CPNI (Customer Proprietary Network Information)
- FCC Updates Privacy Rules for Mobile Devices, EPIC Provided Comments: The Federal Communications Commission has ruled telecommunications carriers must follow the safeguards for Consumer Proprietary Network Information for information stored on mobile devices. "When a telecommunications carrier collects CPNI using its control of its customers' mobile devices, and the carrier or its designee has access to or control over the information, the carrier is responsible for safeguarding that information," the Commission wrote. Chairwomen Clyburn wrote that "[p]rotecting consumer privacy is a key component of our mission to serve the public interest," while Commissioner Rosenworcel urged the Commission to take note of the growing "market incentives to keep our data and slice and dice it to inform commercial activity." EPIC participated in the agency review and filed comments urging the Commission to require mobile carriers to implement fair information practices and to adopt techniques for encryption. EPIC has also asked the FCC to investigate Verizon for unlawfully disclosing the telephone records of millions of Americans in response to an invalid order from the Foreign Intelligence Surveillance Court. For more information, see EPIC: Customer Proprietary Network Information. (Jun. 28, 2013)
- Rep. Markey Introduces Mobile Privacy Act: Representative Edward Markey (D-MA) introduced "The Mobile Device Privacy Act," a bill that would require companies disclose the existence of monitoring software to consumers and obtain consent before using this software to collect personal information. The bill, H.R. 6337, would also direct the Federal Trade Commission and the Federal Communications Commission to develop rules implementing the act’s provisions. Recently, EPIC filed comments with the FCC urging the Commission to require mobile carriers to implement comprehensive fair information practices. For more information, see EPIC: Customer Proprietary Network Information and EPIC: Location Privacy. (Sep. 12, 2012)
- EPIC Calls on FCC to Require Mobile Phone Carriers to Protect Privacy: EPIC, joined by Consumer Watchdog, submitted comments to the Federal Communications Commission on the privacy and security of information stored on mobile phones. The comments discussed the various privacy risks created by the business practices of many carriers, and recommended that the FCC require mobile carriers to implement comprehensive privacy and security protections based on Fair Information Practices. EPIC previously wrote to the FCC in 2007 to call for increased protections for customers' Customer Proprietary Network Information, and in 2001 to urge the FCC to establish fair location information practices. For more information, see EPIC: Customer Proprietary Network Information and EPIC: Location Privacy. (Jul. 17, 2012)
- EPIC Urges Congress to Reform ECPA, Safeguard Locational Data: EPIC has filed a statement for the record in a hearing on the Electronic Communications Privacy Act, (ECPA) "ECPA Reform and the Revolution in Location Based Technologies and Services" before the House Committee on the Judiciary. EPIC recommends that Congress consider the need to protect locational data for users of new communications services. The statement calls attention to several recent developments, including Apple's iOS 4. EPIC had previously recommended that the FCC establish guidelines for the protection of users' locational privacy. For more information, see EPIC: CPNI. (Jun. 23, 2010)
- EPIC Urges Congress to Adopt Privacy Safeguards for Locational Data: Today, EPIC submitted comments for an upcoming joint hearing on "The Collection and Use of Location Information for Commercial Purposes." EPIC cited the growing uses of location data for advertising and tracking purposes, typically without any legal protections, and noted widespread support among US and European consumer organizations for clear protections. EPIC recommended that Congress establish strong rules, similar to those in the European Union Eprivacy Directive, that would give users meaningful control over their locational data. EPIC had previously recommended that the F.C.C. establish guidelines for the protection of users' locational privacy. For more information, see EPIC: CPNI. (Feb. 23, 2010)
- Trade Commission Prohibits Robocalls: The Federal Trade Commission is prohibiting commercial telemarketing calls to consumers after September 1, 2009. The agency amended the Telemarketing Sales Rule, which imposes a penalty of $16,000 per call, to cover sellers and telemarketers who transmit prerecorded messages to consumers who have not agreed in writing to accept such messages. The Telemarketing Rule is authorized under the Telemarketing and Consumer Fraud and Abuse Prevention Act. The new rule does not prohibit informational messages or calls by politicians, banks, telephone carriers, and charities. EPIC has urged the FCC to require strong privacy safeguards for telephone customers' personal information, and protect wireless subscribers from telemarketing. See also EPIC Telemarketing and Telephone Consumer Protection Act. (Aug. 28, 2009)
