Cybertelecom
Cybertelecom
Federal Internet Law & Policy
An Educational Project
Notes: CPNI Dont be a FOOL; The Law is Not DIY
Notes > Privacy > CPNI Regulatory Page These notes are not complete and there is no guarantee that they are accurate. They are presented simply as notes. Feel free to use them but as with all material on the Internet Telecom Project, you should consider them a beginning to your research and not an end.
Privacy
CPNI
Definition
CPNI
Subscriber List Information
FCC Implementation of Section 222
Appellate Court Vacates FCC Rules
Background
CPNI Clarification Order
Aggregate Information
Subscriber List Information
Purpose
Not Competition
Privacy
Under Computer II: Protect CPE and ESPs
Harm
Total Service Approach
CPE
Info Service
272 Share with Affiliate
254 Rural Excemption?
Opt Out
Opt In
Notice
CPNI Under Computer Inquiries

Privacy

"The right to be left alone -the most comprehensive of rights, and the most valued by a free people."
Olmstead v. U.S., 277 U.S. 438, 1928. Justice Brandeis

Privacy, particularly in the area of communications, is a well established policy and objective of the Communications Act. Thus, any threatened or potential invasion of privacy is cause for concern by the Commission and the industry. In the past, the invasion of information privacy was rendered difficult by the scattered and random nature of individual data. Now the fragmentary nature of information is becoming a relic of the past."
--Notice of Inquiry, In the Matter of Regulatory and Policy Problems Presented by the Interdependence of Computer and Communication Services and Facilities, Docket No. 16979, 8 R.R. 2d 1567, 1572 (1966)

CPNI

47 CFR § 2001 et seq

      Definition

        CPNI

CPNI is defined as "(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier."19 Practically speaking, CPNI includes personal information such as the phone numbers called by a consumer, the length of phone calls, and services purchased by the consumer, such as call waiting.
1947 U.S.C. §  222(f)(1) and 47 U.S.C. §  222(h)(1)(A) (The 911 Act amended the definition of CPNI at section 222(h) to include "location" among a customer's information that carriers are required to protect under the privacy provisions of section 222)
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para 7 (July 25, 2002)


 9. On May 21, 1998, in response to a number of requests for clarification of the CPNI Order, the Common Carrier Bureau released a Clarification Order.   This order addressed several issues.  It concluded that independently-derived information regarding customer premises equipment (CPE) and information services is not CPNI and may be used to market CPE and information services to customers in conjunction with bundled offerings.   In addition, it clarified that a customer's name, address, and telephone number are not CPNI.
. . . . .
 159. Section 222(c)(1) prohibits the use of CPNI only where it is derived from the provision of a telecommunications service.  Consequently, we find that information that is not received by a carrier in connection with its provision of telecommunications service can be used by the carrier without customer approval, regardless of whether such information is contained in a bill generated by the carrier.  Therefore, consistent with the Clarification Order, customer information derived from information services that are held not to be  telecommunications services may be used, even if the telephone bill covers charges for such information services.
-- In Re Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, 96-149, Order On Reconsideration And Petitions For Forbearance (September 3, 1999)


Moreover, the Commission expressly noted that "customer information derived from the provision of any non-telecommunications service, such as CPE or information services, is not covered by section 222(c)(1), and thus may be used to provide or market any telecommunications service regardless of telecommunications service categories or customer approval."
 4. The Bureau believes that further clarification of carriers' obligations and rights in the context of bundled offerings will serve to minimize any potential confusion regarding a carrier's ability to use CPNI and other customer information to market new bundled offerings to existing customers.  Accordingly, we make clear that, when a customer purchases CPE or information services from a carrier that are bundled with a telecommunications service, the carrier subsequently may use any customer information independently derived from the carrier's prior sale of CPE to the customer or the customer's subscription to a particular information service offered by the carrier in its marketing of new CPE or a similar information service that is bundled with a telecommunications service.  Neither CPE nor information services constitute "telecommunications services" as defined in the Act.   Therefore, any customer information derived from the carrier's sale of CPE or from the customer's subscription to the carrier's information service would not be "CPNI" because section 222(f) defines CPNI in terms of information related to a "telecommunications service."  As a result, in situations where the bundling of a telecommunications service with CPE, information services, or other non-telecommunications services is permissible, a carrier may use CPNI to target particular customers in a manner consistent with the Second Report and Order, and it also may use the customer information independently derived from the prior sale of the CPE, the customer's subscription to a particular information service, or the carrier's provision of other non-telecommunications offerings to market its bundled offering.
 . . . . .
 9. Although the definition of CPNI includes "information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier," we do not interpret this language to include every item that appears on a customer's bill.   Specifically, we do not consider a customer's name, address, and telephone number to be "information pertaining to telephone exchange service or telephone toll service."   Rather, we consider this information to be part of a carrier's business record or customer list that identifies the customer and indicates how that customer can be contacted by the carrier.  Although such information generally appears on a customer's billing statement, it does not pertain to the "telephone exchange service or toll service" received by the customer, as specified by the statutory definition in section 222(f)(1)(B).  If the definition of CPNI included a customer's name, address, and telephone number, a carrier would be prohibited from using its business records to contact any of its customers to market any new service that falls outside the scope of its existing service relationship with those customers.   In fact, under such an interpretation, a carrier would not even be able to contact a single customer in an effort to obtain permission to use their CPNI for marketing purposes because the carrier's mere use of its customer list to initiate contact with its customers would constitute a violation of section 222.  This anomalous result was clearly not intended by section 222.  Therefore, we clarify that a carrier's use of its customers' name, address, and telephone number for marketing purposes would not be subject to the CPNI restrictions in section 222(c)(1) because such information is not CPNI.  Thus, under section 222 and the Commission's rules, a carrier could contact all of its customers or all of its former customers, for marketing purposes, by using a customer list that contains each customer's name, address, and telephone number, so long as it does not use CPNI to select a subset of customers from that list.
-- In Re Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, Order ¶ 3 (May 21, 1998)
 

Subscriber List Info

Foot Note 25. 47 U.S.C. s 222(f)(3). "The term 'subscriber list information' means any information   (A) identifying the listed names of subscribers of a carrier and such subscribers' telephone numbers, addresses or primary advertising classifications (as such classifications are assigned at the time of the establishment of such service), or any combination of such listed names, numbers, addresses, or classifications; and (B) that the carrier or an affiliate has published, caused to be published, or accepted for publication in any directory format." Id.
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking (July 25, 2002)


 8. We clarify that a customer's name, address, and telephone number do not fall within the definition of CPNI, set forth in section 222(f)(1).  Section 222(f)(1) defines CPNI as:
(A) information that relates to the quantity, technical configuration, type, destination, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier; except that such term does not include subscriber list information.
Subscriber list information includes a customer's name, address, and telephone number so long as they have been published.   Therefore, it is clear that the definition of CPNI does not include a customer's name, address, and telephone number that have been published, in the manner described by section 222(f)(3)(B).  The question remains, however, as to whether such information that has not been published should be considered CPNI.
--In Re Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, Order (May 21, 1998)

    FCC Implementation of Section 222

47 C.F.R. § 64.2000 et seq.

  5. This proceeding was initiated in 1996 to implement section 222 of the Act, which governs carriers' use and disclosure of CPNI.13 Section 222, entitled "Privacy of Customer Information," obligates carriers to protect the confidentiality of certain information. Section 222(a) imposes a general duty on telecommunications carriers to protect the confidentiality of proprietary information.14 Carriers owe this duty to other carriers, equipment manufacturers, and customers.15 Section 222(b) states that a carrier that receives or obtains proprietary information of other carriers in order to provide a telecommunications service can only use that information for that purpose and cannot use that information for its own marketing efforts.16 Finally, section 222(c) protects the confidentiality of customer information and specifically delineates the exceptions to the general principle of confidentiality.17
  6. In section 222, Congress laid out a framework for carriers' use of customer information based on the sensitivity of the information. In particular, the statute allows easier dissemination of information beyond the existing customer carrier relationship where information is not sensitive, or where the customer so directs. Thus, section 222 establishes three categories of customer information to which different privacy protections and carrier obligations apply: (1) individually identifiable CPNI, (2) aggregate customer information, and (3) subscriber list information. The Wireless Communications and Public Safety Act of 1999 (911 Act) amended section 222 with respect to privacy of wireless location information.18
 -- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, ¶ 8 (July 25, 2002).



On May 17, 1996, the Commission initiated a rulemaking, in response to various formal requests for guidance from the telecommunications industry, regarding the obligation of carriers under section 222 and related issues. The Commission subsequently released the CPNI Order on February 26, 1998. The CPNI Order addressed the scope and meaning of section 222, and promulgated regulations to implement that section. It concluded, among other things, as follows: (a) carriers are permitted to use CPNI, without customer approval, to market offerings that are related to, but limited by, the customers' existing service relationship; (b) before carriers may use CPNI to market outside the customer's existing service relationship, carriers must obtain express written, oral, or electronic customer approval; (c) prior to soliciting customer approval, carriers must provide a one-time notification to customers of their CPNI rights; (d) in light of the comprehensive regulatory scheme established in section 222, the Computer III CPNI framework is unnecessary; and (e) sections 272 and 274 impose no additional CPNI requirements on the Bell Operating Companies (BOCs) beyond those imposed by section 222. -- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, Order on Recon and Petitions for Forebearance, ¶ 8 (September 3, 1999).


158. In the Common Carrier Bureau's Clarification Order, the Bureau said that Acustomer information derived from the provision of any non-telecommunications service, such as CPE or information services . . . may be used to provide or market any telecommunications service . . . .@ Omnipoint asks the Commission to clarify that section 222 does not prohibit the use of customer information derived from non-telecommunications services bundled with telecommunications services merely because charges for those services appeared on a customer's telephone bill. Omnipoint contends that its position logically follows from the statement in the Clarification Order. U S WEST agrees with Omnipoint's position, but contends that the statute is clear, and no clarification is required.
Section 222(c)(1) prohibits the use of CPNI only where it is derived from the provision of a telecommunications service. Consequently, we find that information that is not received by a carrier in connection with its provision of telecommunications service can be used by the carrier without customer approval, regardless of whether such information is contained in a bill generated by the carrier. Therefore, consistent with the Clarification Order, customer information derived from information services that are held not to be telecommunications services may be used, even if the telephone bill covers charges for such information services. -- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, Order on Recon and Petitions for Forebearance, ¶ 159 (September 3, 1999).
We agree with the Bureau that carriers that have complied with the Computer III notification and prior written approval requirements in order to market enhanced services to certain large business customers should be deemed in compliance with section 222 and the Commission's rules. For the reasons stated in the Clarification Order, we agree that the Computer III framework required carriers to provide these large business customers with adequate notice and obtain express, affirmative approval in material compliance with the form and content of those required by section 222 and the Commission's rules. Although it is true that the Computer III consents were given prior to the advent of local competition, we believe that the detailed notice and express, affirmative consent required under that regime compensate for this deficiency. Moreover, we are not persuaded by CompTel's assertion that the BOCs warnings that they may have to change the customer's account representatives put undue pressure on these business customers to relent. Finally, we also conclude that although some of the Computer III annual notifications may not have been "proximate to" the carrier solicitations as required by section 222, the Computer III regime's annual notification requirement and limitation to business customers with more than 20 access linesCrequirements that we note are more stringent than required by section 222Cmaterially satisfy the concerns we intended to address by the proximate notification requirement promulgated in the CPNI Order. As such, we agree with the Bureau that the Computer III notifications are in material compliance with section 222 and the Commission's rules, and adopt the reasoning and conclusions of the Clarification Order as our own. -- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, Order on Recon and Petitions for Forebearance, ¶ 98 (September 3, 1999).

46. We continue to exclude from this list, as the Commission did in the CPNI Order, Internet access services. Despite contrary claims from some petitioners, there is no convincing new evidence on the record that shows that such services are necessary to, or used in, the making of a call, even in the broadest sense. There is also no evidence, currently, that customers expect to receive such services from their wireline provider, or that they expect to use such services in the way that they expect to receive or use the above-listed services.

47. We will, however, add protocol conversions to the list of services that carriers may market using CPNI without customer approval. In its petition, Bell Atlantic requests that we redefine protocol conversion as a telecommunications service. A protocol conversion assists terminals or networks operating with different protocols to communicate with each other. Bell Atlantic asserts that protocol conversions that do not alter the underlying information sent and received should not be defined as information services. We do not believe that protocol conversions should be redefined as a telecommunications service but because protocol conversions are necessary to the provision of the telecommunications service, in the instances where they are used, protocol conversions should be included in the group of information services listed above. Accordingly, we grant Bell Atlantic's request to use CPNI to market, without customer approval, protocol conversions. -- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, Order on Recon and Petitions for Forebearance, ¶¶ 46-47 (September 3, 1999).

We grant, in part, the petitions for reconsideration which request that we allow all carriers to use CPNI to market customer premises equipment (CPE) and information services under section 222(c)(1) without customer approval. We conclude that all carriers may use CPNI, without customer approval, to market CPE. We further conclude that CMRS carriers may use CPNI, without customer approval, to market all information services, while wireline carriers may do so for certain information services. We deny the petitions for forbearance on these issues. -- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, Order on Recon and Petitions for Forebearance, ¶ 7 (September 3, 1999).

On May 21, 1998, in response to a number of requests for clarification of the CPNI Order, the Common Carrier Bureau released a Clarification Order. This order addressed several issues. It concluded that independently-derived information regarding customer premises equipment (CPE) and information services is not CPNI and may be used to market CPE and information services to customers in conjunction with bundled offerings. In addition, it clarified that a customer's name, address, and telephone number are not CPNI. -- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, Order on Recon and Petitions for Forebearance, ¶ 9 (September 3, 1999).
 
 

On February 26, 1998, the Commission released a Second Report and Order and Further Notice of Proposed Rulemaking (Second Report and Order) interpreting and implementing, among other things, the portions of section 222 of the Communications Act of 1934, as amended, that govern the use and disclosure of, and access to, customer proprietary network information (CPNI) by telecommunications carriers. Since the release of the Second Report and Order, a number of parties have requested that the Commission clarify various issues pertaining to that order. In response to these requests, the Common Carrier Bureau issues this order clarifying the Second Report and Order as follows:

(a) Independently-derived information regarding customer premises equipment (CPE) and information services is not CPNI and may be used to market CPE and information services to customers in conjunction with bundled offerings.

(b) A customer's name, address, and telephone number are not CPNI.

(c) A carrier has met the requirements for notice and approval under section 222 and the Commission's rules where it has both provided annual notification to, and obtained prior written authorization from, customers with more than 20 access lines in accordance with the Commission's former CPNI rules.

(d) Although a carrier must ensure that its certification of corporate compliance with the Commission's CPNI rules is made publicly available, it is not required to file this certification with the Commission.

--In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, ¶ 1 (CCB May 21, 1998).

Accordingly, we make clear that, when a customer purchases CPE or information services from a carrier that are bundled with a telecommunications service, the carrier subsequently may use any customer information independently derived from the carrier's prior sale of CPE to the customer or the customer's subscription to a particular information service offered by the carrier in its marketing of new CPE or a similar information service that is bundled with a telecommunications service. Neither CPE nor information services constitute "telecommunications services" as defined in the Act. Therefore, any customer information derived from the carrier's sale of CPE or from the customer's subscription to the carrier's information service would not be "CPNI" because section 222(f) defines CPNI in terms of information related to a "telecommunications service." As a result, in situations where the bundling of a telecommunications service with CPE, information services, or other non-telecommunications services is permissible, a carrier may use CPNI to target particular customers in a manner consistent with the Second Report and Order, and it also may use the customer information independently derived from the prior sale of the CPE, the customer's subscription to a particular information service, or the carrier's provision of other non-telecommunications offerings to market its bundled offering. --In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, ¶ 4 (CCB May 21, 1998).
 
 

Prior to the adoption of the Telecommunications Act of 1996, the framework established under the Commission's Computer III regime governed the use of CPNI by the BOCs, AT&T, and GTE to market CPE and enhanced services. Two important components of this Computer III framework were: (1) a carrier's obligation to provide an annual notification of CPNI rights to multi-line customers regarding enhanced services, as well as a similar notification requirement regarding CPE that applied only to the BOCs, and (2) a carrier's obligation to obtain prior written authorization from business customers with more than 20 access lines to use CPNI to market enhanced services. We clarify that in circumstances where a carrier has provided annual notification and received prior written authorization from customers with more than twenty access lines, the requirements for notice and approval under section 222, and the associated Commission rules, are satisfied for those customers. --In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, ¶ 10 (CCB May 21, 1998).

 Appellate Court Vacates FCC Rules

20. On August 18, 1999, the Tenth Circuit issued an opinion vacating a portion of the CPNI Order in U S WEST. 49 U S WEST (now Qwest) contended that the opt in approach adopted by the Commission violated the First and Fifth Amendments of the Constitution. 50 The Tenth Circuit struck down the Commission's original customer approval rules, finding that the CPNI rules impermissibly regulated protected commercial speech and thus violated the First Amendment. 51 Specifically, the court found that the opt in regime was not narrowly tailored because the Commission had failed to adequately consider an opt out option. 52
. . . .
  29. Importantly, the court did not find section 222 of the Act unconstitutional. 86 As noted, U S WEST did not even challenge the constitutionality of section 222. 87 Therefore, the task before the Commission remains the same: to implement regulations that satisfy Congress' goal of protecting consumer privacy by requiring carriers to obtain customer consent for certain uses of CPNI. As required by the Tenth Circuit, any new regulations adopted by the Commission in the instant proceeding must meet the standard articulated by the Supreme Court in Central Hudson.
. . . . .
  79. We affirm our previous determinations that the "Tenth Circuit vacated only the specific portion of our CPNI rules relating to the opt in mechanism." 173 As the Commission noted in seeking comment in the Clarification Order Further NRPM, the Tenth Circuit's order was subject to interpretation as to whether it vacated the entirety of the CPNI rules or just those related to the opt in requirement. 174 However, as we have twice previously held, substantial portions of the Commission's CPNI rules were not relevant to the issue before the court and were beyond the scope of the court's constitutional analysis. 175
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para 20 f(July 25, 2002)


"After the Commission adopted the Order on Reconsideration, but prior to its release, the Court of Appeals for the Tenth Circuit issued its opinion vacating the Commission's CPNI rules. (U S WEST, Inc. v. FCC, 10th Circuit No. 98-9518 (filed August 18, 1999)). The Court held that the Commission's CPNI rules "must fall under the First Amendment." The Court's mandate has not yet issued and further litigation remains a possibility. Once the Court's mandate issues, the Commission will take appropriate steps to implement the Court's final decision." -- Welcome To The FCC, Common Carrier Bureau's Homepage For The CPNI Proceeding Last Updated 9/9/99 (accessed February 15, 2000) http://www.fcc.gov/ccb/ppp/Cpni/welcome.html

US West v. FCC, Docket 98-9518 (10th Cir. Aug 18, 1999), cert. denied sub. Nom Competitive Policy Institute v. U.S. West Docket 99-1427 (S.Ct. June 2000) http://www.kscourts.org/ca10/cases/1999/08/98-9518.htm

We vacate the FCC's CPNI Order, concluding that the FCC failed to adequately consider the constitutional ramifications of the regulations interpreting § 222 and that the regulations violate the First Amendment.

