|
Cybertelecom
Federal Internet Law & Policy
An Educational Project
|
|
Notes:
CPNI
|
|
Notes
> Privacy
> CPNI Regulatory
Page
These notes are not complete and there is no guarantee
that they are accurate. They are presented simply as notes. Feel free to
use them but as with all material on the Internet Telecom Project, you
should consider them a beginning to your research and not an end.
Privacy
"The right to be left alone -the most comprehensive of rights, and the
most valued by a free people."
Olmstead v. U.S., 277 U.S. 438, 1928. Justice Brandeis
Privacy, particularly in the area of communications, is a well established
policy and objective of the Communications Act. Thus, any threatened or
potential invasion of privacy is cause for concern by the Commission and
the industry. In the past, the invasion of information privacy was rendered
difficult by the scattered and random nature of individual data. Now the
fragmentary nature of information is becoming a relic of the past."
--Notice of Inquiry, In the Matter of Regulatory and Policy Problems
Presented by the Interdependence of Computer and Communication Services
and Facilities, Docket No. 16979, 8 R.R. 2d 1567, 1572 (1966)
CPNI
47
CFR § 2001 et seq
Definition
CPNI
CPNI is defined as "(A) information that relates to the quantity, technical
configuration, type, destination, location, and amount of use of a telecommunications
service subscribed to by any customer of a telecommunications carrier,
and that is made available to the carrier by the customer solely by virtue
of the carrier customer relationship; and (B) information contained in
the bills pertaining to telephone exchange service or telephone toll service
received by a customer of a carrier."19 Practically speaking,
CPNI includes personal information such as the phone numbers called by
a consumer, the length of phone calls, and services purchased by the consumer,
such as call waiting.
1947 U.S.C. § 222(f)(1) and 47 U.S.C.
§ 222(h)(1)(A) (The 911 Act amended the definition of CPNI at
section 222(h) to include "location" among a customer's information that
carriers are required to protect under the privacy provisions of section
222)
-- In the Matter of Implementation of the Telecommunications Act of 1996
Telecommunications Carriers' Use of Customer Proprietary Network Information
and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149,
CC Docket No. 00 257, Third Report and Order and Third Further Notice of
Proposed Rulemaking, para 7 (July 25, 2002)
9. On May 21, 1998, in response to a number of requests for clarification
of the CPNI Order, the Common Carrier Bureau released a Clarification Order.
This order addressed several issues. It concluded that independently-derived
information regarding customer premises equipment (CPE) and information
services is not CPNI and may be used to market CPE and information services
to customers in conjunction with bundled offerings. In addition,
it clarified that a customer's name, address, and telephone number are
not CPNI.
. . . . .
159. Section 222(c)(1) prohibits the use of CPNI only where it
is derived from the provision of a telecommunications service. Consequently,
we find that information that is not received by a carrier in connection
with its provision of telecommunications service can be used by the carrier
without customer approval, regardless of whether such information is contained
in a bill generated by the carrier. Therefore, consistent with the
Clarification Order, customer information derived from information services
that are held not to be telecommunications services may be used,
even if the telephone bill covers charges for such information services.
-- In Re Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information, CC Docket No. 96-115, 96-149,
Order On Reconsideration And Petitions For Forbearance (September 3, 1999)
Moreover, the Commission expressly noted that "customer information
derived from the provision of any non-telecommunications service, such
as CPE or information services, is not covered by section 222(c)(1), and
thus may be used to provide or market any telecommunications service regardless
of telecommunications service categories or customer approval."
4. The Bureau believes that further clarification of carriers'
obligations and rights in the context of bundled offerings will serve to
minimize any potential confusion regarding a carrier's ability to use CPNI
and other customer information to market new bundled offerings to existing
customers. Accordingly, we make clear that, when a customer purchases
CPE or information services from a carrier that are bundled with a telecommunications
service, the carrier subsequently may use any customer information independently
derived from the carrier's prior sale of CPE to the customer or the customer's
subscription to a particular information service offered by the carrier
in its marketing of new CPE or a similar information service that is bundled
with a telecommunications service. Neither CPE nor information services
constitute "telecommunications services" as defined in the Act.
Therefore, any customer information derived from the carrier's sale of
CPE or from the customer's subscription to the carrier's information service
would not be "CPNI" because section 222(f) defines CPNI in terms of information
related to a "telecommunications service." As a result, in situations
where the bundling of a telecommunications service with CPE, information
services, or other non-telecommunications services is permissible, a carrier
may use CPNI to target particular customers in a manner consistent with
the Second Report and Order, and it also may use the customer information
independently derived from the prior sale of the CPE, the customer's subscription
to a particular information service, or the carrier's provision of other
non-telecommunications offerings to market its bundled offering.
. . . . .
9. Although the definition of CPNI includes "information contained
in the bills pertaining to telephone exchange service or telephone toll
service received by a customer of a carrier," we do not interpret this
language to include every item that appears on a customer's bill.
Specifically, we do not consider a customer's name, address, and telephone
number to be "information pertaining to telephone exchange service or telephone
toll service." Rather, we consider this information to be part
of a carrier's business record or customer list that identifies the customer
and indicates how that customer can be contacted by the carrier.
Although such information generally appears on a customer's billing statement,
it does not pertain to the "telephone exchange service or toll service"
received by the customer, as specified by the statutory definition in section
222(f)(1)(B). If the definition of CPNI included a customer's name,
address, and telephone number, a carrier would be prohibited from using
its business records to contact any of its customers to market any new
service that falls outside the scope of its existing service relationship
with those customers. In fact, under such an interpretation,
a carrier would not even be able to contact a single customer in an effort
to obtain permission to use their CPNI for marketing purposes because the
carrier's mere use of its customer list to initiate contact with its customers
would constitute a violation of section 222. This anomalous result
was clearly not intended by section 222. Therefore, we clarify that
a carrier's use of its customers' name, address, and telephone number for
marketing purposes would not be subject to the CPNI restrictions in section
222(c)(1) because such information is not CPNI. Thus, under section
222 and the Commission's rules, a carrier could contact all of its customers
or all of its former customers, for marketing purposes, by using a customer
list that contains each customer's name, address, and telephone number,
so long as it does not use CPNI to select a subset of customers from that
list.
-- In Re Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information, CC Docket No. 96-115, Order
¶ 3 (May 21, 1998)
Subscriber List Info
Foot Note 25. 47 U.S.C. s 222(f)(3). "The term 'subscriber list information'
means any information (A) identifying the listed names of subscribers
of a carrier and such subscribers' telephone numbers, addresses or primary
advertising classifications (as such classifications are assigned at the
time of the establishment of such service), or any combination of such
listed names, numbers, addresses, or classifications; and (B) that the
carrier or an affiliate has published, caused to be published, or accepted
for publication in any directory format." Id.
-- In the Matter of Implementation of the Telecommunications Act of
1996 Telecommunications Carriers' Use of Customer Proprietary Network Information
and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149,
CC Docket No. 00 257, Third Report and Order and Third Further Notice of
Proposed Rulemaking (July 25, 2002)
8. We clarify that a customer's name, address, and telephone
number do not fall within the definition of CPNI, set forth in section
222(f)(1). Section 222(f)(1) defines CPNI as:
(A) information that relates to the quantity, technical configuration,
type, destination, and amount of use of a telecommunications service subscribed
to by any customer of a telecommunications carrier, and that is made available
to the carrier by the customer solely by virtue of the carrier-customer
relationship; and (B) information contained in the bills pertaining to
telephone exchange service or telephone toll service received by a customer
of a carrier; except that such term does not include subscriber list information.
Subscriber list information includes a customer's name, address, and telephone
number so long as they have been published. Therefore, it is
clear that the definition of CPNI does not include a customer's name, address,
and telephone number that have been published, in the manner described
by section 222(f)(3)(B). The question remains, however, as to whether
such information that has not been published should be considered CPNI.
--In Re Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information, CC Docket No. 96-115, Order
(May 21, 1998)
FCC Implementation of
Section 222
47 C.F.R. § 64.2000 et seq.
5. This proceeding was initiated in 1996 to implement section
222 of the Act, which governs carriers' use and disclosure of CPNI.13 Section
222, entitled "Privacy of Customer Information," obligates carriers to
protect the confidentiality of certain information. Section 222(a) imposes
a general duty on telecommunications carriers to protect the confidentiality
of proprietary information.14 Carriers owe this duty to other carriers,
equipment manufacturers, and customers.15 Section 222(b) states that a
carrier that receives or obtains proprietary information of other carriers
in order to provide a telecommunications service can only use that information
for that purpose and cannot use that information for its own marketing
efforts.16 Finally, section 222(c) protects the confidentiality of customer
information and specifically delineates the exceptions to the general principle
of confidentiality.17
6. In section 222, Congress laid out a framework for carriers'
use of customer information based on the sensitivity of the information.
In particular, the statute allows easier dissemination of information beyond
the existing customer carrier relationship where information is not sensitive,
or where the customer so directs. Thus, section 222 establishes three categories
of customer information to which different privacy protections and carrier
obligations apply: (1) individually identifiable CPNI, (2) aggregate customer
information, and (3) subscriber list information. The Wireless Communications
and Public Safety Act of 1999 (911 Act) amended section 222 with respect
to privacy of wireless location information.18
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, ¶ 8 (July 25, 2002).
On May 17, 1996, the Commission initiated a rulemaking, in response
to various formal requests for guidance from the telecommunications industry,
regarding the obligation of carriers under section 222 and related issues.
The Commission subsequently released the CPNI Order on February
26, 1998. The CPNI Order addressed the scope and meaning of section
222, and promulgated regulations to implement that section. It concluded,
among other things, as follows: (a) carriers are permitted to use CPNI,
without customer approval, to market offerings that are related to, but
limited by, the customers' existing service relationship; (b) before carriers
may use CPNI to market outside the customer's existing service relationship,
carriers must obtain express written, oral, or electronic customer approval;
(c) prior to soliciting customer approval, carriers must provide a one-time
notification to customers of their CPNI rights; (d) in light of the comprehensive
regulatory scheme established in section 222, the Computer III CPNI
framework is unnecessary; and (e) sections 272 and 274 impose no additional
CPNI requirements on the Bell Operating Companies (BOCs) beyond those imposed
by section 222. -- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, Order on Recon and Petitions for Forebearance, ¶ 8 (September
3, 1999).
158. In the Common Carrier Bureau's
Clarification
Order, the Bureau said that Acustomer
information derived from the provision of any non-telecommunications service,
such as CPE or information services . . . may be used to provide or market
any telecommunications service . . . .@
Omnipoint asks the Commission to clarify that section 222 does not prohibit
the use of customer information derived from non-telecommunications services
bundled with telecommunications services merely because charges for those
services appeared on a customer's telephone bill. Omnipoint contends that
its position logically follows from the statement in the Clarification
Order. U S WEST agrees with Omnipoint's position, but contends that
the statute is clear, and no clarification is required.
Section 222(c)(1) prohibits the use of CPNI
only where it is derived from the provision of a telecommunications service.
Consequently, we find that information that is not received by a carrier
in connection with its provision of telecommunications service can be used
by the carrier without customer approval, regardless of whether such information
is contained in a bill generated by the carrier. Therefore, consistent
with the Clarification Order, customer information derived from
information services that are held not to be telecommunications services
may be used, even if the telephone bill covers charges for such information
services. -- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, Order on Recon and Petitions for Forebearance, ¶ 159 (September
3, 1999).
We agree with the Bureau that carriers that have complied
with the Computer III notification and prior written approval requirements
in order to market enhanced services to certain large business customers
should be deemed in compliance with section 222 and the Commission's rules.