- EPIC Calls on FCC to Continue Privacy Commitments for Broadband Deployment : In response to a request from the Federal Communication Commission concerning the future of the US Broadband Infrastructure, EPIC urged the FCC to secure the privacy interests of consumers and Internet users. EPIC recommended the Commission desist from collecting personal information, adopt robust privacy safeguards, avoid use of Deep Packet Inspection, and require protections for electronic medical records. EPIC noted the long tradition of establishing privacy protections as new communications technologies emerged in the United States. EPIC previously advocated for the FCC to require strong privacy safeguards for telephone customers' personal information, and protect wireless subscribers from telemarketing. See EPIC's page on CPNI and Deep Packet Inspection and Privacy. (Jun. 9, 2009)
- Federal Appeals Court Upholds Opt-In Privacy Rule for Telephone Services.Today, a federal court in the District of Columbia upheld telephone privacy regulations that require phone companies to obtain affirmative, opt-in consent from customers before they disclose personal information to outside corporations. The decision rejects an industry challenge to the rule. The Court recognized that "the government has a substantial interest in protecting the privacy of customer information and that requiring customer approval advances that interest," and cited EPIC's 2005 petition as spurring the rulemaking process. In May 2008, EPIC filed a "friend of the court" brief urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. For more, see EPIC's page on NCTA v. FCC. (Feb. 13)
- Federal Appeals Court Hears Telephone Privacy Case On September 10, 2008, a federal court in the District of Columbia heard arguments in a challenge to telephone privacy regulations. At issue is a federal rule (pdf) requiring telephone companies to obtain affirmative, opt-in consent from customers before they disclose personal information to outside corporations. An industry group challenged the privacy rule. In May, EPIC filed a "friend of the court" brief (pdf) urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. "Consumers have a legitimate expectation of privacy with respect to sensitive personal information such as whom they call on a telephone," the brief said. "An opt-out policy would provide neither adequate protection for consumer data nor sufficient notice to consumers." See EPIC page on NCTA v. FCC. (Sept. 11)
- EPIC, Privacy Groups, Technical Experts, and Legal Scholars Support Opt-In for Telephone Services. EPIC filed a "friend of the court" brief (pdf) today in federal appellate court urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. At issue is the Federal Communications Commission's Order (pdf) that protects consumers' telephone record information, which the National Cable and Telecommunications Association has challenged. "Consumers have a legitimate expectation of privacy with respect to sensitive personal information such as whom they call on a telephone," the brief said. "An opt-out policy would provide neither adequate protection for consumer data nor sufficient notice to consumers." See EPIC page on NCTA v. FCC. (May 6)
- Cable Industry Opposes Consumer Privacy Safeguards. The National Cable and Telecommunications Association has filed a complaint with a federal appeals court challenging the FCC's rule (pdf) that would protect the protect of consumers telephone record information. EPIC petitioned the FCC to establish these safeguards after mounting evidence of "pretexting" and identity theft, based on the misuse of telephone records. The industry groups claim a First Amendment right to disclose customer information. Courts have typically rejected that argument. (Aug. 8, 2007)
- EPIC and Consumer Coalition Urge FCC to Adopt Stronger Privacy Safeguards for Telephone Records. In comments (pdf) filed with the Federal Communications Commission, EPIC and a coalition of nine other privacy and consumer groups called for stronger safeguards for customers' telephone records. The Consumer Coalition recommended that the FCC establish comprehensive privacy rules that would require telephone companies to limit access to and retention of consumer call data, safeguard the data stored in mobile phones, and curtail delays of customer notification of security breaches. In response to a 2005 EPIC petition, the FCC earlier this month adopted new rules to strengthen the security of consumers' phone records and requested comments on additional security proposals. (July 9, 2007)
- New Privacy Safeguards for Telephone Customers. In response to a petition filed by EPIC, the Federal Communications Commission issued new rules (pdf) to protect the privacy of consumers' telephone records. The new safeguards prohibit unauthorized access to phone records, require passwords for customer accounts, require notice of any changes to account information, and establish opt-in consent before disclosing customer information. The FCC also announced a new rulemaking (pdf) to consider such issues as audit trails, data retention, and safeguards for information stored in cell phones. Comments are due July 9, 2007. (Apr. 2, 2007)
- Comments of EPIC and nine other privacy and consumer groups (pdf) (July 9, 2007)
- FCC Press Release (pdf) (April 2007)
- Statement of Chairman Martin (pdf) (April 2007): "The 'opt-in' approach adopted in this Order clearly is supported by the record, is consistent with applicable law, and directly advances our interest in protecting customer privacy."