. . . . .

The FCC failed to adequately consider the constitutional implications of its CPNI regulations. Even if we accept the government's proffered interests and assume those interests are substantial, the FCC still insufficiently justified its choice to adopt an opt-in regime. Consequently, its CPNI regulations must fall under the First Amendment. At the very least, the foregoing analysis shows that the CPNI regulations clearly raise a serious constitutional question, invoking the rule of constitutional doubt. Accordingly, we VACATE the FCC's CPNI Order and the regulations adopted therein.(15)

        Background:  Procedural History

  10. On May 17, 1996, the Commission initiated a rulemaking in response to requests for guidance from the telecommunications industry regarding the obligations of telecommunications carriers under section 222 of the Act and related issues. 29 The Commission released the CPNI Order on February 26, 1998, in which it addressed the scope and meaning of section 222 and promulgated implementing regulations.30
. . . .
  15. On August 16, 1999, the Commission adopted the CPNI Reconsideration Order in response to a number of petitions for reconsideration, forbearance, and clarification of the CPNI Order.34 The CPNI Reconsideration Order was adopted "to preserve the consumer protections mandated by Congress while more narrowly tailoring [the CPNI] rules, where necessary, to enable telecommunications carriers to comply with the law in a more flexible and less costly manner."35f
. . . . .
  23. On August 28, 2001, the Commission adopted an order (CPNI Clarification Order) clarifying the status of its CPNI rules in light of the Tenth Circuit order and issuing a Further Notice of Proposed Rulemaking (Clarification Order Further NPRM). 58 The Commission affirmed its previous determination that the Tenth Circuit invalidated only the opt in rule, not the entire CPNI Order. 59 The Commission sought comment on its interpretation of the scope of the Tenth Circuit order, and on what type of approval (opt in or opt out) would best serve the government's goals while respecting constitutional limits. 60 In addition, the Commission noted that "the consent mechanism that we eventually adopt in response to the Tenth Circuit's Order could impact our previous findings regarding the interplay between [sections 222 and 272, and we therefore find it necessary to raise the relevant issues here." 61
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para 10 (July 25, 2002)


  2. On May 17, 1996, the Commission initiated a rulemaking, in response to various informal requests for guidance from the telecommunications industry, regarding the obligation of telecommunications carriers under Section 222 of the Act and related issues. 5 The Commission subsequently released the CPNI Order, on February 26, 198, which addressed the scope and meaning of Section 222, and promulgated regulations to implement that section. In the CPNI Order, the Commission determined that 'with Section 222, Congress expressly directs a balance of 'both competitive and consumer privacy interests with respect to CPNI." 6 It found this conclusion to be supported by the comprehensive statutory design, which expressly recognizes the duty of all telecommunications carriers to protect customer information, and embodies the principle that customers must be able to control information they view as sensitive and personal from unauthorized use, disclosure, and access by carriers. Where information is not sensitive, it found that Section 222 permits the free flow of information beyond the customer-carrier relationship, because in this situation, the customer's interest rests more in choosing service with respect to a variety of competitors, thus necessitating competitive access to the information. 7
   3. In the CPNI Order, the Commission stated that Section 222(c)(1) of the Act allows a carrier to use, without the customer's prior approval, the customer's CPNI derived from the complete service that the customer subscribes to from that carrier and its affiliates, for marketing purposes within the existing service relationship. 8 This is known as the 'total service approach.' The Commission also concluded that carriers must notify the customer of the customer's rights under Section 222 and then obtain express written, oral or electronic customer approval -- a 'notice and opt-in' approach -- before a carrier may use CPNI to market services outside the customer's existing service relationship with that carrier. 9 U S West appealed this order to the Tenth Circuit. On August 16, 1999, the Commission adopted the  CPNI Reconsideration Order 10 in response to a number of petitions for reconsideration, forbearance, and clarification of the CPNI Order. The CPNI Reconsideration Order, among other things, further clarified the total service approach. 11 It also retained the opt-in approach. 12
  4. After the Commission adopted the CPNI Reconsideration Order, the Tenth Circuit issued its decision in U S WEST v. FCC, vacating a portion of the CPNI Order 'and the regulations adopted therein. 13 In U S WEST V. FCC, U S WEST contended that the opt-in approach for customer approval in the CPNI Order violated the First and Fifth Amendments of the Constitution. 14 The court declined to review the Commission's opt-in approach under the traditional administrative law standards of *16509 Chevron, 15 in light of what it perceived as the 'serious constitutional questions' raised by the approach, and determined that it must be reviewed under the constitutional standards applicable to regulations of commercial speech in Central Hudson Gas & Elec. Corp. v. Public Service Commission. 16
    5. Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' use of Customer Proprietary Network Information and Other Customer Information, Notice of Proposed Rulemaking, CC Docket No. 96-115, 11 FCC Rcd 12513 (1996) (NPRM).
    6. CPNI Order, 13 FCC Rcd 8065, para. 3 (citing the Joint statement of Mangers, S. Conf. Rep. No. 104-230, 104th Cong., 2d Sess., 1 (1996).
    7. CPNI Order,13 FCC Rcd at 8066, para. 3 ('Indeed, in provisions governing use of aggregate customer and subscriber list information, Sections 222(c)(3) and 222(e) respectively, where privacy of sensitive information is by definition not at stake, Congress expressly required carriers to provide such information to third parties on nondiscriminatory terms and conditions.').
    8. CPNI Order,13 FCC Rcd at 8080, 8083-84, 8087-88, paras. 23-24, 30, 35.
    9. Id. at 8127-45, paras. 86-107: see also U S WEST v. FCC, 182 F. 3d at 1230. This approach is distinguished from an 'opt-out' or negative option approach 'in shich approval would be inferred from the customer-carrier relationship unless the customer specifically requested that his or her CPNI be restricted.' U S WEST v. FCC, 182 F. 3d at 1230.
    10. Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' use of Customer Proprietary Network Information and Other Customer Information and Implementaiton of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended, CC Docket Nos. 96-115 and 96-149, Order on Reconsideration and Petitions for Forbearance, 14 FCC Rcd 14409 (1999) (CPNI Reconsideration Order.). On November 1, 1999, MCI Communications Corp. filed a Petition for Further Reconsideration. We will Address MCI's Petition in a separate order.
    11. CPNI Reconsideration Order, 14 FCC Rcd at 14464, paras. 109-110. In particular, the Order expanded Section 64.2005 of the Commission's rules, 47 C.F.R.§  64.2005, which codifies the total service approach, to include customer premises equipment and some information services.
    12. Only one carrier, Omnipoint Communications, Inc., requested that we reconsider that the Commission 'opt-in' approach, and limited its request ro CMRS carriers only. CPNI Reconsideration Order, 14 FCC Rcd at 14463-64, paras. 107-08. The Commission denied to reconsider its original finding that 'the requirement of affirmative consent is consistent with Congressional intent, as well as principles of customer control and convenience.' Id.
    13. U S West, Inc. v. FCC, 182 F. 3d 1240.
    14. Id. at 1231.
    15. See Chevron USA Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984) (Chevron).
    16. 447 U.S. 557 (1980) (Central Hudson).
---In Re Implementation Of The Telecommunications Act Of 1996; Telecommunications Carriers' Use Of Customer Proprietary Network Information And Other Customer Information; Implementation Of The Non-Accounting Safeguards Of Sections 271 And 272 Of The Communications Act Of 1934, As Amended CC Docket No. 96-149, CC Docket No. 96-115, Order (September 7, 2001)


Faced with the new CPNI restrictions, various telecommunications companies and trade associations sought FCC guidance regarding their obligations under § 222. See id. ¶ 6 & n.25. These requests, along with a petition for a declaratory ruling regarding the interpretation of the term "telecommunication service" under § 222(c)(1), prompted the FCC to commence a rulemaking on May 17, 1996. See id. ¶ 6; In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunication Carriers' Use of Customer Proprietary Network Information and Other Customer Information, Notice of Proposed Rulemaking, 61 Fed. Reg. 26,483 (1996) ("CPNI NPRM"). The CPNI NPRM sought comment on, among other things: "(1) the scope of the phrase 'telecommunications service,' as it is used in section 222(c)(1) . . . ; (2) the requirements for customer approval; and (3) whether the Commission's existing CPNI requirements should be amended in light of section 222." CPNI Order ¶ 6 (citing CPNI NPRM ¶¶ 20-33, 38-42). On February 26, 1998, the FCC released the CPNI Order we now review. The CPNI Order addresses the meaning and scope of § 222 and adopts regulations to implement the statute's CPNI requirements. See 47 C.F.R. pt. 64, subpt. U (1998).

The regulations adopted by the CPNI Order interpret § 222(c)(1) through a framework known as the "total service approach." That approach divides the term "telecommunications service" into three service categories: (1) local; (2) interexchange (which includes most long-distance toll service); and (3) commercial mobile radio service ("CMRS") (which includes mobile or cellular service). See 47 C.F.R. § 64.2005(a). Broadly stated, the regulations permit a telecommunications carrier to use, disclose, or share CPNI for the purpose of marketing products within a category of service to customers, provided the customer already subscribes to that category of service. See id. However, the carrier may not, without customer approval, use, disclose, or permit access to CPNI for the purpose of marketing categories of service to which the customer does not already subscribe. See id. § 64.2005(b).(2) For example, petitioner could use CPNI obtained through the provision of local service to market other local service products, but not cellular services. Moreover, if the customer subscribes to both local and long-distance services, petitioner could use the CPNI to market either service and could exchange the CPNI between affiliates that provide such services, but petitioner could still not use the CPNI to market cellular services. In addition, the regulations prevent telecommunications carriers from using, without customer approval, CPNI gained from any of the three categories described above to: (1) market customer premises equipment ("CPE") or information services (such as call answering, voice mail, or Internet access services); (2) identify or track customers that call competitors; and (3) regain the business of customers who have switched to another carrier. See id. § 64.2005(b)(1)-(3). The regulations also set forth some additional narrow exceptions to the CPNI requirements, other than those stated in § 222(d). See id. § 64.2005(c).

The regulations also describe the means by which a carrier must obtain customer approval. Section 222(c)(1) did not elaborate as to what form that approval should take. The FCC decided to require an "opt-in" approach, in which a carrier must obtain prior express approval from a customer through written, oral, or electronic means before using the customer's CPNI. See 47 C.F.R. § 64.2007(b). The government acknowledged that the means of approval could have taken numerous other forms, including an "opt-out" approach, in which approval would be inferred from the customer-carrier relationship unless the customer specifically requested that his or her CPNI be restricted.

Petitioner challenges the FCC's chosen approval process, claiming it violates the First Amendment by restricting its ability to engage in commercial speech with customers. In addition, petitioner argues that the CPNI regulations raise serious Fifth Amendment Takings Clause concerns because CPNI represents valuable property that belongs to the carriers and the regulations greatly diminish its value. The respondents assert that the FCC's CPNI regulations raise no constitutional concerns, are reasonable, and are entitled to deference under the Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837 (1984).
. . . . .

 CPNI Clarification Order 2001

  23. On August 28, 2001, the Commission adopted an order (CPNI Clarification Order) clarifying the status of its CPNI rules in light of the Tenth Circuit order and issuing a Further Notice of Proposed Rulemaking (Clarification Order Further NPRM). 58 The Commission affirmed its previous determination that the Tenth Circuit invalidated only the opt in rule, not the entire CPNI Order. 59 The Commission sought comment on its interpretation of the scope of the Tenth Circuit order, and on what type of approval (opt in or opt out) would best serve the government's goals while respecting constitutional limits. 60 In addition, the Commission noted that "the consent mechanism that we eventually adopt in response to the Tenth Circuit's Order could impact our previous findings regarding the interplay between [sections 222 and 272, and we therefore find it necessary to raise the relevant issues here." 61
  24. In the CPNI Clarification Order, the Commission sought to obtain a more complete record on ways in which consumers can consent to a carrier's use of their CPNI. 62 Taking into account the Tenth Circuit's opinion, the Commission sought comment on what methods of approval would serve the governmental interests at issue and afford informed consent, while also satisfying the First Amendment's requirement that any restrictions on speech be narrowly tailored. 63 Specifically, the Commission sought comment on the interests and policies underlying section 222 that are relevant to formulating an approval requirement, including an analysis of the privacy interests that are at issue, and on the extent to which we should take competitive concerns into account. 64 To the extent that promoting competition is also a legitimate government interest under section 222, the Commission sought comment on the likely difference in competitive harms under opt in and opt out approvals.
25. In the CPNI Clarification Order, the Commission also sought comment on whether adoption of an opt out mechanism is consistent with the rationale for the total service approach set forth in the CPNI Order. 65 Additionally, in the CPNI Reconsideration Order, the Commission determined that carriers may use CPNI derived from the provision of a telecommunications service to market CPE necessary to, or used in, the provision of that telecommunications service in accordance with section 222(c)(1). 66 In a separate proceeding, the Commission modified and clarified its bundling rules promulgated under Computer II 67 to allow carriers to bundle CPE and enhanced services with telecommunications services. 68 The Commission sought comment on whether the issues raised in that proceeding should affect our interpretation of section 222(c)(1) and the total service approach. 69 The Commission received extensive comments and replies from commenters representing a broad cross section of the industry and consumer interest groups in this proceeding. 70
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para 25 (July 25, 2002)
 

Aggregate Information

 Aggregate customer information and subscriber list information, in contrast, do not involve personal, individually identifiable information, but nevertheless are valuable to competitors.23 Aggregate customer information means "collective data that relates to a group or category of services or customers, from which individual customer identities and characteristics have been removed." 24 Subscriber list information generally includes subscribers' names, addresses and telephone numbers.25 Accordingly, under sections 222(c)(3) and 222(e), aggregate customer information and subscriber list information receive less protection from use and disclosure in order to promote competition. In particular, aggregate customer information   which by definition has been stripped of individually identifiable information   may be used beyond the purposes identified in section 222(c)(1) for CPNI, but local exchange carriers (LECs) must make aggregate customer information available to competitors on reasonable and nondiscriminatory terms and conditions.26
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para 9 (July 25, 2002)
 

Subscriber List Information

Subscriber list information   which is generally publicly available   must be provided to third parties for the purpose of publishing directories on a timely and unbundled basis, under nondiscriminatory and reasonable rates, terms, and conditions.27 In addition, subscriber listed and unlisted information must be disclosed to providers of emergency service and emergency support services under the circumstances set forth in section 222(g).28
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para 9 (July 25, 2002)
 

Purpose / Govt Interest

        Not Competition

Section 222 is not the first time the government has placed restrictions on telecommunications carriers' use or disclosure of CPNI. Prior to the enactment of § 222, the FCC had imposed CPNI requirements on the enhanced service operations of several major telecommunications carriers. See CPNI Order ¶ 7. The FCC imposed these CPNI requirements primarily to prevent large carriers from gaining a competitive advantage in the unregulated enhanced services markets through the use of CPNI, thereby protecting smaller carriers. See id. In contrast, Congress made § 222, which is much broader in scope than previous CPNI requirements, applicable to all carriers, not just the dominant ones. This suggests that Congress enacted § 222 for a substantially different purpose than previous FCC CPNI requirements.
. . . . .
We harbor different reservations about the government's asserted interest in competition. While we afford agencies broad deference in interpreting a statute they are charged to administer, they must obey the dictates of Congress and administer the statute true to Congress' intent. See Ernst & Ernst v. Hochfelder, 425 U.S. 185, 213-14 (1976). We are not satisfied that the interest in promoting competition was a significant consideration in the enactment of § 222.
       While the broad purpose of the Telecommunications Act of 1996 is to foster increased competition in the telecommunications industry,(9) the language of § 222 reveals no such concern.(10) Rather, the specific and dominant purpose of § 222 is the protection of customer privacy. Indeed, the FCC and members of Congress characterize § 222 as "striv[ing] to balance both the competitive and consumer privacy interests with respect to CPNI," Joint Statement of Managers, S. Conf. Rep. No. 104-230, at 205 (1996) (emphasis added), which suggests that § 222's purpose in fostering privacy may even run counter to the broad pro-competition purpose of the Telecommunications Act. In any event, three other considerations persuade us that Congress did not intend for competition to be a significant purpose of § 222. First, and most important, the plain language of the section deals almost exclusively with privacy. Section 222 is entitled "Privacy of customer information" and is replete with references to privacy and confidentiality of customer information. In contrast, § 222 contains no explicit mention of competition. Although § 222(c)(3) and § 222(e) impose nondiscrimination requirements with respect to disclosure of aggregate customer and subscriber list information which could be construed as pro-competition measures, we find that these do not sufficiently indicate that increasing competition was a purpose of § 222. Moreover, the provisions of § 222 relating to CPNI which the challenged regulations interpret contain no reference to nondiscrimination requirements and reflect solely a concern for customer privacy. See 47 U.S.C. § 222(c)(1)-(2), (d). Second, § 222 differs from previous CPNI restrictions designed to foster competition because it applies to all telecommunications carriers, not just the dominant ones. This indicates a different purpose for the new restriction. Finally, § 222 contains measures that will allow full use, disclosure, and access to CPNI if customer approval is obtained. Assuming that a carrier is able to obtain a high rate of customer approval, the alleged competitive effect of § 222's CPNI restrictions is minimal and can perhaps even be nullified. Consequently, we find that Congress' primary purpose in enacting § 222 was concern for customer privacy, not the broader purpose of increasing competition.

