 (“The previous FCC’s decision to adopt a discriminatory approach to broadband privacy was driven by its desire to protect particular industry players, not consumers. The agency’s biased rules inhibit the ability of ISPs to compete with edge providers in the internet data market without providing any meaningful privacy protection.")
- NCTA, ACA join ISP groups in asking for stay on FCC privacy rules by Daniel Frankel | Jan 30, 2017 12:51pm FierceTelecom ("“Today, associations representing virtually all of the leading U.S. internet service providers filed a petition asking the FCC to stay unnecessarily restrictive and destructive broadband privacy rules recently adopted by the FCC, while at the same time releasing detailed and comprehensive principles reiterating ISPs’ commitment to protecting their customers’ privacy online,” read a statement released Friday by the group.")
- Protecting Privacy for Broadband Consumers, Tom Wheeler, FCC, 10/6/16
- FCC PROPOSES TO GIVE BROADBAND CONSUMERS INCREASED CHOICE, TRANSPARENCY AND SECURITY FOR THEIR PERSONAL DATA. Proposal would empower consumers to decide how data is used and shared by broadband providers. News Release. Adopted: 03/31/2016. News WTB WCB https://apps.fcc.gov/edocs_public/attachmatch/DOC-338679A1.docx
PROTECTING THE PRIVACY OF CUSTOMERS OF BROADBAND AND OTHER TELECOMMUNICATIONS SERVICES. Seeks comment on a proposed framework for ensuring that consumers have the tools they need to make informed choices about how their data is used and when it is shared by their broadband providers. (Dkt No. 16-106 ). Action by: the Commission. Comments Due: 05/27/2016. Reply Comments Due: 06/27/2016. Adopted: 03/31/2016 by NPRM. (FCC No. 16-39). WCB https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-39A1.docx
- Fed Reg Notice 5/27/16
- Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, Notice of Proposed Rulemaking, 31 FCC Rcd 2500 (2016)
- THE WIRELINE COMPETITION AND CONSUMER AND GOVERNMENTAL AFFAIRS BUREAUS SCHEDULE PUBLIC WORKSHOP ON BROADBAND CONSUMER PRIVACY. News Release.
- REMARKS OF RUTH MILKMAN, FCC CHIEF OF STAFF, PROTECTING BROADBAND PRIVACY FORUM, NEW AMERICA FOUNDATION, WASHINGTON, D.C.. OCHTW TXT
- Privacy Regulation: Symmetry or Asymmetry , AT&T Blog
- CONSUMER WATCHDOG PETITION FOR RULEMAKING TO REQUIRE EDGE PROVIDERS TO HONOR 'DO NOT TRACK' REQUESTS. Dismisses a petition filed by Consumer Watchdog requesting that the Commission initiate a rulemaking proceeding requiring edge providers to honor "Do Not Track" requests from consumers. Action by: By the Chief, Wireline Competition Bureau. Adopted: 11/06/2015 by ORDER. (DA No. 15-1266). WCB https://apps.fcc.gov/edocs_public/attachmatch/DA-15-1266A1.docx
- IMPLEMENTATION OF THE TELECOMMUNICATIONS ACT OF 1996: TELECOMMUNICATIONS CARRIERS' USE OF CUSTOMER PROPRIETARY NETWORK INFORMATION AND OTHER CUSTOMER INFORMATION. Addressed the real privacy and security risks that consumers face when telecommunications carriers use their control of customers' mobile devices to collect information about their customers' use of the network. (Dkt No. 96-115 ). Action by: the Commission. Adopted: 06/27/2013 by Declaratory Ruling. (FCC No. 13-89). OGC http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-13-89A1.docx
CPNI Proceeding History:
- ANNUAL CPNI CERTIFICATION/OMNIBUS NOTICE OF APPARENT LIABILITY FOR FORFEITURE AND ORDER. Notified each of the listed companies of their Apparent Liability For Forfeiture in the amount of $29,000 for failure to submit annual CPNI compliance certificates, et al. Action by: Chief, Enforcement Bureau. Adopted: 02/25/2011 by NALF. (DA No. 11-371). EB TXT
- IMPLEMENTATION OF THE TELECOMMUNICATIONS ACT OF 1996: TELECOMMUNICATIONS CARRIERS' USE OF CUSTOMER PROPRIETARY NETWORK INFORMATION AND OTHER CUSTOMER INFORMATION. Clarified that section 222 of the Communications Act of 1934, as amended, does not prevent a telecommunications carrier from complying with the obligation (18 USC 2258A - Child Pornography Reporting). (Dkt No. 96-115 ). Action by: Chief, Wireline Competition Bureau. Adopted: 10/12/2010 by Declaratory Ruling. (DA No. 10-1956). WCB TXT