- Statement of Commissioner Copps (pdf) (April 2007): "The Commission adopts a process by which customers could be left totally uninformed of unauthorized access to their CPNI for 14 days . . as some have described it, it is akin to not telling victims of a burglary that their home has been broken into because law enforcement needs to continue dusting for fingerprints."
- Statement of Commissioner Tate (pdf) (April 2007): "Indeed the law places a duty on telecommunications providers to protect this information and today, we take important steps to better secure private telephone records."
- Statement of Commissioner Adelstein (pdf) (April 2007): "[T]his order set up a process which can result in the unnecessary and even indefinite delay of consumer notification without any accountability."
- Statement of Commissioner McDowell (April 2007): "[O]ur rules should strike a careful balance . . . the Further Notice seeks comment on [finding this balance]."
Customer proprietary network information (CPNI) is the data collected by telecommunications corporations about a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill.
Although telecommunications companies were previously able to sell this data to third party companies for marketing purposes, the Telecommunications Act of 1996 required telecommunications companies to obtain customers' approval prior to sharing their CPNI with third parties. However, there was a difference of opinion on the interpretation of "approval." EPIC and other privacy advocates and consumer rights groups argued that "approval" implied that a consumer had to give positive, express consent to the sharing of information: that is, to "opt-in" to the marketing scheme. Telecommunications companies argued that they could start from a presumption of approval, and allow customers the choice to "opt-out" of the marketing program by explicitly withdrawing their consent. In 1998, the Federal Communications Commission (FCC) instituted a rule requiring that customers "opt-in" to the marketing program for personal information contained in their CPNI to be shared or used for marketing purposes.
Local telephone service provider U.S. West Inc. challenged the FCC rule in the Federal Court of Appeals for the 10th Circuit. They argued for an opt-out approach, which they suggested would protect their commercial free speech right to market data they collect on customers, while allowing consumers the opportunity to opt-out of such marketing arrangements if they did not want to participate. The court found that the FCC had failed to provide adequate evidence to establish that the rule furthered a substantial government interest, that it materially advanced such an interest, and that it was narrowly tailored to serve that interest.
In September 2001, the FCC issued a clarification of their initial order, permitting carriers to rely on "opt-out" means to secure customer approval to use their CPNI for marketing as an interim measure. The FCC further requested comments from all parties on how it should proceed with the rulemaking proceeding, and to create "a more complete record" on the issues implicated.
In July 2002, the Commission officially adopted rules providing for opt-in--or express consent--customer approval for carriers' release of customer information to third parties, but permitting opt-out consent for release of information to affiliated parties.
On April 2, 2007, the Federal Communications Committee issued a Final Order (pdf) regulating access to CPNI records. These rules were published in the Federal Register on June 8, 2007. At the same time, the FCC released a further notice of proposed rulemaking, seeking comments on whether it should expand its rules to protect privacy even more. Comments are due July 9, 2007, and reply comments are due August 7, 2007.