For the reasons stated in the Clarification Order, we agree that
the Computer III framework required carriers to provide these large
business customers with adequate notice and obtain express, affirmative
approval in material compliance with the form and content of those required
by section 222 and the Commission's rules. Although it is true that the
Computer
III consents were given prior to the advent of local competition, we
believe that the detailed notice and express, affirmative consent required
under that regime compensate for this deficiency. Moreover, we are not
persuaded by CompTel's assertion that the BOCs warnings that they may
have to change the customer's account representatives put undue pressure
on these business customers to relent. Finally, we also conclude that although
some of the Computer III annual notifications may not have been
"proximate to" the carrier solicitations as required by section 222, the
Computer
III regime's annual notification requirement and limitation to business
customers with more than 20 access linesCrequirements
that we note are more stringent than required by section 222Cmaterially
satisfy the concerns we intended to address by the proximate notification
requirement promulgated in the CPNI Order. As such, we agree with
the Bureau that the Computer III notifications are in material compliance
with section 222 and the Commission's rules, and adopt the reasoning and
conclusions of the Clarification Order as our own. -- In
the Matter of Implementation of the Telecommunications Act of 1996
Telecommunications Carriers' Use of Customer Proprietary Network Information
and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149,
Order on Recon and Petitions for Forebearance, ¶ 98 (September 3,
1999).
46. We continue to exclude from this list, as the
Commission did in the CPNI Order, Internet access services. Despite
contrary claims from some petitioners, there is no convincing new evidence
on the record that shows that such services are necessary to, or used in,
the making of a call, even in the broadest sense. There is also no evidence,
currently, that customers expect to receive such services from their wireline
provider, or that they expect to use such services in the way that they
expect to receive or use the above-listed services.
47. We will, however, add protocol conversions to
the list of services that carriers may market using CPNI without customer
approval. In its petition, Bell Atlantic requests that we redefine protocol
conversion as a telecommunications service. A protocol conversion assists
terminals or networks operating with different protocols to communicate
with each other. Bell Atlantic asserts that protocol conversions that do
not alter the underlying information sent and received should not be defined
as information services. We do not believe that protocol conversions should
be redefined as a telecommunications service but because protocol conversions
are necessary to the provision of the telecommunications service, in the
instances where they are used, protocol conversions should be included
in the group of information services listed above. Accordingly, we grant
Bell Atlantic's request to use CPNI to market, without customer approval,
protocol conversions. -- In the Matter of Implementation
of the Telecommunications Act of 1996 Telecommunications Carriers' Use
of Customer Proprietary Network Information and Other Customer Information;
CC Docket No. 96-115, CC Docket No. 96-149, Order on Recon and Petitions
for Forebearance, ¶¶ 46-47 (September 3, 1999).
We grant, in part, the petitions for reconsideration which request that
we allow all carriers to use CPNI to market customer premises equipment
(CPE) and information services under section 222(c)(1) without customer
approval. We conclude that all carriers may use CPNI, without customer
approval, to market CPE. We further conclude that CMRS carriers may use
CPNI, without customer approval, to market all information services, while
wireline carriers may do so for certain information services. We deny the
petitions for forbearance on these issues. -- In the Matter of Implementation
of the Telecommunications Act of 1996 Telecommunications Carriers' Use
of Customer Proprietary Network Information and Other Customer Information;
CC Docket No. 96-115, CC Docket No. 96-149, Order on Recon and Petitions
for Forebearance, ¶ 7 (September 3, 1999).
On May 21, 1998, in response to a number of requests for clarification
of the CPNI Order, the Common Carrier Bureau released a Clarification
Order. This order addressed several issues. It concluded that independently-derived
information regarding customer premises equipment (CPE) and information
services is not CPNI and may be used to market CPE and information services
to customers in conjunction with bundled offerings. In addition, it clarified
that a customer's name, address, and telephone number are not CPNI. --
In the Matter of Implementation of the Telecommunications Act of
1996 Telecommunications Carriers' Use of Customer Proprietary Network Information
and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149,
Order on Recon and Petitions for Forebearance, ¶ 9 (September 3, 1999).
On February 26, 1998, the Commission released a Second Report and
Order and Further Notice of Proposed Rulemaking (Second Report and
Order) interpreting and implementing, among other things, the portions
of section 222 of the Communications Act of 1934, as amended, that govern
the use and disclosure of, and access to, customer proprietary network
information (CPNI) by telecommunications carriers. Since the release of
the Second Report and Order, a number of parties have requested
that the Commission clarify various issues pertaining to that order. In
response to these requests, the Common Carrier Bureau issues this order
clarifying the Second Report and Order as follows:
(a) Independently-derived information regarding customer premises equipment
(CPE) and information services is not CPNI and may be used to market CPE
and information services to customers in conjunction with bundled offerings.
(b) A customer's name, address, and telephone number are not CPNI.
(c) A carrier has met the requirements for notice and approval under
section 222 and the Commission's rules where it has both provided annual
notification to, and obtained prior written authorization from, customers
with more than 20 access lines in accordance with the Commission's former
CPNI rules.
(d) Although a carrier must ensure that its certification of corporate
compliance with the Commission's CPNI rules is made publicly available,
it is not required to file this certification with the Commission.
--In the Matter of Implementation of the Telecommunications Act of 1996:
Telecommunications Carriers' Use of Customer Proprietary Network Information
and Other Customer Information, CC Docket No. 96-115, ¶ 1 (CCB May
21, 1998).
Accordingly, we make clear that, when a customer purchases CPE or information
services from a carrier that are bundled with a telecommunications service,
the carrier subsequently may use any customer information independently
derived from the carrier's prior sale of CPE to the customer or the customer's
subscription to a particular information service offered by the carrier
in its marketing of new CPE or a similar information service that is bundled
with a telecommunications service. Neither CPE nor information services
constitute "telecommunications services" as defined in the Act. Therefore,
any customer information derived from the carrier's sale of CPE or from
the customer's subscription to the carrier's information service would
not be "CPNI" because section 222(f) defines CPNI in terms of information
related to a "telecommunications service." As a result, in situations where
the bundling of a telecommunications service with CPE, information services,
or other non-telecommunications services is permissible, a carrier may
use CPNI to target particular customers in a manner consistent with the
Second
Report and Order, and it also may use the customer information independently
derived from the prior sale of the CPE, the customer's subscription to
a particular information service, or the carrier's provision of other non-telecommunications
offerings to market its bundled offering. --In the Matter of Implementation
of the Telecommunications Act of 1996: Telecommunications Carriers' Use
of Customer Proprietary Network Information and Other Customer Information,
CC Docket No. 96-115, ¶ 4 (CCB May 21, 1998).
Prior to the adoption of the Telecommunications Act of 1996, the framework
established under the Commission's Computer III regime governed
the use of CPNI by the BOCs, AT&T, and GTE to market CPE and enhanced
services. Two important components of this Computer III framework
were: (1) a carrier's obligation to provide an annual notification of CPNI
rights to multi-line customers regarding enhanced services, as well as
a similar notification requirement regarding CPE that applied only to the
BOCs, and (2) a carrier's obligation to obtain prior written authorization
from business customers with more than 20 access lines to use CPNI to market
enhanced services. We clarify that in circumstances where a carrier has
provided annual notification and received prior written authorization from
customers with more than twenty access lines, the requirements for notice
and approval under section 222, and the associated Commission rules, are
satisfied for those customers. --In the Matter of Implementation of the
Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer
Proprietary Network Information and Other Customer Information, CC Docket
No. 96-115, ¶ 10 (CCB May 21, 1998).
Appellate Court Vacates
FCC Rules
20. On August 18, 1999, the Tenth Circuit issued an opinion vacating a
portion of the CPNI Order in U S WEST. 49 U S WEST (now Qwest) contended
that the opt in approach adopted by the Commission violated the First and
Fifth Amendments of the Constitution. 50 The Tenth Circuit struck down
the Commission's original customer approval rules, finding that the CPNI
rules impermissibly regulated protected commercial speech and thus violated
the First Amendment. 51 Specifically, the court found that the opt in regime
was not narrowly tailored because the Commission had failed to adequately
consider an opt out option. 52
. . . .
29. Importantly, the court did not find section 222 of the Act
unconstitutional. 86 As noted, U S WEST did not even challenge the constitutionality
of section 222. 87 Therefore, the task before the Commission remains the
same: to implement regulations that satisfy Congress' goal of protecting
consumer privacy by requiring carriers to obtain customer consent for certain
uses of CPNI. As required by the Tenth Circuit, any new regulations adopted
by the Commission in the instant proceeding must meet the standard articulated
by the Supreme Court in Central Hudson.
. . . . .
79. We affirm our previous determinations that the "Tenth Circuit
vacated only the specific portion of our CPNI rules relating to the opt
in mechanism." 173 As the Commission noted in seeking comment in the Clarification
Order Further NRPM, the Tenth Circuit's order was subject to interpretation
as to whether it vacated the entirety of the CPNI rules or just those related
to the opt in requirement. 174 However, as we have twice previously held,
substantial portions of the Commission's CPNI rules were not relevant to
the issue before the court and were beyond the scope of the court's constitutional
analysis. 175
-- In the Matter of Implementation of the Telecommunications Act of
1996 Telecommunications Carriers' Use of Customer Proprietary Network Information
and Other Customer Information; CC Docket No. 96-115, CC Docket No. 96-149,
CC Docket No. 00 257, Third Report and Order and Third Further Notice of
Proposed Rulemaking, para 20 f(July 25, 2002)
"After the Commission adopted the Order on Reconsideration, but prior
to its release, the Court of Appeals for the Tenth Circuit issued its opinion
vacating the Commission's CPNI rules. (U S WEST, Inc. v. FCC, 10th Circuit
No. 98-9518 (filed August 18, 1999)). The Court held that the Commission's
CPNI rules "must fall under the First Amendment." The Court's mandate has
not yet issued and further litigation remains a possibility. Once the Court's
mandate issues, the Commission will take appropriate steps to implement
the Court's final decision." -- Welcome To The FCC, Common Carrier Bureau's
Homepage For The CPNI Proceeding Last Updated 9/9/99 (accessed February
15, 2000) http://www.fcc.gov/ccb/ppp/Cpni/welcome.html
US West v. FCC, Docket 98-9518 (10th Cir. Aug 18, 1999),
cert. denied sub. Nom Competitive Policy Institute v. U.S. West Docket
99-1427 (S.Ct. June 2000) http://www.kscourts.org/ca10/cases/1999/08/98-9518.htm
We vacate the FCC's CPNI Order, concluding that the FCC failed to adequately
consider the constitutional ramifications of the regulations interpreting
§ 222 and that the regulations violate the First Amendment.
. . . . .
The FCC failed to adequately consider the constitutional implications
of its CPNI regulations. Even if we accept the government's proffered interests
and assume those interests are substantial, the FCC still insufficiently
justified its choice to adopt an opt-in regime. Consequently, its CPNI
regulations must fall under the First Amendment. At the very least, the
foregoing analysis shows that the CPNI regulations clearly raise a serious
constitutional question, invoking the rule of constitutional doubt. Accordingly,
we VACATE the FCC's CPNI Order and the regulations adopted therein.(15)
Background: Procedural
History
10. On May 17, 1996, the Commission initiated a rulemaking in response
to requests for guidance from the telecommunications industry regarding
the obligations of telecommunications carriers under section 222 of the
Act and related issues. 29 The Commission released the CPNI Order on February
26, 1998, in which it addressed the scope and meaning of section 222 and
promulgated implementing regulations.30
. . . .
