CPNI
(Customer Proprietary Network Information)
(Customer Proprietary Network Information)
Latest News
- Federal Appeals Court Hears Telephone Privacy Case On September 10, 2008, a federal court in the District of Columbia heard arguments in a challenge to telephone privacy regulations. At issue is a federal rule (pdf) requiring telephone companies to obtain affirmative, opt-in consent from customers before they disclose personal information to outside corporations. An industry group challenged the privacy rule. In May, EPIC filed a “friend of the court” brief (pdf) urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. “Consumers have a legitimate expectation of privacy with respect to sensitive personal information such as whom they call on a telephone,” the brief said. “An opt-out policy would provide neither adequate protection for consumer data nor sufficient notice to consumers.” See EPIC page on NCTA v. FCC. (Sept. 11)
- EPIC, Privacy Groups, Technical Experts, and Legal Scholars Support Opt-In for Telephone Services. EPIC filed a “friend of the court” brief (pdf) today in federal appellate court urging support for opt-in safeguards for telephone customers. The brief was filed on behalf of consumer and privacy organizations, technical experts, and legal scholars. At issue is the Federal Communications Commission’s Order (pdf) that protects consumers’
telephone record information, which the National Cable and Telecommunications Association has challenged. “Consumers have a legitimate expectation of privacy with respect to sensitive personal information such as whom they call on a telephone,” the brief said. “An opt-out policy would provide neither adequate protection for consumer data nor sufficient notice to consumers.” See EPIC page on NCTA v. FCC. (May 6)
- Cable Industry Opposes Consumer Privacy Safeguards. The National Cable and Telecommunications Association has filed a complaint with a federal appeals court challenging the FCC's rule (pdf) that would protect the protect of consumers telephone record information. EPIC petitioned the FCC to establish these safeguards after mounting evidence of "pretexting" and identity theft, based on the misuse of telephone records. The industry groups claim a First Amendment right to disclose customer information. Courts have typically rejected that argument. (Aug. 8, 2007)
- EPIC and Consumer Coalition Urge FCC to Adopt Stronger Privacy
Safeguards for Telephone Records.
In comments (pdf)
filed with the Federal Communications Commission, EPIC and a coalition of nine
other privacy and consumer groups called for stronger safeguards for customers'
telephone records. The Consumer Coalition recommended that the FCC establish
comprehensive privacy rules that would require telephone companies to limit access
to and retention of consumer call data, safeguard the data stored in mobile phones,
and curtail delays of customer notification of security breaches. In response
to a 2005 EPIC petition,
the FCC earlier this month adopted
new rules to strengthen the security of consumers' phone records and requested
comments on
additional security proposals. (July 9, 2007)
- New Privacy Safeguards for Telephone Customers. In response to a petition filed by EPIC, the Federal Communications Commission issued new rules (pdf) to protect the privacy of consumers' telephone records. The new safeguards prohibit unauthorized access to phone records, require passwords for customer accounts, require notice of any changes to account information, and establish opt-in consent before disclosing customer information. The FCC also announced a new rulemaking (pdf) to consider such issues as audit trails, data retention, and safeguards for information stored in cell phones. Comments are due July 9, 2007. (Apr. 2, 2007)
- Comments of EPIC and nine other privacy and consumer groups (pdf) (July 9, 2007)
- FCC Press Release (pdf) (April 2007)
- Statement of Chairman Martin (pdf) (April 2007): "The 'opt-in' approach adopted in this Order clearly is supported by the record, is consistent with applicable law, and directly advances our interest in protecting customer privacy."
- Statement of Commissioner Copps (pdf) (April 2007): "The Commission adopts a process by which customers could be left totally uninformed of unauthorized access to their CPNI for 14 days . . as some have described it, it is akin to not telling victims of a burglary that their home has been broken into because law enforcement needs to continue dusting for fingerprints."
- Statement of Commissioner Tate (pdf) (April 2007): "Indeed the law places a duty on telecommunications providers to protect this information and today, we take important steps to better secure private telephone records."
- Statement of Commissioner Adelstein (pdf) (April 2007): "[T]his order set up a process which can result in the unnecessary and even indefinite delay of consumer notification without any accountability."
- Statement of Commissioner McDowell (April 2007): "[O]ur rules should strike a careful balance . . . the Further Notice seeks comment on [finding this balance]."
CPNI Overview
Customer proprietary network information (CPNI) is the data collected by telecommunications corporations about a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill.