 Privacy

  33. Government's Substantial Interest. The customer approval requirement in section 222(c)(1) is designed to protect the interest of telecommunications consumers in limiting unexpected and unwanted use and disclosure of their personal information by carriers who must collect such information in order to render bills and perform other services. Section 222(c)(1) thus assumes a minimum level of customer concern regarding certain uses of CPNI by a carrier and its affiliates. This assumption has been borne out by evidence in the record, including surveys indicating consumers' desires regarding dissemination of CPNI and other personal information. Notably, in one study, 55.5 percent of Cincinnati Bell Telephone (CBT) customers expressed some level of concern with use of CPNI by CBT for targeted marketing, including 17.2 percent that were "extremely concerned." 92 Likewise, the Westin Study submitted by Pacific Telesis in the original CPNI proceeding indicated that 36 percent of customers found it "not acceptable" for their local telephone company to use CPNI for targeted marketing. 93 These concerns show a sensitivity to use of CPNI, consistent with the very private nature of the information collected by a telecommunications carrier, which includes, at a minimum, the telephone numbers a subscriber calls, and the times, dates, destinations and duration of those calls. 94 CPNI also includes services that a subscriber purchases, the equipment and facilities used, and it may also include personal/household usage patterns, among other things. 95 Based on the record before us, we conclude that the government's interest in limiting unexpected disclosure and use of consumers' CPNI is a substantial one.
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para 33 (July 25, 2002)


Congress recognized, however, that the new competitive market forces and technology ushered in by the 1996 Act had the potential to threaten consumer privacy interests.  Congress, therefore, enacted section 222 to prevent consumer privacy protections from being inadvertently swept away along with the prior limits on competition. 3  Section 222 establishes a new statutory framework governing carrier use and disclosure of customer proprietary network information (CPNI) and other customer information obtained by carriers in their provision of telecommunications services.
. . . . .
  3.  In contrast to other provisions of the 1996 Act that seek primarily to  "[open all telecommunications markets to competition," 8 and mandate competitive access to facilities and services, the CPNI regulations in section 222 are largely consumer protection provisions that establish restrictions on carrier use and disclosure of personal customer information.  With section 222, Congress expressly directs a balance of "both competitive and consumer privacy interests with respect to CPNI." 9  Congress' new balance, and privacy concern, are evidenced by the comprehensive statutory design, which expressly recognizes the duty of all carriers to protect customer information, 10 and embodies the principle that customers must be able to control information they view as sensitive and personal from use, disclosure, and access by carriers. 11 Where information is not sensitive, 12 or where the customer so directs, 13 the statute permits the free flow or dissemination of information beyond the existing customer-carrier relationship.  Indeed, in the provisions governing use of aggregate customer and subscriber list information, sections 222(c)(3) and 222(e) respectively, where privacy of sensitive information is by definition not at stake, Congress expressly required carriers to provide such information to third parties on nondiscriminatory terms and conditions. 14  Thus, although privacy and competitive concerns can be at odds, the balance struck by Congress aligns these interests for the benefit of the consumer.  This is so because, where customer information is not sensitive, the customer's interest rests more in choosing service with respect to a variety of competitors, thus necessitating competitive access to the information, than in prohibiting the sharing of information.
-- In Re In The Matter Of Implementation Of The Telecommunications Act Of 1996, CC Docket No. 96-115, Second Report and Order and Further Notice of Proposed Rulemaking ¶ 1 (February 26, 1998)

Under Computer II: Protect CPE and ESPs

  7.  Prior to the 1996 Act, the Commission had established CPNI requirements applicable to the enhanced services 30 operations of AT&T, the BOCs, and GTE, and the CPE operations of AT&T and the BOCs, in the Computer II, 31 Computer III, 32 GTE ONA, 33 and BOC CPE Relief 34 proceedings.  The Commission recognized in the Notice that it had adopted these CPNI requirements, together with other nonstructural safeguards, to protect independent enhanced services providers and CPE suppliers from discrimination by AT&T, the BOCs, and GTE.35  The Notice stated that the Commission's existing CPNI requirements were intended to prohibit AT&T, the BOCs, and GTE from using CPNI obtained from their provision of regulated services to gain a competitive advantage in the unregulated CPE and enhanced services markets. 36 The Notice further stated that the existing CPNI requirements also were intended to protect legitimate customer expectations of confidentiality regarding individually identifiable information. 37  The Commission concluded in the Notice that existing CPNI requirements would remain in effect, pending the outcome of this rulemaking, to the extent that they do not conflict with section 222. 38  On November 13, 1996, the Common Carrier Bureau (Bureau) waived the annual CPNI notification requirement for multi-line business customers that had been imposed on AT&T, the BOCs, and GTE under our pre-existing CPNI framework, pending our action in this proceeding. 39
35. Notice at 12516,   4.
36. Notice at 12516, 12530,     4, 40.
37. Notice at 12516,   4.
38. Notice at 12515-16, 12529,     3, 38.
39. Petition for Exemption from Customer Proprietary Network Information Notification Requirements, Order, CCB Pol 96-20, DA 96-1878, 12 FCC Rcd 15134.  On December 16, 1997, the Policy and Program Planning Division waived this requirement for 1997.  In the Matter of Waiver from Customer Proprietary Network Information Notification Requirements, CCB Pol 97-13, DA 97-2599 (rel. Dec. 16, 1997).
  174.  In the Computer III, 595 GTE ONA, 596 and BOC CPE Relief 597 proceedings, the Commission established a framework of CPNI requirements applicable to the enhanced services operations of AT&T, the BOCs, and GTE and the CPE operations of AT&T and the BOCs (Computer III CPNI framework).598  As we observed in the Notice, the Commission adopted the Computer III CPNI framework, together with other nonstructural safeguards, to protect independent enhanced services providers and CPE suppliers from discrimination by AT&T, the BOCs, and GTE. 599  The framework prohibited these carriers' use of CPNI to gain an anticompetitive advantage in the unregulated CPE and enhanced services markets, while protecting legitimate customer expectations of confidentiality regarding individually identifiable information. 600  Alternatively, for those carriers that maintain structurally separate affiliates in connection with their CPE and enhanced services operations, our Computer II 601 rule 64.702(d)(3) prohibits carriers from sharing CPNI with those affiliates unless it is made publicly available. 602  We likewise prohibit the BOCs from providing CPNI to their cellular affiliates unless they make the CPNI publicly available on the same terms and conditions. 603
-- In Re In The Matter Of Implementation Of The Telecommunications Act Of 1996, CC Docket No. 96-115, Second Report and Order and Further Notice of Proposed Rulemaking ¶ 3 (February 26, 1998)

        Harm

The government presents no evidence showing the harm to either privacy or competition is real. Instead, the government relies on speculation that harm to privacy and competition for new services will result if carriers use CPNI. In Edenfield, the Supreme Court struck down a Florida ban on CPA in-person solicitation because the state had presented no evidence -- anecdotal or empirical -- that such solicitation created the dangers of "fraud, overreaching, or compromised independence" that the state sought to combat. See 507 U.S. at 771; cf. Florida Bar v. Went For It, Inc., 515 U.S. 618, 626-27 (1995) (upholding restriction on solicitation of accident victims within thirty days of accident, based on two-year study and written report analyzing statistically and anecdotally the impacts of such solicitation). The FCC faces the same problem here. While protecting against disclosure of sensitive and potentially embarrassing personal information may be important in the abstract, we have no indication of how it may occur in reality with respect to CPNI. Indeed, we do not even have indication that the disclosure might actually occur. The government presents no evidence regarding how and to whom carriers would disclose CPNI. By its own admission, the government is not concerned about the disclosure of CPNI within a firm. See CPNI Order at ¶ 55, n.203 ("[W]e agree . . . that sharing of CPNI within one integrated firm does not raise significant privacy concerns because customers would not be concerned with having their CPNI disclosed within a firm in order to receive increased competitive offerings."). Yet the government has not explained how or why a carrier would disclose CPNI to outside parties, especially when the government claims CPNI is information that would give one firm a competitive advantage over another. This leaves us unsure exactly who would potentially receive the sensitive information.

Similarly, the FCC can theorize that allowing existing carriers to market new services with CPNI will impede competition for those services, but it provides no analysis of how or if this might actually occur. Beyond its own speculation, the best the government can offer is that "[t]he vigor of US West's protests against the rules . . . indicates that US West also believes that this restriction will be effective in promoting Congress's competitive interest." Appellees Br. at 30. This is simply additional conjecture, and it is inadequate to justify restrictions under the First Amendment. See Edenfield, 507 U.S. at 770-71.

        Total Service Approach

  12. At the same time, the Commission adopted what is called the "total service approach" allowing carriers and their affiliates to use customers' CPNI, without notice or approval, to market services within the package of services to which the customer already subscribes.32 The total service approach recognized existing customer relationships for local, interexchange, and wireless services. Under the total service approach, a carrier that provides local service to a customer may use that customer's local service CPNI to sell that customer other product offerings within the existing local service relationship (e.g., caller ID) without customer approval of the use of the CPNI. As service relationships expanded (e.g., the customer selected both local and wireless service), so too did the parameters of the permissible use of CPNI to market new product offerings. This approach recognizes that the customer may be fairly considered to have given implied consent to the carrier's use of CPNI within the total service package to which the customer subscribes.
  13. Such sharing was intended to allow carriers with a pre existing relationship with the customer to develop "packages" of services best tailored to their customers' needs. The Commission noted that customers would reasonably expect carriers with whom they dealt to review their CPNI to fashion service packages tailored to their needs, and thus would not object to inter affiliate sharing if each affiliate already has a relationship with the customer. Because the order required express consent for any type of disclosures beyond those permitted by section 222(c)(1), the order did not distinguish between disclosure to an affiliate or other carrier for telecommunications marketing purposes or disclosure to an unrelated third party for non telecommunications purposes (e.g., divorce actions, insurance reviews, or random product marketing).
. . . . . .
  83. We affirm the continued use of the total service approach to define what carriers may do under section 222(c)(1) without notice to customers. 184 Based on the language of section 222(c)(1), Congress intended that a carrier could use CPNI without customer approval, but could only do so depending on the service(s) to which the customer subscribes. 185 The total service approach defines the parameters of those services and thus defines what carriers may do without the approval of the customer.
  84. In reaching our conclusion, we note that every commenter that addressed this issue save one 186 supports retaining the total service approach, 187 largely because the original justification for its adoption remains valid even if an opt out system is applied to some uses of CPNI. Accordingly, today, as when we originally adopted it, the total service approach is a reasonable implementation of section 222(c)(1) and remains reasonable regardless of the mechanism we adopt in this Order to provide for customer approval of other uses of CPNI. We also note that no better alternative has been proposed. The sole commenter to question the approach, CenturyTel, basically requests that we abandon the total service approach and instead adopt the "single category approach." 188 The single category approach was considered and rejected in the CPNI Order and again rejected in the CPNI Reconsideration Order. 189 We again decline to adopt such an approach because that would vitiate the total service approach and attendant protection of customers' personal information. As the Commission has stated, "[the hallmark of the total service approach is that the customer, whose privacy is at issue, establishes the bounds of his or her relationship with the carrier." 190 CenturyTel has provided no new evidence to convince us to reconsider the total service approach and the benefits and protections it affords to consumers and carriers alike. Finally, in the absence of comments indicating that the total service approach is undermined by our CPE bundling rules, we find no reason to modify our interpretation of section 222(c)(1) or the total service approach at this time. 191
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para12 (July 25, 2002)


 17. After considering the record, statutory language, history, and structure of section 222, we concluded that Congress intended that a carrier's use of CPNI without customer approval should depend on the service subscribed to by the customer.  Accordingly, the Commission adopted the "total service approach" which allows carriers to use a customer's entire record, derived from complete service subscribed to from that carrier, to market improved services within the parameters of the existing customer-carrier relationship.   The total service approach permits carriers to use CPNI to market offerings related to the customer's existing service to which the customer presently subscribes.  Under the total service approach, the customer retains ultimate control over the permissible marketing use of CPNI, a balance which best protects customer privacy interests while furthering fair competition.  Presented with the opportunity to permit or prevent a carrier from accessing CPNI for marketing purposes, the customer has the ability to determine the bounds of the carrier's use of CPNI.
-- In Re Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, 96-149, Order On Reconsideration And Petitions For Forbearance (September 3, 1999)


 2. Section 222(c)(1) establishes the limited circumstances in which carriers can use, disclose, or permit access to CPNI without first obtaining customer approval.  In interpreting section 222(c)(1) in the Second Report and Order, the Commission adopted an approach that allows carriers to use CPNI, without first obtaining customer approval, to market improvements or enhancements to the package of telecommunications services the carrier already provides to a particular customer, which it referred to as the "total service approach."  The Commission determined, however, that carriers may not use CPNI, without first obtaining customer approval, to market offerings that fall outside the scope of the customer's existing service relationship with the carrier.  The Commission also concluded that, as required by section 222(c)(1), carriers may not use CPNI, without first obtaining customer approval, to market non-telecommunications offerings, including CPE and information services.  More specifically, the Commission concluded that CPE and information services are not "telecommunications services," and thus do not fall within the scope of section 222(c)(1)(A).   In addition, the Commission concluded that neither CPE nor most information services fall within the meaning of "services necessary to, or used in" the provision of telecommunications service under section 222(c)(1)(B).
-- In Re Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, Order (May 21, 1998)


  24.  The language also suggests, however, that the carrier's right under section 222(c)(1)(A) and (B) is a limited one, in that the carrier "shall only " use, disclose, or permit access to CPNI "in the provision of" the telecommunications service from which such CPNI is derived or services necessary to, or used in, such telecommunications service. 97  Indeed, insofar as the customer consent in sections 222(c)(1)(A) and (B) is inferred rather than based on express customer direction, we conclude that Congress intended that implied customer approval be restricted solely to what customers reasonably understand their telecommunications service to include.  This customer understanding, in turn, is manifested in the complete service offering to which the customer subscribes from a carrier.  We are persuaded that customers expect that CPNI generated from their entire service will be used by their carrier to market improved service within the parameters of the customer- carrier relationship. 98  Although most customers presently obtain their service from different carriers in terms of traditional categories of offerings -- local, interexchange, and commercial mobile radio services (CMRS) -- with the likely advent of integrated and bundled service packages, the "total service approach" accommodates any future changes in customer subscriptions to integrated service. 99
  25.  For the reasons described below, we believe that the total service approach best represents the scope of "the telecommunications service from which the CPNI is derived."  Under the total service approach, the customer's implied approval is limited to the parameters of the customer's existing service, and is neither extended to permit CPNI use in marketing all of a carrier's telecommunications services regardless of whether subscribed to by the customer, nor narrowed to permit use only in providing a discrete service feature.  In this way, the total service approach appropriately furthers Congress' intent to balance privacy and competitive concerns, and maximize customer control over carrier use of CPNI.
. . . . .
  32.  The statutory language makes clear that Congress did not intend for the implied customer approval to use, disclose, or permit access to CPNI under section 222(c)(1)(A) to extend to all of the categories of telecommunications services offered by the carrier, as proposed by advocates of the single category approach.  First, Congress' repeated use of the singular "telecommunications service" must be given meaning.  Section 222(c)(1) prohibits a carrier from using CPNI obtained from the provision of "a telecommunications service" for any purpose other than to provide "the telecommunications service from which such information is derived" or services necessary to, or used in, provision of "such telecommunications service. " 110 We agree with many commenters that this language plainly indicates that Congress both contemplated the possible existence of more than one carrier service and made a deliberate decision that section 222(c)(1)(A) not extend to all. 111  Indeed, Congress' reference to plural "telecommunications services" in sections 222(a) and 222(d)(1) demonstrates a clear distinction between the singular and plural forms of the term. 112  Under well- established principles of statutory construction, "where Congress has chosen different language in proximate subsections of the same statute," we are "obligated to give that choice effect." 113  Consistent with this, section 222(c)(1)'s explicit restriction of a carrier's "use" of CPNI "in the provision of" service further evidences Congress' intent that carriers' own use of CPNI be limited to the service provided to the particular customer, and not be expanded to all the categories of telecommunications services available from the carrier. 114
  33.  We therefore reject the single category approach as contrary to the statutory language.  In particular, we do not agree with several parties' claim that the general definition of "telecommunications service" found in Title I of the Act, which focuses on the offering of "telecommunications ... regardless of the facilities used," 115 indicates that Congress did not intend to differentiate among telecommunications technologies or services in section 222(c)(1)(A). 116  We likewise find U S WEST's reliance on the general plural reference included in the definition of "telecommunications" misplaced. 117 Rather, we agree with the California Commission, CompTel, MCI, and TRA that the single category interpretation would render the specific limiting language in section 222(c)(1)(A) meaningless. 118  Approval would be necessary, if at all, only if a carrier wished to use CPNI to market non- telecommunications services. 119  Like Sprint, we conclude that, had Congress intended such a result, the text could have been drafted much more simply by stating that carriers may use CPNI, without customer approval, only for telecommunications-related purposes, instead of the language of section 222(c)(1)(A), which expressly limits carrier use to the "provision of the service from which [the CPNI is derived." 120
. . . . .
  37.  The legislative history confirms our view that in section 222 Congress intended neither to allow carriers unlimited use of CPNI for marketing purposes as they moved into new service avenues opened through the 1996 Act, nor to restrict carrier use of CPNI for marketing purposes altogether.  Specifically, although the general purpose of the 1996 Act was to expand markets available to both new and established carriers, the legislative history makes clear that Congress specifically intended section 222 to ensure that customers retained control over CPNI in the face of the powerful carrier incentives to use such CPNI to gain a foothold in new markets.  The Conference Report states that, through section 222, Congress sought to "balance both competitive and consumer privacy interests with respect to CPNI." 137  Congress further admonishes that "[in new subsection 222(c) the use of CPNI by telecommunications carriers is limited, except as provided by law or with the approval of the customer." 138 Contrary to Congressional intent as expressed in the legislative history, the single category approach asserts a broad carrier right, affording customers virtually no control over intra-company use of their CPNI.  This approach would undermine section 222's focus on balancing customer privacy interests, 139 and likewise would potentially harm competition.  Carriers already in possession of CPNI could leverage their control of CPNI in one market to perpetuate their dominance as they enter other service markets. 140 In these respects, therefore, the legislative history wholly fails to support the single category approach.  On the other hand, the legislative history makes no mention of any need or intention to restrict the carrier's use of CPNI to market discrete offerings within the service subscribed to by the customer.  In this regard, therefore, the legislative history likewise does not support the discrete offering approach.
-- In Re In The Matter Of Implementation Of The Telecommunications Act Of 1996, CC Docket No. 96-115, Second Report and Order and Further Notice of Proposed Rulemaking (February 26, 1998)

CPE

  17. The Commission granted, in part, petitions for reconsideration requesting that all carriers be allowed to use CPNI to market customer premises equipment ("CPE") and information services under section 222(c)(1) without customer approval. In particular, the Commission allowed all carriers to use CPNI, without customer approval, to market CPE. 41
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking (July 25, 2002)
 

Info Service

The Commission also allowed CMRS carriers to use, without customer approval, CPNI to market all information services, while allowing wireline carriers to do so for most information services. 42
42. Id. The Commission found that CMRS providers historically have bundled CPE and information services with the underlying telecommunications service, and therefore, due primarily to customer expectations, those services fell within the meaning of "necessary to, or used in" the provision of service. Id. While wireline carriers traditionally have bundled CPE with wireline services, wireline carriers had not bundled Internet access services with wireline services. As a result, the Commission found that Internet access services are not "necessary to, or used in" the provision of service. Id. at 14434, para. 46.
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para 17 (July 25, 2002)


