COMMISSIONER MICHAEL J. COPPS,
APPROVING IN PART, DISSENTING IN PART
Re: Implementation of the Telecommunications Act of 1996; Telecommunications Carriers Use of Customer Proprietary Network Information and Other Customer Information; Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended
Few rights are so fundamental as the right to privacy in our daily lives, yet few are under such frontal assault. Today information technologies can monitor what we do, who we talk with, what we buy, what organizations we belong to, what political activities we undertake, what gods we worship. We may have avoided Orwell's 1984, but the threat of technology intrusion into our private lives is not only real -- it is growing.
Today we have an opportunity to do something about it. We take a baby step; I think we could have taken a giant stride. Certainly I support that part of the Order that will prohibit the sale or disclosure of personal data to unaffiliated third parties unless consumers give specific approval, the so-called "opt-in" approach, and I am pleased that the decision does not preempt states from adopting more stringent privacy protections than we do today. But our business is communications, and when we are given the chance to decide how communications companies handle personal information within themselves and their affiliates, we retreat to an entirely different "opt-out" policy whereby the company gets an always-on green light to sell personal information about its customer unless the customer specifically takes the initiative to tell the company it may not do so.
Today's decision is cast as pro-consumer and "opt-in" except for what is implied to be the limited and less problematic sale of personal information to "communications-related affiliates," "third party agents," and "joint venture partners," where "opt-out" will be required. But everyone should understand that this decision is neither narrow nor pro-privacy. It does not preclude companies in all instances from selling to the highest bidder personal and detailed information about who Americans call, when they call, and how long they talk, as long as these companies use it for some "communications related" purpose and have some undefined and murky affiliation, agency relationship, or partnership with the phone company. Anyone who has looked at some of the incredibly complex organizational charts submitted in our merger proceedings knows just how confusing and murky these affiliations can be. In that confusion and murkiness I find potentially serious trouble for consumer privacy.
Importance of Privacy Safeguards
Telephone carriers obtain a vast amount of information about each of us. Carriers know not only the phone services we purchase, but also personal information such as who we call, how often, and for how long. And in a converging communications industry, these same companies now, or may soon, also be able to track what Internet sites we visit, who we e-mail, what cable or satellite television programs we watch, what wireless phone calls we place, and even our location as we use our cell phone. Companies can combine this data with other information that they buy from other sources, such as financial data, credit histories, travel habits, and any of the myriad invasive databases that exist in our digital world, to create a profile on each of us.
Companies can use this information, known as CPNI, for a variety of purposes. They rely heavily on this information for marketing. Sometimes these marketing practices are merely annoying, such as telemarketing calls and junk mail. But when this marketing is based on in-depth personal information, it can become dangerous. CPNI could potentially be used to allow a company to market healthcare services to people who call certain doctors or specialists; insurance companies to know who calls AIDS hotlines; fundraisers to identify an individual's political affiliation based on who calls the offices of candidates or political parties; or landlords to monitor the behavior of their tenants. When the stakes for misuse of our personal information are so high, the Commission should be extraordinarily vigilant.
Section 222 and the FCC Opt-in Decision
Congress recognized this and instructed the Commission to protect the privacy of telephone consumers in section 222 of the Telecommunications Act. Congress recognized that information about individual communications use requires special privacy safeguards. In particular, section 222 limits the use and disclosure of personal customer information unless a carrier first obtains the "approval of the customer."1
In 1998, the Commission adopted rules to implement Congress' privacy directive. The Commission correctly understood Congress's insistence on a company acquiring the "approval of the customer" to require express approval, also known as "opt-in," for use and disclosure of this sensitive personal information. "Approval" is clearly an active rather than a passive requirement. "Opt-out," which would require a customer to take affirmative action to protect his or her personal information, is a failure to object, and not "approval." These concepts are founded on fundamentally different premises. "Opt-out" strikes me as based on the notion that the company owns the information and can use that information as it chooses unless there is objection from the consumer. "Opt-in" is premised on the consumer being in control of this information and grants to each of us the ability to authorize a company to share it with somebody else should we so choose.
