On Wednesday, the Federal Communications Commission announced that it reached a $7.4 million settlement with Verizon over the company’s misuse of its customers’ private information (“customer proprietary network information,” or “CPNI”) for internal marketing, which violated longstanding federal privacy rules.
This is big news, and hopefully a sign that the FCC is looking more closely at ways to crack down on its existing privacy rules, because we think carriers are violating CPNI rules in other ways, too. As we noted in a Petition for Declaratory Ruling we filed with the Commission in December, we believe that many telecommunications carriers regularly share CPNI with third parties in a way that violates the same rules. And the rules that protect CPNI are important, because to receive phone service, subscribers must share a large volume of very private information with their carriers about where they go, how long they stay there, who they call, and when.
The settlement announced this week was particularly notable for a few reasons:
the Communications Act already includes some of the strongest protections on the books. 47 U.S.C. § 222, “Privacy of Customer Information,” accomplishes the following regarding customer proprietary network information (“CPNI”):
- Greatly restricts the circumstances in which a carrier may use CPNI for marketing purposes
- Requires opt-in consent before carriers may use, disclose, or permit access to CPNI
- Affords customers the right to inspect their own information
- Grants the Federal Communications Commission rulemaking authority over CPNI
And the FCC’s rules regarding CPNI detail:
- When carriers may use CPNI without customer consent
- What type of consent is sufficient when consent is required
- Standards for maintenance of CPNI (including an annual compliance certificate)
- Standards for disclosure of CPNI, when it is allowed
- What to do in the event of a CPNI security breach
The strength and particularity of these rules are comparable to those of the HIPAA Rules, which govern health information, and the COPPA Rule, which governs the protection of private information about children.
Second, this settlement wouldn’t have happened if not for Title II. The CPNI rules are authorized by a section of the Communications Act that falls under Title II. So if Verizon’s customers weren’t Title II customers (if, for example, they were broadband customers, since broadband isn’t currently classified as a Title II service), this settlement would not have happened.
Similarly, all the wonderfully strong and detailed privacy rules detailed above would not apply if these weren’t Title II customers. In fact, AT&T’s head of lobbying, Jim Cicconi, has been candid about the fact that one of the reasons they don’t want broadband reclassified as a Title II service is because then the CPNI protections would apply to more private customer information.
Third, this is a prime example of why we oppose industry’s efforts to eliminate the FCC’s privacy jurisdiction. A lobbying group deceptively called the “21st Century Privacy Coalition”—backed by telecommunications industry giants including Verizon, Comcast, and AT&T— has been making the rounds on the Hill trying to get Congress to eliminate the FCC’s jurisdiction over all things privacy-related. They claim to want “harmonization” of different privacy laws that apply to different sectors, but what they really want is to do away with those pesky CPNI rules. If they succeed, enforcement actions like this one would no longer be possible.
Image Credit: Flickr user Yuri Yu. Samoilov