15. On August 16, 1999, the Commission adopted the CPNI Reconsideration
Order in response to a number of petitions for reconsideration, forbearance,
and clarification of the CPNI Order.34 The CPNI Reconsideration Order was
adopted "to preserve the consumer protections mandated by Congress while
more narrowly tailoring [the CPNI] rules, where necessary, to enable telecommunications
carriers to comply with the law in a more flexible and less costly manner."35f
. . . . .
23. On August 28, 2001, the Commission adopted an order (CPNI
Clarification Order) clarifying the status of its CPNI rules in light of
the Tenth Circuit order and issuing a Further Notice of Proposed Rulemaking
(Clarification Order Further NPRM). 58 The Commission affirmed its previous
determination that the Tenth Circuit invalidated only the opt in rule,
not the entire CPNI Order. 59 The Commission sought comment on its interpretation
of the scope of the Tenth Circuit order, and on what type of approval (opt
in or opt out) would best serve the government's goals while respecting
constitutional limits. 60 In addition, the Commission noted that "the consent
mechanism that we eventually adopt in response to the Tenth Circuit's Order
could impact our previous findings regarding the interplay between [sections
222 and 272, and we therefore find it necessary to raise the relevant issues
here." 61
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, para 10 (July 25, 2002)
2. On May 17, 1996, the Commission initiated a rulemaking, in
response to various informal requests for guidance from the telecommunications
industry, regarding the obligation of telecommunications carriers under
Section 222 of the Act and related issues. 5 The Commission subsequently
released the CPNI Order, on February 26, 198, which addressed the scope
and meaning of Section 222, and promulgated regulations to implement that
section. In the CPNI Order, the Commission determined that 'with Section
222, Congress expressly directs a balance of 'both competitive and consumer
privacy interests with respect to CPNI." 6 It found this conclusion to
be supported by the comprehensive statutory design, which expressly recognizes
the duty of all telecommunications carriers to protect customer information,
and embodies the principle that customers must be able to control information
they view as sensitive and personal from unauthorized use, disclosure,
and access by carriers. Where information is not sensitive, it found that
Section 222 permits the free flow of information beyond the customer-carrier
relationship, because in this situation, the customer's interest rests
more in choosing service with respect to a variety of competitors, thus
necessitating competitive access to the information. 7
3. In the CPNI Order, the Commission stated that Section
222(c)(1) of the Act allows a carrier to use, without the customer's prior
approval, the customer's CPNI derived from the complete service that the
customer subscribes to from that carrier and its affiliates, for marketing
purposes within the existing service relationship. 8 This is known as the
'total service approach.' The Commission also concluded that carriers must
notify the customer of the customer's rights under Section 222 and then
obtain express written, oral or electronic customer approval -- a 'notice
and opt-in' approach -- before a carrier may use CPNI to market services
outside the customer's existing service relationship with that carrier.
9 U S West appealed this order to the Tenth Circuit. On August 16, 1999,
the Commission adopted the CPNI Reconsideration Order 10 in response
to a number of petitions for reconsideration, forbearance, and clarification
of the CPNI Order. The CPNI Reconsideration Order, among other things,
further clarified the total service approach. 11 It also retained the opt-in
approach. 12
4. After the Commission adopted the CPNI Reconsideration Order,
the Tenth Circuit issued its decision in U S WEST v. FCC, vacating a portion
of the CPNI Order 'and the regulations adopted therein. 13 In U S WEST
V. FCC, U S WEST contended that the opt-in approach for customer approval
in the CPNI Order violated the First and Fifth Amendments of the Constitution.
14 The court declined to review the Commission's opt-in approach under
the traditional administrative law standards of *16509 Chevron, 15 in light
of what it perceived as the 'serious constitutional questions' raised by
the approach, and determined that it must be reviewed under the constitutional
standards applicable to regulations of commercial speech in Central Hudson
Gas & Elec. Corp. v. Public Service Commission. 16
5. Implementation of the Telecommunications
Act of 1996: Telecommunications Carriers' use of Customer Proprietary Network
Information and Other Customer Information, Notice of Proposed Rulemaking,
CC Docket No. 96-115, 11 FCC Rcd 12513 (1996) (NPRM).
6. CPNI Order, 13 FCC Rcd 8065, para. 3 (citing
the Joint statement of Mangers, S. Conf. Rep. No. 104-230, 104th Cong.,
2d Sess., 1 (1996).
7. CPNI Order,13 FCC Rcd at 8066, para. 3 ('Indeed,
in provisions governing use of aggregate customer and subscriber list information,
Sections 222(c)(3) and 222(e) respectively, where privacy of sensitive
information is by definition not at stake, Congress expressly required
carriers to provide such information to third parties on nondiscriminatory
terms and conditions.').
8. CPNI Order,13 FCC Rcd at 8080, 8083-84, 8087-88,
paras. 23-24, 30, 35.
9. Id. at 8127-45, paras. 86-107: see also U S WEST
v. FCC, 182 F. 3d at 1230. This approach is distinguished from an 'opt-out'
or negative option approach 'in shich approval would be inferred from the
customer-carrier relationship unless the customer specifically requested
that his or her CPNI be restricted.' U S WEST v. FCC, 182 F. 3d at 1230.
10. Implementation of the Telecommunications Act
of 1996: Telecommunications Carriers' use of Customer Proprietary Network
Information and Other Customer Information and Implementaiton of the Non-Accounting
Safeguards of Sections 271 and 272 of the Communications Act of 1934, as
amended, CC Docket Nos. 96-115 and 96-149, Order on Reconsideration and
Petitions for Forbearance, 14 FCC Rcd 14409 (1999) (CPNI Reconsideration
Order.). On November 1, 1999, MCI Communications Corp. filed a Petition
for Further Reconsideration. We will Address MCI's Petition in a separate
order.
11. CPNI Reconsideration Order, 14 FCC Rcd at 14464,
paras. 109-110. In particular, the Order expanded Section 64.2005 of the
Commission's rules, 47 C.F.R.§ 64.2005, which codifies the total
service approach, to include customer premises equipment and some information
services.
12. Only one carrier, Omnipoint Communications,
Inc., requested that we reconsider that the Commission 'opt-in' approach,
and limited its request ro CMRS carriers only. CPNI Reconsideration Order,
14 FCC Rcd at 14463-64, paras. 107-08. The Commission denied to reconsider
its original finding that 'the requirement of affirmative consent is consistent
with Congressional intent, as well as principles of customer control and
convenience.' Id.
13. U S West, Inc. v. FCC, 182 F. 3d 1240.
14. Id. at 1231.
15. See Chevron USA Inc. v. Natural Resources Defense
Council, Inc., 467 U.S. 837 (1984) (Chevron).
16. 447 U.S. 557 (1980) (Central Hudson).
---In Re Implementation Of The Telecommunications Act Of 1996; Telecommunications
Carriers' Use Of Customer Proprietary Network Information And Other Customer
Information; Implementation Of The Non-Accounting Safeguards Of Sections
271 And 272 Of The Communications Act Of 1934, As Amended CC Docket No.
96-149, CC Docket No. 96-115, Order (September 7, 2001)
Faced with the new CPNI restrictions, various telecommunications companies
and trade associations sought FCC guidance regarding their obligations
under § 222. See id. ¶ 6 & n.25. These requests, along with
a petition for a declaratory ruling regarding the interpretation of the
term "telecommunication service" under § 222(c)(1), prompted the FCC
to commence a rulemaking on May 17, 1996. See id. ¶ 6; In the Matter
of Implementation of the Telecommunications Act of 1996: Telecommunication
Carriers' Use of Customer Proprietary Network Information and Other Customer
Information, Notice of Proposed Rulemaking, 61 Fed. Reg. 26,483 (1996)
("CPNI NPRM"). The CPNI NPRM sought comment on, among other things: "(1)
the scope of the phrase 'telecommunications service,' as it is used in
section 222(c)(1) . . . ; (2) the requirements for customer approval; and
(3) whether the Commission's existing CPNI requirements should be amended
in light of section 222." CPNI Order ¶ 6 (citing CPNI NPRM ¶¶
20-33, 38-42). On February 26, 1998, the FCC released the CPNI Order we
now review. The CPNI Order addresses the meaning and scope of § 222
and adopts regulations to implement the statute's CPNI requirements. See
47 C.F.R. pt. 64, subpt. U (1998).
The regulations adopted by the CPNI Order interpret § 222(c)(1)
through a framework known as the "total service approach." That approach
divides the term "telecommunications service" into three service categories:
(1) local; (2) interexchange (which includes most long-distance toll service);
and (3) commercial mobile radio service ("CMRS") (which includes mobile
or cellular service). See 47 C.F.R. § 64.2005(a). Broadly stated,
the regulations permit a telecommunications carrier to use, disclose, or
share CPNI for the purpose of marketing products within a category of service
to customers, provided the customer already subscribes to that category
of service. See id. However, the carrier may not, without customer approval,
use, disclose, or permit access to CPNI for the purpose of marketing categories
of service to which the customer does not already subscribe. See id. §
64.2005(b).(2) For example, petitioner could use CPNI obtained through
the provision of local service to market other local service products,
but not cellular services. Moreover, if the customer subscribes to both
local and long-distance services, petitioner could use the CPNI to market
either service and could exchange the CPNI between affiliates that provide
such services, but petitioner could still not use the CPNI to market cellular
services. In addition, the regulations prevent telecommunications carriers
from using, without customer approval, CPNI gained from any of the three
categories described above to: (1) market customer premises equipment ("CPE")
or information services (such as call answering, voice mail, or Internet
access services); (2) identify or track customers that call competitors;
and (3) regain the business of customers who have switched to another carrier.
See id. § 64.2005(b)(1)-(3). The regulations also set forth some additional
narrow exceptions to the CPNI requirements, other than those stated in
§ 222(d). See id. § 64.2005(c).
The regulations also describe the means by which a carrier must obtain
customer approval. Section 222(c)(1) did not elaborate as to what form
that approval should take. The FCC decided to require an "opt-in" approach,
in which a carrier must obtain prior express approval from a customer through
written, oral, or electronic means before using the customer's CPNI. See
47 C.F.R. § 64.2007(b). The government acknowledged that the means
of approval could have taken numerous other forms, including an "opt-out"
approach, in which approval would be inferred from the customer-carrier
relationship unless the customer specifically requested that his or her
CPNI be restricted.
Petitioner challenges the FCC's chosen approval process, claiming it
violates the First Amendment by restricting its ability to engage in commercial
speech with customers. In addition, petitioner argues that the CPNI regulations
raise serious Fifth Amendment Takings Clause concerns because CPNI represents
valuable property that belongs to the carriers and the regulations greatly
diminish its value. The respondents assert that the FCC's CPNI regulations
raise no constitutional concerns, are reasonable, and are entitled to deference
under the Chevron U.S.A., Inc. v. Natural Resources
Defense Council, Inc., 467 U.S. 837 (1984).
. . . . .
