On September 3, 2014, the Federal Communications Commission’s Enforcement Bureau announced a $7.4 million settlement with Verizon following an investigation into the company’s potential violations of the FCC’s privacy rules. This was the largest pure privacy forfeiture in FCC history. The investigation revealed that, starting around 2006, Verizon failed to notify approximately two million new customers of their privacy and opt-out rights before it used their personal information to market to them, contrary to the requirements of the FCC’s Customer Proprietary Network Information (CPNI) rules. In addition to the multi-million dollar payout, some of the consent decree’s most important terms require Verizon to: (1) notify customers of their opt-out rights on every bill for the next three years; (2) put systems in place to monitor and test its billing and opt-out notice process; and (3) develop and implement a three-year compliance plan, including annual compliance reports. Telecommunications carriers and voice-over-IP providers should take this opportunity to review their CPNI policies and, in particular, check their implementation. Though the FCC has previously pursued CPNI violations, the significant size of this action combined with an active enforcement trend in the FCC and elsewhere may signal future enforcement activity by the FCC.
The FCC protects CPNI by prohibiting telecommunications carriers—and interconnected VoIP providers—from disclosing, allowing access to, or using a customer’s CPNI for marketing purposes without customer approval. This approval can be opt-in or opt-out depending on whether the marketing involves communications-related services and whether it is done by the carrier, an affiliate, or an unrelated third party.[1] CPNI includes some personally identifiable information (PII) elements, but its definition differs from those used by other agencies in the consumer privacy sphere. Practically speaking, CPNI includes information such as the phone numbers called by a consumer, the frequency, duration, and timing of such calls, and any voice services or features purchased by the consumer.[2] Importantly, CPNI involves only information that the carrier learns by virtue of the carrier-customer relationship. CPNI is different from other privacy definitions in that it focuses strictly on the private information of voice customers and explicitly excludes certain information that falls under the broader definition of PII.
Based on the FCC’s allegations, Verizon collected personal information about its customers’ services and calling habits, such as how many calls a customer makes, what services the customer subscribes to, the destination or numbers called, and the customer’s location at the time of the call. Its standard practice was to provide customers with opt-out notice on their initial bill. Opt-out, rather than opt-in, is acceptable when a carrier intends to use the CPNI to market communications-related services to its own customers or allow its affiliates to do so. However, Verizon discovered that it failed to generate these initial opt-out notices for around two million customers, despite using their PII to market Verizon services to at least some of them. This was compounded by delay: Verizon discovered the oversight months before alerting the FCC, even though the CPNI rules require companies to report problems within five business days.[3] The resulting forfeiture took both facts into account, and fits within a larger trend of privacy protection.
FCC Focus on Privacy
Over the past five years, the FCC has steadily exercised its CPNI enforcement authority, although not to the scale of the Verizon fine. Before this case, the largest recent privacy forfeitures involved November and December 2012 consent decrees with TDS Telecommunications Corporation[4] and CenturyLink, Inc.[5] for $350,000 and $150,000, respectively. Shortly before that, in February 2009, the FCC rolled up more than 600 small carriers with a blanket notice of apparent liability for CPNI violations, imposing more than $13 million in cumulative forfeitures.[6] It repeated the performance in 2010 and 2011.[7]
In June 2013, the FCC issued a declaratory ruling effectively expanding the scope of CPNI into mobile device data.[8] Under that ruling, CPNI includes information that telecommunications carriers cause to be stored on their customers’ devices and that those telecommunications carriers or their designees have access to or control. This includes network diagnostic information and information not yet transmitted to a carrier’s servers. In clarifying this definition, the Commission indicated that it hoped that CPNI data protection rules would encourage telecommunications carriers to better safeguard and secure data including PII.
Compared to the Federal Trade Commission, the FCC’s privacy jurisdiction is much more focused. But it has clear enforcement authority over violations in its area, and has shown itself willing to pursue violations while defining new areas relevant to technological developments. The FCC’s development mirrors the growing importance of privacy in other state and federal agencies. We expect the FCC to continue to define its privacy jurisdiction through enforcement, rulings, and other actions, as data including PII becomes more mobile and interconnected and as its fellow agencies also take a more active hand protecting that data.