The new FCC rules require customers to provide a password when customers contact a carrier before the carrier can release call-detail CPNI. Carriers must also password protect online CPNI access. In addition, the new rules require carriers to notify customers of account changes, such as if the customer's password or address changes, and to notify customers of unauthorized disclosure of CPNI. However, law enforcement agencies can delay customer notification. The rules further require carriers to obtain opt-in consent from customers before disclosing their CPNI to a carrier's joint venture partner or independent contractor for marketing purposes, whereas the older rules only required opt-in consent for disclosure of call detail information to third parties.
The new rules are in response to a petition filed by EPIC in August 2005, in which EPIC urged the FCC to require security measures to protect access to CPNI from pretexters and other unauthorized parties. Specifically, EPIC recommended the FCC require consumer-set passwords, security breach notification, audit trails, encryption, and limiting data retention. EPIC and other privacy groups submitted comments to the FCC on April 14, 2006, addressing specific questions the FCC asked in response to EPIC's petition. The FCC's new rules address the first two recommendations in EPIC's petition, and the FCC now seeks comments on the latter three.
Following is a list of numbers available for customers choosing to opt-out of their telecommunications carriers' information-sharing programs:
- Verizon customers wishing to opt-out may call (866) 483-9600. View Verizon's opt-out notice.
- SBC-Ameritech customers wishing to opt-out may call (800) 303-7260. View Ameritech's opt-out notice.
- Washington State Adopts Customer-Privacy Rules. Washington State adopted the nation's strongest rules protecting telephone customer privacy, more protective of customer privacy than those adopted in July by the Federal Communications Commission. (The FCC's July Order specifically left open the possibility of more protective state regulation.) The Washington rules mandate opt-in--express approval--for all "call detail" information, and permit information sharing only within companies under common ownership. EPIC and WashPIRG submitted comments in the Washington proceeding, urging the state to adopt opt-in for all calling data. (Nov. 7, 2002)
- FCC Adopts Modified Opt-In Plan for Customer Information. The Federal Communications Commission adopted rules (pdf) designed to protect sensitive personal information of customers of telecommunications carriers. The Order provides for opt-in--or express consent--customer approval for carriers' release of customer information to third parties, but permits opt-out consent for release of information to affiliated parties. The Order specifically states that the Commission will not block or preempt state efforts to further protect CPNI. EPIC, other consumer groups, and 39 state Attorneys General filed comments (PDF) with the Federal Communications Commission in 2001, urging the FCC to adopt opt-in for all customer calling data. (July 17, 2002)
- "Opt-In" CPNI Bill Introduced in Senate. Senator Paul Wellstone (D-MN) introduced S. 1928, a bill that would amend the 1996 Communications Act to require affirmative written consent by a customer to the release of customer proprietary network information. The bill has been referred to the Senate Commerce Committee. In related news, the Maryland Office of the People's Counsel--an independent state agency that represents residential customers in utility matters--sent a letter to the Public Service Commission of Maryland, requesting that the Commission take action to investigate Verizon's recently implemented opt-out marketing plan for customer data. (Feb. 13, 2002)
- EPIC Recommends Phone Companies to Drop Marketing Plan. In letters to Ameritech President Gail Torreano and Verizon President Ivan Seidenberg, EPIC urged the companies to follow Qwest's example by suspending their plans to use records of telephone calls for marketing purposes. Both phone companies sent opt-out notice to customers in the most recent billing statement. The notices, which required customers to telephone a toll-free number to opt-out of the sale of their calling data, have sparked controversy as customers attempting to use the toll-free number experienced numerous difficulties. (Feb. 7, 2002)
- Qwest Backs Down from Marketing Plan. In response to a national campaign led by EPIC, with the support of state Attorneys General and consumers nationwide, Qwest Communications announced today that it is withdrawing plans for opt-out marketing with customer telephone records, or "CPNI." Citing numerous customer concerns, the company has stated that it will wait until the Federal Communications Commission (FCC) has proposed a final rule on the issue. EPIC initiated the campaign for opt-in at the FCC last November. (Jan. 28, 2002)
- Qwest Responds to Attorney General's Concerns. In a letter to Washington State Attorney General Christine Gregoire, Qwest Vice President Kirk Nelson responded to the Attorney General's concerns expressed in her January 14 letter to the company. (Jan. 25, 2002)