      39. Section 222(c)(1) states that, "[e]xcept as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains [CPNI] by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable [CPNI] in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.?   In the CPNI Order, we concluded that Congress intended that section 222(c)(1)(A) govern carriers' use of CPNI for providing telecommunications services and that section 222(c)(1)(B) governs carriers' use of CPNI for non-telecommunications services.   Based upon the language of section 222(c)(1), we further concluded that: (1) inside wiring, CPE, and certain information services do not fall within the scope of section 222(c)(1)(A) because they are not "telecommunications services;"  and (2) CPE and most information services do not fall under section 222(c)(1)(B) because they are not "services necessary to, or used in, the provision of such telecommunications service."   We now find that the phrase "services necessary to, or used in, the provision of such telecommunications service" should be given a broader reading than the one given in the CPNI Order.  The record produced on reconsideration persuades us that a different statutory interpretation is permissible, and importantly, would lead to appropriate policy results consistent with the statutory goals.  Therefore, we conclude that section 222(c)(1)(B) allows carriers to use CPNI, without customer approval, to separately market CPE and many information services to their customers.  We further clarify that the tuning and retuning of CMRS units and repair and maintenance of such units is a service necessary to or used in the provision of CMRS service under section 222(c)(1)(B).  Finally, we deny petitioners' requests that we forbear from applying these restrictions for related CPE and information services.
       40. Customer Premises Equipment and Information Services under Section 222(c)(1).  We grant the petitions for reconsideration that argue that CPE and certain information services are "necessary to, or used in, the provision of" telecommunications services, and therefore use of CPNI derived from the provision of a telecommunications service, without customer approval, to market CPE and information services would be permitted under section 222(c)(1)(B).    Under our previous interpretation, the exception was narrowly construed, resulting in very few services for which CPNI could be shared.   Indeed, we rejected all CPE because it was not a "service" and most information services  because they were not necessary to or used in the carrier's provision of the telecommunications service.   While this interpretation is not inconsistent with the statutory language, we are persuaded that the better interpretation is that the exception includes certain products and services provisioned by the carrier with the underlying telecommunications service to comprise the customer's total service.  This is because those related services and products facilitate the underlying telecommunications service and customers expect that they will be used in the provisioning of that service offering.   Our new interpretation accords with the Commission's stated intention in the CPNI Order to revisit and if necessary revise its conclusions regarding customer expectations as those expectations changed in the marketplace with advancements in technology or as new evidence of the evolution of customer expectations becomes available to the Commission.   Such evidence has now been made available to us by the record developed on reconsideration.
. . . . .
      43. In the wireless context, our regulation of CMRS providers and the history of the industry has allowed the development of bundles of CPE and information services with the underlying telecommunications service.   Thus, information services and CPE offered in connection with CMRS are directly associated and developed together with the service itself.  Indeed, we are persuaded by the record and our observations of the development of the CMRS market generally that the information services and CPE associated with CMRS are reasonably understood by customers as within the existing service relationship with the CMRS provider.    Customers expect to have CPE and information services marketed to them along with their CMRS service by their CMRS provider.   Accordingly, we conclude that such CPE and information services come within the meaning of "necessary to, or used in," the provision of service.  In the CMRS context, carriers should be permitted to use CPNI, without customer approval, to market information services and CPE to their CMRS customers.
      44. The wireline industry has developed somewhat differently from CMRS and, while the analysis is the same, the results concerning how carriers may use CPNI accordingly differ from the wireless industry.  The provision of CPE, like the publishing of directories, is a service which is used in and generally necessary to the provision of the telecommunications service.  For at least the past ten years, all wireline companies have been able to market CPE along with their telecommunications service.   Petitioners argue that by erecting a CPNI approval requirement with respect to CPE, the Commission frustrates customers' one-stop shopping expectations and stymies carriers' abilities to offer complete service solutions that customers want and have come to expect.   Simply put, customers expect their carriers to market CPE to them.   No evidence has been produced on the record which shows that allowing wireline carriers to market CPE to their customers, using CPNI without customer consent, violates customers' expectations.  We are convinced that such usage by carriers would be beneficial to customers as new and advanced products develop.  Therefore, wireline carriers should be permitted to use CPNI, without customer approval, to market CPE to their customers.
      45. Within the broader reading of the statute, we find that certain wireline information services should also be considered necessary to, or used in, the provision of the underlying telecommunications service.  In the CPNI Order, the Commission listed several information services that it believed should not be considered necessary to, or used in, the underlying telecommunications service: call answering, voice mail or messaging, voice storage and retrieval services, and fax storage and retrieval services.   Applying the broader reading of the statute, along with the new evidence on the record, we now believe that all of these services should be considered necessary to, or used in, the provision of the underlying telecommunications service because customers have come to depend on these services to help them make or complete calls.   The record indicates that customers have come to expect that their service provider can and will offer these services along with the underlying telecommunications service.   Therefore, carriers may use CPNI, without customer approval, to market call answering, voice mail or messaging, voice storage and retrieval services, and fax storage and retrieval services.
     46.   We continue to exclude from this list, as the Commission did in the CPNI Order, Internet access services.130   Despite contrary claims from some petitioners,  there is no convincing new evidence on the record that shows that such services are necessary to, or used in, the making of a call, even in the broadest sense.  There is also no evidence, currently, that customers expect to receive such services from their wireline provider, or that they expect to use such services in the way that they expect to receive or use the above-listed services.
     47. We will, however, add protocol conversions to the list of services that carriers may market using CPNI without customer approval.  In its petition, Bell Atlantic requests that we redefine protocol conversion as a telecommunications service.   A protocol conversion assists terminals or networks operating with different protocols to communicate with each other.   Bell Atlantic asserts that protocol conversions that do not alter the underlying information sent and received should not be defined as information services.   We do not believe that protocol conversions should be redefined as a telecommunications service but because protocol conversions are necessary to the provision of the telecommunications service, in the instances where they are used, protocol conversions should be included in the group of information services listed above.    Accordingly, we grant Bell Atlantic's request to use CPNI to market, without customer approval, protocol conversions.
130.  We note that the Internet access services being addressed here are the dial-up services.  We have previously determined that xDSL services are telecommunications services.  In the Matter of Deployment of Wireline Services Offering Advanced Telecommunications Capability, 13 FCC Rcd 24012, 24029-24030 (1998).
--In Re Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, 96-149, Order On Reconsideration And Petitions For Forbearance (September 3, 1999)


 6. In contrast, where a particular customer has not purchased CPE or information services from the carrier that is providing its telecommunications services, the carrier would be subsequently prohibited from using CPNI, without first obtaining customer approval, to market a bundled offering of CPE or information services with telecommunications services to such a customer.  In this situation, absent customer approval, the carrier would be using CPNI in violation of section 222(c)(1) to market CPE or information services to a customer with whom they had no existing relationship derived from the carrier's sale of CPE or the customer's subscription to the carrier's information service.  Similarly, the general knowledge that all wireline customers have a telephone would not permit carriers to use CPNI derived from wireline service to select those individuals to whom to market the carrier's CPE offerings.
 7. We also clarify that, only where CPE or an information service is part of a bundled offering, including a telecommunications service, and the carrier is the existing CPE or information service provider, could the carrier use CPNI to market a new bundled offering that includes new CPE or similar information services.  For example, carriers cannot use CPNI to select certain high usage customers to whom they also sold telephones, and then market only new CPE that is not part of a new bundled plan.   Section 222(c)(1)(A) permits the use of CPNI, without first obtaining customer approval, only "in the provision of the telecommunications service from which such information is derived."  Therefore, when a carrier has identified a customer through the use of CPNI, but is not offering a telecommunications service in conjunction with its marketing of CPE or information services, that carrier would be using CPNI outside the provision of the service from which it is derived, in violation of section 222 and the Commission's rules.
--In Re Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, Order (May 21, 1998)


  45.  Non-Telecommunications Offerings.  Several carriers argue that certain non-telecommunications offerings, in addition to being covered by section 222(c)(1)(B), also should be included within any service distinctions we adopt pursuant to section 222(c)(1)(A), including inside wiring, customer premises equipment (CPE), and certain information services. 168  Based on the statutory language, however, we conclude that inside wiring, CPE, and information services do not fall within the scope of section 222(c)(1)(A) because they are not "telecommunications services." 169  More specifically, section 222(c)(1)(A) refers expressly to carrier use of CPNI in the provision of a "telecommunications service." 170  In contrast, the word "telecommunications" does not precede the word "services" in section 222(c)(1)(B)'s phrase "services necessary to, or used in." 171  The varying use of the terms "telecommunications service" in section 222(c)(1)(A) and "services" in section 222(c)(1)(B) suggests that the terms deliberately were chosen to signify different meanings.  Accordingly, we believe that Congress intended that carriers' use of CPNI for providing telecommunications services be governed solely by section 222(c)(1)(A), whereas the use of CPNI for providing non-telecommunications services is controlled by section 222(c)(1)(B).
  46.  Commission precedent has treated "information services" and  "telecommunications services" as separate, non-overlapping categories, so that information services do not constitute "telecommunications" within the meaning of the 1996 Act. 172  Accordingly, we conclude that carriers may not use CPNI derived from the provision of a telecommunications service for the provision or marketing of information services pursuant to section 222(c)(1)(A). 173  We likewise conclude that inside wiring and CPE do not fall within the definition of "telecommunications service," and thus do not fall within the scope of section 222(c)(1)(A).
  47.  We recognize that the Commission has permitted CMRS providers to offer bundled service, including various "enhanced services" and CPE, prior to the 1996 Act.  We disagree with PacTel, however, that, consistent with section 222(c)(1)(A), CMRS providers should be able to use CMRS-derived CPNI without customer approval to market these offerings when they provide CMRS to a customer. 174  The 1996 Act defines "mobile service" in pertinent part as a "radio communication service carried on between mobile stations or receivers and land stations, and by mobile stations communicating among themselves ...." 175 "Radio communication service," in turn, is defined in terms of "the transmission by radio of writings, signs, signals, pictures, and sounds of all kinds, including all instrumentalities, facilities, apparatus, and services (among other things, the receipt, forwarding, and delivery of communications) incidental to such transmission." 176  These definitions do not include information services or CPE within the meaning of CMRS.  Accordingly, while nothing in section 222(c)(1) prohibits CMRS providers from continuing to bundle various offerings consistent with other provisions of the 1996 Act, 177 including CMRS-specific CPE and information services, they cannot use CPNI to market these related offerings as part of the CMRS category of service without customer approval, because even when they are bundled with a CMRS service, they do not constitute CMRS and are not telecommunications services.
. . . . .
  68.  Section 222(c)(1) of the Act provides that, "except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains [CPNI by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable [CPNI in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories." 250  In the Notice, the Commission stated that CPNI obtained from the provision of any telecommunications service may not be used to market CPE or information services without prior customer authorization, and sought comment on which "services" should be deemed "necessary to, or used in" the provision of such telecommunications service. 251  The Commission also sought comment on whether carriers, absent customer approval, may use CPNI derived from the provision of one telecommunications service to perform installation, maintenance, and repair for any telecommunications service, either under section 222(c)(1)(B) because they are "services necessary to, or used in, the provision of such telecommunications service," or under section 222(d)(1) because the CPNI is used to "initiate, render, bill and collect for telecommunications services." 252
. . . . .
  72.  Second, we conclude that, while the information services set forth in the record (e.g., call answering, 258 voice mail 259 or messaging, 260 voice storage and retrieval services, 261 fax store and forward, 262 and Internet access services 263) constitute non-telecommunications "services," they are not "necessary to, or used in" the carrier's provision of telecommunications service.  Rather, we agree with the observation of several commenters that, although telecommunications service is "necessary to, or used in, the provision of" information services, information services generally are not "necessary to, or used in, the provision of" any telecommunications service. 264  As ITAA notes, 265 telecommunications service is defined under the Act in terms of "transmission," 266 and involves the establishment of a transparent communications path.  The transmission of information over that path is provided without the carrier's "use" of, or "need" for, information services.  In contrast, information services involve the "offering of a capability for generating, acquiring, storing, transforming, processing, retrieving, utilizing, or making available information via telecommunications." 267  Indeed, the statute specifically excludes from the definition of information service "any use of any such [information service capability for the management, control, or operation of a telecommunications system or the management of a telecommunications service." 268 Because information services generally, and in particular those few identified in the record (i.e., call answering, voice mail or messaging, voice storage and retrieval services, fax store and forward, and Internet access services), 269 are provided to consumers independently of their telecommunication service, they neither are used by the carrier nor necessary to the provision of such carrier's service.
-- In Re In The Matter Of Implementation Of The Telecommunications Act Of 1996, CC Docket No. 96-115, Second Report and Order and Further Notice of Proposed Rulemaking (February 26, 1998)

272 Share with LD Affiliate

  19. The Commission also affirmed the conclusion reached in the CPNI Order regarding the interpretation of the interplay between sections 222 and 272 that "information," as defined in section 272, does not include CPNI. 47 As a result, Bell operating companies ("BOCs") are not obligated by section 272 to make CPNI available to other carriers on a non discriminatory basis when they share it with their long distance affiliates.
. . . . .
   78. ... Third, we reaffirm our conclusion that the term "information" in section 272(c)(1) does not include CPNI as defined under section 222, and we explicitly hold that this conclusion is not impacted by the opt in/opt out mechanism we adopt today.
. . . . . .
  135. We find that our adoption today of an opt out customer approval mechanism for the use of CPNI by carriers and their affiliates that provide communications related services does not affect our prior statutory interpretation regarding the interplay between sections 222 and 272, nor does it alter our ultimate conclusion that the term "information" in section 272(c)(1) 310 does not include CPNI. 311
  136. In the CPNI Clarification Order, the Commission sought comment 312 on the interplay between sections 222 and 272 if the customer approval mechanism was revised in light of the Tenth Circuit's opinion. 313 The Commission noted it might need to revisit its conclusion if it adopted an opt  out approach as a final rule in this proceeding. 314 However, we decline to revisit our interpretation of the interplay between sections 222 and 272 simply because we have amended our customer approval mechanisms. 315 While the Commission addressed the interplay of sections 222 and 272 in the context of an opt in mechanism, the Commission did not rely on its adoption of the opt in method in reaching its conclusion. 316 Instead, its decision was based upon statutory analysis and application of the terms used in the Act. 317 However, even if we were to review the portion of analysis that discussed the opt in mechanism, we would still reach the same conclusion, as discussed below.
  137. We find that the legal basis for our decision does not change with our modification of the customer approval mechanism. In prior orders, the Commission found that in the context of the 1996 Act, it is not readily apparent that the meaning of "information" in section 272 necessarily includes CPNI. The Commission found that the most reasonable interpretation of the interplay between sections 222 and 272 is that section 272 "does not impose any additional CPNI requirements on BOCs' sharing of CPNI with their section 272 affiliates when they share information with their section 272 affiliates according to the requirements of section 222." 318 The Commission found this to be reasonable because, as we have affirmed above, 319 section 222(c)(1) contemplates that, under the total service approach, carriers have implied approval to market services within the package of services to which the customer subscribes, and can also share CPNI with their affiliates to do so. However, section 272(c)(1) prohibits BOCs from discriminating against other parties in the provision and procurement of "information." Thus, if "information" includes CPNI, BOCs would be unable to share CPNI with their affiliates to the extent contemplated by section 222, unless they also met the nondiscrimination requirements of section 272. To meet these requirements, the BOC would be required, under section 222, to seek express approval from its customers to share CPNI with its affiliates and with any third parties. 320 Thus, the Commission found that these requirements, in the context of an opt in approach, "pose a potentially insurmountable burden because a BOC soliciting approval to share CPNI with its affiliates would have to solicit approval for countless other carriers as well, known or unknown." 321
  138. This rationale is still applicable under the Commission's new approval mechanism. First, because opt in is required for third parties, a BOC would still need to obtain express approval for sharing with its 272 affiliates and third parties to meet the nondiscrimination requirements of 272. 322 Applying opt out to intracompany sharing would not therefore alter the "potentially insurmountable burden" upon BOCs to obtain customer approval either. Even in a completely opt out environment, a BOC seeking to share CPNI with its affiliates would have to solicit approval for countless other carriers as well, known or unknown. 323 We find that this result is neither required by the statute nor is it necessary to protect consumers' privacy interests. If we adopted AT&T's proposal to allow competing carriers to obtain CPNI on the same basis as the BOCs' 272 affiliates   that is, using an opt out approval method under the rules adopted today   we would defeat our purpose in requiring opt in approval for third parties. As described above, we have found that disclosure to and use of CPNI by third parties requires greater assurance of a customer's knowing consent to prevent unintentional disclosure of CPNI. Therefore, as in our previous orders, we still find that our interpretation best furthers the goals of Congress to protect customer privacy and to promote customer convenience and control. 324
  139. At any rate, the Commission has previously concluded that section 222's customer privacy protections effectively preclude the same anticompetitive behaviors as section 272, and this conclusion is not altered by the Order we adopt today. 325 In the CPNI Reconsideration Order, the Commission outlined three factors in section 222 that eliminate the necessity for the application of section 272's nondiscrimination requirements to prevent anticompetitive harms. 326 First, competitors are still afforded access to customer CPNI through section 222(c)(2), which requires disclosure of CPNI to "any person designated by the customer," upon affirmative written request by the customer. 327 Changing the mechanism for obtaining customer approval under section 222(c)(1) does not alter the ability of competitors to obtain CPNI through section 222(c)(2). Second, section 222(c)(3) continues to allow a LEC to use customer aggregate information only if it provides that information to other carriers upon reasonable request. 328 Again, changing section 222(c)(1)'s approval mechanism does not alter the ability of competitors to obtain aggregate information through section 222(c)(3).
  140. Third, the Commission stated that under the opt in mechanism, BOCs could not share CPNI with their section 272 affiliates unless they either obtained express customer approval or the customer is an existing subscriber of a service of that affiliate. 329 Under the opt in/opt out mechanisms established in this Order, BOCs are allowed to share customer CPNI with their section 272 affiliates without obtaining express customer approval. Under the opt out approval mechanism we adopt today, BOCs must still provide customer notice and the opportunity for customers to opt out for CPNI uses beyond the existing carrier customer relationship prior to sharing CPNI with an affiliate. 330 However, as a practical matter, it is likely that the BOCs will be able to share more CPNI with their 272 affiliates under opt out than they would have been able to share under opt in. As shown above, consumers typically will accept whatever choice does not require any action on their part. 331 As a result, when the default is opt out, carriers will be able to use more customer CPNI. 332
  141. The possibility that BOCs will share more CPNI with their affiliates does not tip the scale to require application of section 272 to CPNI. 333 First, section 222 applies to all "telecommunications carriers" and does not single out any carriers for specific treatment, signaling Congress' intent that all carriers should be treated alike in the CPNI context. For example, an interexchange carrier with a significant customer base can share CPNI, after receiving opt out approval, with its local or wireless affiliates. Thus, under our rules, all carriers can share CPNI with their affiliates. Accordingly, we decline to place additional restrictions upon BOCs. Second, section 272(g) allows BOCs and their section 272 affiliates to market their services jointly. 334 A fair reading of that section indicates that Congress did not intend to preclude BOCs and their long distance affiliates from conducting joint marketing, which is the primary intent behind CPNI use. 335 As we found in earlier orders, we believe our conclusion is therefore consistent with the "regulatory symmetry Congress intended for carrier marketing activities." 336
  142. Finally, numerous commenters used the Further NPRM as an opportunity to reargue the statutory and policy issues that we have previously addressed and that are unrelated to the issue before us. 337 AT&T and other commenters that request we reverse our holding in the CPNI Order do not get yet another "bite at the apple." The Commission has previously considered these arguments in both the CPNI Order and the CPNI Reconsideration Order. 338 The Further NPRM did not request comment on these issues, and commenters have not presented changed circumstances, new evidence or additional arguments that would affect our prior decisions. Therefore, we decline to address them again here.
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para 19 (July 25, 2002)


