CPNI (Customer Proprietary Network Information)

CPNI Overview

In the Telecommunications Act of 1996, Congress provided for the protection of Customer Proprietary Network Information (CPNI) and imposed an affirmative obligation of confidentiality for that information. The law defines CPNI (in 47 U.S.C. § 222(h)(1)) as:

(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and

(B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier;

except that such term does not include subscriber list information.

The Federal Communications Commission (FCC) is responsible for implementing and enforcing the Communications Act, including the CPNI provision. The FCC has promulgated several rules and conducted a number of inquiries interpreting and applying the CPNI provisions since the law was passed. The FCC has made clear that both telecommunications carriers and voice over IP carriers can only release customer information to third parties after obtaining opt-in consent from customers. This includes when a carrier shares CPNI information with a joint venture partner or independent contractor for marketing purposes. However, only opt-out consent is required when telecommunications carriers share CPNI with their affiliates for communications-related purposes.

The FCC has also required additional disclosures and certifications. First, carriers are required to contact law enforcement and customers when a customer’s CPNI has been breached. However, law enforcement agencies can delay customer notification. Second, carriers must require password protection for online customer accounts. Customers can get access to their CPNI over the phone with a password, or customers can obtain the information in person with a valid photo ID. Carriers are also required to immediately notify customers of changes to their online account. Finally, carriers are required to provide annual updates that add up the total number of CPNI complaints they receive from customers and any action that carriers have taken against data brokers.

History of CPNI in the FCC’s Rulemakings

The Original Opt-in Rule and US West Decision

Although telecommunications companies were previously able to sell CPNI data to third party companies for marketing purposes, the Telecommunications Act of 1996 required telecommunications companies to obtain customers’ approval prior to disclosing their CPNI to third parties. However, Congress left open the definition of what constitutes "approval of the customer." EPIC and other privacy advocates and consumer rights groups argued that "approval" should require affirmative, express consent from the consumer: that is, the consumer would have to "opt-in" to a disclosure or marketing scheme. Telecommunications companies argued that they could start from a presumption of approval, and allow customers the choice to "opt-out" from disclosure by explicitly withdrawing their consent. In 1998, the Federal Communications Commission (FCC) promulgated a rule requiring that providers obtain "opt-in" consent from consumers before disclosing CPNI to marketing partners.

Local telephone service provider U.S. West challenged the FCC rule in the U.S. Court of Appeals for the 10th Circuit. The provider argued that the opt-in requirement was unduly burdensome and violated their First Amendment rights given the alternative of an opt-out system. The company argued that an opt-out system would permit them to market data they collect on customers, while still allowing consumers the opportunity to opt-out of such marketing arrangements if they did not want to participate. The court found that the FCC had failed to provide adequate evidence to establish that the rule furthered a substantial government interest, that it materially advanced such an interest, and that it was narrowly tailored to serve that interest.

Further Rulemakings on Consumer Approval and CPNI Protection

In September 2001, the FCC issued a clarification of their initial order, permitting carriers to rely on "opt-out" means to secure customer approval to use their CPNI for marketing as an interim measure. The FCC further requested comments from all parties on how it should proceed with the rulemaking proceeding, and to create "a more complete record" on the issues implicated.

In July 2002, the Commission officially adopted rules providing for opt-in (or express consent) customer approval for carriers' release of customer information to third parties, but permitting opt-out consent for release of information to affiliated corporate entities.

In August 2005, EPIC filed a petition with the FCC to require security measures to protect access to CPNI from pretexters and other unauthorized parties. Specifically, EPIC recommended the FCC require consumer-set passwords, security breach notification, audit trails, encryption, and limiting data retention. EPIC and other privacy groups submitted comments to the FCC on April 14, 2006, addressing specific questions the FCC asked in response to EPIC's petition. The FCC's current rules address the first two recommendations in EPIC's petition. The FCC sought comments on the latter three, but the FCC has not acted on them.

