NCTA v. FCC
Concerning Privacy of Customer Proprietary Network Information (CPNI)
- FCC Levies $10 Million Fine Against Carriers for Breach of Consumer Privacy: The Federal Communications Commission announced today its largest privacy fines to date. The agency's first data security case stems from an investigation of TerraCome and YourTel American who "stored Social Security numbers, names, addresses, driver's licenses, and other sensitive information belonging to their customers on unprotected Internet servers that anyone in the world could access." The carriers will be fined $10 million for their breach of consumer privacy. Last month, the FCC reached a $7.4 million settlement with Verizon over privacy violations. EPIC previously urged the FCC to determine whether Verizon violated the Communications Act when it released consumer call detail information to the National Security Agency. Also, in response to a 2005 EPIC petition, the FCC strengthened privacy protections for telephone records, which EPIC defended in a "friend of the court" brief for the DC Circuit, establishing support for opt-in privacy safeguards. For more information, see EPIC: NCTA v. FCC (Concerning privacy of CPNI) and In re EPIC (NSA Telephone Records Surveillance). (Oct. 24, 2014)
- Federal Communications Commission Fines Verizon $7.4 Million for Violating Consumer Privacy: Verizon will pay the Federal Communications Commission $7.4 million to settle claims that the company violated the privacy rights of nearly two million consumers. The FCC found that Verizon failed to inform consumers of their privacy rights, including how to prevent their personal information from being used for marketing purposes. The Verizon payment is the largest consumer privacy settlement in FCC history. In 2013, EPIC urged the FCC to investigate Verizon's disclosure of customer record information to the NSA. Also, in response to a 2005 EPIC petition, the FCC strengthened privacy protections for telephone records, which EPIC defended in a "friend of the court" brief for the DC Circuit, establishing support for opt-in privacy safeguards. For more information, see EPIC: Customer Proprietary Network Information, EPIC: NCTA v. FCC (Concerning privacy of CPNI), EPIC: US West v. FCC (Privacy of Telephone Records), and In re EPIC (NSA Telephone Records Surveillance). (Sep. 4, 2014)
- Trade Commission Prohibits Robocalls: The Federal Trade Commission is prohibiting commercial telemarketing calls to consumers after September 1, 2009. The agency amended the Telemarketing Sales Rule, which imposes a penalty of $16,000 per call, to cover sellers and telemarketers who transmit prerecorded messages to consumers who have not agreed in writing to accept such messages. The Telemarketing Rule is authorized under the Telemarketing and Consumer Fraud and Abuse Prevention Act. The new rule does not prohibit informational messages or calls by politicians, banks, telephone carriers, and charities. EPIC has urged the FCC to require strong privacy safeguards for telephone customers' personal information, and protect wireless subscribers from telemarketing. See also EPIC Telemarketing and Telephone Consumer Protection Act. (Aug. 28, 2009)
- EPIC Urges Congress to Act on Internet Privacy: In testimony before a Congressional Committee, EPIC Director Marc Rotenberg urged lawmakers to address the growing threat to online privacy of new tracking techniques. Mr. Rotenberg said, "From the user perspective, the threats to privacy online are increasing. Unregulated data collection continues. Privacy policies are opaque and ineffective. Users are unable to exercise any meaningful control over the personal information that is obtained by firms when they visit sites, purchase online, or participate in the rapidly growing world of social networking." EPIC warned that these practices also pose a threat to technical standards that are necessary to protect network integrity, as well as the revenue of web publishers. For more information, see EPIC's page on Deep Packet Inspection and NCTA v. FCC. (Apr. 23, 2009)
- Federal Appeals Court Upholds Opt-In Privacy Rule for Telephone Services.Today, a federal court in the District of Columbia upheld telephone privacy regulations that require phone companies to obtain affirmative, opt-in consent from customers before they disclose personal information to outside corporations. The decision rejects an industry challenge to the rule. The Court recognized that "the government has a substantial interest in protecting the privacy of customer information and that requiring customer approval advances that interest," and cited EPIC's 2005 petition as spurring the rulemaking process. In May 2008, EPIC filed a "friend of the court" brief urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. For more, see EPIC's page on NCTA v. FCC. (Feb. 13)
- Federal Appeals Court Hears Telephone Privacy Case. On September 10, 2008, a federal court in the District of Columbia heard arguments in a challenge to telephone privacy regulations. At issue is a federal rule (pdf) requiring telephone companies to obtain affirmative, opt-in consent from customers before they disclose personal information to outside corporations. An industry group challenged the privacy rule. In May, EPIC filed a "friend of the court" brief (pdf) urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. "Consumers have a legitimate expectation of privacy with respect to sensitive personal information such as whom they call on a telephone," the brief said. "An opt-out policy would provide neither adequate protection for consumer data nor sufficient notice to consumers." See EPIC page on CPNI (Customer Proprietary Network Information). (Sept. 11)