 135. Section 272(c)(1) states that, "[i]n its dealings with its [section 272 affiliates], a Bell operating company . . . may not discriminate between the company or affiliate and any other entity in the provision or procurement of goods, services, facilities, and information, or in the establishment of standards."   The Commission concluded in the Non-Accounting Safeguards Order that: (1) the term "information" in section 272(c)(1) includes CPNI; and (2) the BOCs must comply with the requirements of both sections 222 and 272(c)(1).   The Commission, however, declined to address the parties' other arguments regarding the interplay between section 272(c)(1) and section 222 to avoid prejudging issues that would be addressed in the CPNI Order.   The Commission also declined to address the parties' arguments regarding the interplay between section 222 and section 272(g), which permits certain joint marketing between a BOC and its section 272 affiliate.   The Commission emphasized, however, that, if a BOC markets or sells the services of its section 272 affiliate pursuant to section 272(g), it must comply with the statutory requirements of section 222 and any rules promulgated thereunder.
 136. In the CPNI Order the Commission overruled the Non-Accounting Safeguards Order, in part, concluding that the most reasonable interpretation of the interplay between sections 222 and 272 is that the latter does not impose any additional CPNI requirements on BOCs' sharing of CPNI with their section 272 affiliates when they share information with their section 272 affiliates according to the requirements of section 222.   The Commission reached this conclusion only after recognizing an apparent conflict between sections 222 and 272.   We noted in the CPNI Order that, on the one hand, certain parties argued that under the principle of statutory construction the "specific governs the general," and that section 222 specifically governs the use and protection of CPNI, but section 272 only refers to "information" generally.   As such, they claimed that section 222 should control section 272.   On the other hand, under the same principle of construction, other parties argued that section 272 specifically governs the BOCs' sharing of information with affiliates, whereas section 222 generally relates to all carriers.   Therefore, they asserted, section 272 should control section 222.   Because either interpretation is plausible, it was left to the Commission to resolve the tension between these provisions, and to formulate the interpretation that, in the Commission's judgment, best furthers the policies of both provisions and the statutory design.   We determine that interpreting section 272 to impose no additional obligations on the BOCs when they share CPNI with their section 272 affiliates according to the requirements of section 222 most reasonably reconciles the goals of these two principles.
-- In Re Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, 96-149, Order On Reconsideration And Petitions For Forbearance (September 3, 1999)
 

Rural Exemption Sec 254

Finally, the Commission determined that section 254 does "not confer any special status on carriers seeking to use CPNI to market enhanced services and CPE in rural exchanges to select customers." 48
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para 19 (July 25, 2002)


 15. Still other carriers request that we treat rural and small carriers differently.   As we noted in the CPNI Order, however, the Commission's CPNI rules apply to small carriers just as they apply to other sized carriers "because we are unpersuaded that customers of small businesses have less meaningful privacy interests in their CPNI."   Petitioners have not raised any new arguments or facts that persuade us to reverse this conclusion with respect to these carriers.  Thus, we will not distinguish among carriers based upon the number or density of lines they serve either.
. . . . .
 151. We disagree with the arguments made by CenturyTel and NTCA.  As stated in Section V.A of this Order, we affirm the "total service approach" for all carriers.  We find no reason to impose different notification requirements on large and small carriers.  As we stated in the CPNI Order, concerns regarding customer privacy are the same irrespective of the carrier's size or identity.   Further to the extent that CenturyTel and NTCA are requesting to use CPNI, without customer approval, to market CPE and certain information services, those requests have been granted above.   We also disagree with CenturyTel and NTCA?s argument that  section 254 requires the use of CPNI to allow rural carriers to implement Congress? Universal Service standards.  Section 254 envisions that rural carriers would introduce and make available new technology to all of its customers.  The CPNI rules in no way discourage rural carriers from doing that.  In fact, one could argue that some of the CPNI rules require a carrier to make all of its customers aware of such new technology rather than using CPNI to pick and choose which customers to market the new technology to.  The basis of CenturyTel and NTCA?s arguments, however, is that they do not want to market the new technology to all of its customers.  They want to make it available only to certain customers that they select by using their customers? CPNI.  We fail to see how section 254 requires this outcome.
--In Re Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, 96-149, Order On Reconsideration And Petitions For Forbearance (September 3, 1999)


  50.  We also decline to forbear from applying section 222(c)(1), or any of our associated rules, to small or competitive carriers, as SBT requests. 186 First, SBT has not explained adequately in its comments how it meets the three statutory criteria for forbearance. 187  Second, while SBT points out that competitive concerns may differ according to carrier size, it does not persuade us that customers of small businesses have less meaningful privacy interests in their CPNI.  We thus disagree with SBT that the three category approach gives large carriers flexibility to develop and meet customers' needs, but may unnecessarily limit small business as competition grows. 188  Even if, as SBT alleges, a large carrier can base the design of a new offering on statistical customer data and market widely, but a small business can best meet specialized subscriber needs if it offers CMRS, local, and interexchange service tailored to the specific subscriber, the total service approach allows tailored packages.  We likewise disagree, therefore, with USTA that small carriers could be competitively disadvantaged in any interpretation of section 222(c)(1)(A) other than the single category approach. 189  Rather, we are persuaded that the total service approach provides all carriers, including small and mid-sized LECs, with flexibility in the marketing of their telecommunications products and services.  In fact, if SBT's claims that small businesses typically have closer personal relationships with their customers are accurate, then small businesses likely would have less difficulty in obtaining customer approval to market services outside of a customer's service existing service.
-- In Re In The Matter Of Implementation Of The Telecommunications Act Of 1996, CC Docket No. 96-115, Second Report and Order and Further Notice of Proposed Rulemaking (February 26, 1998)

      Narrowly Tailored: Opted Out

  31. Although in 1999 the Commission concluded that the more stringent opt in rule was necessary, in light of U S WEST we now conclude that an opt in rule for intra company use cannot be justified based on the record we have before us. Thus, we adopt a less restrictive alternative   an opt out rule   which is less burdensome on commercial speech. Applying the Central Hudson test to possible schemes for carriers to obtain customer approval for use and disclosure of CPNI under section 222(c)(1), we conclude that: (1) the government has a substantial interest in ensuring that a customer be given an opportunity to approve (or disapprove) uses of her CPNI by a carrier and a carrier's affiliates that provide communications related services; 89 (2) opt out directly and materially advances this interest by mandating that carriers provide prior notice to customers along with an opportunity to decline the carrier's requested use or disclosure; and (3) opt out is no more extensive than necessary to serve the government interest in protecting privacy because it is less burdensome on carriers than other alternatives such as opt in, while still serving the government's interest in ensuring that consumers have an opportunity to exercise their approval rights regarding intra company use and disclosure of CPNI. 90
  32. We also conclude that opt out is an appropriate approval mechanism for the sharing of CPNI with, and use by, a carrier's joint venture partners and independent contractors in connection with communications related services that are provided by the carrier (or its affiliates) individually, or together with the joint venture partner. 91 That is, in these two contexts, this form of consent directly and materially advances the government's interest in ensuring that customers have an opportunity to approve such uses of CPNI, while also burdening no more carrier speech than necessary.
. . . . .
  34. Direct and Material Advancement. The next prong of Central Hudson examines whether a regulation impacting commercial speech directly and materially advances the government's interest, i.e., the restriction is effective at promoting the government's interest. 96 We conclude that, with respect to intra company uses, opt out directly and materially advances the government's interest that a customer be given an opportunity to approve (or disapprove) uses of her CPNI by mandating that carriers provide prior notice to customers along with an opportunity to decline the carrier's requested use or disclosure.
  35. Although the record evidence demonstrates that a substantial portion of consumers have a high level of concern about protecting the privacy of their CPNI (a concern most acute for disclosure to parties other than their own carrier), 97 the record also makes evident that a majority of customers nevertheless want to be advised of the services that their telecommunications providers offer. 98 Furthermore, the record establishes that customers are in a position to reap significant benefits in the form of more personalized service offerings (and possible cost savings) from their carriers and carriers' affiliates providing communications related services based on the CPNI that the carriers collect. Enabling carriers to communicate with customers in this way is conducive to the free flow of information, 99 which can result in more efficient and better tailored marketing 100 and has the potential to reduce junk mail and other forms of unwanted advertising. 101 Thus, consumers may profit from having more and better information provided to them, or by being introduced to products or services that interest them. 102 The empirical evidence indicating that a majority of customers want to be advised of service offerings from their carriers is consistent with the expectation that targeted carrier marketing will benefit them. 103
  36. Based on this record evidence, we think it is reasonable to conclude that targeted marketing of communications related services using CPNI by the carrier that collects it is within the range of reasonable customer expectations. We find that telecommunications consumers expect to receive targeted notices from their carriers about innovative telecommunications offerings that may bundle desired telecommunications services and/or products, save the consumer money, and provide other consumer benefits. 104 Similar to a case recently before the D.C. Circuit, the record here indicates that "the identity of the audience and the use to which the information may be put" 105 bear strongly on consumers' privacy interests. 106 In this respect, we conclude that consumers are concerned about use of CPNI, but that a large percentage of telecommunications customers also expect that carriers will use CPNI to market their own telecommunications services and products, as well as those of their affiliates. Thus, we conclude that an opt out scheme giving customers an opportunity to disapprove intra company uses of CPNI directly and materially advances customers' interest in avoiding unexpected and unwanted use and disclosure of CPNI and is sufficient to meet the "approval" requirement under section 222.
  37. Although many commenters have argued that opt out necessarily is a less effective protection against unapproved dissemination of private information than opt in, we are convinced, based on the record, that these concerns can be adequately addressed in the intra company context. We find that an opt out regime would adequately protect consumers' privacy interests with respect to disclosure to carrier affiliates based on two important considerations that are dependent upon the underlying carrier customer relationship. First, likelihood of any potential privacy harm from an inadvertent approval under opt out is significantly reduced in the intra company context by the carrier's need for a continuing relationship with the customer. 107 As AT&T argues, "[if a carrier were to abuse CPNI, customers would likely switch carriers." 108 Because of commercial constraints required to ensure customer accountability, therefore, the carrier with whom the customer has the existing business relationship has a strong incentive not to misuse its customers' CPNI or it will risk losing its customers' business. 109
  38. Second, we find the potential harm to privacy to be much less significant in instances where the entity that uses and shares the CPNI is subject to section 222 and our implementing rules. If a consumer should decide to restrict disclosure after the original period to respond to an opt out notice has elapsed, she may do so at any time and the carrier must comply with that request. Significantly, the holder of CPNI, the customer's existing telecommunications provider (including its telecommunications affiliates), is subject to enforcement action by the Commission 110 for any failure to abide by the notice rules regarding planned use, disclosure, or permission to access a customer's CPNI. 111
  39. We are given further comfort that we can protect privacy interests under intra company opt out by fine tuning our notification rules. These rules, as described below, are crafted to ensure that any opt out mechanism provides effective notification to consumers. We are mindful of the deficiencies widely reported for the Gramm Leach Bliley 112 notifications in the financial services sector, 113 and have fashioned our CPNI notification requirements in this Order with an eye toward learning from that experience. As discussed further in section III.C infra, we bolster the CPNI opt out regime by requiring a 30 day waiting period before consent is inferred and by refreshing consumers on a company's opt out policy every two years. Moreover, we note that under the opt out rules we adopt today, the customer's carrier would remain subject to enforcement action from the Commission for any deficiencies in its opt out notice.
  40. Narrow Tailoring. We now consider whether opt out is narrowly tailored, i.e., whether it burdens substantially more of a carrier's speech than necessary. The Tenth Circuit points out that the narrow tailoring requirement under Central Hudson means that the government's speech restriction must signify a "carefu[l calculat[ion of the costs and benefits associated with the burden on speech imposed by its prohibition." 114 We have described the primary benefit associated with opt out above. It directly and materially addresses customers' interest in avoiding unexpected and unwanted use and disclosure of individually identifiable CPNI. Turning to the carriers' burdens, i.e., the "costs" of the regulation, we find that, in this case, there is no flat prohibition on speech, but rather a requirement that a telecommunications carrier use a specified means of obtaining a customer's consent before using that customer's personal information in CPNI to market communications related services or share the information with an affiliate that provides communications related services. We also find that carriers have provided evidence that their commercial speech interest in using a customer's CPNI for tailored telecommunications marketing is real and significant, and that an opt  out regime is a less burdensome means of obtaining a customer's "approval" under section 222(c)(1) than is an opt in regime.
  41. Carriers uniformly assert a significant competitive need to use CPNI for marketing purposes and/or to share such information with their affiliates that provide communications related services. 115 The carriers seek to offer competitive packages that are tailored to their customers' usage patterns and demonstrated service needs. Carriers have demonstrated on the record that use of CPNI to develop such targeted offerings can lower the costs and improve the effectiveness of customer solicitations. 116 Moreover, carriers assert that opt out imposes fewer burdens on their commercial speech interests than the other alternative for ascertaining approval   opt in   and is thus the only approval mechanism that will satisfy First Amendment scrutiny under Central Hudson. 117 This assertion rests on a comparison of the relative costs of the mechanisms: under opt out, carriers would be required to provide customers with advance notice that they intend to use a customer's CPNI, and give the customer an opportunity to disapprove of the use; under opt in, carriers are prohibited from using a customer's CPNI unless the customer expressly approves the use that the carrier requests the customer to approve in its notice. 118 Given that approval is required under section 222(c)(1), and opt out or opt in are the only means of obtaining an expression of the customer's preference, carriers assert that opt out is obviously less burdensome than opt  in and sufficient to ascertain approval for a carrier's marketing of communications related services. 119
  42. We note that the particular form of opt out that we adopt here is narrowly tailored to ensuring that a customer be given an opportunity to approve (or disapprove) uses of CPNI by a carrier and its affiliates that provide communications related services. Specifically, as noted above, opt out has been criticized in other contexts, e.g., the financial services sector, because of the possibility that customers may not actually see, read, or understand opt out notices, and therefore the customers may not be able to respond to a carrier's request for approval in a timely and appropriate manner. Furthermore, circumstances may change over time that would cause a customer to want to reexamine any privacy election he or she has made with respect to CPNI. We respond to these specific problems with requirements that are designed to increase the effectiveness of opt out without burdening more carrier speech than necessary.
  43. We require a 30 day waiting period following notice before customer consent can be inferred to ensure that customers have adequate time to respond to a notice. We also require carriers to provide refresher notices to customers of their opt out rights every two years in case circumstances have changed so as to warrant a change in customers' privacy elections. These requirements are narrowly tailored because they address the known shortcomings of opt out in a targeted manner in lieu of adopting a more restrictive approach such as opt in. Furthermore, there is no indication in the record that these requirements impose any undue burden on carriers. Carriers have been following the 30 day waiting period on an interim basis and are generally supportive of it in their comments. 120 Refresher notices, which are only required once every two years, give carriers an opportunity to reconfigure their CPNI policies.
  44. We thus conclude, after weighing the relevant considerations, that a more stringent opt in mechanism is not necessary to protect the substantial governmental interest evinced by section 222. Rather, an opt out regime for intra company use of CPNI to market communications related services directly and materially advances Congress' interest in ensuring that customers' personal information is not used in unexpected ways without their permission, while at the same time avoiding unnecessary and improper burdens on commercial speech, thus meeting Central Hudson's narrow tailoring requirement.
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, (July 25, 2002)


      Even assuming, arguendo, that the state interests in privacy and competition are substantial and that the regulations directly and materially advance those interests, we do not find, on this record, the FCC rules regarding customer approval properly tailored. The CPNI regulations must be "no more extensive than necessary to serve [the stated] interest[s]." Rubin, 514 U.S. at 486. In order for a regulation to satisfy this final Central Hudson prong, there must be a fit between the legislature's means and its desired objective ­ "a fit that is not necessarily perfect, but reasonable; that represents not necessarily the single best disposition but one whose scope is in proportion to the interest served." Board of Trustees of the State Univ. of N.Y. v. Fox, 492 U.S. 469, 480 (1989) (internal quotation marks omitted). While clearly the government need not employ the least restrictive means to accomplish its goal, it must utilize a means that is "narrowly tailored" to its desired objective. Id.; Florida Bar v. Went For It, Inc., 515 U.S. 618, 632 (1995). Narrow tailoring means that the government's speech restriction must signify a "carefu[l] calculat[ion of] the costs and benefits associated with the burden on speech imposed by its prohibition." Cincinnati v. Discovery Network, Inc., 507 U.S. 410, 417 (1993) (internal quotation marks omitted). "The availability of less burdensome alternatives to reach the stated goal signals that the fit between the legislature's ends and the means chosen to accomplish those ends may be too imprecise to withstand First Amendment scrutiny." 44 Liquormart, Inc. v. Rhode Island, 517 U.S. 484, 529 (1996) (O'Connor, J., concurring); see also, e.g., Went For It, 517 U.S. at 632; Rubin, 514 U.S. at 490-91; Discovery Network, 507 U.S. at 417 n.13. This is particularly true when such alternatives are obvious and restrict substantially less speech.(11) See Fox, 492 U.S. at 479 ("[A]lmost all of the restrictions disallowed under Central Hudson's fourth prong have been substantially excessive, disregarding 'far less restrictive and more precise means.'" (quoting Shapero v. Kentucky Bar Ass'n, 486 U.S. 466, 476 (1988))).
      It is difficult, if not impossible, for us to conduct a full and proper narrow tailoring analysis, given the deficiencies that we have already encountered with respect to the previous portions of the Central Hudson test. Nevertheless, on this record, the FCC's failure to adequately consider an obvious and substantially less restrictive alternative, an opt-out strategy, indicates that it did not narrowly tailor the CPNI regulations regarding customer approval. The respondents argue that the record contains adequate support that the CPNI regulations are narrowly tailored because a study conducted by petitioner U.S. West shows that a majority of individuals, when affirmatively asked for approval to use CPNI, refused to grant it. The U.S. West study shows that 33% of those called refused to grant approval to use their CPNI, 28% granted such approval, and 39% either hung up or asked not to be called again. See CPNI Order ¶ 99 n.380. Additionally, U.S. West secured a 72% affirmative response rate from customers whom it solicited after they initiated contact with the company for some other reason.(12) See id. ¶ 99 n.378. This study does not provide sufficient evidence that customers do not want carriers to use their CPNI. The results may simply reflect that a substantial number of individuals are ambivalent or disinterested in the privacy of their CPNI or that consumers are averse to marketing generally. The FCC stated that the study supported "an equally plausible interpretation . . . that many customers value the privacy of their personal information and do not want it shared for purposes beyond the existing service relationship." CPNI Order ¶ 100. We are not convinced that the study supports the FCC's interpretation, and the FCC provides no additional evidence to bolster its argument.
       Even assuming that telecommunications customers value the privacy of CPNI, the FCC record does not adequately show that an opt-out strategy would not sufficiently protect customer privacy. The respondents merely speculate that there are a substantial number of individuals who feel strongly about their privacy, yet would not bother to opt-out if given notice and the opportunity to do so. Such speculation hardly reflects the careful calculation of costs and benefits that our commercial speech jurisprudence requires.