On April 2, 2007, in response to EPIC’s petition, the Federal Communications Commission issued a Final Order regulating access to CPNI records. These rules were published in the Federal Register on June 8, 2007. At the same time, the FCC released a further notice of proposed rulemaking, seeking comments on whether it should expand its rules to protect privacy even more, though the FCC has not acted on those comments.

The FCC rules require customers to provide a password when customers contact a carrier before the carrier can release call-detail CPNI. Carriers must also password protect online CPNI access. In addition, the new rules require carriers to notify customers of account changes, such as if the customer's password or address changes, and to notify customers of unauthorized disclosure of CPNI. However, law enforcement agencies can delay customer notification. The rules further require carriers to obtain opt-in consent from customers before disclosing their CPNI to a carrier's joint venture partner or independent contractor for marketing purposes, whereas the older rules only required opt-in consent for disclosure of call detail information to third parties.

In August 2007, the National Cable and Telecommunications Association (NCTA) filed a Petition for Review of the FCC's new CPNI rules. The NCTA argued that: 1) "The CPNI opt-in rule violates the First Amendment," and 2) "The CPNI opt-in rule is arbitrary and capricious under the Administrative Procedure Act."

In May 2008, EPIC filed a "friend of the court" brief urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. The D.C. Circuit subsequently upheld the FCC’s opt-in rules and rejected the challenge brought by an industry association. The court upheld telephone privacy regulations that require phone companies to obtain affirmative, opt-in consent from customers before they disclose personal information to outside corporations. The court recognized that "the government has a substantial interest in protecting the privacy of customer information and that requiring customer approval advances that interest," and cited EPIC's 2005 petition as spurring the rulemaking process. For more, see EPIC's page on NCTA v. FCC.

The 2013 Declaratory Ruling on Mobile Location Data

In 2013, the FCC issued a declaratory ruling clarifying that CPNI protections apply to information collected from a mobile device. The FCC ruled that mobile carriers must safeguard consumers’ sensitive information when that information is both collected by the mobile carrier and controlled by the mobile carrier or the mobile carrier’s agent. In the ruling, the FCC also clarified that “the location of a customer’s use of a telecommunications service also clearly qualifies as CPNI.”

The Commission established in the Order that CPNI includes information about a consumer’s location “at the time” a call is made or received. However, the Commission has not yet determined whether CPNI also includes location information generated when a consumer is not making or receiving a phone call—for example, when a customer’s mobile phone is downloading data or passively connecting to a tower. The FCC acknowledged in the 2013 Order that “location information in particular can be very sensitive.”

Impact of the 2015 Open Internet Order (and subsequent repeal) on the CPNI Rule

Several years after the Telecommunications Act was passed, the Commission initiated a proceeding to determine the classification of Internet access services offered by cable providers (“cable modem” service). In 2002 the FCC issued a declaratory ruling that cable modem service was an “information service” and thus not subject to common carriage regulations under Title II of the Act. The Commission issued similar orders in 2005 classifying wireline broadband internet access service as an information service, and again in 2007 classifying wireless broadband access service as an information service or “private mobile service” not subject to Title II. Then in 2015, the FCC passed its Open Internet Order, reclassifying wireline broadband Internet access service as a “telecommunications service” subject to Title II. The Commission also reclassified mobile broadband Internet access service as a commercial mobile service subject to Title II. As a result of the 2015 Order, both fixed and mobile broadband services were subject to the CPNI rules.

Following the Open Internet Order, the FCC initiated a rulemaking to address consumer privacy for broadband services. These rules, finalized in 2016, would have clarified how the CPNI provisions applied to broadband providers. However, Congress and the president overturned those rules under the Congressional Review Act on April 3, 2017. In December of 2017, the FCC also reversed its decision to reclassify broadband Internet access services (the new order took full effect on June 11, 2018). The 2017 Order reclassified fixed and mobile broadband services again as “information services.” As a result of the reclassification, broadband providers are no longer subject to the CPNI rules.

Under the FCC’s now-defunct 2016 Privacy Order, the FCC would have required voice service providers and internet providers to obtain opt-in consent from consumers before using and disclosing “sensitive” customer proprietary information. This sensitive information included the traditional CPNI call detail information, as well as information about a consumer’s finances, health, precise location, IP addresses, social security numbers, web and app history, the content of communications, and information about children.

