In a declaratory ruling, the Federal Communications Commission called upon mobile carriers to protect the information collected about mobile consumers, including the phone numbers a customer has called and received calls from, the duration of the calls, and the location at the beginning and end of each call.

While carriers are allowed to collect such information – and use it to improve their own networks or provide customer support – the data is vulnerable to acquisition by others, the FCC said. Absent the adoption of adequate security safeguards, such personal information “can be disclosed to third parties without consumers’ knowledge or consent,” the agency cautioned.

The ruling clarified the agency’s position about whether Section 222 of the Communications Act applies to customer proprietary network information (“CPNI”) on mobile devices; the provision already applies to consumers’ landline data and VOIP. Section 222 contains “three fundamental principles to protect all consumers,” according to the ruling: “(1) the right of consumers to know the specific information that is being collected about them; (2) the right of consumers to have proper notice that such information is being used for other purposes; and (3) the right of consumers to stop the reuse or sale of that information.”

The FCC concluded that data collected by mobile carriers may constitute CPNI, and therefore, the existing requirements of Section 222 apply. The ruling emphasized that no new obligations were imposed on carriers.

“For example, Section 222(a) of the Act provides that ‘Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to…customers,’ Section 222(c)(1)’s restriction on ‘disclos[ure]’ of ‘individually identifiable’ CPNI would appear to make carriers liable for inadvertent disclosures,” the agency wrote. “Such obligations apply equally to CPNI that carriers collect via their customers’ devices.”

The agency dismissed concerns from carriers that Section 222 was “too rigid or outdated” to apply to mobile devices, and shot down an argument that the defense of location data would be a burden on carriers because it warrants different protections.

Carriers also lost their fight to be governed by industry-developed best practices or codes of conduct. The FCC stated that it must fulfill its statutory responsibilities to enforce the Communications Act. According to the ruling, “Although we welcome these other complementary initiatives, none of them is a substitute for the Commission.”

Non carrier, third-party app developers escaped coverage under the ruling, which was limited strictly to mobile carriers. And the agency’s oversight does not appear to extend to other data transmitted by carriers, like text messages and e-mail.

To read the FCC’s declaratory ruling, click here.

Why it matters: The FCC’s declaratory ruling demonstrates the interest of yet another federal agency focused on mobile privacy issues, following the Federal Trade Commission and the Commerce Department’s National Telecommunications and Information Administration. Mobile carriers should take note of the ruling, which included a warning from the FCC that enforcement action is possible in the event a carrier fails to take reasonable precautions and causes a compromise of personal information on a device.