On September 3, 2014, Verizon agreed to pay $7.4 million to resolve an investigation into possible misuse of customers’ personal information in a number of tailored marketing campaigns. Prompted by a self-disclosure from the company, the FCC investigated Verizon’s use of customers’ subscription and call information to market new services. Such use is restricted by Section 222 of the Communications Act and the Federal Communications Commission’s CPNI rules. Verizon’s consent decree is notable for more than its size.
Section 222 requires telecommunications providers to protect “customer proprietary network information” (commonly referred to as “CPNI”) which includes call information (such as the location and timing of calls), types of services a customer subscribers to and other information contained on a customer’s bill. Under the Commission’s rules, a telecommunications provider must obtain a customer’s approval to use CPNI in marketing activities, which it can obtain either through affirmative “opt-in” approvals or (in certain instances) through a written notice about how the company intends to use a customer’s CPNI and an opportunity for the customer to “opt-out” of such use.
Like many carriers, Verizon chose to use the opt-out method for obtaining approval. However, between 2006 and 2013, Verizon failed to provide the opt-out notice to nearly two million residential, small business, and medium business customers. Verizon’s procedure was to provide the required CPNI notification language on a customer’s first bill, but in 2012, Verizon personnel discovered that this notice had not been provided in certain customer bills. After investigation, Verizon determined that triggering criteria that generated the opt-out notices were not updated, causing certain bills not to be flagged for the notices. The notification error affected the billing systems used by the incumbent local exchange carriers and interexchange carriers Verizon Long Distance, Verizon Enterprise Solutions LLC, Verizon Select Services Inc., and Verizon Select Services of Virginia Inc. After learning of these CPNI violations, Verizon self-reported the violation, as is required by section 64.2009(f).
Under its Consent Decree with the FCC, Verizon agreed to pay $7.4 million to the U.S. Treasury, and agreed to comply with a number of remedial requirements. As is typical with current FCC settlements, Verizon agreed to implement a Compliance Plan, appoint a Compliance Officer, create a Compliance Manual, implement a Compliance Training Program, and file Compliance Reports with the Commission for the next three years. Three other aspects of the Consent Decree are particularly noteworthy.
First, the Consent Decree contains specific commitments to remedy the CPNI violations that prompted the disclosure. Verizon agreed to automate its “opt-out” process for CPNI consent, and to monitor and test the consent mechanism each month. The company will also notify customers of their right to “opt-out” of any CPNI-related marketing campaigns on every customer bill, for the next three years. Finally, Verizon will implement a CPNI opt-out process review, and identify employees who will be responsible for each step of the process. These provisions go well beyond the FCC’s current rule requirements. It is the first time we’ve seen such detailed remedial measures in a CPNI consent decree.
Second, the Consent Decree contains an assertion that Verizon failed to timely notify the Commission of the CPNI failure. Section 64.2009(f) requires disclosure to the Commission within five business days of discovery of the failure. Verizon provided a notice on January 18, 2013, asserting that “during the week of January 14 …” Verizon discovered the problem. The Consent Decree states, however, that “certain Verizon personnel discovered a potential opt-out problem in late 2012,” several months before Verizon made the disclosure to the Commission. It is not clear whether this factor influenced the amount of the voluntary payment, but we suspect that it had an impact. The fact that the Commission went out of its way to include this statement in the Consent Decree should caution carriers to ensure that they are prompt in their disclosures in the future. It also emphasizes the importance of ensuring that CPNI failures are reported to the legal or regulatory department promptly, so that any potential reporting obligations can be met.
Finally, despite a potential trend we discuss in another recent blog post, Verizon does not admit any violations, and the settlement payment is described in traditional terms as a “voluntary payment.” We will continue watching future consent decrees for more insight into the Commission’s approach to settlements of enforcement investigations.