Opt In

  11. In the CPNI Order, the Commission found that in order to ensure the  "informed consent" of consumers for use of their CPNI in a manner other than specifically allowed under section 222(c)(1), carriers would be required to obtain express written, oral or electronic consent from their customers, i.e., an "opt in" requirement, before a carrier could use CPNI to market services outside the customer's existing service relationship with that carrier.31 The Commission reasoned that approval by "implied consent" (or opt out) would not fulfill the statutory purpose of affording consumers with meaningful privacy protection. The Commission also concluded that a carrier must notify the customer of the customer's rights under section 222 before soliciting approval to use the customer's CPNI.
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para11 (July 25, 2002)
 

Opt In: Third Parties

2. Third Parties and Carriers' Affiliates That Do Not Provide Communications  Related Services
  50. Applying the Central Hudson test to methods for carriers to obtain customer approval under section 222(c)(1) to disclose or allow access to CPNI to third parties, we conclude that: (1) the government has a substantial interest in ensuring that a customer give her knowing approval to disclosures of CPNI to third parties because such disclosures can have significant privacy consequences and be irreversible; (2) opt in directly and materially advances this interest by mandating that carriers provide prior notice to customers and refrain from disclosing or allowing access to CPNI unless a customer gives her express consent by written, oral, or electronic means; and (3) opt in is narrowly tailored because carriers have not asserted any intention of sharing CPNI with unaffiliated third parties, and thus the burden of requiring opt in in this context is negligible and certainly warranted in light of consumers' substantial privacy interest in protecting their CPNI from unapproved disclosure to third parties.
  51. As discussed in the following paragraphs, the record unequivocally demonstrates that, in contrast to intra company use and disclosure of CPNI, there is a more substantial privacy interest with respect to third party disclosures. The record indicates not only that consumers' wishes are different regarding third party disclosure, but that the privacy consequences are more significant in the case of unintended disclosure to third parties. Once the personal information in CPNI is disclosed to such companies or individuals, the use of that information is no longer subject to the constraints of section 222, and further, these third parties have no incentive to honor the privacy expectations of customers with whom they have no relationship. On the other hand, any carrier speech burden from having to seek express consent for third  party disclosures appears to be negligible. Carriers say that they need to share with third parties for telemarketing and joint ventures, for which we adopt opt out with certain protections. Beyond that, carriers say they do not share with third parties, making any burden on speech nil, or speculative at best. Therefore, with respect to customer approval of third party disclosures, carriers have not established on our record that there is, or would be, any significant burden on their First Amendment commercial speech interest from opt in to weigh against consumers' substantial privacy interest in avoiding unapproved disclosures to third parties. There is also no demonstrated consumer benefit to be derived from third party sharing that would impact our balancing analysis. Thus, we find that opt in is narrowly tailored under Central Hudson because it burdens no more carrier speech than necessary to directly and materially advance the government's interest in ensuring informed consent before a customer's personal information is disclosed to third parties by its telecommunications carrier.
  52. We also conclude that opt in is necessary with respect to disclosures of CPNI to a carrier's affiliates that provide no communications  related services. 128 In this context, opt in consent directly and materially advances the government's interest in ensuring that customers give their knowing approval to such uses of CPNI, while burdening no more carrier speech than necessary.
. . . . .
b. Disclosure to Affiliates that Provide no Communications Related Services
  64. We find that the same factors we consider above weigh in favor of requiring opt in before a carrier may share CPNI with its affiliates that do not provide communications related services. We find that CPNI dissemination to such affiliates is far more similar to third party dissemination than to the sharing of CPNI with affiliates that provide communications related services, and thus warrants a similar level of protection as that required for third party disclosure.
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking, para11 (July 25, 2002)
 

Notice

C. Customer Notification Requirements
  89. In this Order we largely affirm our previous notice rules, 204 which specify, inter alia, that a carrier's notification "must be comprehensible and must not be misleading," and that written notices "must be clearly legible, use sufficiently large type, and be placed in an area so as to be readily apparent to a customer." 205 A telecommunications carrier's solicitation for approval must also be proximate to the notification of a customer's CPNI rights. 206 Failure to comply with these rules will subject carriers to appropriate enforcement action by the Commission. This Order also makes changes to the notice rules based on industry experience since their adoption, as well as some changes that are necessary to synchronize the notice requirements with the approval methods we adopt herein. Specifically, with respect to opt in notices, we allow carriers more flexibility to determine what type of notices best suit their customers' needs, and with respect to opt out, we adopt more stringent notice requirements to ensure that customers are in a position to comprehend their choices and express their preferences regarding the use of their CPNI. In addition, we allow carriers to choose whether to use an opt in or opt out method for obtaining customer approval for carriers and their affiliates to use CPNI to market communications related services. 207 We recognize, as SBC points out, that different types of customer relationships may be better suited to different types of notice and approval methods. 208
1. Form of Notice
  90. We continue to allow carriers to use written, electronic, and oral notice to customers when soliciting opt in approval. However, except as described below, we require carriers to provide some type of individual 209 tangible notice (written or electronic) to customers when soliciting opt out approval. We continue to allow carriers to use oral notice to obtain limited, one time use of CPNI, whether opt in or opt out. 210
  91. In addition, we allow carriers the flexibility to provide combined opt  out and opt in notices or to provide such notices separately, at individual carriers' discretion. Accordingly, a carrier seeking approval to use CPNI internally and to share with third parties could combine notice for opt out and opt in CPNI uses on one notification, so long as it complies with our notice rules. Alternatively, we allow carriers that prefer to do so to provide separate notices to customers seeking different types (opt in or opt out) of CPNI approval. Of course, carriers may choose to use opt in for all CPNI uses, in which case a carrier making such an election can provide a single notice to its customers. Finally, we allow carriers to provide notice based on the CPNI usage approvals they seek to obtain. Accordingly, a carrier that does not intend to disclose CPNI to third parties or affiliates that do not provide communications related services does not need to provide to its customers notice regarding opt in. Carriers that do not intend to use CPNI outside of the total service approach do not need to provide notice to their customers at all.
a. Electronic Notice
  92. We allow carriers to provide CPNI notices to customers through the use of e mail or other electronic formats, 211 such as a website, as urged by some commenters. 212 However, we recognize that consumers are deluged with unrequested or unwanted commercial e mail ("spam") and could easily overlook a notice provided via e mail. Accordingly, we require carriers to follow certain precautions to ensure that such notices will not be mistaken as spam. Such requirements directly and materially advance our goal of ensuring that consumers have the information necessary to make informed decisions regarding the use of their personal information.
  93. We require carriers that use e mail to provide opt out notices to obtain express, verifiable, prior approval from consumers to send notices via e mail regarding their service in general, or CPNI in particular. 213 In addition, we require carriers to allow consumers to reply directly to e mails containing CPNI notices in order to opt out. We also encourage carriers who elect to use e mail for opt in notices to accept replies, but, because we do not think it is necessary to ensure consumers' privacy choices are honored, we do not so mandate. Further, we require that opt out e mail notices which are returned to the carrier as undeliverable be sent to the customer in another form before carriers may consider the consumer to have opted out. Finally, we require carriers that use e mail to send CPNI notices to ensure that the subject line of the message clearly and accurately identifies the subject matter of the e  mail.
  94. Carriers that elect to use other forms of electronic notice, such as notice provided on a website during the carrier selection process, are cautioned that, similar to our warning on the shrinkwrap/break the seal approach in the next section, such notice must comply with our form requirements (e.g., placement so as to be readily apparent to the customer). In particular, we likely would not consider a CPNI notice that was combined with other legal terms and conditions, or other privacy information, to comply with our rules if the customer were deemed to have opted in or opted out simply by signing up for service.
b. Shrinkwrap or Break the Seal "Notice"
  95. Commenters raise the issue of shrinkwrap or break the seal agreements,  214 and whether such agreements constitute effective solicitation of approval under section 222(c)(1). 215 While we decline to adopt more stringent notice requirements at this time, we confirm that all of the existing notice requirements generally applicable under section 222 apply equally when a carrier solicits customer approval through shrinkwrap or break the seal methods. As a threshold matter, we note that the distinctions between notice of a customer's rights, solicitation for approval to use CPNI, and the approval process sometimes become blurred. 216 In fact, shrinkwrap or break the seal approval "notice" implicates all three areas of our rules. Using a shrinkwrap or break the seal approach, a carrier 217 purports to provide "notice" of customers' CPNI rights to the customer   usually in connection with other terms and conditions of service   and claims to "solicit" consumers' approval for CPNI use and disclosure by asserting that by using the service or "breaking  the seal" (as in the case of a cellular phone), the consumer has approved use and disclosure of his CPNI. Some shrinkwrap/break the seal approaches offer the consumer an opportunity to take some action regarding his CPNI, 218 while some do not.
  96. We are concerned that the shrinkwrap/break the seal notices as they have been described to us are ineffective and may not comply with either the letter or spirit of our notice rules. However, in the absence of specific concerns on this record of abuse of these types of agreements, we do not find that additional restrictions beyond generally applicable notice requirements are warranted at this time. Nevertheless, we caution carriers that abuse of shrinkwrap or break the seal approaches will cause us to reexamine this question or initiate enforcement action.
2. Content of Notice
  97. We largely affirm our previously adopted content rules with a few changes. 219 First, we allow carriers to obtain one time limited use CPNI approval using a streamlined notice. Second, as discussed in more detail below, we require carriers to provide opt out notices to their customers every two years. Accordingly, we require carriers to advise customers that if they have opted out previously, no action is needed to maintain the opt out election. However, consumers who wish to reverse their previous decision to opt out, or consumers who have not previously opted out but wish to do so, must take action as described in the notice. Carriers that elect to provide opt in notices more than once are required to advise customers that no action is needed to maintain their opt in election. These requirements are necessary to minimize customer confusion and complaints regarding previously expressed privacy preferences.
a. Streamlined Consent for One Time Use of CPNI
  98. We grant in part MCI WorldCom's request to modify our notice requirements for customers placing inbound calls to telecommunications providers. 220 While we do not grant MCI's request in its entirety, we do allow carriers to omit the information described below in providing notice for limited, one time use, where such information is not applicable to the circumstances for which the carrier seeks CPNI approval. This streamlining applies both to inbound and outbound customer contacts that seek CPNI approval only for the duration of the call, and is a reasonable way to further narrow application of the CPNI rules in light of the burden they might otherwise work on protected uses of CPNI for solicitation. However, we caution carriers to take a conservative approach in deciding which information is necessary for consumers to make informed decisions regarding their CPNI usage. Should we learn of abuses, we will not hesitate to readdress this issue, and to pursue enforcement actions against individual carriers. Finally, we note that this does not change the opt in or opt out requirement in any way, although we are aware that CPNI approval received for limited one time use during an inbound call necessarily takes the form of an opt in approval, because the carrier must obtain some sort of approval after giving the customer the required notice and soliciting the customer's approval to use the CPNI. 221
  99. Carriers may omit any of the following notice provisions if not relevant to the limited use for which the carrier seeks CPNI:
    . Carriers need not advise customers that if they have opted out previously, no action is needed to maintain the opt out election. Obviously, if this is the first contact with the consumer, such a disclosure would be confusing and meaningless. 222
    . Carriers need not advise customers that they may share CPNI with their affiliates or non affiliates and name those entities, if the limited CPNI usage will not result in use by or disclosure to an affiliate or third party.
    . So long as carriers explain to the customers that the scope of the approval the carrier seeks is limited to one time use, the carrier need not disclose the means by which a customer can deny or withdraw future access to CPNI.
    . In addition, carriers may omit disclosure of the precise steps consumers must take in order to grant or deny access to CPNI, as long as the carrier clearly communicates to the customer that the customer can deny access to his CPNI for the call. 223
b. Availability of Customer Service Feature Information During Outbound Calls
  100. We deny MCI WorldCom's request that we modify our interpretation of section 222(c)(1)(A) of the Act to enable carriers making sales calls to potential customers to access the CPNI records of those potential customers' without meeting the customer approval requirements previously adopted by the Commission. 224 In particular, MCI WorldCom states that it wants access to certain CPNI   the list of features that a potential customer receives from its current carrier   so that MCI WorldCom may make direct price comparisons against its own services in order to persuade the customer to choose MCI WorldCom as its local service provider. 225 Additionally, MCI WorldCom makes a second argument that this same customer feature information should be made available to smooth the process of provisioning a customer that has chosen to migrate from his former carrier to MCI WorldCom. 226 Sprint, AT&T, U S WEST, and RCN filed comments in support of MCI's request for further reconsideration on this subject 227 while Verizon, BellSouth, GTE, and SBC filed comments in opposition to MCI WorldCom's request. 228
  101. The Commission previously has considered and rejected this same argument twice. 229 The Commission's rules permit disclosure of a customer's records only upon adequate notice to and approval from the customer. 230 These rules are designed to allow customers to make reasoned, informed decisions about their CPNI in which they have a privacy interest. 231 As several commenting parties note, the short notice statement proposed by MCI WorldCom is too vague to enable the customer to make an informed decision. 232 Although MCI WorldCom presents information about its experience competing for local exchange customers, MCI WorldCom and the other commenters supporting this request do not present compelling new facts or arguments that justify altering the existing rules, especially in light of the fact that, in the instant proceeding, we streamline the notice requirements. Specifically, MCI WorldCom does not establish how its need for this information 233 during an initial cold call to a potential customer overcomes that customer's privacy interests   especially since there is no existing business relationship, making MCI WorldCom or another similarly situated carrier a third party to the consumer. 234 Accordingly, for the same reasons that we have differentiated the approval required depending on intended use as described above, we reject MCI WorldCom's arguments here and again find no reason to disturb our earlier decisions.
c. Notice Requirements Regarding Disclosure of Carriers' Affiliates
  102. We deny MCI WorldCom's request that we allow carriers to use  "broad, general terms" when providing notice, rather than informing "customers of the types of CPNI that may be viewed and the entities that may view it." 235 MCI WorldCom provides no new facts and makes no arguments that we have not previously considered in our analysis and determination in the CPNI Reconsideration Order. 236
d. Ability to Warn Customer that Provisioning Delays are Possible Without Access to CPNI
  103. We grant, with certain safeguards, MCI WorldCom's request that we remove the prohibition against warning customers that failure to approve the disclosure of CPNI to a new carrier may disrupt the installation of service. 237 In the CPNI Second Report and Order, the Commission explained that customer notification "must provide sufficient information to enable the customer to make an informed decision as to whether to permit a carrier to disclose, or permit access to CPNI." 238 In that same discussion, the Commission prohibited the inclusion of any implication "that approval is necessary to ensure the continuation of services to which the customer subscribes, or the proper servicing of the customer's account." 239 In the CPNI Reconsideration Order, based on a lack of evidence, the Commission denied an MCI petition to allow carriers to warn customers of problems that could result from failure to give permission to access the customer's CPNI. 240 Because we want customers to be able to make informed decisions, 241 and because we do not want to place an undue burden on truthful speech, 242 we consider this topic below.
  104. Several parties commented on this issue. 243 For example, RCN and Qwest support MCI's contention that without access to CPNI, delays or problems with proper provisioning are likely when a customer chooses to change carriers. 244 Verizon, however, disagrees with the argument that a competing carrier's lack of access to a customer's CPNI necessarily causes delays or provisioning problems, arguing instead that if such problems occur, they are the fault of MCI WorldCom. 245 Parties raise sufficient cause for us to believe that our current rules may restrict truthful speech that could beneficially inform consumers' decisions on CPNI disclosure. 246
  105. We recognize an important balance of interests in warning customers that failure to grant access to CPNI may impede the provisioning process. On one hand, we believe that customers should be given useful and truthful information that will better inform their decisions regarding CPNI. On the other hand, we are wary that carriers might use such a warning in such a way as to coerce customers into granting consent to access CPNI. Therefore, in order to maximize the ability of customers to make fully informed decisions about their CPNI, we permit carriers to provide an informative statement to customers about problems that often occur in provisioning service without access to CPNI.
  106. Specifically, we decide that carriers soliciting consent to access a customer's CPNI may, in addition to the statements required to obtain consent, provide a brief statement, in clear and neutral language, describing consequences directly resulting from the lack of access to CPNI. However, any consequences must affect customers and must be provable and material. 247 By requiring carriers to limit their representations in this way, we can best ensure that customers are protected from coercive or trivial assertions, while nevertheless ensuring that customers have information that is relevant to their decisions to allow use of their CPNI. We decline, at this time, to mandate specific language for such warnings because we believe that our rules will provide carriers with sufficient guidance to formulate scripts that inform customers in a neutral manner of significant consequences, without unduly restricting carrier flexibility in delivering the message.
3. Frequency of Notice
  107. We hold that carriers using the opt in customer approval mechanism must provide customers with a one time notice before soliciting approval to use CPNI. Carriers electing the opt out mechanism must provide notices to their customers every two years. We note that few commenters addressed the issue of frequency of notice and none suggested a specific time period. 248
  108. We adopt a more stringent notice requirement for the opt out regime for several reasons. First, under the opt out mechanism, the possibility exists that customers have not made a conscious decision to allow the additional use of their CPNI. For example, the lack of response could be due to a customer's failure to receive the notice, a failure to read the notice, or a failure to understand the notice. 249 As Qwest itself recognized in its comments, "[the failure to act, then, provides little evidence of an individual's true intentions, and no dispositive or compelling demonstration of a 'decision."' 250 As already discussed, the opt out mechanism requires more stringent safeguards because of the possibility that consumers are unaware of their rights and because opt out provides incentives for carriers to not be as forthright as possible. 251 By contrast, in an opt in environment, customers have taken affirmative action regarding the use of their CPNI that demonstrates they are informed of the scope and duration of a carrier's use of CPNI. 252
  109. Second, a number of relevant customer and carrier circumstances can change over time. A customer's marital or parental status, job status, or health status can change. Carriers may change their affiliates, the methods available to opt out, and the uses the carrier makes of the information. For example, a customer might be willing to share his CPNI with a local telephone company, but decide that he wants to restrict the use of his CPNI after that company merges with a larger entity. Periodic renotification is thus a reasonable way of ensuring that customers have an adequate opportunity to indicate approval.
  110. Therefore, in accordance with the general policy we have adopted regarding the need for consumer safeguards in an opt out regime, and because failing to provide for periodic confirmation would fail to account for material changes in circumstances over time, we hold that carriers must provide opt out notices at least once every two years. A two year period is a reasonable period over which one might reasonably expect changed circumstances to warrant confirmation of an opt out election. Biennial notice is also unlikely to impose an onerous burden on carriers, particularly when compared to their likely benefit in making use of the opt out mechanism. 253
  111. In addition, we require carriers to honor their customers' CPNI elections unless and until a customer affirmatively changes his election. Following a customer's election to withhold approval of CPNI usage, the carrier may subsequently attempt to secure the customer's approval to use, disclose, or permit access to his CPNI as frequently as the carrier deems appropriate, but carriers may not force customers to opt out repeatedly in an attempt to wear the customer down or obtain an inadvertent "approval." Accordingly, although carriers must provide biennial opt out notice to their customers, carriers must respect previously expressed opt outs. Nor can carriers provide opt in notices to their customers and immediately provide additional notices to those customers who choose not to opt in, because such use of repeated notices is burdensome to customers and fails to respect their privacy choices regarding CPNI.
4. Waiting Period for Opt Out Notification
  112. We adopt a 30 day minimum period of time that carriers must wait after giving customers' notice before assuming customer approval. In the CPNI Clarification Order, the Commission noted that the then current rules did not provide for any time period after which a customer's implicit approval of the use or sharing of CPNI could be reasonably assumed to have been given to the carrier. 254 As an interim measure, the Commission adopted a 30 day period from customer receipt of notice as a "safe harbor," but permitted some shorter period if supported by an adequate explanation from the carrier. 255 Commenters addressing this topic uniformly supported a 30 day waiting period, 256 although one commenter found troubling that "[a carrier's notice gave customers only thirty days to object." 257 In light of the comments we received supporting the 30 day time frame and the lack of any other suggested time frames or evidence of harm to consumers or carriers, we adopt as permanent the interim 30 day time frame. We clarify that this 30 day period is merely the minimum time a carrier must wait to infer a customer's approval of its requested use of CPNI; it is no way a deadline for customer action. Carriers are required to honor customer decisions to opt out of requested uses whenever those decisions are communicated by customers, which may occur during or after the 30 day waiting period.
  113. We also sought comment on how carriers should manage later requests for privacy from the customer. 258 For example, if a customer chooses to opt out after the date on which approval has already been inferred, or, in the case of an opt in mechanism, after the customer revokes an express consent previously granted, what would be a reasonable time period within which the carrier and its affiliates should be required to implement that opt out request or revocation? We received limited comments on this topic, and note that we are unaware of any complaints regarding carriers' failure to implement and honor later requests for privacy. Accordingly, we require carriers to implement customers' privacy requests as expeditiously as possible within the regular course of business. However, we caution carriers that if we receive complaints that later privacy choices are not being effectuated in a timely manner, we will not hesitate to readdress this issue, and adopt prescriptive rules. In addition, we caution carriers that failure to implement customers' privacy elections in a timely manner would likely be actionable violations of sections 222 and 201 of the Act.
  114. We also require carriers to notify the Commission if their opt out mechanisms break down. During the period preceding this Order, a number of carriers implemented opt out policies. We are aware that many consumers experienced problems in effectuating their choice to opt out. 259 For example, it was reported that Qwest's call center was understaffed for the level of response and consumers were unable to get through or put on hold for unacceptably long periods; SBC generated similar complaints. 260 In light of recent problems customers have had opting out, as well as the vital role that proper implementation of the opt out mechanism plays in protecting consumers' privacy, we require that carriers provide written notice within five business days to the Commission in any instances where opt out mechanisms do not work properly, to such a degree that consumers' inability to opt out is more than an anomaly. 261
  115. In such instances, the Commission will consider whether to require carriers to extend the date by which opt outs must be received, or if other corrective action is required. We encourage carriers to take such action voluntarily, and to advise the Commission of such action in the notice. The notice should take the form of a letter, and include the carrier's name, a description of the opt out mechanism(s) used, the problem(s) experienced, the remedy proposed and when it will be/was implemented, whether the relevant state commission(s) has been notified and whether it has taken any action, a copy of the notice provided to customers, and contact information. Such notice must be submitted even if the carrier offers other methods by which consumers may opt  out.
  116. In addition, we no longer allow carriers to use a time frame shorter than 30 days even if supported by an explanation. 262 To the degree that carriers previously provided notices that otherwise comply with our rules, but used a shorter time frame, we allow carriers to continue to use approval generated from those notices consistent with our holding regarding grandfathering of previously obtained approvals. 263
  117. Moreover, we agree with Nextel's request to "allow a carrier to provide the requisite notification at the time of an individual transaction and request that the consumer decide whether to opt out as a requisite to completing that transaction." 264 In particular, subject to our discussion of shrinkwrap consent, carriers may request that consumers affirmatively make a CPNI election when the consumer signs up for service. However, if the carrier provides an opt out notice but does not require the customer to specifically demonstrate his decision whether or not to opt out, then the carrier must abide by the thirty day waiting period. Specifically, a carrier must obtain a demonstrable customer election to opt in or opt out that is separate and distinct from the customer's decision to purchase the carrier's service. For example, a carrier that uses an Internet sign up page may provide the required notice and then require a customer to click on a button agreeing to opt out or opt in. 265 However, carriers may not require customers to assent to CPNI usage as a condition of service. 266
5. Methods by Which Customers Can Exercise CPNI Rights Under Opt Out or Opt In
  118. We require that carriers make available to every customer (including, but not limited to, those without Internet access, and disabled customers) a method to opt out that is of no additional cost 267 to the customer and available 24 hours a day, seven days a week. We allow carriers to satisfy this requirement through a combination of methods, 268 so long as all customers have the ability to opt out at no cost and are able to effectuate that choice whenever they choose. 269 We note that in an opt in paradigm, carriers have an incentive to make it as easy as possible for customers to opt in because they need to receive the customer's express approval to use CPNI. However, in the case of opt out, it makes economic sense for carriers to make it difficult and expensive for customers to opt out, because opting out deprives the carrier of approval for its intended use of CPNI. 270 Many commenters suggest that the Commission allow carriers to determine what methods to offer customers to opt in or out. 271 Based on comments as well as recent experiences with opt in and opt out in this and other industries, we allow carriers the freedom to choose the method(s) by which consumers may express their opt out or opt in choices, so long as all customers are able to access and use those mechanisms, 24 hours a day, seven days a week. We believe that these requirements will ensure that all consumers are afforded a reasonable opportunity to effectuate their privacy choices, while allowing carriers flexibility in determining how to meet their obligations. 272
  119. We deny the request by a few commenters to require carriers to obtain written evidence of customers' approval. 273 We have previously considered whether to require written evidence and were not convinced that such an approach was necessary, especially in light of the burden it would place on carriers. 274 We decline to do so here because we have not been presented any evidence that carriers are failing to obtain customers' approval and then claiming to have such approval. To the degree that we receive complaints that abuses of this nature are occurring, we will revisit this issue and will not hesitate to initiate enforcement actions against offending carriers. In addition, we note that carriers bear the burden to provide proof that approval was obtained should a complaint arise. 275
-- In the Matter of Implementation of the Telecommunications Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further Notice of Proposed Rulemaking (July 25, 2002)