- Arizona Commissioners Take Action on Qwest Plan. Arizona Corporation Commissioners say they are willing to sue Qwest to stop it from sharing its customers' personal information. The commissioners' statement came during a special open meeting held regarding Qwest's recently issued opt-out notice. Commissioner Marc Spitzer commented, "The right to privacy is a fundamental American value. In Arizona, our state constitution specifically recognizes and guarantees that right." The Commissioners have directed their legal staff to open a rulemaking that would stop the company from implementing an opt-out policy. (Jan. 22, 2002)
- States Question Bells' Plan to Exploit Customer Information. Michigan Attorney General Jennifer Granholm wrote a letter to SBC/Ameritech asking the company for more information about its plan to sell customer information. Granholm said the opt-out notice included in customers' January bill was vague, unclear, and not designed to be brought to customers' attention. Granholm was one of the 30 state attorneys general who filed comments with the FCC in December calling for affimative consent of customers before cpni could be sold. Also, the Arizona Corporation Commission said it would seek a federal court injunction if necessary to block Qwest from sharing data about customer calling habits under an "opt-out" provision until the Federal Communications Commission settles the issue. (Jan. 16, 2002)
- State Attorney General, U.S. Senator Question Qwest Plan. In a letter to Qwest Vice President Kirk Nelson, Washington State Attorney General Christine Gregoire urged Qwest to suspend its recently implemented opt-out marketing plan. The letter states that Qwest's opt-out letter, contained within the last billing statement, "was not written in clear and conspicious terms or designed in a way to alert customers to the important decision they should make." The letter also mentions numerous customer complaints -- such as disconnects and inability to reach an operator -- following attempts to opt-out. Senator Paul Wellstone (D-MN) sent a letter to FCC Chairman Powell today on the same matter, urging the FCC to protect consumer privacy by adopting an opt-in approach. Wellstone also gave a press conference in Minnesota today, urging Qwest to truly obtain customer consent by adopting an opt-in approach. (Jan. 14, 2002)
- FCC Still Seeking Comments for Calling Data Rulemaking. Following Qwest's initiation of an opt-out marketing plan for calling data, the FCC announced that they will continue to accept comments from consumers wishing to express their opinion in this ongoing debate. Consumers wishing to do so can comment by e-mail, at firstname.lastname@example.org or by regular mail, FCC, 445 12th St. S.W., Washington, D.C. 20554, attn: Consumer Information Bureau. Reference Docket No. 96-115. Customers in 14 states are affected by Qwest's marketing plan. The Seattle Times reports that customers attempting to opt-out continue to express frustration and to question Qwest's sincerity about its offer to protect privacy. (Jan. 9, 2002)
- EPIC Urges Qwest to Drop Marketing Plan for Calling Data. In a letter to Qwest President Afshin Mohebbi, EPIC is urging Qwest to suspend the plan to use records of telephone calls for marketing purposes based only upon the opt-out notice provided to Qwest customers in the most recent billing statement. The notices, which required customers to telephone a toll-free number to opt-out of the sale of their calling data, have sparked controversy as customers attempting to use the toll-free number experienced numerous difficulties. (Jan. 8, 2002)
- Groups Urge FCC to Protect Phone Privacy. EPIC and other consumer groups have filed reply comments with the Federal Communications Commission with detailed arguments in support of an opt-in standard for customer calling data. Telecommunications companies wish to sell customer calling data, known as Customer Proprietary Network Information (CPNI), for marketing and profiling purposes. This information includes subscribers' names, addresses, calling records, and service options. (Nov. 16, 2001)
- Consumer Groups Urge FCC to Protect Phone Privacy. On November 1, EPIC and 17 civil liberties and consumer groups filed comments with the Federal Communications Commission urging the FCC to adopt opt-in for customer calling data. The FCC's request for comments followed a federal court decision that the FCC's original opt-in proposal violated the First Amendment because there was not adequate evidence that opt-in would protect customer privacy interests. The new comments note that 86 percent of consumers favor opt-in for communications services. (Nov. 6, 2001)
Qwest Opt-Out Notice
In a billing statement sent out in early January 2002, Qwest (previously U.S. West) informed its customers about the calling information collected and marketed by Qwest and gave the customers the option of opting out of the marketing agreement. This notice sparked a public outcry as consumers were taken by surprise that their personal data could be marketed in this manner. Shortly thereafter, SBC Ameritech and Verizon introduced similar marketing plans.