- Customer Proprietary Network Information, Fed Reg 12/18/2007
- 05/03/05 ORDER ON RECONSIDERATION: Implementation of the Telecommunications Act of 1996; Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; Implementation of the Local Competition Provisions of the Telecom Act of 1996; In this Order, the Commission addresses petitions seeking reconsideration of clarification of certain conclusions made by the Commission in the SLI/DA First Report and Order. FCC-05-93. Dkt. Nos. 96-115, 96-98, 99-273. Word | Acrobat
- IMPLEMENTATION OF THE TELECOMMUNICATIONS ACT OF 1996; TELECOMMUNICATIONS CARRIERS' USE OF CUSTOMER PROPRIETARY NETWORK INFORMATION AND OTHER CUSTOMER INFORMATION; IMPLEMENTATION OF THE LOCAL COMPETITION PROVISIONS OF THE TELECOM ACT OF 1996; ET AL. The FCC upheld and clarified its rules governing the duty of local exchange carriers to grant competing carriers access to directory assistance information. (Dkt No. 96-115 , 96-98). Action by: the Commission. Adopted: 04/29/2005 by Order on Reconsideration. (FCC No. 05-93). WCB, FCC 5/6/2005
- Telecommunications carriers’ use of customer proprietary network and other information, Fed Reg 10/29/2004
- IMPLEMENTATION OF THE TELECOMMUNICATIONS ACT OF 1996: TELECOMMUNICATIONS CARRIERS' USE OF CUSTOMER PROPRIETARY NETWORK INFORMATION AND OTHER CUSTOMER INFORMATION. Affirmed other aspects of the Subscriber List Information Order that were subject to petitions for reconsideration. (Dkt No. 96-115). Action by: the Commission. Adopted: 08/25/2004 by MO&OR. (FCC No. 04-206). WCB, FCC 9/17/2004
- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking (July 25, 2002) Text | Acrobat
FCC Adopts Rules Resolving How Phone Companies Share and Market Customer Information
News Release
Chairman Powell's Statement
Commissioner Abernathy's Statement
Commissioner Martin's Statement
Commissioner Copps's Statement
1. We resolve in this Order several issues in connection with carriers' use of customer proprietary network information ("CPNI") pursuant to section 222 of the Telecommunications Act of 1996. Through section 222, Congress recognized both that telecommunications carriers are in a unique position to collect sensitive personal information including to whom, where and when their customers call and that customers maintain an important privacy interest in protecting this information from disclosure and dissemination. The rules we adopt today focus on the nature of the customer approval needed before a carrier can use, disclose or permit access to CPNI. In formulating the required approval mechanism described below, we carefully balance carriers' First Amendment rights and consumers' privacy interests so as to permit carriers flexibility in their communications with their customers while providing the level of protection to consumers' privacy interests that Congress envisioned under section 222.
2. More specifically, we adopt an approach that comports with the decision of the United States Court of Appeals for the Tenth Circuit ("Tenth Circuit") vacating the Commission's requirement that carriers obtain express customer consent for all sharing between a carrier and its affiliates, as well as unaffiliated entities. We adopt today an approach that is derived from a careful balancing of harms, benefits, and governmental interests. First, use of CPNI by carriers or disclosure to their affiliated entities providing communications related services, as well as third party agents and joint venture partners providing communications related services, requires a customer's knowing consent in the form of notice and "opt out" approval. Second, disclosure of CPNI to unrelated third parties or to carrier affiliates that do not provide communications related services requires express customer consent, described as "opt in" approval. Finally, this Order affirms the finding that the Tenth Circuit vacated only those CPNI rules related to opt in and left intact the remainder of the Commission's rules, including the "total service approach," which permits the carrier to use CPNI to market new product offerings within the carrier customer service relationship, on the basis of the customer's implied consent.