- EPIC, Privacy Groups, Technical Experts, and Legal Scholars Support Opt-In for Telephone Services. EPIC filed a "friend of the court" brief (pdf) today in federal appellate court urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. At issue is the Federal Communications Commission's Order (pdf) that protects consumers' telephone record information, which the National Cable and Telecommunications Association has challenged. "Consumers have a legitimate expectation of privacy with respect to sensitive personal information such as whom they call on a telephone," the brief said. "An opt-out policy would provide neither adequate protection for consumer data nor sufficient notice to consumers." See EPIC page on CPNI (Customer Proprietary Network Information). (May 6)
- Cable Industry Opposes Consumer Privacy Safeguards. The National Cable and Telecommunications Association has filed a complaint with a federal appeals court challenging the FCC's rule (pdf) that would protect the protect of consumers telephone record information. EPIC petitioned the FCC to establish these safeguards after mounting evidence of "pretexting" and identity theft, based on the misuse of telephone records. The industry groups claim a First Amendment right to disclose customer information. Courts have typically rejected that argument. (Aug. 8, 2007)
- EPIC and Consumer Coalition Urge FCC to Adopt Stronger Privacy Safeguards for Telephone Records. In comments (pdf) filed with the Federal Communications Commission, EPIC and a coalition of nine other privacy and consumer groups called for stronger safeguards for customers' telephone records. The Consumer Coalition recommended that the FCC establish comprehensive privacy rules that would require telephone companies to limit access to and retention of consumer call data, safeguard the data stored in mobile phones, and curtail delays of customer notification of security breaches. In response to a 2005 EPIC petition, the FCC earlier this month adopted new rules to strengthen the security of consumers' phone records and requested comments on additional security proposals. (July 9, 2007)
- New Privacy Safeguards for Telephone Customers. In response to a petition filed by EPIC, the Federal Communications Commission issued new rules (pdf) to protect the privacy of consumers' telephone records. The new safeguards prohibit unauthorized access to phone records, require passwords for customer accounts, require notice of any changes to account information, and establish opt-in consent before disclosing customer information. The FCC also announced a new rulemaking (pdf) to consider such issues as audit trails, data retention, and safeguards for information stored in cell phones. Comments are due July 9, 2007. (Apr. 2, 2007)
Customer proprietary network information (CPNI) is the data collected by telecommunications corporations about a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill.
Although telecommunications companies were previously able to sell this data to third party companies for marketing purposes, the Telecommunications Act of 1996 required telecommunications companies to obtain customers' approval prior to sharing their CPNI with third parties. However, there was a difference of opinion on the interpretation of "approval." EPIC and other privacy advocates and consumer rights groups argued that "approval" implied that a consumer had to give positive, express consent to the sharing of information: that is, to "opt-in" to the marketing scheme. Telecommunications companies argued that they could start from a presumption of approval, and allow customers the choice to "opt-out" of the marketing program by explicitly withdrawing their consent.
In August 2005, EPIC filed a petition urging the Federal Communications Commission (FCC) to require security measures to protect access to CPNI from pretexters and other unauthorized parties. Specifically, EPIC recommended the FCC require consumer-set passwords, security breach notification, audit trails, encryption, and limiting data retention. EPIC and other privacy groups submitted comments to the FCC on April 14, 2006, addressing specific questions the FCC asked in response to EPIC's petition.
On April 2, 2007, the FCC issued a Final Order (pdf) regulating access to CPNI records. These rules were published in the Federal Register on June 8, 2007. At the same time, the FCC released a further notice of proposed rulemaking, seeking comments on whether it should expand its rules to protect privacy even more. The rules were issued in response to EPIC's August 2005 petition. The FCC's new rules address the first two recommendations in EPIC's petition, and the FCC sought comments on the latter three.
In July 2007 comments (pdf) filed with the Federal Communications Commission, EPIC and a coalition of nine other privacy and consumer groups called for stronger safeguards for customers' telephone records. The Consumer Coalition recommended that the FCC establish comprehensive privacy rules that would require telephone companies to limit access to and retention of consumer call data, safeguard the data stored in mobile phones, and curtail delays of customer notification of security breaches.
The new FCC rules issued in April 2007 require customers to provide a password when customers contact a carrier before the carrier can release call-detail CPNI. Carriers must also password protect online CPNI access. In addition, the new rules require carriers to notify customers of account changes, such as if the customer's password or address changes, and to notify customers of unauthorized disclosure of CPNI. However, law enforcement agencies can delay customer notification. The rules further require carriers to obtain opt-in consent from customers before disclosing their CPNI to a carrier's joint venture partner or independent contractor for marketing purposes, whereas the older rules only required opt-in consent for disclosure of call detail information to third parties.
In August 2007, the National Cable and Telecommunications Association (NCTA) filed a complaint with a federal appeals court challenging the FCC's new rules, which would protect consumers' telephone record information. The industry groups claim a First Amendment right to disclose customer information.