In response to a national campaign led by EPIC, with the support of state Attorneys General and consumers nationwide, in late January Qwest withdrew its plan to implement opt-out marketing of CPNI. Citing numerous customer concerns, the company stated that it would wait until the Federal Communications Commission (FCC) proposed a final rule on the issue, expected during the summer of 2002.
The Washington State Utilities and Transportation Commision issued proposed rules concerning treatment of CPNI information by telecommunications carriers. The rules distinguish between sensitive customer information such as call records, and non-sensitiive, such as services subscribed to. Telecommunications carriers must allow customers to "opt-in" to use of sensitive information, but can apply the lower "opt-out" standard where non-sensitive information is at issue.
EPIC filed comments and reply comments (with WashPIRG) in this rulemaking, arguing that opt-in is constitutional, and in fact should apply to all customer information. The comments referenced the decision by Qwest to withdraw from its opt-out marketing plan, as well as the referendum in North Dakota which passed by 72 percent to reestablish opt-in privacy protections for financial information, the first time citizens have had the opportunity to vote directly on opt-in. Qwest filed comments and reply comments in the rulemaking as well, stating that "the government cannot depress the communication of lawful speech to potentially interested persons in order to protect uneducated, inattentive adults."
In November 2002, the Commission adopted a modified version of the proposed rules, in light of the FCC's July Order. The rules mandate opt-in--express approval--for all "call detail" information, and permit information sharing only within companies under common ownership.
Following the implementation of the new rules for Washington State, Verizon filed litigation against the Washington Utilities and Transportation Commission challenging the legality of the opt-in provisions. As of December 2002, WUTC reports that Verizon was denied a suspension in order to prevent the implementation of the new rules before January 1, 2003. Verizon and its affiliates argue that the Washington regulations are unconstitutional due to vagueness under the Due Process Clause as well as violating the commercial free speech of the telecommunication companies under the First Amendment. They also allege violations of the Commerce Clause, illegal property confiscation under the Fifth Amendment, and infringements upon the companies' rights guaranteed by the FCC rules under the color of state law. The WUTC responded in federal court to Verizon's challenges. On December 23, 2002, the WUTC also filed comments to the FCC in response to Verizon's petition for reconsideration. Judge Barbara Rothstein will decide upon the preliminary injunction at the end of January, 2003.
- FCC CPNI Order, released in July 2002.
- WUTC response to Verizon's request for preliminary injuction in federal court, filed in December 2002.
- WUTC comments in response to Verizon's challenge to CPNI rules, filed in December 2002.
- Washington State CPNI rules, released in November 2002.
- Comments (PDF) of EPIC and others to the FCC, filed in November 2001.
- Reply comments (PDF) of EPIC and others to the FCC, filed in November 2001.
- Decision (PDF) in U.S. West, Inc. v. FCC.
- FCC's petition for rehearing en banc of U.S. West, Inc. v. FCC
- EPIC's Amici Curiae (PDF) in support of FCC's petition for rehearing en banc of U.S. West, Inc. v. FCC.
- FCC Filings: Text of documents related to the proceeding on customer proprietary network information are available by doing a search for the proceeding number "96-115" in the Electronic Comments Filing System at the Web site of the Federal Communications Commission.
- NARUC Resolutions and Policy Positions 2000, urging Congressional action on CPNI protection following the U.S. West decision.