3. In this Order, we also further refine the rules governing the process by which carriers provide notification to customers of their CPNI rights. Specifically, we clarify the form, content and frequency of carrier notices. In addition, although we decline to reconsider our conclusion that customers' preferred carrier (PC) freeze information constitutes CPNI and thereby continue to accord it privacy protection pursuant to section 222, we choose to forbear from imposing the express consent requirements announced in this Order with respect to PC freezes. Through our limited exercise of forbearance, we balance customers' privacy concerns with carriers' meaningful commercial interests, resulting in PC freeze information being made more readily available among competing carriers, consistent with the public interest. We also affirm our previous determination that the word "information" in section 272 does not include CPNI, which is governed instead by section 222 of the Act.
4. Finally, we accompany this Order with a Further Notice of Proposed Rulemaking ("Further NPRM") to refresh the record on two issues raised in the CPNI Order Further NPRM: foreign storage of and access to domestic CPNI, and CPNI safeguards and enforcement mechanisms. We additionally request comment on what, if any, appropriate regulations should govern the CPNI held by carriers that go out of business, sell all or part of their customer base, or seek bankruptcy protection.
- Implementation of the Telecommunications Act of 1996; Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; Implementation of the Non Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as Amended; Clarification Order and Second Further Notice of Proposed Rulemaking 16 FCC Rcd 16506 (2001)
- Clarified the Status of our CPNI rules after the Tenth Circuit's opinion and explained how parties may obtain customer consent for use of their CPNI. Seek comments on what methods of customer consent would serve the governmental interests. Action by: By the Commission. Adopted: 08/28/2001 by NPRM. (FCC No. 01-247) Fed Reg Notice. FCC-01-247A1.d
- US West v. FCC, Docket 98-9518, 182 F.3d 1224 (10th Cir. Aug 18, 1999), cert. denied sub. nom Competitive Policy Institute v. U.S. West Docket 99-1427, 530 U.S. 1213 (S.Ct. June 2000).
- AT&T Petition for Review, AT&T v. FCC, No. 99 1413 (D.C. Cir., July 25, 2000).
- In June 2000, the Supreme Court denied the Competitive Policy Institute's request to have the Supreme Court review the case. Court Won't Limit Use of Phone Data NYT 6/5 US West v. FCC, Docket 98-9518 (10th Cir. Aug 18, 1999), cert. denied sub. Nom Competitive Policy Institute v. U.S. West Docket 99-1427 (S.Ct. June 2000)
- 9/9/99 THIRD REPORT AND ORDER in CC Docket No. 96-115, SECOND ORDER ON RECONSIDERATION of the Second Report and Order in CC Docket No. 96-98, and NOTICE OF PROPOSED RULEMAKING in CC Docket No. 99-273 [Text Version] [Word Perfect Version]
- 9/3/99 Implementation of the Telecommunications Act of 1996; Telecommunications Carriers' Use of Customer Proprietary Network Information; and Implementation of the Non Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended, Order on Reconsideration and Petitions for Forbearance, 14 FCC Rcd 14409 (1999) [Text Version][Word Perfect Version][PDF Version]
- US West v. FCC, Docket 98-9518, 182 F.3d 1224 (10th Cir. Aug 18, 1999), cert. denied sub. Nom Competitive Policy Institute v. U.S. West Docket 99-1427 (S.Ct. June 2000)
- 5/17/1999 CPNI EXTENSION ORDER -- Text Version ||| Word Perfect Version
- On May 17, 1999, the Common Carrier Bureau issued an Order extending the date on which the petitions requesting forbearance filed shall be granted in absence of a Commission decision that petitions fail to meet the standards for forbearance under section 10(a) of the Act, until 8/16/1999.