On policy grounds, the Commission explained why Congress's insistence on approval had been correct, by determining that "even assuming that an opt-out approach can be appropriate for less sensitive customer information, such an approach would not be appropriate for the disclosure of personal CPNI."2 The Commission concluded that an express approval requirement was necessary for both privacy and competitive concerns. It reasoned that "an express approval requirement provides superior protection for privacy interests because, unlike under an opt-out approach, when customers must affirmatively act before their CPNI is used or disclosed, the confidentiality of CPNI is preserved until the customer is actually informed of its statutory protections. This ensures that customers' privacy rights are protected against unknowing and unintended CPNI disclosure."3 In addition, the Commission recognized that the limitations were designed to eliminate restraints on competition, by "limiting the ability of incumbent carriers to leverage their control over monopoly-derived CPNI into emerging telecommunications markets."4
On appeal, the Tenth Circuit struck down the express approval requirement because the Commission had not built an adequate record to demonstrate that the regulations would materially and directly alleviate privacy harms and that the regulations were narrowly tailored so as to avoid a First Amendment violation. In particular, the court determined that the Commission had failed adequately to consider the less restrictive "opt-out" alternative. Importantly, the court did not hold that the express approval requirement could not be justified or that opt-out was the only way to read section 222. It held only that the Commission had failed to adequately justify its decision. So I think we are being overly cautious here.
The Legal and Policy Inadequacy of Today's Order
In response to the Tenth Circuit's decision, the Commission today requires approval only for disclosure to third parties and non-communications-related affiliates. Contrary to law, and without policy justification, the Commission allows mere notice and "opt-out," an absence of complaint rather than the statutorily required approval, for a company to use, disclose, and permit access to sensitive personal information within a company, to "communications-related affiliates," to "third party agents," and to "joint venture partners." These activities represent the most common of all uses of CPNI.
The majority does not adequately narrow the definition of "communications related," "affiliates," "third party agents," or "joint venture partners." Without careful definitions the restrictions leave dangerous loopholes. I appreciate the majority's willingness to respond to some of my concerns by stating that a carrier cannot sell such information to a pure content provider such as the operator of a Web site, a telemarketer, or a junk e-mailer. The definitions, however, remain unreasonably imprecise. According to my understanding, a carrier could still market personal consumer information to, for example, an ISP who also happens to provide content over its Internet system. Thus a telephone company could, without the permission of its customers, sell CPNI to any company that owns an ISP. I say this is my understanding because, even as late as this morning, the definitions and explanations are in flux. Trying to administer a regime whose exact parameters we, its designers, cannot pin-point creates problems. That's not good for privacy.
The majority seems to believe that they can go no further than "opt-out" for fear of litigation. We can be certain there will be challenges to this order no matter what decision is made. The fear of litigation should not unduly constrain us -- we will be in court on this matter. I prefer to go there with our best foot forward, with a Commission decision that is more securely grounded in statute and one that accomplishes the will of Congress.
Let us be clear: the court did not require "opt-out" nor did it invalidate "opt-in." It demanded better justification for what the previous Commission did. I do not wish to minimize the showing we would have to make to the court, but neither do I want it to become an obstacle for moving proactively ahead. My understanding is that to satisfy court review, the Commission would need to provide more empirical explanation and justification for the government's asserted interest; to demonstrate that "opt-in" materially advances that interest; and that "opt-in" is narrowly tailored and balanced as to its costs and benefits. I believe the Commission can effectively and convincingly meet these tests. There is an abundance of contemporary empirical data, including consumer surveys demonstrating consumer preferences, a state referendum in North Dakota with easy-to-understand results, and at least one company's unhappy experiences with an "opt-out" program. There is new case-law altogether relevant to and supportive of "opt-in." And, as explained below, "opt-in" is both narrowly tailored and balanced.
We must always be at pains to ensure that our decisions do not violate the First Amendment. Part of our responsibility in this instance involves adequately explaining how our rule is necessary to protect privacy, as well as investigating whether less restrictive alternatives exist. Some, including the dissenting judge in U S WEST, take issue with whether the Commission's previous order implicated constitutionally protected "speech"; whether it violated the First Amendment; and whether the Commission's statutory construction was reasonable and thereby entitled to deference. But, even under the test applied by the Tenth Circuit, I believe that express approval is justified, necessary, and most clearly comports with the statute.