Mobile Location Data as CPNI

The FCC has defined CPNI to include information about a consumer’s location “at the time” a call is made or received. However, the FCC has not ruled whether CPNI also includes location information collected when a consumer is not making or receiving a phone call—for example, cell phone location data generated during data transfers, cell phone tower data collected during routine ‘pings,’ and GPS data generated by the devices themselves. However, the commission has stated that “location information in particular can be very sensitive customer information.”

The relevant statute, 47 U.S.C. 222, defines CPNI as information that “relates to” the location of the use of a telecommunications service. The statute includes an exception that allows telecommunications carriers to provide “call location information” in emergency situations like 911 calls, but it limits the sharing of that location information outside of emergencies.

In the FCC’s 2013 CPNI Declaratory Ruling, the Commission ruled that information that telecommunications providers collect from a consumer’s mobile phone can be CPNI. The Commission noted that “the location of a customer’s use of a telecommunications service also clearly qualifies as CPNI.” The 2013 Order makes equally clear that the definition of CPNI does not include information that a carrier collects when it is not acting as a telecommunications carrier. For example, information about a customer’s use of a broadband data network, including web browsing history or app data, is not CPNI under the current rules. However, the FCC can still impose similar rules on non-telecommunications carriers under its ancillary authority. For example, in a 2007 CPNI Order, the FCC used its ancillary authority to apply CPNI obligations to voice over IP providers.

The FCC’s 2016 Privacy Order classified location information as CPNI regardless of the technology used to obtain it, but Congress and the President rolled back those regulations in 2017.

EPIC Interest

EPIC has advocated for the protection of CPNI since the provision was enacted in the Telecommunications Act. EPIC filed the original 2005 petition urging the FCC to increase its CPNI privacy protections. EPIC also advocated for uniform privacy standards for both telecommunications and information service providers in the 2016 Privacy Order. EPIC also filed a new petition in 2014 asking the FCC to repeal its data retention mandate for call history information. That petition was docketed in 2017 and is currently pending before the agency.

Campaign Against Qwest Opt-Out Proposal

In a billing statement sent out in early January 2002, Qwest (previously U.S. West) informed its customers about the calling information collected and marketed by Qwest and gave the customers the option of opting out of the marketing agreement. This notice sparked a public outcry as consumers were taken by surprise that their personal data could be marketed in this manner. Shortly thereafter, SBC Ameritech and Verizon introduced similar marketing plans.

In response to a national campaign led by EPIC, with the support of state Attorneys General and consumers nationwide, in late January Qwest withdrew its plan to implement opt-out marketing of CPNI. Citing numerous customer concerns, the company stated that it would wait until the Federal Communications Commission (FCC) proposed a final rule on the issue.

Related Work on the Opt-in Campaign

The Washington State Utilities and Transportation Commission issued proposed rules concerning treatment of CPNI information by telecommunications carriers. The rules distinguish between sensitive customer information such as call records, and non-sensitive, such as services subscribed to. Telecommunications carriers must allow customers to "opt-in" to use of sensitive information, but can apply the lower "opt-out" standard where non-sensitive information is at issue.

EPIC filed comments and reply comments (with WashPIRG) in this rulemaking, arguing that opt-in is constitutional, and in fact should apply to all customer information. The comments referenced the decision by Qwest to withdraw from its opt-out marketing plan, as well as the referendum in North Dakota which passed by 72 percent to reestablish opt-in privacy protections for financial information, the first time citizens have had the opportunity to vote directly on opt-in. Qwest filed comments and reply comments in the rulemaking as well, stating that "the government cannot depress the communication of lawful speech to potentially interested persons in order to protect uneducated, inattentive adults."

In November 2002, the Commission adopted a modified version of the proposed rules, in light of the FCC's July Order. The rules mandate opt-in--express approval--for all "call detail" information, and permit information sharing only within companies under common ownership.