- Implementation of the Telecommunications Act of 1996; Telecommunications Carriers' Use of Customer Proprietary Network Information; and Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended, Order on Reconsideration and Petitions for Forbearance, 14 FCC Rcd 14409 (1999) (CPNI Reconsideration Order).| Text | Acrobat
"On September 3, 1999, the Commission released an Order on Reconsideration and Petitions for Forbearance [Text Version][Word Perfect Version] that simplified the rules that telecommunications carriers (both wireline and wireless companies) must follow to use customer proprietary network information (CPNI), while retaining the privacy protections for carriers' customers. CPNI is the information a telecommunications carrier obtains about a customer that relates to the quantity, technical configuration, type, destination, and amount of use of a telecommunications service subscribed to by that customer. In other words, information about whom you call, when you call, how long you talk and how you communicate.
"Section 222 of the Communications Act of 1934, as amended, establishes CPNI privacy requirements by restricting all telecommunications carriers' use or disclosure of a customer's CPNI. To implement section 222, the FCC adopted regulations in the CPNI Second Report and Order on February 26, 1998. Some companies argued that these regulations were overly burdensome and requested that the FCC reconsider, clarify, and/or forbear from enforcing parts of those regulations. The Commission adopted the Order on Reconsideration to address those arguments.
"The Order on Reconsideration lessened the regulatory burden of various CPNI safeguards, while continuing to require that carriers protect customer privacy. Specifically, the FCC reduced the restriction on telecommunications companies' use of CPNI to market services and equipment to their own customers. For example, telephone companies will be able to use CPNI to market to their customers equipment that is necessary to, or used in, the provision of their telephone service, such as telephones and caller ID units, without first obtaining customer permission. The FCC allowed wireline telephone carriers to use CPNI without customer approval to market related information services. Wireless carriers were awarded broader discretion to use CPNI without customer approval to market all information services that are necessary to, or used in, the provision of their telecommunications services. The FCC also allowed all telecommunications companies to use CPNI in their efforts to "win back" customers lost to competitors, reasoning that "winback" campaigns are good for competition and consistent with the Act.
"The Commission also modified its requirement that carriers develop and implement software that indicates a customer's CPNI approval status within the first few lines of the first screen of a customer's service record. Now, carriers must clearly establish the status of a customer's CPNI approval prior to the use of CPNI, but the specific details of compliance are left to the carriers. In so doing, the FCC allowed the carriers the flexibility to adapt their record keeping systems in a manner most conducive to their individual size, capital resources, culture and technological capabilities. The FCC also eliminated the requirement that carriers maintain an electronic audit mechanism that tracks access to customer accounts. Instead, the FCC required carriers to maintain a record of their sales and marketing campaigns that use CPNI.
"The FCC addressed various issues concerning a customer's approval to use CPNI consistent with section 222, including authorizations obtained by carriers from customers prior to the release of the FCC's CPNI rules. The FCC also eliminated that section of its rules that required a carrier's solicitation for approval, if written, to be on the same document as the carrier's notification. Further, the FCC affirmed its decision to exercise its preemption authority on a case-by-case basis for state rules that conflict with the FCC's rules.
"After the Commission adopted the Order on Reconsideration, but prior to its release, the Court of Appeals for the Tenth Circuit issued its opinion vacating the Commission's CPNI rules. (U S WEST, Inc. v. FCC, 10th Circuit No. 98-9518 (filed August 18, 1999)). The Court held that the Commission's CPNI rules "must fall under the First Amendment." The Court's mandate has not yet issued and further litigation remains a possibility. Once the Court's mandate issues, the Commission will take appropriate steps to implement the Court's final decision." Common Carrier CPNI Page (accessed June 20, 2000)
- 9/24/1998 CPNI EXTENSION ORDER -- Text Version ||| Word Perfect Version
- On September 24, 1998, the Commission extended the deadline for implementation of electronic safeguards to protect against unauthorized access to CPNI until six months after release of an FCC order on reconsideration addressing this issue.
- 5/21/1998 CPNI CLARIFICATION ORDER -- Text Version ||| Word Perfect Version
- On May 21, 1998, the Common Carrier Bureau issued an Order clarifying that (1) independently-derived information regarding customer premises equipment and information services is not CPNI and may be used to market CPE and information services to customers in conjunction with bundled offerings; (2) a customer's name, address and telephone numbers are not CPNI; and (3) a carrier is deemed to have met the notice and approval requirements when it provided annual notification, and obtained prior written authorization, pursuant to the FCC's former CPNI rules.