Although telecommunications companies were previously able to sell this data to third party companies for marketing purposes, the Telecommunications Act of 1996 required telecommunications companies to obtain customers' approval prior to sharing their CPNI with third parties. However, there was a difference of opinion on the interpretation of "approval." EPIC and other privacy advocates and consumer rights groups argued that "approval" implied that a consumer had to give positive, express consent to the sharing of information: that is, to "opt-in" to the marketing scheme. Telecommunications companies argued that they could start from a presumption of approval, and allow customers the choice to "opt-out" of the marketing program by explicitly withdrawing their consent. In 1998, the Federal Communications Commission (FCC) instituted a rule requiring that customers "opt-in" to the marketing program for personal information contained in their CPNI to be shared or used for marketing purposes.
Local telephone service provider U.S. West Inc. challenged the FCC rule in the Federal Court of Appeals for the 10th Circuit. They argued for an opt-out approach, which they suggested would protect their commercial free speech right to market data they collect on customers, while allowing consumers the opportunity to opt-out of such marketing arrangements if they did not want to participate. The court found that the FCC had failed to provide adequate evidence to establish that the rule furthered a substantial government interest, that it materially advanced such an interest, and that it was narrowly tailored to serve that interest.
In September 2001, the FCC issued a clarification of their initial order, permitting carriers to rely on "opt-out" means to secure customer approval to use their CPNI for marketing as an interim measure. The FCC further requested comments from all parties on how it should proceed with the rulemaking proceeding, and to create "a more complete record" on the issues implicated.
In July 2002, the Commission officially adopted rules providing for opt-in--or express consent--customer approval for carriers' release of customer information to third parties, but permitting opt-out consent for release of information to affiliated parties.
Current Status
On April 2, 2007, the Federal Communications Committee issued a Final Order (pdf) regulating access to CPNI records. These rules were published in the Federal Register on June 8, 2007. At the same time, the FCC released a further notice of proposed rulemaking, seeking comments on whether it should expand its rules to protect privacy even more. Comments are due July 9, 2007, and reply comments are due August 7, 2007.
The new FCC rules require customers to provide a password when customers contact a carrier before the carrier can release call-detail CPNI. Carriers must also password protect online CPNI access. In addition, the new rules require carriers to notify customers of account changes, such as if the customer's password or address changes, and to notify customers of unauthorized disclosure of CPNI. However, law enforcement agencies can delay customer notification. The rules further require carriers to obtain opt-in consent from customers before disclosing their CPNI to a carrier's joint venture partner or independent contractor for marketing purposes, whereas the older rules only required opt-in consent for disclosure of call detail information to third parties.
The new rules are in response to a petition filed by EPIC in August 2005, in which EPIC urged the FCC to require security measures to protect access to CPNI from pretexters and other unauthorized parties. Specifically, EPIC recommended the FCC require consumer-set passwords, security breach notification, audit trails, encryption, and limiting data retention. EPIC and other privacy groups submitted comments to the FCC on April 14, 2006, addressing specific questions the FCC asked in response to EPIC's petition. The FCC's new rules address the first two recommendations in EPIC's petition, and the FCC now seeks comments on the latter three.
How to Opt Out
Following is a list of numbers available for customers choosing to opt-out of their telecommunications carriers' information-sharing programs:
- Verizon customers wishing to opt-out may call (866) 483-9600. View Verizon's opt-out notice.
- SBC-Ameritech customers wishing to opt-out may call (800) 303-7260. View Ameritech's opt-out notice.
Previous Top News
- Washington State Adopts Customer-Privacy Rules. Washington State adopted the nation's strongest
rules
protecting telephone customer privacy, more protective of customer privacy than those adopted in July by the Federal Communications
Commission. (The FCC's July Order specifically left
open the possibility of more protective state regulation.) The Washington rules mandate opt-in--express approval--for all "call detail" information,
and permit information sharing only within companies under common ownership. EPIC and WashPIRG submitted comments in the Washington proceeding,
urging the state to adopt opt-in for all calling data.
(Nov. 7, 2002)
- FCC Adopts Modified Opt-In Plan for Customer Information. The Federal Communications Commission adopted rules (pdf) designed to protect sensitive personal information of customers of telecommunications carriers. The Order provides for opt-in--or express consent--customer approval for carriers' release of customer information to third parties, but permits opt-out consent for release of information to affiliated parties. The Order specifically states that the Commission will not block or preempt state efforts to further protect CPNI. EPIC, other consumer groups, and 39 state Attorneys General filed comments (PDF) with the Federal Communications Commission in 2001, urging the FCC to adopt opt-in for all customer calling data. (July 17, 2002)
- "Opt-In" CPNI Bill Introduced in Senate. Senator
Paul Wellstone (D-MN) introduced S.
1928, a bill that would amend the 1996
Communications Act to require affirmative written consent
by a customer to the release of customer proprietary network
information. The bill has been referred to the Senate Commerce
Committee. In related news, the Maryland
Office of the People's Counsel--an independent state agency
that represents residential customers in utility matters--sent
a letter
to the Public Service Commission of Maryland, requesting that
the Commission take action to investigate Verizon's recently
implemented opt-out marketing plan for customer data.
