In a recent order, the FCC has reinstated its customer proprietary network information (“CPNI”) rules governing the privacy obligations of voice service providers under Section 222. This action follows the Congressional repeal of the FCC’s 2016 Privacy Order that had extended CPNI regulations to broadband internet access services. As a result, telecom and VoIP providers must again file CPNI compliance certification at the beginning of each year (beginning again in 2018) in order to certify compliance with these regulations.

While the legislative and administrative history is somewhat complex, the upshot of these developments is not. These actions simply take the industry back to the position of having to comply with the CPNI regulations that were in effect prior to adoption of the 2016 Privacy Order. In practical terms, that means that following publication in the Federal Register providers of interstate telecommunications services or interconnected VoIP services will be required to comply with the FCC’s regulations governing the access, use and disclosure of CPNI.

In addition, in this order the FCC also affirmed that:

  • The reinstated CPNI regulations will not cover broadband internet access services. 
  • Although these regulations do not extend to broadband, broadband service providers remain subject to Section 222 for the time being, until the Commission adopts (as we expect) an order rolling back Title II obligations on broadband. The FCC’s order also reminds providers of the prior Enforcement Bureau guidance offered to broadband providers in May of 2015 explaining how the Commission would enforce the statute absent any effective regulations.
  • This action reinstates the annual compliance certification filing requirement on a prospective basis. Thus, covered providers of telecommunications and VoIP services must file a certification of compliance no later than March 1, 2018 (certifying compliance during calendar year 2017).

As we have advised previously, CPNI certifications must include specific information concerning the provider’s compliance with the regulations, including a written explanation of how the provider’s program ensures compliance, whether the provider has taken action against data brokers, and a summary of all consumer complaints received in the prior year concerning unauthorized release of CPNI, or a clear statement that there were no such complaints.