- 2/26/1998 CPNI SECOND REPORT AND ORDER AND FURTHER NOTICE OF PROPOSED RULEMAKING-- Text Version ||| Word Perfect Version
- In an FNPRM released on February 26, 1998, the Commission asked for additional comment on three issues involving carrier duties and obligations established under section 222: whether a customer may restrict carrier use of CPNI for all marketing purposes; the appropriate protections for carrier information and additional enforcement mechanisms the Commission may apply; and the foreign storage of, and access to, domestic CPNI. This phase of the proceeding remains pending.
- 2/20/1997 PUBLIC NOTICE SEEKING FURTHER COMMENTS -- Text Version
- Public Notice FCC CLARIFIES CUSTOMER PRIVACY PROVISIONS OF 1996 ACT; Customers To Control Use and Disclosure of Personal Information (CC Docket Nos. 96-115, 96-149) Feb 19, 1998 ("The Computer III CPNI framework, as well as other existing CPNI rules, are superseded by today's comprehensive Order.")
- In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, Notice of Proposed Rulemaking, 11 FCC Rcd 12513 (1996).
Directory Listings Online
- Provision of Directory Listing Information under the Telecommunications Act of 1934 (Sec. 222) CC-Docket No. 99-273
- "In the Order, the Commission also resolved certain issues relating to telephone directory publishing, including extending rights to subscriber list information at nondiscriminatory and reasonable rates to publishers of telephone directories on the Internet. The Commission also concluded that publishers of telephone directories on the Internet should not be restricted in the manner in which they display or allow customers to access the data."
- Press Release Jan 24, 2001 [ Text | MS Word97 | PDF ] 47 USC § 222
- Report and Order Text | Word | PDF
- Amendment of Section 64.702 of the Commission's Rules and Regulations, CC Docket No. 20828, Final Decision, 77 FCC 2d 384 (1980) (Computer II)
- Computer I
- Reg. and Policy Problems Presented by the Interdependence of Computer and Communications Services, Tentative Decision, 28 FCC2d 291, 18 Rad. Reg.2d (P & F) 1713 (1970)
- Para 6: “The third is whether any measures are required to be taken by the computer industry or common carriers, or both, to protect the privacy of data stored in computers and transmitted over common carrier facilities (Item J)”
- "12. The third remaining issue concerns itself with the privacy and security of data stored in computers that are interconnected with common carrier communications lines. As indicated in our Supplemental Notice of Inquiry, we do not believe that the Commission's concern is coextensive with the entire range of problems which stem from the potential invasion of privacy, where information can be stored and illicitly retrieved from a computer, even though the storage and retrieval through communications facilities (Supplemental Notice of Inquiry, 7 FCC 2d 19, Paragraph 11, at 22 (1967)). The privacy issue in its broadest sense has numerous social and public policy implications which go well beyond the pale of our jurisdiction over communications and which have already been the subject of Congressional studies and hearings, as well as a matter of concern and analysis by social scientists, lawyers and computer engineers. In this connection, we note that the National Academy of Sciences is conducting an investigation of public and private data banks to determine the magnitude of the threat to individual privacy.
- "13. The Commission, of course, does have a fixed and continuing responsibility with respect to the privacy and integrity of intelligence traversing the communications networks of this country, as well as with the possible use of such facilities for unlawful purposes. As we indicated in our First Report, we intend to give further consideration to the needs which may exist in this area and to the regulatory actions which may be required. We also recognized the need to obtain more information regarding present and future needs and the technical, operational and economic implications, as a basis for such further consideration. "
- D.A. Dunn, Policy Issues Presented by the Interdependence of Computer and Communications Services, Report No. 7379B-1, Stanford Research Institute (Feb. 1969) (p 8-9: “Users of teleprocessing systems that wish to maintain the privacy of the information that they enter into the system do not presently have very many options open to them to obtain privacy, even though they may be willing to pay extra for this service. The issue before the Commission is whether or not it should attempt to create further incentives for the data processing industry and the carriers to create options for users seeking privacy who are willing to pay for it… In view of Congressional concern for the problem as it affects the data processing industry generally, it appears that the most significant area for Commission concern and for a future FCC study would be in those aspects of the problem unique to teleprocessing and telecommunications, starting with a review of present carrier practices and procedures both with respect to data and voice.”)