    CPNI & Computer III

 8. On May 17, 1996, the Commission initiated a rulemaking, in response to various formal requests for guidance from the telecommunications industry, regarding the obligation of carriers under section 222 and related issues.   The Commission subsequently released the CPNI Order on February 26, 1998.   The CPNI Order addressed the scope and meaning of section 222, and promulgated regulations to implement that section.  It concluded, among other things, as follows: (a) carriers are permitted to use CPNI, without customer approval, to market offerings that are related to, but limited by, the customers' existing service relationship; (b) before carriers may use CPNI to market outside the customer's existing service relationship, carriers must obtain express written, oral, or electronic customer approval; (c) prior to soliciting customer approval, carriers must provide a one-time notification to customers of their CPNI rights; (d) in light of the comprehensive regulatory scheme established in section 222, the Computer III CPNI framework is unnecessary; and (e) sections 272 and 274 impose no additional CPNI requirements on the Bell Operating Companies (BOCs) beyond those imposed by section 222.
. . . . . .
     94. As discussed in the Clarification Order, the framework established under the Commission's Computer III regime, prior to the adoption of section 222, governed the use of CPNI by the BOCs, AT&T, and GTE to market CPE and enhanced services.   Under this framework, those carriers were obligated to: (1) provide an annual notification of CPNI rights to multi-line customers regarding enhanced services, as well as a similar notification requirement that applied only to the BOCs regarding CPE; and (2) obtain prior written authorization from business customers with more than 20 access lines to use CPNI to market enhanced services. The CPNI Order, however, replaced the Computer III CPNI framework in all material respects.   In its place, the CPNI Order established requirements compelling carriers to provide customers with specific one-time notifications prior and proximate to soliciting express written, oral, or electronic approval for CPNI uses beyond those set forth in sections 222(c)(1)(A) and (B).   The CPNI Order further established an express approval mechanism for such solicitations as it is the "best means to implement this provision because it will minimize any unwanted or unknowing disclosure of CPNI" and will also "limit the potential for untoward competitive advantages by incumbent carriers."
     95. The Clarification Order noted that, like the requirements established in the CPNI Order, "the notification obligation established by the Computer III framework required, among other things, that carriers provide customers with illustrative examples of enhanced services and CPE, expanded definitions of CPNI and CPE, information about a customer's right to restrict CPNI use at any time, information about the effective duration of requests to restrict CPNI, and background information to enable customers to understand why they were being asked to make decisions about their CPNI."   The Clarification Order determined that these Computer III notifications comply materially with the form and content of the notices required by the CPNI Order.   In addition, the Clarification Order concluded that the Computer III requirement to obtain prior written authorization constitutes a form of express, affirmative approval, as required by section 222.   Accordingly, the Clarification Order concluded that carriers that complied with the Computer III notification and prior written approval requirement in order to market enhanced services to such carriers are also in compliance with section 222 and the Commission's rules.
--In Re Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, 96-149, Order On Reconsideration And Petitions For Forbearance (September 3, 1999)


IV. NOTICE AND WRITTEN APPROVAL UNDER THE COMPUTER III CPNI   FRAMEWORK

 10. Prior to the adoption of the Telecommunications Act of 1996,  the framework established under the Commission's Computer III regime governed the use of CPNI by the BOCs, AT&T, and GTE to market CPE and enhanced services.   Two important components of this Computer III framework were:  (1) a carrier's obligation to provide an annual notification of CPNI rights to multi-line customers regarding enhanced services,  as well as a similar notification requirement regarding CPE that applied only to the BOCs,  and (2) a carrier's obligation to obtain prior written authorization from business customers with more than 20 access lines to use CPNI to market enhanced services.   We clarify that in circumstances where a carrier has provided annual notification and received prior written authorization from customers with more than twenty access lines, the requirements for notice and approval under section 222, and the associated Commission rules, are satisfied for those customers.
 11. In the Second Report and Order, the Commission concluded that the statutory framework of section 222 contemplated informed customer approval because such notification and affirmative approval would maximize customers' control over their CPNI when carriers use CPNI for purposes beyond those specified in sections 222(c)(1)(A) and (B), thus furthering the objectives of section 222.   As elements of informed customer approval, the Commission established the following requirements in the Second Report and Order:  (1) a one-time notice to customers, prior and proximate to any solicitation for approval, informing them of their right to restrict carrier use of CPNI, the precise steps necessary to grant or deny access to CPNI, the scope and duration of a carrier's use of CPNI in the event of a grant, and the carrier's duty to protect the confidentiality of such information and ensure the continuance of service despite a denial of carrier access to CPNI; and (2) express, affirmative oral, written, or electronic customer approval.
 12. Similarly, the notification obligation established by the Computer III framework required, among other things, that carriers provide customers with illustrative examples of enhanced services and CPE, expanded definitions of CPNI and CPE, information about a customer's right to restrict CPNI use at any time, information about the effective duration of requests to restrict CPNI, and background information to enable customers to understand why they were being asked to make decisions about their CPNI.   We determine that these written annual notifications materially comply with the form and content of the notices required in the Second Report and Order.   In addition, the Computer III requirement to obtain prior written authorization constitutes a form of express, affirmative approval, as required by section 222.  Therefore, we find that carriers that have complied with the Computer III notification and prior written approval requirement in order to market enhanced services to business customers with more than 20 access lines are also in compliance with section 222 and the Commission's rules.  Such carriers may rely on their previous compliance with the Computer III notification and approval requirements to market enhanced services to business customers with more than 20 access lines without taking any additional steps to notify such customers of their CPNI rights or to obtain customer approval to use CPNI to market enhanced services to such customers.
--In Re Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, Order (May 21, 1998)



    (c)  We eliminate the Computer III CPNI framework, as well as sections 22.903(f) and 64.702(d)(3) of our rules, in light of the comprehensive regulatory scheme Congress established in section 222. 19
. . . . .
  7.  Prior to the 1996 Act, the Commission had established CPNI requirements applicable to the enhanced services 30 operations of AT&T, the BOCs, and GTE, and the CPE operations of AT&T and the BOCs, in the Computer II, 31 Computer III, 32 GTE ONA, 33 and BOC CPE Relief 34 proceedings.  The Commission recognized in the Notice that it had adopted these CPNI requirements, together with other nonstructural safeguards, to protect independent enhanced services providers and CPE suppliers from discrimination by AT&T, the BOCs, and GTE. 35  The Notice stated that the Commission's existing CPNI requirements were intended to prohibit AT&T, the BOCs, and GTE from using CPNI obtained from their provision of regulated services to gain a competitive advantage in the unregulated CPE and enhanced services markets. 36 The Notice further stated that the existing CPNI requirements also were intended to protect legitimate customer expectations of confidentiality regarding individually identifiable information. 37  The Commission concluded in the Notice that existing CPNI requirements would remain in effect, pending the outcome of this rulemaking, to the extent that they do not conflict with section 222. 38  On November 13, 1996, the Common Carrier Bureau (Bureau) waived the annual CPNI notification requirement for multi-line business customers that had been imposed on AT&T, the BOCs, and GTE under our pre-existing CPNI framework, pending our action in this proceeding. 39
. . . . .
  174.  In the Computer III, 595 GTE ONA, 596 and BOC CPE Relief 597 proceedings, the Commission established a framework of CPNI requirements applicable to the enhanced services operations of AT&T, the BOCs, and GTE and the CPE operations of AT&T and the BOCs (Computer III CPNI framework).598  As we observed in the Notice, the Commission adopted the Computer III CPNI framework, together with other nonstructural safeguards, to protect independent enhanced services providers and CPE suppliers from discrimination by AT&T, the BOCs, and GTE. 599  The framework prohibited these carriers' use of CPNI to gain an anticompetitive advantage in the unregulated CPE and enhanced services markets, while protecting legitimate customer expectations of confidentiality regarding individually identifiable information. 600  Alternatively, for those carriers that maintain structurally separate affiliates in connection with their CPE and enhanced services operations, our Computer II 601 rule 64.702(d)(3) prohibits carriers from sharing CPNI with those affiliates unless it is made publicly available. 602  We likewise prohibit the BOCs from providing CPNI to their cellular affiliates unless they make the CPNI publicly available on the same terms and conditions. 603
  175.  We conclude that the new CPNI scheme that we implement in this order, which is applicable to all telecommunications carriers, fully addresses and satisfies the competitive concerns that our Computer III framework as well as our Computer II and BOC CPNI cellular rules sought to address. Accordingly, we eliminate these existing CPNI requirements in their entirety. 604  Nevertheless, the record supports our specifying general minimum safeguards, applicable to all carriers, to ensure compliance with section 222's statutory scheme.  Toward that end, we first require that all carriers conform their database systems to restrict carrier use of CPNI as contemplated in section 222(c)(1) and section 222(d)(3), through file indicators that flag restricted use, in conjunction with personnel training and supervisory review. Second, we impose recording requirements on carriers that serve both to ensure that use restrictions are being followed and to afford a method of verification in the event they are not.
B.  Computer III CPNI Framework
1.  Background
  176.  The CPNI framework the Commission adopted prior to the 1996 Act, which applies only to the BOCs, AT&T, and GTE, and only in connection with their use of CPNI to market CPE and enhanced services, involves five general components. The first concerns customer notification. The current framework requires the BOCs, AT&T, and GTE to send annual notices of CPNI rights regarding enhanced services to all their multi-line business customers. 605  With respect to CPE, the BOCs must also send annual notices to multi-line business customers, and AT&T must provide a one-time notice to its WATS and private line customers.  Each notice must be written, describe the carrier's CPNI obligations, the customer's CPNI rights, and include a response form allowing the customer to restrict access to CPNI. 606  Second, the BOCs and GTE, but not AT&T, must obtain prior written authorization from business customers with 20 or more access lines before using CPNI to market enhanced services. 607 All BOC and AT&T customers with fewer lines have the right to restrict access to their CPNI by carrier CPE personnel, and along with GTE customers, enhanced services personnel as well. 608  These carriers must also accommodate customer requests for partial or temporary restrictions on access to their CPNI. 609  Third, we require the BOCs, AT&T, and GTE to make CPNI available to unaffiliated enhanced services providers and CPE suppliers at the customer's request on the same terms and conditions as the CPNI is made available to their personnel. 610  Fourth, the BOCs must provide unaffiliated enhanced services and CPE providers any non-proprietary, aggregate CPNI that they share with their own personnel on the same terms and conditions. 611  GTE is subject to the same requirement for its enhanced services operations. 612 AT&T, however, is not subject to any Commission requirements with respect to aggregate CPNI. 613  Finally, the BOCs, AT&T, and GTE must use passwords to protect and block access to the accounts of customers that exercise their right to restrict. 614  We also mandate that the BOCs and GTE address their compliance with our CPNI requirements in their ONA, CEI, and CPE relief plans. 615
     177.  The Commission acknowledged in the Notice that section 222 may address the anticompetitive concerns that its existing CPNI requirements had sought to address, and the Commission invited comment on which, if any, of its requirements may no longer be necessary in view of section 222. 616  The Commission tentatively concluded that it should not extend its CPNI requirements to carriers that are not affiliated with AT&T, the BOCs, or GTE. 617 The Commission also recognized that, in certain respects, the Computer III CPNI framework is more restrictive than the 1996 Act. 618 The Commission decided that these additional restrictions would remain in effect, pending the outcome of this rulemaking, to the extent that they do not conflict with section 222. 619  The Commission also asked parties to address whether privacy, competitive concerns, or other considerations justified the retention of our existing CPNI requirements, what the costs and benefits of retaining these CPNI requirements would be, and how changing our CPNI requirements might influence other nonstructural safeguards adopted prior to the 1996 Act. 620 In the event the Commission concluded that we should continue to subject the BOCs, AT&T, and GTE to CPNI requirements that are more restrictive than those applicable to other carriers, the Commission sought comment on whether such differential treatment should be permanent or limited in duration and, if limited, what sunset provisions should apply. 621
      178.  The Commission also tentatively concluded that AT&T's recent classification as a non-dominant carrier for domestic services, and its plan to separate its equipment business from its telecommunications service business, justified removal of our CPNI requirements as to it. 622  The Commission asked whether AT&T continues to possess a competitive advantage with respect to access to and use of customer CPNI, and whether privacy concerns, competitive concerns, or any other considerations justify special regulatory treatment of AT&T with regard to CPNI. 623
    179.  Several parties argue that our existing Computer III CPNI framework for the BOCs and GTE is unnecessary and should be eliminated. 624  AT&T and LDDS Worldcom argue that, in any event, the Commission's existing CPNI requirements should not continue to apply to AT&T because it has been classified as nondominant. 625  Other parties argue that we should retain the Computer III CPNI requirements for the BOCs and GTE, 626 and additionally for AT&T. 627  Several of these commenters further contend that we should extend some or all of the preexisting requirements to carriers other than AT&T, the BOCs, and GTE. 628
2.  Discussion
      180.  We conclude that retaining the Computer III CPNI requirements, applicable solely to the BOCs, AT&T and GTE, would produce no discernable competitive protection, and would be confusing to both carriers and customers. 629 The statutory scheme we implement in this order effectively replaces our Computer III CPNI framework in all material respects. 630  For example, like under the Computer III CPNI framework, our new scheme establishes the extent that carriers, including AT&T, the BOCs, and GTE, must notify customers of their CPNI rights, obtain customer approval before using CPNI for marketing purposes, and accommodate customer requests for partial or temporary restrictions on access to CPNI. 631  We also set forth under the new scheme the circumstances under which carriers, including AT&T, the BOCs, and GTE, must make individually identifiable and aggregate CPNI available upon request. 632
     181.  The legislative history is silent on the issue of the Computer III requirements.  Some commenters argue that we should interpret Congress' silence as indicating its intention that the Computer III CPNI requirements be retained. 633  Other parties argue that the silence indicates the intention that the existing framework be eliminated. 634  Because Congress offered no explanation on this point, we do not find the history helpful either way. Rather, we find that the rules we implement in this order satisfy the concerns upon which the Computer III framework is based, and therefore we replace them with the new scheme.  We note that, although we eliminate our Computer III approval and notification requirements, as requested by several carriers, the rules we implement herein are actually more in line with those endorsed by carriers urging us to retain our prior framework in which the BOCs, AT&T, and GTE provide notification to their multi-line business customers, and need prior authorization in the case of twenty or more lines. 635
    182.  We are persuaded that the competitive and privacy concerns upon which the Computer III CPNI framework rests are fully addressed by our new CPNI scheme, and that, continued retention of our Computer III CPNI framework would produce no additional benefit. 636  Indeed, in two important respects, the rules we promulgate herein implementing section 222 afford information services providers and CPE suppliers greater protection from carriers' anticompetitive CPNI use.  First, the new scheme applies to all carriers, and in so doing, extends the scope of protection consistent with section 222. 637  We believe applying our new CPNI rules to all carriers generally furthers the objective of section 222 of safeguarding customer privacy.
     183.  Second, several of the new scheme's CPNI requirements operate to make carriers' anticompetitive use of CPNI more difficult.  Unlike the Computer III CPNI framework, which requires customer authorization only from businesses with over twenty lines, we now require that all carriers obtain customer approval from all customers, including small businesses and residential customers with any number of lines, before carriers can use CPNI to market information services or CPE. 638  Although the Computer III CPNI framework affords customers the right to restrict access to their CPNI records, whereas under our new scheme the customer's right is to withhold approval, the result nevertheless is the same -- the customer has the right to control whether a carrier uses, discloses, or permits access to its CPNI. 639 Indeed, in contrast with the Computer III CPNI framework, which generally permits CPNI use unless and until the customer affirmatively acts to restrict, our new scheme prohibits carriers from using CPNI unless and until they obtain customer approval, and in this way offers customers greater control. 640 Moreover, we conclude that carriers must notify all customers of their CPNI rights under our new scheme, not merely their multi-line business customers as is required under the Computer III CPNI framework. 641  This notice requirement, therefore, similarly affords greater competitive protections. Finally, by its terms, section 222(c)(3) extends the obligation to provide non- discriminatory access to aggregate customer information, when used for purposes outside of the provision of the customer's total service offering, to all LECs, not just the BOCs and GTE.  Thus, under section 222(c)(3), information service providers and CPE suppliers are entitled to competitively useful aggregate information from more carriers than they had been in the past. 642  In these ways, the new scheme is more protective of competitive and privacy interests than currently exists under the Computer III CPNI framework. 643  We thus find no competitive or privacy justification at this time to retain our former framework.
   184.  Nor will the elimination of the Computer III CPNI framework weaken other nonstructural safeguards.  We agree with Ameritech, PacTel and GTE that the Commission's other Computer III requirements are independent of CPNI regulation, and would continue to prohibit discriminatory network access and protect against any alleged "bottleneck" leverage. 644  Finally, we conclude that, insofar as we eliminate the Computer III CPNI requirements, carriers' ONA and CEI plans no longer have to address CPNI. 645
-- In Re In The Matter Of Implementation Of The Telecommunications Act Of 1996, CC Docket No. 96-115, Second Report and Order and Further Notice of Proposed Rulemaking ¶ 3 (February 26, 1998)


