Customer proprietary network information (CPNI) is the data collected by telecommunications corporations about a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill.
Although telecommunications companies were previously able to sell this data to third party companies for marketing purposes, the Telecommunications Act of 1996 required telecommunications companies to obtain customers' approval prior to sharing their CPNI with third parties. However, there was a difference of opinion on the interpretation of "approval." EPIC and other privacy advocates and consumer rights groups argued that "approval" implied that a consumer had to give positive, express consent to the sharing of information: that is, to "opt-in" to the marketing scheme. Telecommunications companies argued that they could start from a presumption of approval, and allow customers the choice to "opt-out" of the marketing program by explicitly withdrawing their consent.
In August 2005, EPIC filed a petition urging the Federal Communications Commission (FCC) to require security measures to protect access to CPNI from pretexters and other unauthorized parties. Specifically, EPIC recommended the FCC require consumer-set passwords, security breach notification, audit trails, encryption, and limiting data retention. EPIC and other privacy groups submitted comments to the FCC on April 14, 2006, addressing specific questions the FCC asked in response to EPIC's petition.
On April 2, 2007, the FCC issued a Final Order (pdf) regulating access to CPNI records. These rules were published in the Federal Register on June 8, 2007. At the same time, the FCC released a further notice of proposed rulemaking, seeking comments on whether it should expand its rules to protect privacy even more. The rules were issued in response to EPIC's August 2005 petition. The FCC's new rules address the first two recommendations in EPIC's petition, and the FCC sought comments on the latter three.
In July 2007 comments (pdf) filed with the Federal Communications Commission, EPIC and a coalition of nine other privacy and consumer groups called for stronger safeguards for customers' telephone records. The Consumer Coalition recommended that the FCC establish comprehensive privacy rules that would require telephone companies to limit access to and retention of consumer call data, safeguard the data stored in mobile phones, and curtail delays of customer notification of security breaches.
The new FCC rules issued in April 2007 require a customer who contacts a carrier to provide a password before the carrier can release call-detail CPNI. Carriers must also password-protect online CPNI access. In addition, the new rules require carriers to notify customers of account changes, such as a change to the customer's password or address, and to notify customers of unauthorized disclosure of CPNI. However, law enforcement agencies can delay customer notification. The rules further require carriers to obtain opt-in consent from customers before disclosing their CPNI to a carrier's joint venture partner or independent contractor for marketing purposes, whereas the older rules only required opt-in consent for disclosure of call detail information to third parties.
In August 2007, the National Cable and Telecommunications Association (NCTA) filed a complaint with a federal appeals court challenging the FCC's new rules, which would protect consumers' telephone record information. The industry groups claim a First Amendment right to disclose customer information.
In its March 14 filing to the DC Circuit Court of Appeals, the National Cable and Telecommunications Association (NCTA) made two arguments: 1) "The CPNI opt-in rule violates the First Amendment," and 2) "The CPNI opt-in rule is arbitrary and capricious under the Administrative Procedure Act."
Under the argument that the FCC is violating the First Amendment, the NCTA claims that the rule should be reviewed under the "intermediate scrutiny" test. The NCTA claims the FCC rule fails this test because, the NCTA argues, the rule "restricts protected speech without directly and materially advancing the identified state interest" and is "not narrowly tailored to the governmental interests."
Under the argument that the FCC is violating the Administrative Procedure Act, the NCTA claims, "The Commission has not provided a satisfactory explanation" for choosing the opt-in rule over an opt-out regime. The NCTA also claims that the Commission "failed to consider competitive harms" and that there is "no rational connection between the facts found and the decision to require opt-in."
In its argument that the CPNI opt-in rule violates the First Amendment, the NCTA points to US West v. FCC, 182 F.3d 1224 (10th Cir. 1999). In a split decision, the Tenth Circuit Court of Appeals invalidated the Federal Communications Commission’s February 1998 Order requiring telecommunications carriers to obtain express customer approval before they can disclose CPNI they collect as a result of providing their services. The majority's opinion vacated the FCC's CPNI Order, finding it inconsistent with protected "speech" interests of the telephone company.
However, since US West, courts have found that legislation protecting personal information does not unlawfully impinge upon commercial free speech. Two such cases are: Trans Union v. FTC and IRSG v. FTC.
In Trans Union v. FTC, 245 F.3d 809 (D.C. Cir. 2001), the D.C. Circuit upheld the Fair Credit Reporting Act against First Amendment challenges to restrictions on marketing use of credit files. The court found that the government’s interest in keeping personally identifiable information private was substantial and upheld the FTC’s ban on the sale of target marketing lists.
In IRSG v. FTC, 145 F. Supp. 2d 6, No. 00-1828 (D.D.C. 2001), the D.C. District Court upheld Federal Trade Commission regulations that required information brokers to give notice and an opportunity to opt-out to individuals before selling the individuals’ "credit header" information (including: name, address, Social Security number). On summary judgment, the court rejected IRSG's First and Fifth Amendment claims, stating:
"The speech does not involve any matter of public concern, but consists of information of interest solely to the speaker and the client audience. Thus, restriction on the dissemination of this nonpublic personal information does not impinge upon any public debate."
This decision was affirmed in Trans Union v. FTC, No. 01-5202 (D.C. Cir. 2002).
The new rules at issue in this case, NCTA v. FCC, were issued by the Federal Communications Commission in response to EPIC's August 2005 petition to the agency. EPIC believes these safeguards are necessary in light of mounting evidence of "pretexting" and identity theft based on the misuse of telephone records. A decision against the FCC would jeopardize an individual's right to privacy, because individuals have a significant interest in controlling distribution of their personal information. EPIC does not believe the NCTA can support its claim of a First Amendment right to disclose consumer information.
In its amicus, EPIC will explain: (1) individuals have a significant interest in controlling distribution of their personal information and in preventing others from profiting by its use; (2) the FCC's Order does not restrict NCTA's right to communicate with its customers; (3) the FCC order is like many state and federal laws that limit the disclosure of personal information by private entities without implicating the First Amendment; and (4) the FCC properly interpreted the intent of the Congress by choosing the most effective means for protecting the privacy interests of consumers, which is the opt-in process.
Last Updated: May 6, 2008
Page URL: http://www.epic.org/privacy/nctafcc/default.html