CPNI Clarification Order
2001
23. On August 28, 2001, the Commission adopted
an order (CPNI Clarification Order) clarifying the status of its CPNI rules
in light of the Tenth Circuit order and issuing a Further Notice of Proposed
Rulemaking (Clarification Order Further NPRM). 58 The Commission affirmed
its previous determination that the Tenth Circuit invalidated only the
opt in rule, not the entire CPNI Order. 59 The Commission sought comment
on its interpretation of the scope of the Tenth Circuit order, and on what
type of approval (opt in or opt out) would best serve the government's
goals while respecting constitutional limits. 60 In addition, the Commission
noted that "the consent mechanism that we eventually adopt in response
to the Tenth Circuit's Order could impact our previous findings regarding
the interplay between [sections 222 and 272, and we therefore find it necessary
to raise the relevant issues here." 61
24. In the CPNI Clarification Order, the
Commission sought to obtain a more complete record on ways in which consumers
can consent to a carrier's use of their CPNI. 62 Taking into account the
Tenth Circuit's opinion, the Commission sought comment on what methods
of approval would serve the governmental interests at issue and afford
informed consent, while also satisfying the First Amendment's requirement
that any restrictions on speech be narrowly tailored. 63 Specifically,
the Commission sought comment on the interests and policies underlying
section 222 that are relevant to formulating an approval requirement, including
an analysis of the privacy interests that are at issue, and on the extent
to which we should take competitive concerns into account. 64 To the extent
that promoting competition is also a legitimate government interest under
section 222, the Commission sought comment on the likely difference in
competitive harms under opt in and opt out approvals.
25. In the CPNI Clarification Order, the Commission
also sought comment on whether adoption of an opt out mechanism is consistent
with the rationale for the total service approach set forth in the CPNI
Order. 65 Additionally, in the CPNI Reconsideration Order, the Commission
determined that carriers may use CPNI derived from the provision of a telecommunications
service to market CPE necessary to, or used in, the provision of that telecommunications
service in accordance with section 222(c)(1). 66 In a separate proceeding,
the Commission modified and clarified its bundling rules promulgated under
Computer II 67 to allow carriers to bundle CPE and enhanced services with
telecommunications services. 68 The Commission sought comment on whether
the issues raised in that proceeding should affect our interpretation of
section 222(c)(1) and the total service approach. 69 The Commission received
extensive comments and replies from commenters representing a broad cross
section of the industry and consumer interest groups in this proceeding.
70
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, para 25 (July 25, 2002)
Aggregate Information
Aggregate customer information and subscriber
list information, in contrast, do not involve personal, individually identifiable
information, but nevertheless are valuable to competitors.23 Aggregate
customer information means "collective data that relates to a group or
category of services or customers, from which individual customer identities
and characteristics have been removed." 24 Subscriber list information
generally includes subscribers' names, addresses and telephone numbers.25
Accordingly, under sections 222(c)(3) and 222(e), aggregate customer information
and subscriber list information receive less protection from use and disclosure
in order to promote competition. In particular, aggregate customer information
which by definition has been stripped of individually identifiable information
may be used beyond the purposes identified in section 222(c)(1) for CPNI,
but local exchange carriers (LECs) must make aggregate customer information
available to competitors on reasonable and nondiscriminatory terms and
conditions.26
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, para 9 (July 25, 2002)
Subscriber List Information
Subscriber list information which is generally
publicly available must be provided to third parties for the
purpose of publishing directories on a timely and unbundled basis, under
nondiscriminatory and reasonable rates, terms, and conditions.27 In addition,
subscriber listed and unlisted information must be disclosed to providers
of emergency service and emergency support services under the circumstances
set forth in section 222(g).28
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, para 9 (July 25, 2002)
Purpose / Govt Interest
Not Competition
Section 222 is not the first time the government has placed restrictions
on telecommunications carriers' use or disclosure of CPNI. Prior to the
enactment of § 222, the FCC had imposed CPNI requirements on the enhanced
service operations of several major telecommunications carriers. See CPNI
Order ¶ 7. The FCC imposed these CPNI requirements primarily to prevent
large carriers from gaining a competitive advantage in the unregulated
enhanced services markets through the use of CPNI, thereby protecting smaller
carriers. See id. In contrast, Congress made § 222, which is much
broader in scope than previous CPNI requirements, applicable to all carriers,
not just the dominant ones. This suggests that Congress enacted §
222 for a substantially different purpose than previous FCC CPNI requirements.
. . . . .
We harbor different reservations about the government's
asserted interest in competition. While we afford agencies broad deference
in interpreting a statute they are charged to administer, they must obey
the dictates of Congress and administer the statute true to Congress' intent.
See Ernst & Ernst v. Hochfelder, 425 U.S. 185, 213-14 (1976). We are
not satisfied that the interest in promoting competition was a significant
consideration in the enactment of § 222.
While the broad
purpose of the Telecommunications Act of 1996 is to foster increased competition
in the telecommunications industry,(9) the language of § 222 reveals
no such concern.(10) Rather, the specific and dominant purpose of §
222 is the protection of customer privacy. Indeed, the FCC and members
of Congress characterize § 222 as "striv[ing] to balance both the
competitive and consumer privacy interests with respect to CPNI," Joint
Statement of Managers, S. Conf. Rep. No. 104-230, at 205 (1996) (emphasis
added), which suggests that § 222's purpose in fostering privacy may
even run counter to the broad pro-competition purpose of the Telecommunications
Act. In any event, three other considerations persuade us that Congress
did not intend for competition to be a significant purpose of § 222.
First, and most important, the plain language of the section deals almost
exclusively with privacy. Section 222 is entitled "Privacy of customer
information" and is replete with references to privacy and confidentiality
of customer information. In contrast, § 222 contains no explicit mention
of competition. Although § 222(c)(3) and § 222(e) impose nondiscrimination
requirements with respect to disclosure of aggregate customer and subscriber
list information which could be construed as pro-competition measures,
we find that these do not sufficiently indicate that increasing competition
was a purpose of § 222. Moreover, the provisions of § 222 relating
to CPNI which the challenged regulations interpret contain no reference
to nondiscrimination requirements and reflect solely a concern for customer
privacy. See 47 U.S.C. § 222(c)(1)-(2), (d). Second, § 222 differs
from previous CPNI restrictions designed to foster competition because
it applies to all telecommunications carriers, not just the dominant ones.
This indicates a different purpose for the new restriction. Finally, §
222 contains measures that will allow full use, disclosure, and access
to CPNI if customer approval is obtained. Assuming that a carrier is able
to obtain a high rate of customer approval, the alleged competitive effect
of § 222's CPNI restrictions is minimal and can perhaps even be nullified.
Consequently, we find that Congress' primary purpose in enacting §
222 was concern for customer privacy, not the broader purpose of increasing
competition.
Privacy
33. Government's Substantial Interest. The customer
approval requirement in section 222(c)(1) is designed to protect the interest
of telecommunications consumers in limiting unexpected and unwanted use
and disclosure of their personal information by carriers who must collect
such information in order to render bills and perform other services. Section
222(c)(1) thus assumes a minimum level of customer concern regarding certain
uses of CPNI by a carrier and its affiliates. This assumption has been
borne out by evidence in the record, including surveys indicating consumers'
desires regarding dissemination of CPNI and other personal information.
Notably, in one study, 55.5 percent of Cincinnati Bell Telephone (CBT)
customers expressed some level of concern with use of CPNI by CBT for targeted
marketing, including 17.2 percent that were "extremely concerned." 92 Likewise,
the Westin Study submitted by Pacific Telesis in the original CPNI proceeding
indicated that 36 percent of customers found it "not acceptable" for their
local telephone company to use CPNI for targeted marketing. 93 These concerns
show a sensitivity to use of CPNI, consistent with the very private nature
of the information collected by a telecommunications carrier, which includes,
at a minimum, the telephone numbers a subscriber calls, and the times,
dates, destinations and duration of those calls. 94 CPNI also includes
services that a subscriber purchases, the equipment and facilities used,
and it may also include personal/household usage patterns, among other
things. 95 Based on the record before us, we conclude that the government's
interest in limiting unexpected disclosure and use of consumers' CPNI is
a substantial one.
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, para 33 (July 25, 2002)
Congress recognized, however, that the new competitive market forces
and technology ushered in by the 1996 Act had the potential to threaten
consumer privacy interests. Congress, therefore, enacted section
222 to prevent consumer privacy protections from being inadvertently swept
away along with the prior limits on competition. 3 Section 222 establishes
a new statutory framework governing carrier use and disclosure of customer
proprietary network information (CPNI) and other customer information obtained
by carriers in their provision of telecommunications services.
. . . . .
3. In contrast to other provisions of the 1996 Act that
seek primarily to "[open all telecommunications markets to competition,"
8 and mandate competitive access to facilities and services, the CPNI regulations
in section 222 are largely consumer protection provisions that establish
restrictions on carrier use and disclosure of personal customer information.
With section 222, Congress expressly directs a balance of "both competitive
and consumer privacy interests with respect to CPNI." 9 Congress'
new balance, and privacy concern, are evidenced by the comprehensive statutory
design, which expressly recognizes the duty of all carriers to protect
customer information, 10 and embodies the principle that customers must
be able to control information they view as sensitive and personal from
use, disclosure, and access by carriers. 11 Where information is not sensitive,
12 or where the customer so directs, 13 the statute permits the free flow
or dissemination of information beyond the existing customer-carrier relationship.
Indeed, in the provisions governing use of aggregate customer and subscriber
list information, sections 222(c)(3) and 222(e) respectively, where privacy
of sensitive information is by definition not at stake, Congress expressly
required carriers to provide such information to third parties on nondiscriminatory
terms and conditions. 14 Thus, although privacy and competitive concerns
can be at odds, the balance struck by Congress aligns these interests for
the benefit of the consumer. This is so because, where customer information
is not sensitive, the customer's interest rests more in choosing service
with respect to a variety of competitors, thus necessitating competitive
access to the information, than in prohibiting the sharing of information.
-- In Re In The Matter Of Implementation Of The Telecommunications
Act Of 1996, CC Docket No. 96-115, Second Report and Order and Further
Notice of Proposed Rulemaking ¶ 1 (February 26, 1998)
Under Computer II: Protect CPE and ESPs
7. Prior to the 1996 Act, the Commission had established CPNI
requirements applicable to the enhanced services 30 operations of AT&T,
the BOCs, and GTE, and the CPE operations of AT&T and the BOCs, in
the Computer II, 31 Computer III, 32 GTE ONA, 33 and BOC CPE Relief 34
proceedings. The Commission recognized in the Notice that it had
adopted these CPNI requirements, together with other nonstructural safeguards,
to protect independent enhanced services providers and CPE suppliers from
discrimination by AT&T, the BOCs, and GTE.35 The
Notice stated that the Commission's existing CPNI requirements were intended
to prohibit AT&T, the BOCs, and GTE from using CPNI obtained from their
provision of regulated services to gain a competitive advantage in the
unregulated CPE and enhanced services markets. 36 The Notice further stated
that the existing CPNI requirements also were intended to protect legitimate
customer expectations of confidentiality regarding individually identifiable
information. 37 The Commission concluded in the Notice that existing
CPNI requirements would remain in effect, pending the outcome of this rulemaking,
to the extent that they do not conflict with section 222. 38 On November
13, 1996, the Common Carrier Bureau (Bureau) waived the annual CPNI notification
requirement for multi-line business customers that had been imposed on
AT&T, the BOCs, and GTE under our pre-existing CPNI framework, pending
our action in this proceeding. 39
35. Notice at 12516, 4.
36. Notice at 12516, 12530, 4, 40.
37. Notice at 12516, 4.
38. Notice at 12515-16, 12529, 3, 38.
39. Petition for Exemption from Customer Proprietary Network Information
Notification Requirements, Order, CCB Pol 96-20, DA 96-1878, 12 FCC Rcd
15134. On December 16, 1997, the Policy and Program Planning Division
waived this requirement for 1997. In the Matter of Waiver from Customer
Proprietary Network Information Notification Requirements, CCB Pol 97-13,
DA 97-2599 (rel. Dec. 16, 1997).