"41. Under the Commission's Computer III requirements, Ameritech is required to describe the procedures it intends to establish to comply with the Commission's CPNI safeguards. In addition, section 222 of the 1996 Act contains CPNI requirements. Although the requirements of section 222 became effective immediately upon enactment, the Commission has initiated a proceeding to consider regulations interpreting and specifying in more detail, a telecommunications carrier's obligations under this provision. In the Notice initiating this proceeding, the Commission tentatively concluded that its existing CPNI regulations remain in effect, pending completion of the CPNI rulemaking, to the extent that they do not conflict with section 222." -- In the Matter of Ameritech's Comparably Efficient Interconnection Plan for Electronic Vaulting Service, CCBPol 97-03, Order ¶ 41 (December 31, 1997)


46. Customer Proprietary Network Information: The Phase II Order established CPNI requirements for BOCs' enhanced service operations, requiring them, among other things, to (1) make CPNI available, upon customer request, to unaffiliated enhanced service vendors, on the same terms and conditions that are available to their own enhanced services personnel; (2) limit their enfhanced services personnel from obtaining access to a customer's CPNI if the customer so requests; and (3) notify multi-line business customers annually of their CPNI rights. The Commission also requires BOCs to provide any nonproprietary aggregate CPNI to unaffiliated enhanced service vendors on the same terms and conditions that the BOCs provide that information to their own enhanced services personnel.
---In the Matter of Bell Operating Companies Joint Petition for Waiver of Computer II Rules, DA 95-2264, Order, ¶ 46 (October 31, 1995)


73. The Commission's Customer Proprietary Network Information (CPNI) rules restrict a BOC's use of individual CPNI. BOCs are required to describe the types of information they will treat as CPNI, and to explain their procedures for determining which customers have the right to restrict access to particular CPNI. First, for customers with 20 or fewer lines, the BOC must limit access to a customer's CPNI by its marketing personnel that sell enhanced services, if the customer so requests. Second, the BOC must release that CPNI at the customer's request to any ESP designated by the customer, and make that information available on the same terms and conditions as it is made available to its own enhanced service operations. Third, the BOC's enhanced services marketing personnel may not obtain access to the CPNI of any customer with more than 20 access lines without that customer's prior permission. Fourth, the BOC must notify all of its multiline business customers annually of their CPNI options, and include response forms "which fully and fairly inform[] customers of their CPNI rights." Fifth, the BOC is required to accommodate requests for "partial or temporary restriction of CPNI." In the GTE ONA Order, the Commission extended to GTE the BOC ONA requirements relating to CPNI. The Commission specifically required GTE to describe in its ONA Plan how it intends to meet the CPNI requirements and to include the CPNI notification letter that it proposes to send to its multiline business customers.
. . . . .
81. The Commission requires that, if a BOC makes nonproprietary, aggregate CPNI available to its own enhanced service personnel, it must make such information available to competing ESPs on the same terms and conditions. The BOC must explain how it will notify ESPs that aggregate CPNI is available. The Commission extended these requirements to GTE.
. . . . .
83. The Commission has stated that a password/identification (password ID) system is the preferred method for restricting CPNI access for enhanced services, and should be used absent a specific showing that it would be unduly burdensome to do so. The BOC must implement password ID systems for "all primary databases that are routinely accessed by [the BOC's] enhanced services marketing personnel and contain comprehensive restricted CPNI." The Commission does not require BOCs to implement password ID systems for auxiliary databases that contain fragmented CPNI and that are not routinely accessed by enhanced services marketing personnel. The Commission, however, requires the BOC to state, for each database that contains CPNI and that does not have password ID protection, the following: (a) database name; (b) database purpose; (c) accessibility and frequency of use by enhanced services marketing personnel; (d) types and amount of CPNI; (e) method of access restriction; and (f) justification for not imposing password ID restrictions. In the GTE ONA Order, the Commission required GTE to implement password ID systems by April 4, 1996.
-- In the Matter of Application of Open Network Architecture and Nondiscrimination Safeguards to GTE Corporation, CC Docket No. 92-256, Memorandum Opinion and Order, (July 29, 1995)


34. Bell Atlantic is required to describe the procedures it intends to establish to comply with CPNI safeguards. The Phase II Order established CPNI requirements for BOCs' enhanced service operations, requiring them in part to (1) make CPNI available, upon customer request, to unaffiliated enhanced service vendors, on the same terms and conditions that are available to their own enhanced services personnel; (2) limit their enhanced services personnel from accessing a customers CPNI if the customer so requests; and (3) notify multiline business customers annually of their CPNI rights. The Commission also requires BOCs, but not AT&T, to provide to unaffiliated enhanced service vendors on the same terms and conditions, any nonproprietary, aggregate CPNI that the BOCs provide to their own enhanced services personnel.
--- In the Matter of Bell Atlantic Telephone Companies, Offer of Comparably Efficient Interconnection to Providers of Video Dialtone-Related Enhanced Services, DA 95-1283, Order (June 9, 1995)


Third, we imposed CPNI obligations on the enhanced service operations of AT & T and the BOCs similar to those we imposed for AT&T CPE operations; AT&T and the BOCs may use CPNI for enhanced service marketing operations, provided that those carriers establish procedures to honor any requests from customers that their CPNI be withheld from carrier-affiliated enhanced service personnel or released to other enhanced service vendors. 38 We required AT & T and the BOCs to notify their multiline business customers of these rights on an annual basis. We also required the BOCs to provide any nonproprietary, aggregate CPNI that the BOCs provide to their own enhanced services personnel to unaffiliated enhanced service vendors. 39 -- In the Matter of Filing and Review of Open Network Architecture Plans, CC Docket No. 88-2, Phase I, Memorandum Opinion And Order, ¶ 25 (December 22, 1988)


     27. We declined to modify our CPNI rules to require that the BOCs' enhanced service personnel be denied access to CPNI absent prior authorization from customers.45 We stated that we expected carriers to take special care to protect the CPNI of customers, especially ESPs, that request restricted treatment of their CPNI.46 We also required AT & T and the BOCs to amend their ONA plans to describe the types of information that they will treat as CPNI.47 We added a number of provisions to our CPNI rules to facilitate users' ability to limit access to their CPNI, including a requirement that each CPNI notice to multiline business customers include a response form that customers may use to inform the carrier of their preferred CPNI treatment.48 We also declined to relieve the BOCs of the requirement that they make nonproprietary, aggregate CPNI available to unaffiliated enhanced service providers.49
 . . . .
     398. The Phase II Order established four basic requirements governing BOC use of CPNI. First, BOCs must limit the access of their enhanced service personnel to a customer's CPNI if that customer so requests. Second, on customer request, the BOCs must release a customer's CPNI to any ESP designated by the customer, and the BOCs must make this information available on the same terms and conditions that they make CPNI available to their own enhanced service operations. Third, the BOCs must notify multiline business customers annually of these CPNI options. Fourth, if the BOCs make nonproprietary, aggregate CPNI available to their own enhanced services personnel, they must make such information available on the same terms and conditions to unaffiliated ESPs. We also required the BOCs to file ONA plans with us describing how they propose to comply with these requirements.
     399. The Phase II Reconsideration clarified these requirements. 981 We required the BOCs to enclose with their CPNI notices response forms that customers could use to make CPNI elections. We also required the BOCs to accommodate requests for partial or temporary restriction of CPNI and to honor any customers' CPNI instructions received prior to the mailing of the CPNI notification. In addition, we clarified that a customer's election to restrict its CPNI would remain in effect until the customer specifically revokes this choice. 982 We directed the BOCs to amend their plans on or before March 10, 1988, to reflect these modifications, and we instructed the BOCs to include copies of their proposed CPNI notice and response form with their amendments. We also required the BOCs to describe in their amended plans the types of information they will treat as CPNI and to explain their procedures for determining which customer has the right to restrict a particular item of CPNI.983
 . . . .
     411. Our CPNI rules apply, with minor exceptions,1011 to all information about customers' network services and customers' use of those services that a BOC possesses by virtue of its provision of network services. The BOCs' CPNI definitions serve as a check that BOCs will comply with our rules in this sensitive area for the broadest possible range of customer-specific information. Thus, we agree with ADCU that the BOCs' CPNI definitions should not be unduly restrictive. 1012 We find that while the BOCs' CPNI definitions are largely adequate, some of these definitions are incomplete in one or more respects. For example, Pactel does not include billing information within its CPNI definition. In addition, only Pactel and Ameritech include usage data and calling patterns within their CPNI definitions. This is precisely the kind of customer information to which the CPNI rules apply, since it is information that can invoke proprietary and competitive considerations and that customers might thus want to restrict. 1013 It is also information that ESPs can use to better identify customers' enhanced services needs, and that customers might wish to make available to the BOCs' enhanced service competitors. Accordingly, by May 19, 1989 we require that: (1) Pactel amend its CPNI definition to add billing information for each network service a customer uses; and (2) all BOCs except Pactel and Ameritech must amend their definitions to include usage data and information on customer calling patterns. 1014
     412. We also clarify that we do not consider credit information to be CPNI. As noted above, CPNI is information about a customer's network services and its use of those services. This type of information is uniquely in the possession of the carrier serving the customer. Credit information, in contrast, only addresses information on whether, and how promptly, a customer pays its bills. Such information is available to every entity that does business with the customer.
. . . . .
415. Finally, we agree with the Ameritech States that we should give unlisted telephone numbers special protection beyond that provided by the CPNI rules. An unlisted telephone number reflects a customer's general decision to restrict the availability of its telephone number. Accordingly, we prohibit the BOCs from making unpublished and unlisted telephone numbers available to their enhanced services personnel.1017
. . . . .
447. Since the Phase II Order explicitly noted that residential and single line business customers have the right to control access to their CPNI, SWBT must amend its plan to clarify that it will permit all customers--residential and single line business, as well as multiline business--to restrict their CPNI from access by SWBT enhanced service operations, and to arrange for the release of their CPNI to unaffiliated ESPs. 1090 We reject the suggestion of ATSI and AICC that we should prohibit all BOCs from using the CPNI of residential customers. Such a rule would deprive these customers of the full benefits of integrated marketing and of their ability to control access to their own CPNI. The Phase II Order stated that if it appeared that the CPNI of residential and single-line business customers was, in fact, being used on a large scale by the BOCs, we would entertain petitions for rulemaking to include residential and single-line business customers in the CPNI notification requirement. No such petitions have been filed.1091
-- In the Matter of Filing and Review of Open Network Architecture Plans, CC Docket No. 88-2, Phase I, Memorandum Opinion And Order (December 22, 1988)
 

        CPNI Under Computer II

47 CFR 64.702(d)(3) Customer Information:  [From FCC CCB, Computer II Rules: Digest and Status Report, p. 86 April 18, 1985 (released through FCC Library)]
A carrier subject to the Computer II rules may
... not provide to any such separate corporation any cusomter proproietyar information unless such information is available to any member of the public on the same terms and conditions.
a. Generally

Section 64.702(d)(3) prohibits disclosure without customer authorization of cusomter proprietary information and requires that, if unauthorized disclosure is makde, the information disclosued must be made available to other CPE vendors on the same terms and conditions.

(i) ATT
(a) Bureau Letter
In a letter dated Nov 24, 1982, the Bureau informed ATT that, with a few exceptions, ATT's instructions to employees regarding info flow was satisfactory.153 These exceptions included the manner in which ATT notified customers of their rights regarding customer info flow and the manner in which ATT instructed its employees on customer info rules.  First, the Bureau explained to ATT that any correspondence to customers which discusses customer proprietary information must inform the affected customer of the following: (1) the customer must provide ATT with written authorization to release such info to ATT-IS; and (2) the customer has the prerogative at any time to designate other parties to receive the same info, including info pertaining to communications service, facilities, or CPE.  To ensure that other parties receive identical information, ATT was required to maintain auditable records of the info released.  Second, ATT employees transferred to ATT-IS were permitted to retain documents pertaining to specific customers only if the cusomters affirmatively authorized the transfer in writing and only then to those parties approved by the cusomter. Last, the Bureau asked ATT to distriubute instructional info to employees dispite a pending reconsideration of those rules.
(b) Embedded Base
In the ATT CPE Detariffing Order, the Commission premitted ATT-IS to have access to "customer-specific" embedded CPE information (eg customer name, billing address, billed telephone number, business or residence class of service.) 154  ATT-IS access to ATT's non-CPE service information (eg, access line, toll usage, and directory advertising) was prphibited, howerver.  Furthermore, the Commission required ATT-IS to inform its embedded base customers that they may obtain info regarding their CPE from ATT-IS.
(ii) BOCS
(a) Generally
The staff reports in the BOC capitalization Plan Order detain the steps the BOCs have taken to secure their data bases against unauthorized access and to train employees in observing information flow restrictions.  It appears that, for the most part, the BOCs have instituted procedures which should promote compliance with Sections 64.702(d)(2) and (3).
(b) Provision of Customer Info by COGs
GOGs155 are permitted to supply CPE vendors with info about a cusomter's network services which the CPE vendor requires in order to determine the customer's CPE needs.  However, under the Computer II rules, such information may be released to ta vendor only with cusomter permission.156

The staff reports in the BOC Capitalization Plans Order describe "blanket agency letters" which vendors have filled with some COGs stating that the vendor will not requiest customer info without the permission of the customer.  While it does not appear that nay COGs are currently releasing customer proprietyar information to vendors solely on the authority fo these letters, improper release of customer proprietyar info is difficult to detect absent auditable records of both info releases and of the authorization of those releases by customers.  Therefore, in the BOC Cap Plan Order, the Commission reminded the BOCs that it is the duty of the telephone companies to protect customer proprietary information. 157  Telephone companies should, at a minimum, in their blanket agency letters or in their tariffs, require both their subsidiearies and independent vendors seeking customer proprietary information to retain in their files written customer authorization for the release of the information.  Absent such a telehone company requirement, reliance upon blanket agency letters as authorization for the transfer of customer propietary information is inadequate to protect agst anti-competitive abuses.  The Commission stated that it intends to rely on our complaint process to enforce violations of its info flow restrictions.158

(c) Info Transfers Incident to Dial Tone Referral
As discussed at section V(F)($)(a)(ii)(c) above, dial tone referral could provide an opportunity for the transfer of info about a customer from operating company service reps to subsidiary marketing personnel.  The staff reports in the BOC Cap Plan Order identifying several instances in which operating companies provided their subs with cusotmer properitary info such as credit ratings or info about the customer's network services or potential CPE needs.  One company, Bell South, discontinued this practice and retrained its employees to ensure that they understood the changed procedures.  Some Ameritech operating companies however have contined to provided subs with customer proprietary info without written authorization from the customer.  In its BOC Cap Plan Order, the Commission directed Ameritech, as well as all the RBOCs not to provide to its subs any info about potential CPE customers other than the customer's name, address, and telephone number.159.
NOTES

153 > Letter from Chief, Common Carrier Bureau, to Alfred A Greet, ATT (Nov 24, 1982); see also Letter from Chief, CCB, to Francine J Berry, ATT (Sept 16, 1983) (info request on alleged violations of Computer II prohibitions on the transfer of customer proprietary info).
154 > ATT CPE Detarriffing ORder, at paras. 117-128.  See also American Telephone and Telegraph Company, Request for Waiver of Section 64.702(d)(3) of the Commission's Rules and Regulations, File No Enf 83-38 (released Sept 2, 1983) (Bureau greanted interim permission pending the Implementation Proceeding for ATT Long Lines and BOCs to transfer customer proprietary information relating to embedded CPE, including customer credit information, type and quantity of CPE and customer identification, provided, among other things, that ATT-IS will not use the info for marketing or sales purposes).  This Sept wavier was approved permanently in the ATT CPE Detariffing Order, 95 FCC 2d at 1351, para 124, n 106.
155 See section V(F)(3)(c)(1) above.  See also letter from Chief, Common Carrier Bureau, to Alfred A Green ATT (Aug 12, 1982) (information request on ATT petition for supp cap of ATT-IS).
156 See section V(F)(3) Above.
157 BOC Cap Plan Order, at para 51.
158  Id. at para 52.
159  Id. at para 47.