- L.I. Krause, Analysis of Policy Issues in the Responses to the FCC Computer Inquiry, Report No. 7379B-2, Stanford Research Institute (Feb. 1969) (p. 15: "Technological and procedural methods for maintaining information privacy are in use and under development. Such methods can raise the costs of invading privacy but will also raise the costs of protected information services.
- “Data privacy in teleprocessing transcends the scope of communications regulation. It is suggested that:
- The FCC require communication link safeguards, licensing, bonding, and insurance of facilities and personnel
- Legislation be enacted to establish criminal sanctions for unauthorized information disclosure or use and for failure to maintain required safeguards.”")
- Bernard Strassburg, October 1966 Speech, Jurimetrics Journal, September 1968, pp. 18 (hereinafter "Strassburg 1966") ("A third problem that has been emerging with computer services relates to the protection of the integrity of information. Privacy is very much in the news lately, and well it might be. Some one recently observed that individual privacy is a function of the fragmentary nature of information. Throughout our lives we deposit a trail of information, beginning with the birth certificate and ending with the death certificate.")
- 47 USC § 222 Privacy of customer information (1998)
- 47 CFR § 64.2005 (1999) (vacated) Use of customer proprietary network information without customer approval.
- 47 USC § 501 Enforcement
- S.92 : A bill to amend the Communications Act of 1934 to prohibit the unlawful acquisition and use of confidential customer proprietary network information, and for other purposes. Sponsor: Sen Stevens, Ted [AK] (introduced 1/4/2007), Thomas 1/5/2007
Legal Actions Based on CPNI and Sec. 222
- Conboy v. AT&T Corp., 241 F.3d 242 (2nd Cir. 2001)
Qwest and CPNI
- Qwest Argues for Limit to Privacy in FCC Filing, Wash Tech 2/11/02
- Your phone calls for sale?, CNET 1/30/02
- Qwest Plan Stirs Protest Over Privacy, NYTimes 1/2/02
- EPIC Letter to Qwest Jan 7, 2002
- Wellstone Calls Qwest Announcement Positive First Step January 28, 2002
- Qwest Letter to Washington State Attorney General Jan 25, 2002
- Washington State Attorney General letter to Qwest Jan 14, 2002
- Senator Wellstone Press Release about letter to the FCC on Qwest situation Jan 14, 2002
- FCC Protecting Customer Proprietary Network Information
- SWBT (SBC) CPNI Policy: Your Customer Proprietary Network Information Rights
- SNET's (SBC) CPNI Statement
- Ameritech CPNI Statement
- PacBell CPNI Statement
- Nevada Bell CPNI Statement
- Bell South CPNI, ACI and Wholesale Information Policy
- EPIC CPNI Page (good explanation)
- NARUC Resolutions on CPNI 2000
- Privacy Rights Opt Out of Releasing CPNI
- Jon Brodkin, FCC to Halt Rule that Protects Your Private Data from Security Breaches, Ars Technica 2/24/17
- New FCC Chairman Begins Attacks on Internet Privacy EFF Feb 2017
- 'I Know Who You Called Last Month' (CPNI), MSNBC 10/18/01
- Court Won't Limit Use of Phone Data NYT 6/5
- CPNI Certificate No-Shows Spanked For $20K Each, CommLawBlog 2/26/2009
- Court Tosses Challenge to "Opt-in" Requirement for CPNI Disclosure, CommLawBlog 2/18/2009
- Verizon Staff Fired After Peek at Obama's Calls, Internet News 11/25/2008
- Verizon Letter on Privacy Stirs Debate, NYT 10/18/2007
- Verizon Wireless Comment on CPNI, Verizon 10/18/2007
- NAAG: Press Release 39 Attorneys General, the District of Columbia Corporation Counsel, and the Georgia Governors Office of Consumer Affairs Submit Comments to FCC Urging Better Privacy Protections For Consumers Jan 2002
- State AGs Push Opt-In Rules For Telcos, Newsbytes 1/2/02