(Feb. 13, 2002)
- EPIC Recommends Phone Companies to Drop Marketing
Plan. In letters to Ameritech
President Gail Torreano and Verizon
President Ivan Seidenberg, EPIC urged the companies to follow
Qwest's example by suspending their plans to use records of
telephone calls for marketing purposes. Both phone companies
sent opt-out notice to customers in the most recent billing
statement. The notices, which required customers to telephone a
toll-free number to opt-out of the sale of their calling data,
have sparked controversy as customers attempting to use the
toll-free number experienced numerous difficulties.
(Feb. 7, 2002)
- Qwest Backs Down from Marketing Plan. In response to
a national campaign led by EPIC, with the support of state
Attorneys General and consumers nationwide, Qwest
Communications announced
today that it is withdrawing plans for opt-out marketing with
customer telephone records, or "CPNI." Citing numerous customer
concerns, the company has stated that it will wait until the
Federal Communications Commission (FCC) has proposed a final
rule on the issue. EPIC initiated the campaign for opt-in at
the FCC last November. (Jan. 28, 2002)
- Qwest Responds to Attorney General's Concerns. In a
letter
to Washington State Attorney General Christine Gregoire, Qwest
Vice President Kirk Nelson responded to the Attorney General's
concerns expressed in her January 14 letter
to the company. (Jan. 25, 2002)
- Arizona Commissioners Take Action on Qwest Plan.
Arizona Corporation Commissioners say they are willing to sue
Qwest to stop it from sharing its customers' personal
information. The commissioners' statement came during a special
open meeting held regarding Qwest's recently issued opt-out
notice. Commissioner Marc Spitzer commented, "The right to
privacy is a fundamental American value. In Arizona, our state
constitution specifically recognizes and guarantees that
right." The Commissioners have directed their legal staff to
open a rulemaking that would stop the company from implementing
an opt-out policy. (Jan. 22, 2002)
- States Question Bells' Plan to Exploit Customer
Information. Michigan Attorney General Jennifer Granholm
wrote a letter
to SBC/Ameritech asking the company for more information about
its plan to sell customer information. Granholm said the
opt-out notice included in customers' January bill was vague,
unclear, and not designed to be brought to customers'
attention. Granholm was one of the 30 state attorneys general
who filed comments with the FCC in December calling for
affimative consent of customers before cpni could be sold.
Also, the Arizona Corporation Commission said it would seek a
federal court injunction if necessary to block Qwest from
sharing data about customer calling habits under an "opt-out"
provision until the Federal Communications Commission settles
the issue. (Jan. 16, 2002)
- State Attorney General, U.S. Senator Question Qwest
Plan. In a letter
to Qwest Vice President Kirk Nelson, Washington State Attorney
General Christine Gregoire urged Qwest to suspend its recently
implemented opt-out marketing plan. The letter states that
Qwest's opt-out letter, contained within the last billing
statement, "was not written in clear and conspicious terms or
designed in a way to alert customers to the important decision
they should make." The letter also mentions numerous customer
complaints -- such as disconnects and inability to reach
an operator -- following attempts to opt-out. Senator
Paul Wellstone (D-MN) sent a letter
to FCC Chairman Powell today on the same matter, urging the FCC
to protect consumer privacy by adopting an opt-in approach.
Wellstone also gave a press
conference in Minnesota today, urging Qwest to truly obtain
customer consent by adopting an opt-in approach.
(Jan. 14, 2002)
- FCC Still Seeking Comments for Calling Data
Rulemaking. Following Qwest's initiation of an opt-out
marketing plan for calling data, the FCC announced that they
will continue to accept comments from consumers wishing to
express their opinion in this ongoing debate. Consumers wishing
to do so can comment by e-mail, at fccinfo@fcc.gov or by
regular mail, FCC, 445 12th St. S.W., Washington, D.C. 20554,
attn: Consumer Information Bureau. Reference Docket No. 96-115.
Customers in 14
states are affected by Qwest's marketing plan. The Seattle
Times reports
that customers attempting to opt-out continue to express
frustration and to question Qwest's sincerity about its offer
to protect privacy. (Jan. 9, 2002)
- EPIC Urges Qwest to Drop Marketing Plan for Calling
Data. In a letter
to Qwest President Afshin Mohebbi, EPIC is urging Qwest to
suspend the plan to use records of telephone calls for
marketing purposes based only upon the opt-out notice provided
to Qwest customers in the most recent billing statement. The
notices, which required customers to telephone a toll-free
number to opt-out of the sale of their calling data, have
sparked controversy as customers attempting to use the
toll-free number experienced numerous difficulties.
