The U.S. Federal Communications Commission (FCC) recently adopted a Declaratory Ruling confirming that wireless carriers have an obligation to secure and protect certain information – known as customer proprietary network information or “CPNI” – collected and stored on mobile devices, if the CPNI is collected at the carrier’s direction and the carrier or its designee has access to or control over the information.
Although the decision did not impose any new requirements on third-party app developers, wireless carriers may now seek to impose additional CPNI security requirements on partner equipment manufacturers, operating system developers, and app developers.
What is CPNI?
Under the Communications Act of 1934, as amended, telecommunications service providers (including wireless carriers) and interconnected VoIP providers must protect sensitive consumer information. The most specific carrier obligations with respect to consumer information concern CPNI. Section 222 of the Communications Act defines CPNI to include information about a customer’s use of the service “that is made available to the carrier by virtue of the carrier-customer relationship.” It encompasses information such as the calls placed by a consumer, the frequency and duration of calls, and services purchased by the consumer, as well as any information that appears on a consumer’s telephone bill.
What prompted the Declaratory Ruling?
The FCC’s decision arose from its findings following a Public Notice issued last year seeking comment about wireless service providers’ practice of collecting and storing information on customers’ mobile devices. The FCC found that certain network diagnostics software that carriers install on mobile devices – software used to determine how their network and the devices functioning on their network are operating – could store and transmit CPNI. The FCC realized that there was confusion regarding whether CPNI-type information stored on mobile devices was subject to the CPNI protections. Further, the FCC discovered that software used by some carriers may have contained security vulnerabilities that could result in personal data stored on a mobile device, including sensitive location information, being accessed by and disclosed to third parties without customer authorization.
What does the Declaratory Ruling clarify?
Recognizing the confusion regarding the obligations of wireless carriers to protect CPNI collected on mobile devices, the FCC clarified that wireless carriers are obligated to protect the privacy and security of CPNI they can access or collect from their customers’ mobile devices.
First, the FCC explained that information collected and stored on a customer’s mobile device at the behest of the carrier can be classified as CPNI. The FCC explained that carriers in some instances can and do exercise control over the wireless devices connected to their networks and determine the type of CPNI that the device will collect, how it will be stored, and when the information will be transmitted back to the carrier – without the customer’s knowledge or ability to change those parameters in the device settings. Thus, this information is “made available to the carrier by virtue of the customer-carrier relationship” and is required to be protected under the Communications Act and the FCC’s CPNI rules.
Second, the FCC affirmed that CPNI on a customer’s device remains CPNI regardless of whether it has been transmitted to the carrier. Because the stored CPNI is still available to the carrier, the FCC found that carriers must protect such data.
Third, the Commission made clear that when information collected and stored on a customer’s mobile device is not under the carrier’s control, not intended to be transmitted to the carrier, or otherwise accessible by the carrier, it is not CPNI. According to the FCC, this remains true even if the information would be classified as CPNI if it were made available to the carrier. Additionally, the FCC specifically noted that information collected by user-installed third-party applications is not CPNI.
In clarifying these carrier obligations, the FCC did not adopt or propose new rules governing the protection, use, or disclosure of CPNI. By applying its CPNI rules to information collected and stored on customer mobile devices and accessible to wireless carriers, the Commission reasoned that it was “avoid[ing] a potential gap in consumer’s privacy protections.” Therefore, wireless carriers must provide the same security and protection to CPNI collected and stored on a customer’s mobile device that they provide to other CPNI.