174. In the Computer III, 595 GTE ONA, 596 and BOC CPE Relief
597 proceedings, the Commission established a framework of CPNI requirements
applicable to the enhanced services operations of AT&T, the BOCs, and
GTE and the CPE operations of AT&T and the BOCs (Computer III CPNI
framework).598 As we observed in the Notice, the Commission adopted
the Computer III CPNI framework, together with other nonstructural safeguards,
to protect independent enhanced services providers and CPE suppliers from
discrimination by AT&T, the BOCs, and GTE. 599 The framework
prohibited these carriers' use of CPNI to gain an anticompetitive advantage
in the unregulated CPE and enhanced services markets, while protecting
legitimate customer expectations of confidentiality regarding individually
identifiable information. 600 Alternatively, for those carriers that
maintain structurally separate affiliates in connection with their CPE
and enhanced services operations, our Computer II 601 rule 64.702(d)(3)
prohibits carriers from sharing CPNI with those affiliates unless it is
made publicly available. 602 We likewise prohibit the BOCs from providing
CPNI to their cellular affiliates unless they make the CPNI publicly available
on the same terms and conditions. 603
-- In Re In The Matter Of Implementation Of The Telecommunications
Act Of 1996, CC Docket No. 96-115, Second Report and Order and Further
Notice of Proposed Rulemaking ¶ 3 (February 26, 1998)
Harm
The government presents no evidence showing the harm
to either privacy or competition is real. Instead, the government relies
on speculation that harm to privacy and competition for new services will
result if carriers use CPNI. In Edenfield, the Supreme Court struck down
a Florida ban on CPA in-person solicitation because the state had presented
no evidence -- anecdotal or empirical -- that such solicitation created
the dangers of "fraud, overreaching, or compromised independence" that
the state sought to combat. See 507 U.S. at 771; cf. Florida Bar v. Went
For It, Inc., 515 U.S. 618, 626-27 (1995) (upholding restriction on solicitation
of accident victims within thirty days of accident, based on two-year study
and written report analyzing statistically and anecdotally the impacts
of such solicitation). The FCC faces the same problem here. While protecting
against disclosure of sensitive and potentially embarrassing personal information
may be important in the abstract, we have no indication of how it may occur
in reality with respect to CPNI. Indeed, we do not even have indication
that the disclosure might actually occur. The government presents no evidence
regarding how and to whom carriers would disclose CPNI. By its own admission,
the government is not concerned about the disclosure of CPNI within a firm.
See CPNI Order at ¶ 55, n.203 ("[W]e agree . . . that sharing of CPNI
within one integrated firm does not raise significant privacy concerns
because customers would not be concerned with having their CPNI disclosed
within a firm in order to receive increased competitive offerings."). Yet
the government has not explained how or why a carrier would disclose CPNI
to outside parties, especially when the government claims CPNI is information
that would give one firm a competitive advantage over another. This leaves
us unsure exactly who would potentially receive the sensitive information.
Similarly, the FCC can theorize that allowing existing
carriers to market new services with CPNI will impede competition for those
services, but it provides no analysis of how or if this might actually
occur. Beyond its own speculation, the best the government can offer is
that "[t]he vigor of US West's protests against the rules . . . indicates
that US West also believes that this restriction will be effective in promoting
Congress's competitive interest." Appellees Br. at 30. This is simply additional
conjecture, and it is inadequate to justify restrictions under the First
Amendment. See Edenfield, 507 U.S. at 770-71.
Total Service Approach
12. At the same time, the Commission adopted what is called the
"total service approach" allowing carriers and their affiliates to use
customers' CPNI, without notice or approval, to market services within
the package of services to which the customer already subscribes.32 The
total service approach recognized existing customer relationships for local,
interexchange, and wireless services. Under the total service approach,
a carrier that provides local service to a customer may use that customer's
local service CPNI to sell that customer other product offerings within
the existing local service relationship (e.g., caller ID) without customer
approval of the use of the CPNI. As service relationships expanded (e.g.,
the customer selected both local and wireless service), so too did the
parameters of the permissible use of CPNI to market new product offerings.
This approach recognizes that the customer may be fairly considered to
have given implied consent to the carrier's use of CPNI within the total
service package to which the customer subscribes.
13. Such sharing was intended to allow carriers with a pre existing
relationship with the customer to develop "packages" of services best tailored
to their customers' needs. The Commission noted that customers would reasonably
expect carriers with whom they dealt to review their CPNI to fashion service
packages tailored to their needs, and thus would not object to inter affiliate
sharing if each affiliate already has a relationship with the customer.
Because the order required express consent for any type of disclosures
beyond those permitted by section 222(c)(1), the order did not distinguish
between disclosure to an affiliate or other carrier for telecommunications
marketing purposes or disclosure to an unrelated third party for non telecommunications
purposes (e.g., divorce actions, insurance reviews, or random product marketing).
. . . . . .
83. We affirm the continued use of the total service approach
to define what carriers may do under section 222(c)(1) without notice to
customers. 184 Based on the language of section 222(c)(1), Congress intended
that a carrier could use CPNI without customer approval, but could only
do so depending on the service(s) to which the customer subscribes. 185
The total service approach defines the parameters of those services and
thus defines what carriers may do without the approval of the customer.
84. In reaching our conclusion, we note that every commenter
that addressed this issue save one 186 supports retaining the total service
approach, 187 largely because the original justification for its adoption
remains valid even if an opt out system is applied to some uses of CPNI.
Accordingly, today, as when we originally adopted it, the total service
approach is a reasonable implementation of section 222(c)(1) and remains
reasonable regardless of the mechanism we adopt in this Order to provide
for customer approval of other uses of CPNI. We also note that no better
alternative has been proposed. The sole commenter to question the approach,
CenturyTel, basically requests that we abandon the total service approach
and instead adopt the "single category approach." 188 The single category
approach was considered and rejected in the CPNI Order and again rejected
in the CPNI Reconsideration Order. 189 We again decline to adopt such an
approach because that would vitiate the total service approach and attendant
protection of customers' personal information. As the Commission has stated,
"[the hallmark of the total service approach is that the customer, whose
privacy is at issue, establishes the bounds of his or her relationship
with the carrier." 190 CenturyTel has provided no new evidence to convince
us to reconsider the total service approach and the benefits and protections
it affords to consumers and carriers alike. Finally, in the absence of
comments indicating that the total service approach is undermined by our
CPE bundling rules, we find no reason to modify our interpretation of section
222(c)(1) or the total service approach at this time. 191
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, para12 (July 25, 2002)
17. After considering the record, statutory language, history,
and structure of section 222, we concluded that Congress intended that
a carrier's use of CPNI without customer approval should depend on the
service subscribed to by the customer. Accordingly, the Commission
adopted the "total service approach" which allows carriers to use a customer's
entire record, derived from complete service subscribed to from that carrier,
to market improved services within the parameters of the existing customer-carrier
relationship. The total service approach permits carriers to
use CPNI to market offerings related to the customer's existing service
to which the customer presently subscribes. Under the total service
approach, the customer retains ultimate control over the permissible marketing
use of CPNI, a balance which best protects customer privacy interests while
furthering fair competition. Presented with the opportunity to permit
or prevent a carrier from accessing CPNI for marketing purposes, the customer
has the ability to determine the bounds of the carrier's use of CPNI.
-- In Re Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information, CC Docket No. 96-115, 96-149,
Order On Reconsideration And Petitions For Forbearance (September 3, 1999)
2. Section 222(c)(1) establishes the limited circumstances in
which carriers can use, disclose, or permit access to CPNI without first
obtaining customer approval. In interpreting section 222(c)(1) in
the Second Report and Order, the Commission adopted an approach that allows
carriers to use CPNI, without first obtaining customer approval, to market
improvements or enhancements to the package of telecommunications services
the carrier already provides to a particular customer, which it referred
to as the "total service approach." The Commission determined, however,
that carriers may not use CPNI, without first obtaining customer approval,
to market offerings that fall outside the scope of the customer's existing
service relationship with the carrier. The Commission also concluded
that, as required by section 222(c)(1), carriers may not use CPNI, without
first obtaining customer approval, to market non-telecommunications offerings,
including CPE and information services. More specifically,
the Commission concluded that CPE and information services are not
"telecommunications services," and thus do not fall within the scope of
section 222(c)(1)(A). In addition, the Commission concluded
that neither CPE nor most information services fall within the meaning
of "services necessary to, or used in" the provision of telecommunications
service under section 222(c)(1)(B).
-- In Re Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information, CC Docket No. 96-115, Order
(May 21, 1998)
24. The language also suggests, however, that the carrier's
right under section 222(c)(1)(A) and (B) is a limited one, in that the
carrier "shall only " use, disclose, or permit access to CPNI "in the provision
of" the telecommunications service from which such CPNI is derived or services
necessary to, or used in, such telecommunications service. 97 Indeed,
insofar as the customer consent in sections 222(c)(1)(A) and (B) is inferred
rather than based on express customer direction, we conclude that Congress
intended that implied customer approval be restricted solely to what customers
reasonably understand their telecommunications service to include.
This customer understanding, in turn, is manifested in the complete service
offering to which the customer subscribes from a carrier. We are
persuaded that customers expect that CPNI generated from their entire service
will be used by their carrier to market improved service within the parameters
of the customer- carrier relationship. 98 Although most customers
presently obtain their service from different carriers in terms of traditional
categories of offerings -- local, interexchange, and commercial mobile
radio services (CMRS) -- with the likely advent of integrated and bundled
service packages, the "total service approach" accommodates any future
changes in customer subscriptions to integrated service. 99
25. For the reasons described below, we believe that the
total service approach best represents the scope of "the telecommunications
service from which the CPNI is derived." Under the total service
approach, the customer's implied approval is limited to the parameters
of the customer's existing service, and is neither extended to permit CPNI
use in marketing all of a carrier's telecommunications services regardless
of whether subscribed to by the customer, nor narrowed to permit use only
in providing a discrete service feature. In this way, the total service
approach appropriately furthers Congress' intent to balance privacy and
competitive concerns, and maximize customer control over carrier use of
CPNI.
. . . . .
32. The statutory language makes clear that Congress did
not intend for the implied customer approval to use, disclose, or permit
access to CPNI under section 222(c)(1)(A) to extend to all of the categories
of telecommunications services offered by the carrier, as proposed by advocates
of the single category approach. First, Congress' repeated use of
the singular "telecommunications service" must be given meaning.
Section 222(c)(1) prohibits a carrier from using CPNI obtained from the
provision of "a telecommunications service" for any purpose other than
to provide "the telecommunications service from which such information
is derived" or services necessary to, or used in, provision of "such telecommunications
service. " 110 We agree with many commenters that this language plainly
indicates that Congress both contemplated the possible existence of more
than one carrier service and made a deliberate decision that section 222(c)(1)(A)
not extend to all. 111 Indeed, Congress' reference to plural "telecommunications
services" in sections 222(a) and 222(d)(1) demonstrates a clear distinction
between the singular and plural forms of the term. 112 Under well-
established principles of statutory construction, "where Congress has chosen
different language in proximate subsections of the same statute," we are
"obligated to give that choice effect." 113 Consistent with this,
section 222(c)(1)'s explicit restriction of a carrier's "use" of CPNI "in
the provision of" service further evidences Congress' intent that carriers'
own use of CPNI be limited to the service provided to the particular customer,
and not be expanded to all the categories of telecommunications services
available from the carrier. 114
33. We therefore reject the single category approach as
contrary to the statutory language. In particular, we do not agree
with several parties' claim that the general definition of "telecommunications
service" found in Title I of the Act, which focuses on the offering of
"telecommunications ... regardless of the facilities used," 115 indicates
that Congress did not intend to differentiate among telecommunications
technologies or services in section 222(c)(1)(A). 116 We likewise
find U S WEST's reliance on the general plural reference included in the
definition of "telecommunications" misplaced. 117 Rather, we agree with
the California Commission, CompTel, MCI, and TRA that the single category
interpretation would render the specific limiting language in section 222(c)(1)(A)
meaningless. 118 Approval would be necessary, if at all, only if
a carrier wished to use CPNI to market non- telecommunications services.