(Jan. 8, 2002)
- Groups Urge FCC to Protect Phone Privacy. EPIC and
other consumer groups have filed reply
comments with the Federal Communications Commission with
detailed arguments in support of an opt-in standard for
customer calling data. Telecommunications companies wish to
sell customer calling data, known as Customer Proprietary
Network Information (CPNI), for marketing and profiling
purposes. This information includes subscribers' names,
addresses, calling records, and service options.
(Nov. 16, 2001)
- Consumer Groups Urge FCC to Protect Phone Privacy. On November 1, EPIC and 17 civil liberties and consumer groups filed comments with the Federal Communications Commission urging the FCC to adopt opt-in for customer calling data. The FCC's request for comments followed a federal court decision that the FCC's original opt-in proposal violated the First Amendment because there was not adequate evidence that opt-in would protect customer privacy interests. The new comments note that 86 percent of consumers favor opt-in for communications services. (Nov. 6, 2001)
Qwest Opt-Out Notice
In a billing statement sent out in early January 2002, Qwest (previously U.S. West) informed its customers about the calling information collected and marketed by Qwest and gave the customers the option of opting out of the marketing agreement. This notice sparked a public outcry as consumers were taken by surprise that their personal data could be marketed in this manner. Shortly thereafter, SBC Ameritech and Verizon introduced similar marketing plans.
In response to a national campaign led by EPIC, with the support of state Attorneys General and consumers nationwide, in late January Qwest withdrew its plan to implement opt-out marketing of CPNI. Citing numerous customer concerns, the company stated that it would wait until the Federal Communications Commission (FCC) proposed a final rule on the issue, expected during the summer of 2002.
Related Proceedings
The Washington State Utilities and Transportation Commision issued proposed rules concerning treatment of CPNI information by telecommunications carriers. The rules distinguish between sensitive customer information such as call records, and non-sensitiive, such as services subscribed to. Telecommunications carriers must allow customers to "opt-in" to use of sensitive information, but can apply the lower "opt-out" standard where non-sensitive information is at issue.
EPIC filed comments and reply comments (with WashPIRG) in this rulemaking, arguing that opt-in is constitutional, and in fact should apply to all customer information. The comments referenced the decision by Qwest to withdraw from its opt-out marketing plan, as well as the referendum in North Dakota which passed by 72 percent to reestablish opt-in privacy protections for financial information, the first time citizens have had the opportunity to vote directly on opt-in. Qwest filed comments and reply comments in the rulemaking as well, stating that "the government cannot depress the communication of lawful speech to potentially interested persons in order to protect uneducated, inattentive adults."
In November 2002, the Commission adopted a modified version of the proposed rules, in light of the FCC's July Order. The rules mandate opt-in--express approval--for all "call detail" information, and permit information sharing only within companies under common ownership.
Following the implementation of the new rules for Washington State, Verizon filed litigation against the Washington Utilities and Transportation Commission challenging the legality of the opt-in provisions. As of December 2002, WUTC reports that Verizon was denied a suspension in order to prevent the implementation of the new rules before January 1, 2003. Verizon and its affiliates argue that the Washington regulations are unconstitutional due to vagueness under the Due Process Clause as well as violating the commercial free speech of the telecommunication companies under the First Amendment. They also allege violations of the Commerce Clause, illegal property confiscation under the Fifth Amendment, and infringements upon the companies' rights guaranteed by the FCC rules under the color of state law. The WUTC responded in federal court to Verizon's challenges. On December 23, 2002, the WUTC also filed comments to the FCC in response to Verizon's petition for reconsideration. Judge Barbara Rothstein will decide upon the preliminary injunction at the end of January, 2003.
Resources
- FCC CPNI Order, released in July 2002.
- WUTC response to Verizon's request for preliminary injuction in federal court, filed in December 2002.
- WUTC comments in response to Verizon's challenge to CPNI rules, filed in December 2002.
- Washington State CPNI rules, released in November 2002.
- Comments (PDF) of EPIC and others to the FCC, filed in November 2001.
- Reply comments (PDF) of EPIC and others to the FCC, filed in November 2001.
- Decision (PDF) in U.S. West, Inc. v. FCC.
- FCC's petition for rehearing en banc of U.S. West, Inc. v. FCC
- EPIC's Amici Curiae (PDF) in support of FCC's petition for rehearing en banc of U.S. West, Inc. v. FCC.
- FCC Filings: Text of documents related to the proceeding on customer proprietary network information are available by doing a search for the proceeding number "96-115" in the Electronic Comments Filing System at the Web site of the Federal Communications Commission.
- NARUC Resolutions and Policy Positions 2000, urging Congressional action on CPNI protection following the U.S. West decision.
Last Updated:
September 11, 2008
Page URL: http://www.epic.org/privacy/cpni/default.html