Section 222 limits the use of sensitive individual information without "approval of the customer." I agree with the Commission's previous order that express approval "is guided by the natural, common sense understanding of the term 'approval,' which we believe generally connotes an informed and deliberate response."5 As the Commission pointed out, it is "difficult to construe a customer's failure to respond to a notice as constituting an informed approval of its contents."6
Since the Tenth Circuit's decision, other courts have addressed express approval provisions and, using the same analysis, found them not to infringe upon First Amendment rights. In Trans Union Corp. v. FTC, the DC Circuit held that "[a]lthough the opt-in scheme may limit more Trans Union speech than would the opt-out scheme the company prefers, intermediate scrutiny does not obligate courts to invalidate a 'remedial scheme because some alternative solution is marginally less intrusive on a speaker's First Amendment interests.'"7
We are left with the issue whether "opt-in" is narrowly tailored and balanced. To decide this question, we must examine the prongs of the test applied by the Tenth Circuit. If the speech concerns lawful activity, we must determine whether there is a substantial state interest in regulating the speech, whether the regulation materially and directly advances that interest, and whether the regulation is no more extensive than necessary to alleviate the harm.
The majority agrees that the first two prongs are met for both "opt-out" and "opt-in." Thus, the relevant question at issue is whether "opt-in" is narrowly drawn or whether some lesser alternative such as "opt-out" would serve the government's interest. We have seen in several contexts that "opt-out" does not adequately protect consumers' privacy interests. As today's order details, significant concerns have been raised about the effectiveness of "opt-out" requirements in the banking and financial sectors. Similarly, in the telecommunications sector, we have seen one example after another of instances where notice and "opt-out" have been ineffective in ensuring "that customers maintain control over carrier use of sensitive CPNI, and that those that wish to limit the use and dissemination of their information will know how, and be able to do so."8 Attorneys General from 39 states strongly advocate an express approval requirement because "opt-out" has proven so ineffective. A number of these Attorneys General have expressed concern about "opt-out" notices from telecommunications companies that are unclear and confusing and may therefore have been ignored or misunderstood by consumers.
Even were I to approve the use of "opt-out," I would dissent from the Commission's rules here because these rules do not adequately address the problem at hand. Indeed, to develop an effective "opt-out" mechanism would require more detailed rules to ensure that consumers have a user-friendly, understandable and effective mechanism. Because companies view personal data as so valuable, they do not have an incentive to offer opt-out mechanisms that make it easy for consumers to choose to protect their privacy. Many companies simply do not want customers to take advantage of "opting-out." So companies may reduce the likelihood of customers "opting-out" by providing notices that are lengthy, vague, obscured by other information or confusing. Consumers may not understand the extent of the use of the information, for example, if the company buries the information about sharing with affiliates and joint venture partners in the middle of a long disclosure form.
"Opt-in," on the other hand, provides an incentive to companies to ensure that customers read, understand, and respond to a notice. I fear that today's decision -- adopting "opt-out" and failure to provide adequate rules -- will lead inevitably to consumer abuses in the marketplace.
Today's decision puts the burden on the competitive marketplace to constrain use of personal information, arguing that carriers will not want to lose their customers due to misuse of information. But it is this same competitive marketplace that will put added pressure on carriers to create customer profiles to enhance their marketing efforts. We've all seen in recent weeks what havoc the pressures of the marketplace can cause. Threats to privacy will become even greater as data processing technology grows increasingly sophisticated and carriers become even more integrated through increasing consolidation. Moreover, "[e]ven if market forces provide carriers with incentives not to abuse their customer's privacy rights . . . these forces would not protect competitors' concerns that CPNI could be used successfully to leverage former monopoly power into other markets."9
In light of the grave privacy and competition harms that this order could cause, I respectfully dissent from those parts of this decision that allow carriers to use sensitive personal information without first obtaining the express approval of the customer.
1. 47 U.S.C. § 222.
2. Implementation of the Telecommunications Act of 1996; Telecommunications Carriers Use of Customer Proprietary Network Information and Other Customer Information; Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, Second Report and Order and Further Notice of Proposed Rulemaking, 13 FCC Rcd 8061, 8133 (1998) (CPNI Order).
4. Id. at 8145.
5. Id. at 8130; see also U.S. WEST, Inc. v. FCC, 182 F.3d 1224, 1241 (10th Cir. 1999) (Briscoe, J., dissenting) ("Although Congress did not specifically define the term 'approval' in the statute, its ordinary and natural meaning clearly 'implies knowledge and exercise of discretion after knowledge.'").
6. CPNI Order at 8131.
7. Trans Union Corp. v. FTC, 267 F.3d 1138, 1143 (D.C. Cir. 2001).
8. CPNI Order at 8138.
9. Id. at 8134.