119 Like Sprint, we conclude that, had Congress intended such a result,
the text could have been drafted much more simply by stating that carriers
may use CPNI, without customer approval, only for telecommunications-related
purposes, instead of the language of section 222(c)(1)(A), which expressly
limits carrier use to the "provision of the service from which [the CPNI
is derived." 120
. . . . .
37. The legislative history confirms our view that in
section 222 Congress intended neither to allow carriers unlimited use of
CPNI for marketing purposes as they moved into new service avenues opened
through the 1996 Act, nor to restrict carrier use of CPNI for marketing
purposes altogether. Specifically, although the general purpose of
the 1996 Act was to expand markets available to both new and established
carriers, the legislative history makes clear that Congress specifically
intended section 222 to ensure that customers retained control over CPNI
in the face of the powerful carrier incentives to use such CPNI to gain
a foothold in new markets. The Conference Report states that, through
section 222, Congress sought to "balance both competitive and consumer
privacy interests with respect to CPNI." 137 Congress further admonishes
that "[in new subsection 222(c) the use of CPNI by telecommunications carriers
is limited, except as provided by law or with the approval of the customer."
138 Contrary to Congressional intent as expressed in the legislative history,
the single category approach asserts a broad carrier right, affording customers
virtually no control over intra-company use of their CPNI. This approach
would undermine section 222's focus on balancing customer privacy interests,
139 and likewise would potentially harm competition. Carriers already
in possession of CPNI could leverage their control of CPNI in one market
to perpetuate their dominance as they enter other service markets. 140
In these respects, therefore, the legislative history wholly fails to support
the single category approach. On the other hand, the legislative
history makes no mention of any need or intention to restrict the carrier's
use of CPNI to market discrete offerings within the service subscribed
to by the customer. In this regard, therefore, the legislative history
likewise does not support the discrete offering approach.
-- In Re In The Matter Of Implementation Of The Telecommunications
Act Of 1996, CC Docket No. 96-115, Second Report and Order and Further
Notice of Proposed Rulemaking (February 26, 1998)
CPE
17. The Commission granted, in part, petitions
for reconsideration requesting that all carriers be allowed to use CPNI
to market customer premises equipment ("CPE") and information services
under section 222(c)(1) without customer approval. In particular, the Commission
allowed all carriers to use CPNI, without customer approval, to market
CPE. 41
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking (July 25, 2002)
Info Service
The Commission also allowed CMRS carriers to use, without
customer approval, CPNI to market all information services, while allowing
wireline carriers to do so for most information services. 42
42. Id. The Commission found
that CMRS providers historically have bundled CPE and information services
with the underlying telecommunications service, and therefore, due primarily
to customer expectations, those services fell within the meaning of "necessary
to, or used in" the provision of service. Id. While wireline carriers traditionally
have bundled CPE with wireline services, wireline carriers had not bundled
Internet access services with wireline services. As a result, the Commission
found that Internet access services are not "necessary to, or used in"
the provision of service. Id. at 14434, para. 46.
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, para 17 (July 25, 2002)
39. Section 222(c)(1) states that, "[e]xcept
as required by law or with the approval of the customer, a telecommunications
carrier that receives or obtains [CPNI] by virtue of its provision of a
telecommunications service shall only use, disclose, or permit access to
individually identifiable [CPNI] in its provision of (A) the telecommunications
service from which such information is derived, or (B) services necessary
to, or used in, the provision of such telecommunications service, including
the publishing of directories.? In the CPNI Order, we concluded
that Congress intended that section 222(c)(1)(A) govern carriers' use of
CPNI for providing telecommunications services and that section 222(c)(1)(B)
governs carriers' use of CPNI for non-telecommunications services.
Based upon the language of section 222(c)(1), we further concluded that:
(1) inside wiring, CPE, and certain information services do not fall within
the scope of section 222(c)(1)(A) because they are not "telecommunications
services;" and (2) CPE and most information services do not fall
under section 222(c)(1)(B) because they are not "services necessary to,
or used in, the provision of such telecommunications service."
We now find that the phrase "services necessary to, or used in, the provision
of such telecommunications service" should be given a broader reading than
the one given in the CPNI Order. The record produced on reconsideration
persuades us that a different statutory interpretation is permissible,
and importantly, would lead to appropriate policy results consistent with
the statutory goals. Therefore, we conclude that section 222(c)(1)(B)
allows carriers to use CPNI, without customer approval, to separately market
CPE and many information services to their customers.
We further clarify that the tuning and retuning of CMRS units and repair
and maintenance of such units is a service necessary to or used in the
provision of CMRS service under section 222(c)(1)(B). Finally, we
deny petitioners' requests that we forbear from applying these restrictions
for related CPE and information services.
40. Customer Premises Equipment
and Information Services under Section 222(c)(1). We grant the petitions
for reconsideration that argue that CPE and certain information services
are "necessary to, or used in, the provision of" telecommunications services,
and therefore use of CPNI derived from the provision of a telecommunications
service, without customer approval, to market CPE and information services
would be permitted under section 222(c)(1)(B). Under
our previous interpretation, the exception was narrowly construed, resulting
in very few services for which CPNI could be shared. Indeed,
we rejected all CPE because it was not a "service" and most information
services because they were not necessary to or used in the carrier's
provision of the telecommunications service. While this interpretation
is not inconsistent with the statutory language, we are persuaded that
the better interpretation is that the exception includes certain products
and services provisioned by the carrier with the underlying telecommunications
service to comprise the customer's total service. This is because
those related services and products facilitate the underlying telecommunications
service and customers expect that they will be used in the provisioning
of that service offering. Our new interpretation accords with
the Commission's stated intention in the CPNI Order to revisit and if necessary
revise its conclusions regarding customer expectations as those expectations
changed in the marketplace with advancements in technology or as new evidence
of the evolution of customer expectations becomes available to the Commission.
Such evidence has now been made available to us by the record developed
on reconsideration.
. . . . .
43. In the wireless context, our regulation
of CMRS providers and the history of the industry has allowed the development
of bundles of CPE and information services with the underlying telecommunications
service. Thus, information services and CPE offered in connection
with CMRS are directly associated and developed together with the service
itself. Indeed, we are persuaded by the record and our observations
of the development of the CMRS market generally that the information services
and CPE associated with CMRS are reasonably understood by customers as
within the existing service relationship with the CMRS provider.
Customers expect to have CPE and information services marketed to them
along with their CMRS service by their CMRS provider. Accordingly,
we conclude that such CPE and information services come within the meaning
of "necessary to, or used in," the provision of service. In the CMRS
context, carriers should be permitted to use CPNI, without customer approval,
to market information services and CPE to their CMRS customers.
44. The wireline industry has developed
somewhat differently from CMRS and, while the analysis is the same, the
results concerning how carriers may use CPNI accordingly differ from the
wireless industry. The provision of CPE, like the publishing of directories,
is a service which is used in and generally necessary to the provision
of the telecommunications service. For at least the past ten years,
all wireline companies have been able to market CPE along with their telecommunications
service. Petitioners argue that by erecting a CPNI approval
requirement with respect to CPE, the Commission frustrates customers' one-stop
shopping expectations and stymies carriers' abilities to offer complete
service solutions that customers want and have come to expect.
Simply put, customers expect their carriers to market CPE to them.
No evidence has been produced on the record which shows that allowing wireline
carriers to market CPE to their customers, using CPNI without customer
consent, violates customers' expectations. We are convinced that
such usage by carriers would be beneficial to customers as new and advanced
products develop. Therefore, wireline carriers should be permitted
to use CPNI, without customer approval, to market CPE to their customers.
45. Within the broader reading of the
statute, we find that certain wireline information services should also
be considered necessary to, or used in, the provision of the underlying
telecommunications service. In the CPNI Order, the Commission listed
several information services that it believed should not be considered
necessary to, or used in, the underlying telecommunications service: call
answering, voice mail or messaging, voice storage and retrieval services,
and fax storage and retrieval services. Applying the broader
reading of the statute, along with the new evidence on the record, we now
believe that all of these services should be considered necessary to, or
used in, the provision of the underlying telecommunications service because
customers have come to depend on these services to help them make or complete
calls. The record indicates that customers have come to expect
that their service provider can and will offer these services along with
the underlying telecommunications service. Therefore, carriers
may use CPNI, without customer approval, to market call answering, voice
mail or messaging, voice storage and retrieval services, and fax storage
and retrieval services.
46. We continue to exclude from
this list, as the Commission did in the CPNI Order, Internet access
services.130 Despite contrary claims from some petitioners,
there is no convincing new evidence on the record that shows that such
services are necessary to, or used in, the making of a call, even in the
broadest sense. There is also no evidence, currently, that customers
expect to receive such services from their wireline provider, or that they
expect to use such services in the way that they expect to receive or use
the above-listed services.
47. We will, however, add protocol conversions
to the list of services that carriers may market using CPNI without customer
approval. In its petition, Bell Atlantic requests that we redefine
protocol conversion as a telecommunications service. A protocol
conversion assists terminals or networks operating with different protocols
to communicate with each other. Bell Atlantic asserts that
protocol conversions that do not alter the underlying information sent
and received should not be defined as information services.
We do not believe that protocol conversions should be redefined as a telecommunications
service but because protocol conversions are necessary to the provision
of the telecommunications service, in the instances where they are used,
protocol conversions should be included in the group of information services
listed above. Accordingly, we grant Bell Atlantic's request
to use CPNI to market, without customer approval, protocol conversions.
130. We note that the Internet access services being
addressed here are the dial-up services. We have previously determined
that xDSL services are telecommunications services. In the Matter
of Deployment of Wireline Services Offering Advanced Telecommunications
Capability, 13 FCC Rcd 24012, 24029-24030 (1998).
--In Re Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information, CC Docket No. 96-115, 96-149,
Order On Reconsideration And Petitions For Forbearance (September 3, 1999)
6. In contrast, where a particular customer has not purchased
CPE or information services from the carrier that is providing its telecommunications
services, the carrier would be subsequently prohibited from using CPNI,
without first obtaining customer approval, to market a bundled offering
of CPE or information services with telecommunications services to such
a customer. In this situation, absent customer approval, the carrier
would be using CPNI in violation of section 222(c)(1) to market CPE or
information services to a customer with whom they had no existing relationship
derived from the carrier's sale of CPE or the customer's subscription to
the carrier's information service. Similarly, the general knowledge
that all wireline customers have a telephone would not permit carriers
to use CPNI derived from wireline service to select those individuals to
whom to market the carrier's CPE offerings.
7. We also clarify that, only where CPE or an information service
is part of a bundled offering, including a telecommunications service,
and the carrier is the existing CPE or information service provider, could
the carrier use CPNI to market a new bundled offering that includes new
CPE or similar information services. For example, carriers cannot
use CPNI to select certain high usage customers to whom they also sold
telephones, and then market only new CPE that is not part of a new bundled
plan. Section 222(c)(1)(A) permits the use of CPNI, without
first obtaining customer approval, only "in the provision of the telecommunications
service from which such information is derived." Therefore, when
a carrier has identified a customer through the use of CPNI, but is not
offering a telecommunications service in conjunction with its marketing
of CPE or information services, that carrier would be using CPNI outside
the provision of the service from which it is derived, in violation of
section 222 and the Commission's rules.
