On June 27, 2013, the Federal Communications Commission issued a Declaratory Ruling clarifying that telecommunications carriers have a duty to protect customer proprietary network information (CPNI) that carriers cause to be stored on their customers’ mobile devices when carriers or their designees have access to or control over that information. The Commission did not adopt nor propose any new rules related to CPNI, but clarified the applicability of existing rules to information stored on mobile devices.
Section 222 of the Communications Act of 1934, as amended, requires communications providers to protect consumers’ sensitive personal information to which they have access as a result of their unique position as network operators. The most specific obligations concern CPNI, which includes information about a customer’s use of the service that is made available to the carrier by virtue of the carrier-customer relationship. The Commission has previously explained that CPNI includes information such as the phone numbers called by a consumer, the frequency, duration, and timing of such calls, and any related services purchased or used by the consumer, such as call waiting. The location of a customer’s use of a telecommunications service also qualifies as CPNI.
The Declaratory Ruling clarifies that section 222 applies to information that fits the statutory definition of CPNI when such information is collected by the subscriber’s mobile device, provided that the collection is undertaken at the carrier’s direction and that the carrier or its designee has access to or control over that information. The Declaratory Ruling does not prohibit the collection of CPNI on mobile devices, but makes clear that carriers are responsible for securing the information and that the Commission will hold carriers responsible for compliance with statutory and regulatory obligations.
A customer’s consent to the collection and use of data to either maintain or improve a carrier’s network does not constitute consent for other use, disclosure, or permission of access, such as storing the information in an insecure manner, nor does it negate the duty under section 222 to protect proprietary information from unauthorized access or disclosure. Further, the FCC Declaratory Ruling provides that CPNI that is on a device and has not yet been transmitted to the carrier’s own servers does not remove the data from the definition of CPNI if the collection of information has been done at the carrier’s direction. Because CPNI is defined as information that is made available to the carrier, even if that information has not yet been transmitted from the mobile device to the carrier, the configuration of the device has made the information available to the carrier. However, Section 222 does not require wireless carriers to protect their customers against all possible privacy and security risks related to non-CPNI on a mobile device, including any risks created by downloaded third-party applications.