On April 2, 2007, the Federal Communications Commission (“FCC”) released a Report and Order and Further Notice of Proposed Rulemaking concerning the privacy of consumer telephone records. The Order’s provisions include the following:
- Use for Marketing Purposes. Telecommunications carriers must obtain opt-in consent from customers before disclosing their customer proprietary network information (“CPNI”) to a carrier’s joint venture partners or independent contractors for marketing purposes.
- Authentication. Carriers may not disclose a customer’s phone records to him when he calls the carrier unless the customer provides a password. Without the password, the carrier may only send the data to the address of record or provide it to the customer by calling the telephone number of record.
- Notice of Account Changes. Carriers must notify consumers immediately if any of the following are created or changed: 1) password; 2) back-up for forgotten passwords; 3) an online account; or 4) the address of record.
- Notice of Unauthorized Disclosure. The Order establishes a notification process for both law enforcement and customers if there is a CPNI breach.
- Annual Certification. Carriers are required to file with the FCC an annual certification that includes information concerning any actions taken against data brokers and all consumer complaints about unauthorized disclosure of CPNI.
- VoIP Included. All CPNI rules will now cover providers of voice over Internet Protocol services.
- Business Customers. In certain situations, carriers may agree contractually to other authentication measures for services provided to business customers.
The Further Notice of Proposed Rulemaking seeks comments on what, if any, additional steps the FCC should take to further protect consumer data. Comments are due 30 days from publication in the Federal Register, which had yet to occur at press time.