--In Re Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information, CC Docket No. 96-115, Order
(May 21, 1998)
45. Non-Telecommunications Offerings. Several carriers
argue that certain non-telecommunications offerings, in addition to being
covered by section 222(c)(1)(B), also should be included within any service
distinctions we adopt pursuant to section 222(c)(1)(A), including inside
wiring, customer premises equipment (CPE), and certain information services.
168 Based on the statutory language, however, we conclude that inside
wiring, CPE, and information services do not fall within the scope of section
222(c)(1)(A) because they are not "telecommunications services." 169
More specifically, section 222(c)(1)(A) refers expressly to carrier use
of CPNI in the provision of a "telecommunications service." 170 In
contrast, the word "telecommunications" does not precede the word "services"
in section 222(c)(1)(B)'s phrase "services necessary to, or used in." 171
The varying use of the terms "telecommunications service" in section 222(c)(1)(A)
and "services" in section 222(c)(1)(B) suggests that the terms deliberately
were chosen to signify different meanings. Accordingly, we believe
that Congress intended that carriers' use of CPNI for providing telecommunications
services be governed solely by section 222(c)(1)(A), whereas the use of
CPNI for providing non-telecommunications services is controlled by section
222(c)(1)(B).
46. Commission precedent has treated "information services"
and "telecommunications services" as separate, non-overlapping categories,
so that information services do not constitute "telecommunications" within
the meaning of the 1996 Act. 172 Accordingly, we conclude that carriers
may not use CPNI derived from the provision of a telecommunications service
for the provision or marketing of information services pursuant to section
222(c)(1)(A). 173 We likewise conclude that inside wiring and CPE
do not fall within the definition of "telecommunications service," and
thus do not fall within the scope of section 222(c)(1)(A).
47. We recognize that the Commission has permitted CMRS
providers to offer bundled service, including various "enhanced services"
and CPE, prior to the 1996 Act. We disagree with PacTel, however,
that, consistent with section 222(c)(1)(A), CMRS providers should be able
to use CMRS-derived CPNI without customer approval to market these offerings
when they provide CMRS to a customer. 174 The 1996 Act defines "mobile
service" in pertinent part as a "radio communication service carried on
between mobile stations or receivers and land stations, and by mobile stations
communicating among themselves ...." 175 "Radio communication service,"
in turn, is defined in terms of "the transmission by radio of writings,
signs, signals, pictures, and sounds of all kinds, including all instrumentalities,
facilities, apparatus, and services (among other things, the receipt, forwarding,
and delivery of communications) incidental to such transmission." 176
These definitions do not include information services or CPE within the
meaning of CMRS. Accordingly, while nothing in section 222(c)(1)
prohibits CMRS providers from continuing to bundle various offerings consistent
with other provisions of the 1996 Act, 177 including CMRS-specific CPE
and information services, they cannot use CPNI to market these related
offerings as part of the CMRS category of service without customer approval,
because even when they are bundled with a CMRS service, they do not constitute
CMRS and are not telecommunications services.
. . . . .
68. Section 222(c)(1) of the Act provides that, "except
as required by law or with the approval of the customer, a telecommunications
carrier that receives or obtains [CPNI by virtue of its provision of a
telecommunications service shall only use, disclose, or permit access to
individually identifiable [CPNI in its provision of (A) the telecommunications
service from which such information is derived, or (B) services necessary
to, or used in, the provision of such telecommunications service, including
the publishing of directories." 250 In the Notice, the Commission
stated that CPNI obtained from the provision of any telecommunications
service may not be used to market CPE or information services without prior
customer authorization, and sought comment on which "services" should be
deemed "necessary to, or used in" the provision of such telecommunications
service. 251 The Commission also sought comment on whether carriers,
absent customer approval, may use CPNI derived from the provision of one
telecommunications service to perform installation, maintenance, and repair
for any telecommunications service, either under section 222(c)(1)(B) because
they are "services necessary to, or used in, the provision of such telecommunications
service," or under section 222(d)(1) because the CPNI is used to "initiate,
render, bill and collect for telecommunications services." 252
. . . . .
72. Second, we conclude that, while the information services
set forth in the record (e.g., call answering, 258 voice mail 259 or messaging,
260 voice storage and retrieval services, 261 fax store and forward, 262
and Internet access services 263) constitute non-telecommunications "services,"
they are not "necessary to, or used in" the carrier's provision of telecommunications
service. Rather, we agree with the observation of several commenters
that, although telecommunications service is "necessary to, or used in,
the provision of" information services, information services generally
are not "necessary to, or used in, the provision of" any telecommunications
service. 264 As ITAA notes, 265 telecommunications service is defined
under the Act in terms of "transmission," 266 and involves the establishment
of a transparent communications path. The transmission of information
over that path is provided without the carrier's "use" of, or "need" for,
information services. In contrast, information services involve the
"offering of a capability for generating, acquiring, storing, transforming,
processing, retrieving, utilizing, or making available information via
telecommunications." 267 Indeed, the statute specifically excludes
from the definition of information service "any use of any such [information
service capability for the management, control, or operation of a telecommunications
system or the management of a telecommunications service." 268 Because
information services generally, and in particular those few identified
in the record (i.e., call answering, voice mail or messaging, voice storage
and retrieval services, fax store and forward, and Internet access services),
269 are provided to consumers independently of their telecommunication
service, they neither are used by the carrier nor necessary to the provision
of such carrier's service.
-- In Re In The Matter Of Implementation Of The Telecommunications
Act Of 1996, CC Docket No. 96-115, Second Report and Order and Further
Notice of Proposed Rulemaking (February 26, 1998)
272 Share with LD Affiliate
19. The Commission also affirmed the conclusion
reached in the CPNI Order regarding the interpretation of the interplay
between sections 222 and 272 that "information," as defined in section
272, does not include CPNI. 47 As a result, Bell operating companies ("BOCs")
are not obligated by section 272 to make CPNI available to other carriers
on a non discriminatory basis when they share it with their long distance
affiliates.
. . . . .
78. ... Third, we reaffirm our conclusion
that the term "information" in section 272(c)(1) does not include CPNI
as defined under section 222, and we explicitly hold that this conclusion
is not impacted by the opt in/opt out mechanism we adopt today.
. . . . . .
135. We find that our adoption today of an
opt out customer approval mechanism for the use of CPNI by carriers and
their affiliates that provide communications related services does not
affect our prior statutory interpretation regarding the interplay between
sections 222 and 272, nor does it alter our ultimate conclusion that the
term "information" in section 272(c)(1) 310 does not include CPNI. 311
136. In the CPNI Clarification Order, the
Commission sought comment 312 on the interplay between sections 222 and
272 if the customer approval mechanism was revised in light of the Tenth
Circuit's opinion. 313 The Commission noted it might need to revisit its
conclusion if it adopted an opt out approach as a final rule in this
proceeding. 314 However, we decline to revisit our interpretation of the
interplay between sections 222 and 272 simply because we have amended our
customer approval mechanisms. 315 While the Commission addressed the interplay
of sections 222 and 272 in the context of an opt in mechanism, the Commission
did not rely on its adoption of the opt in method in reaching its conclusion.
316 Instead, its decision was based upon statutory analysis and application
of the terms used in the Act. 317 However, even if we were to review the
portion of analysis that discussed the opt in mechanism, we would still
reach the same conclusion, as discussed below.
137. We find that the legal basis for our
decision does not change with our modification of the customer approval
mechanism. In prior orders, the Commission found that in the context of
the 1996 Act, it is not readily apparent that the meaning of "information"
in section 272 necessarily includes CPNI. The Commission found that the
most reasonable interpretation of the interplay between sections 222 and
272 is that section 272 "does not impose any additional CPNI requirements
on BOCs' sharing of CPNI with their section 272 affiliates when they share
information with their section 272 affiliates according to the requirements
of section 222." 318 The Commission found this to be reasonable because,
as we have affirmed above, 319 section 222(c)(1) contemplates that, under
the total service approach, carriers have implied approval to market services
within the package of services to which the customer subscribes, and can
also share CPNI with their affiliates to do so. However, section 272(c)(1)
prohibits BOCs from discriminating against other parties in the provision
and procurement of "information." Thus, if "information" includes CPNI,
BOCs would be unable to share CPNI with their affiliates to the extent
contemplated by section 222, unless they also met the nondiscrimination
requirements of section 272. To meet these requirements, the BOC would
be required, under section 222, to seek express approval from its customers
to share CPNI with its affiliates and with any third parties. 320 Thus,
the Commission found that these requirements, in the context of an opt
in approach, "pose a potentially insurmountable burden because a BOC soliciting
approval to share CPNI with its affiliates would have to solicit approval
for countless other carriers as well, known or unknown." 321
138. This rationale is still applicable under
the Commission's new approval mechanism. First, because opt in is required
for third parties, a BOC would still need to obtain express approval for
sharing with its 272 affiliates and third parties to meet the nondiscrimination
requirements of 272. 322 Applying opt out to intracompany sharing would
not therefore alter the "potentially insurmountable burden" upon BOCs to
obtain customer approval either. Even in a completely opt out environment,
a BOC seeking to share CPNI with its affiliates would have to solicit approval
for countless other carriers as well, known or unknown. 323 We find that
this result is neither required by the statute nor is it necessary to protect
consumers' privacy interests. If we adopted AT&T's proposal to allow
competing carriers to obtain CPNI on the same basis as the BOCs' 272 affiliates
that is, using an opt out approval method under the rules adopted today
we would defeat our purpose in requiring opt in approval for third parties.
As described above, we have found that disclosure to and use of CPNI by
third parties requires greater assurance of a customer's knowing consent
to prevent unintentional disclosure of CPNI. Therefore, as in our previous
orders, we still find that our interpretation best furthers the goals of
Congress to protect customer privacy and to promote customer convenience
and control. 324
139. At any rate, the Commission has previously
concluded that section 222's customer privacy protections effectively preclude
the same anticompetitive behaviors as section 272, and this conclusion
is not altered by the Order we adopt today. 325 In the CPNI Reconsideration
Order, the Commission outlined three factors in section 222 that eliminate
the necessity for the application of section 272's nondiscrimination requirements
to prevent anticompetitive harms. 326 First, competitors are still afforded
access to customer CPNI through section 222(c)(2), which requires disclosure
of CPNI to "any person designated by the customer," upon affirmative written
request by the customer. 327 Changing the mechanism for obtaining customer
approval under section 222(c)(1) does not alter the ability of competitors
to obtain CPNI through section 222(c)(2). Second, section 222(c)(3) continues
to allow a LEC to use customer aggregate information only if it provides
that information to other carriers upon reasonable request. 328 Again,
changing section 222(c)(1)'s approval mechanism does not alter the ability
of competitors to obtain aggregate information through section 222(c)(3).