In its March 14 filing to the DC Circuit Court of Appeals, the National Cable and Telecommunications Association (NCTA) made two arguments: 1) "The CPNI opt-in rule violates the First Amendment," and 2) "The CPNI opt-in rule is arbitrary and capricious under the Administrative Procedure Act."
Under the argument that the FCC is violating the First Amendment, the NCTA claims that the rule should be reviewed under the "intermediate scrutiny" test. The NCTA claims the FCC rule fails this test because, the NCTA argues, the rule "restricts protected speech without directly and materially advancing the identified state interest" and is "not narrowly tailored to the governmental interests."
Under the argument that the FCC is violating the Administrative Procedure Act, the NCTA claims, "The Commission has not provide a satisfactory explanation," for choosing the opt-in rule over an opt-out regime. The NCTA also claims that the Commission "failed to consider competitive harms" and that there is "no rational connection between the facts found and the decision to require opt-in."
In its argument that the CPNI opt-in rule violates the First Amendment, the NCTA points to US West v. FCC, 182 F.3d 1224 (10th Cir. 1999). In a split decision, the Tenth Circuit Court of Appeals invalidated the Federal Communications Commission's February 1998 Order requiring telecommunications carriers to obtain express customer approval before they can disclose CPNI they collect as a result of providing their services. The majority's opinion vacated the FCC's CPNI Order, finding it inconsistent with protected "speech" interests of the telephone company.
However, since US West, courts have found that legislation protecting personal information does not unlawfully impinge upon commercial free speech. Two such cases are: Trans Union v. FTC and IRSG v. FTC.
In Trans Union v. FTC, 245 F.3d 809 (D.C. Cir. 2001), the D.C. Circuit upheld the Fair Credit Reporting Act against First Amendment challenges to restrictions on marketing use of credit files. The court found that the government's interest in keeping personally identifiable information private was substantial and upheld the FTC's ban on the sale of target marketing lists.
In IRSG v. FTC, 145 F. Supp. 2d 6, No. 00-1828 (D.D.C. 2001), the D.C. District Court upheld Federal Trade Commission regulations that required information brokers to give notice and an opportunity to opt-out to individuals before selling the individuals' "credit header" information (including: name, address, Social Security number). On summary judgment, the court rejected IRSG's First and Fifth Amendment claims, stating:
"The speech does not involve any matter of public concern, but consists of information of interest solely to the speaker and the client audience. Thus, restriction on the dissemination of this nonpublic personal information does not impinge upon any public debate."
The new rules at issue in this case, NCTA v. FCC, were issued by the Federal Communications Commission in response to EPIC's August 2005 petition to the agency. EPIC believes these safeguards are necessary in light of mounting evidence of "pretexting" and identity theft, based on the misuse of telephone records. A decision against the FCC would have jeopardize an individual's right to privacy, because individuals have a significant interest in controlling distribution of their personal information. EPIC does not believe the NCTA can support its claim of a First Amendment right to disclose consumer information.
In its amicus, EPIC explains: (1) individuals have a significant interest in controlling distribution of their personal information and in preventing others from profiting by its use; (2) the FCC's Order does not restrict NCTA's right to communicate with its customers; (3) the FCC order is like many state and federal laws that limit the disclosure of personal information by private entities without implicating the First Amendment; and (4) the FCC properly interpreted the intent of the Congress by choosing the most effective means for protecting the privacy interests of consumers, which is the opt-in process.
- D.C. Circuit Opinion: NCTA v. FCC, 555 F.3d 996 (D.C. Cir. 2009)
- EPIC, Privacy Groups, Technical Experts, and Legal Scholars' Amici Brief to the DC Circuit Court of Appeals (pdf) (May 6, 2008)
- FCC's Brief for Respondents to the DC Circuit Court of Appeals (pdf) (April 30, 2008)
- NCTA's Principal Brief to the DC Circuit Court of Appeals (pdf) (March 14, 2008)
- Comments of EPIC and nine other privacy and consumer groups on FCC's CPNI Rules (pdf) (July 9, 2007)
- FCC Press Release detailing new CPNI rules (pdf) (April 2007)
- EPIC's page on CPNI: (Customer Proprietary Network Information) (including information on EPIC's 2005 petition)
- EPIC's page on US West v FCC (concerning the privacy of telephone records)
- Academic Articles citing NTCA v. FCC:
- David Orentlicher, Prescription Data Mining and the Protection of Patients' Interests, 38 J.L. Med. & Ethics 74, 79 n63 (2010)
- Danielle Keats Citron & Leslie Meltzer Henry, Visionary Pragmatism and the Value of Privacy in the Twenty-First Century, 108 Mich. L. Rev. 1107, 1116 n26 (2010)
- Patrick P. Garlinger, Privacy, Free Speech, and the Patriot Act: First and Fourth Amendment Limits on National Security Letters, 84 N.Y.U. L. Rev. 1105, 1144 n211 (2009)
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a by-monthly newsletter highlighting emerging privacy issues.