Following the implementation of the new rules for Washington State, Verizon filed litigation against the Washington Utilities and Transportation Commission challenging the legality of the opt-in provisions. On December 23, 2002, the WUTC filed comments to the FCC in response to Verizon's petition for reconsideration.

On August 26, 2003, U.S. District Court Judge Barbara Rothstein overturned the state regulations, ruling that the opt-in provision did not comply with the First Amendment because the regulations did not directly advance the state’s interest and there were less burdensome ways to advance the state’s interest. 282 F.Supp.2d 1187. The judge pointed out that the regulations did not directly advance the state’s interest because they only applied to landline phones — and not mobile phones — and that there were so many exceptions to the regulations that they were “dauntingly confusing” for consumers. The court also pointed to the option of a less burdensome opt-out regime. The state eventually adopted CPNI regulations consistent with the FCC.

EPIC’s 2005 Petition

In August 2005, EPIC filed a petition with the FCC to require security measures to protect access to CPNI from pretexters and other unauthorized parties. Specifically, EPIC recommended the FCC require consumer-set passwords, security breach notification, audit trails, encryption, and limiting data retention. EPIC and other privacy groups submitted comments to the FCC on April 14, 2006, addressing specific questions the FCC asked in response to EPIC's petition. The FCC's current rules address the first two recommendations in EPIC's petition. The FCC sought comments on the latter three, but the FCC has not acted on them.

EPIC’s 2007 comments

In July 2007 comments filed with the Federal Communications Commission, EPIC and a coalition of nine other privacy and consumer groups called for stronger safeguards for customers' telephone records. The Consumer Coalition recommended that the FCC establish comprehensive privacy rules that would require telephone companies to limit access to and retention of consumer call data, safeguard the data stored in mobile phones, and curtail delays of customer notification of security breaches.

EPIC’s 2007 Amicus Brief in NCTA v. FCC

In August 2007, the National Cable and Telecommunications Association (NCTA) filed a complaint with a federal appeals court challenging rules the FCC implemented in response to EPIC’s petition. Ultimately, a federal court in the District of Columbia upheld the telephone privacy regulations that EPIC helped spur. Read more at EPIC’s page summarizing the arguments.

A decision against the FCC would have jeopardized an individual's right to privacy, because individuals have a significant interest in controlling distribution of their personal information. In its amicus, EPIC explained: (1) individuals have a significant interest in controlling distribution of their personal information and in preventing others from profiting by its use; (2) the FCC's Order does not restrict NCTA's right to communicate with its customers; (3) the FCC order is like many state and federal laws that limit the disclosure of personal information by private entities without implicating the First Amendment; and (4) the FCC properly interpreted the intent of the Congress by choosing the most effective means for protecting the privacy interests of consumers, which is the opt-in process.

EPIC’s FOIA/Comments during FCC’s 2016 privacy rulemaking

In response to a Freedom of Information Act request filed by EPIC, the Federal Communications Commission released communications about the FCC’s broadband privacy rulemaking. One of the key proposals for the privacy rules concerns the scope of consumer data covered by the rule, such as a customer’s IP address. An email exchange between Google’s Vinton Cerf and FCC Chairman Tom Wheeler reveals Google’s backdoor efforts to narrow the scope of the proposed rules to exclude privacy protections for customers’ IP addresses. EPIC repeatedly argued that the FCC’s rules can and should go further.

EPIC’s petition to end FCC’s data retention mandate

EPIC has also led a coalition of privacy groups to petition the FCC to end its data retention mandate, which requires telephone companies to keep the telephone numbers dialed, date, time, and call length of all U.S. telephone customers for an 18-month period. EPIC and a group of advocates filed a petition on August 4, 2015 to end the rules first created in 1986. In its petition, EPIC argued that the retention mandate “violates the fundamental right to privacy. It exposes consumers to data breaches, stifles innovation, and reduces market competition. It is outdated and ineffective. It is not necessary or proportionate for a democratic society.” EPIC launched a public-facing campaign on the issue. EPIC has also been a strong advocate against government data retention mandates around the world. See EPIC’s webpage on the issue.