140. Third, the Commission stated that under
the opt in mechanism, BOCs could not share CPNI with their section 272
affiliates unless they either obtained express customer approval or the
customer is an existing subscriber of a service of that affiliate. 329
Under the opt in/opt out mechanisms established in this Order, BOCs are
allowed to share customer CPNI with their section 272 affiliates without
obtaining express customer approval. Under the opt out approval mechanism
we adopt today, BOCs must still provide customer notice and the opportunity
for customers to opt out for CPNI uses beyond the existing carrier customer
relationship prior to sharing CPNI with an affiliate. 330 However, as a
practical matter, it is likely that the BOCs will be able to share more
CPNI with their 272 affiliates under opt out than they would have been
able to share under opt in. As shown above, consumers typically will accept
whatever choice does not require any action on their part. 331 As a result,
when the default is opt out, carriers will be able to use more customer
CPNI. 332
141. The possibility that BOCs will share
more CPNI with their affiliates does not tip the scale to require application
of section 272 to CPNI. 333 First, section 222 applies to all "telecommunications
carriers" and does not single out any carriers for specific treatment,
signaling Congress' intent that all carriers should be treated alike in
the CPNI context. For example, an interexchange carrier with a significant
customer base can share CPNI, after receiving opt out approval, with its
local or wireless affiliates. Thus, under our rules, all carriers can share
CPNI with their affiliates. Accordingly, we decline to place additional
restrictions upon BOCs. Second, section 272(g) allows BOCs and their section
272 affiliates to market their services jointly. 334 A fair reading of
that section indicates that Congress did not intend to preclude BOCs and
their long distance affiliates from conducting joint marketing, which is
the primary intent behind CPNI use. 335 As we found in earlier orders,
we believe our conclusion is therefore consistent with the "regulatory
symmetry Congress intended for carrier marketing activities." 336
142. Finally, numerous commenters used the
Further NPRM as an opportunity to reargue the statutory and policy issues
that we have previously addressed and that are unrelated to the issue before
us. 337 AT&T and other commenters that request we reverse our holding
in the CPNI Order do not get yet another "bite at the apple." The Commission
has previously considered these arguments in both the CPNI Order and the
CPNI Reconsideration Order. 338 The Further NPRM did not request comment
on these issues, and commenters have not presented changed circumstances,
new evidence or additional arguments that would affect our prior decisions.
Therefore, we decline to address them again here.
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, para 19 (July 25, 2002)
135. Section 272(c)(1) states that, "[i]n its dealings with its
[section 272 affiliates], a Bell operating company . . . may not discriminate
between the company or affiliate and any other entity in the provision
or procurement of goods, services, facilities, and information, or in the
establishment of standards." The Commission concluded in the
Non-Accounting Safeguards Order that: (1) the term "information" in section
272(c)(1) includes CPNI; and (2) the BOCs must comply with the requirements
of both sections 222 and 272(c)(1). The Commission, however,
declined to address the parties' other arguments regarding the interplay
between section 272(c)(1) and section 222 to avoid prejudging issues that
would be addressed in the CPNI Order. The Commission also declined
to address the parties' arguments regarding the interplay between section
222 and section 272(g), which permits certain joint marketing between a
BOC and its section 272 affiliate. The Commission emphasized,
however, that, if a BOC markets or sells the services of its section 272
affiliate pursuant to section 272(g), it must comply with the statutory
requirements of section 222 and any rules promulgated thereunder.
136. In the CPNI Order the Commission overruled the Non-Accounting
Safeguards Order, in part, concluding that the most reasonable interpretation
of the interplay between sections 222 and 272 is that the latter does not
impose any additional CPNI requirements on BOCs' sharing of CPNI with their
section 272 affiliates when they share information with their section 272
affiliates according to the requirements of section 222. The
Commission reached this conclusion only after recognizing an apparent conflict
between sections 222 and 272. We noted in the CPNI Order that,
on the one hand, certain parties argued that under the principle of statutory
construction the "specific governs the general," and that section 222 specifically
governs the use and protection of CPNI, but section 272 only refers to
"information" generally. As such, they claimed that section
222 should control section 272. On the other hand, under the
same principle of construction, other parties argued that section 272 specifically
governs the BOCs' sharing of information with affiliates, whereas section
222 generally relates to all carriers. Therefore, they asserted,
section 272 should control section 222. Because either interpretation
is plausible, it was left to the Commission to resolve the tension between
these provisions, and to formulate the interpretation that, in the Commission's
judgment, best furthers the policies of both provisions and the statutory
design. We determine that interpreting section 272 to impose
no additional obligations on the BOCs when they share CPNI with their section
272 affiliates according to the requirements of section 222 most reasonably
reconciles the goals of these two principles.
-- In Re Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information, CC Docket No. 96-115, 96-149,
Order On Reconsideration And Petitions For Forbearance (September 3, 1999)
Rural Exemption Sec 254
Finally, the Commission determined that section 254
does "not confer any special status on carriers seeking to use CPNI to
market enhanced services and CPE in rural exchanges to select customers."
48
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, para 19 (July 25, 2002)
15. Still other carriers request that we treat rural and small
carriers differently. As we noted in the CPNI Order, however,
the Commission's CPNI rules apply to small carriers just as they apply
to other sized carriers "because we are unpersuaded that customers of small
businesses have less meaningful privacy interests in their CPNI."
Petitioners have not raised any new arguments or facts that persuade us
to reverse this conclusion with respect to these carriers. Thus,
we will not distinguish among carriers based upon the number or density
of lines they serve either.
. . . . .
151. We disagree with the arguments made by CenturyTel and NTCA.
As stated in Section V.A of this Order, we affirm the "total service approach"
for all carriers. We find no reason to impose different notification
requirements on large and small carriers. As we stated in the CPNI
Order, concerns regarding customer privacy are the same irrespective of
the carrier's size or identity. Further to the extent that
CenturyTel and NTCA are requesting to use CPNI, without customer approval,
to market CPE and certain information services, those requests have been
granted above. We also disagree with CenturyTel and NTCA?s
argument that section 254 requires the use of CPNI to allow rural
carriers to implement Congress? Universal Service standards. Section
254 envisions that rural carriers would introduce and make available new
technology to all of its customers. The CPNI rules in no way discourage
rural carriers from doing that. In fact, one could argue that some
of the CPNI rules require a carrier to make all of its customers aware
of such new technology rather than using CPNI to pick and choose which
customers to market the new technology to. The basis of CenturyTel
and NTCA?s arguments, however, is that they do not want to market the new
technology to all of its customers. They want to make it available
only to certain customers that they select by using their customers? CPNI.
We fail to see how section 254 requires this outcome.
--In Re Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information, CC Docket No. 96-115, 96-149,
Order On Reconsideration And Petitions For Forbearance (September 3, 1999)
50. We also decline to forbear from applying section 222(c)(1),
or any of our associated rules, to small or competitive carriers, as SBT
requests. 186 First, SBT has not explained adequately in its comments how
it meets the three statutory criteria for forbearance. 187 Second,
while SBT points out that competitive concerns may differ according to
carrier size, it does not persuade us that customers of small businesses
have less meaningful privacy interests in their CPNI. We thus disagree
with SBT that the three category approach gives large carriers flexibility
to develop and meet customers' needs, but may unnecessarily limit small
business as competition grows. 188 Even if, as SBT alleges, a large
carrier can base the design of a new offering on statistical customer data
and market widely, but a small business can best meet specialized subscriber
needs if it offers CMRS, local, and interexchange service tailored to the
specific subscriber, the total service approach allows tailored packages.
We likewise disagree, therefore, with USTA that small carriers could be
competitively disadvantaged in any interpretation of section 222(c)(1)(A)
other than the single category approach. 189 Rather, we are persuaded
that the total service approach provides all carriers, including small
and mid-sized LECs, with flexibility in the marketing of their telecommunications
products and services. In fact, if SBT's claims that small businesses
typically have closer personal relationships with their customers are accurate,
then small businesses likely would have less difficulty in obtaining customer
approval to market services outside of a customer's service existing service.
-- In Re In The Matter Of Implementation Of The Telecommunications
Act Of 1996, CC Docket No. 96-115, Second Report and Order and Further
Notice of Proposed Rulemaking (February 26, 1998)
Narrowly Tailored:
Opted Out
31. Although in 1999 the Commission concluded that the more stringent
opt in rule was necessary, in light of U S WEST we now conclude that an
opt in rule for intra company use cannot be justified based on the record
we have before us. Thus, we adopt a less restrictive alternative
an opt out rule which is less burdensome on commercial speech.
Applying the Central Hudson test to possible schemes for carriers to obtain
customer approval for use and disclosure of CPNI under section 222(c)(1),
we conclude that: (1) the government has a substantial interest in ensuring
that a customer be given an opportunity to approve (or disapprove) uses
of her CPNI by a carrier and a carrier's affiliates that provide communications
related services; 89 (2) opt out directly and materially advances this
interest by mandating that carriers provide prior notice to customers along
with an opportunity to decline the carrier's requested use or disclosure;
and (3) opt out is no more extensive than necessary to serve the government
interest in protecting privacy because it is less burdensome on carriers
than other alternatives such as opt in, while still serving the government's
interest in ensuring that consumers have an opportunity to exercise their
approval rights regarding intra company use and disclosure of CPNI. 90
32. We also conclude that opt out is an appropriate approval
mechanism for the sharing of CPNI with, and use by, a carrier's joint venture
partners and independent contractors in connection with communications
related services that are provided by the carrier (or its affiliates) individually,
or together with the joint venture partner. 91 That is, in these two contexts,
this form of consent directly and materially advances the government's
interest in ensuring that customers have an opportunity to approve such
uses of CPNI, while also burdening no more carrier speech than necessary.
. . . . .
34. Direct and Material Advancement. The next prong of Central
Hudson examines whether a regulation impacting commercial speech directly
and materially advances the government's interest, i.e., the restriction
is effective at promoting the government's interest. 96 We conclude that,
with respect to intra company uses, opt out directly and materially advances
the government's interest that a customer be given an opportunity to approve
(or disapprove) uses of her CPNI by mandating that carriers provide prior
notice to customers along with an opportunity to decline the carrier's
requested use or disclosure.
35. Although the record evidence demonstrates that a substantial
portion of consumers have a high level of concern about protecting the
privacy of their CPNI (a concern most acute for disclosure to parties other
than their own carrier), 97 the record also makes evident that a majority
of customers nevertheless want to be advised of the services that their
telecommunications providers offer. 98 Furthermore, the record establishes
that customers are in a position to reap significant benefits in the form
of more personalized service offerings (and possible cost savings) from
their carriers and carriers' affiliates providing communications related
services based on the CPNI that the carriers collect. Enabling carriers
to communicate with customers in this way is conducive to the free flow
of information, 99 which can result in more efficient and better tailored
marketing 100 and has the potential to reduce junk mail and other forms
of unwanted advertising. 101 Thus, consumers may profit from having more
and better information provided to them, or by being introduced to products
or services that interest them. 102 The empirical evidence indicating that
a majority of customers want to be advised of service offerings from their
carriers is consistent with the expectation that targeted carrier marketing
will benefit them. 103
36. Based on this record evidence, we think it is reasonable
to conclude that targeted marketing of communications related services
using CPNI by the carrier that collects it is within the range of reasonable
customer expectations. We find that telecommunications consumers expect
to receive targeted notices from their carriers about innovative telecommunications
offerings that may bundle desired telecommunications services and/or products,
save the consumer money, and provide other consumer benefits. 104 Similar
to a case recently before the D.C. Circuit, the record here indicates that
"the identity of the audience and the use to which the information may
be put" 105 bear strongly on consumers' privacy interests. 106 In this
respect, we conclude that consumers are concerned about use of CPNI, but
that a large percentage of telecommunications customers also expect that
carriers will use CPNI to market their own telecommunications services
and products, as well as those of their affiliates. Thus, we conclude that
an opt out scheme giving customers an opportunity to disapprove intra company
uses of CPNI directly and materially advances customers' interest in avoiding
unexpected and unwanted use and disclosure of CPNI and is sufficient to
meet the "approval" requirement under section 222.
37. Although many commenters have argued that opt out necessarily
is a less effective protection against unapproved dissemination of private
information than opt in, we are convinced, based on the record, that these
concerns can be adequately addressed in the intra company context. We find
that an opt out regime would adequately protect consumers' privacy interests
with respect to disclosure to carrier affiliates based on two important
considerations that are dependent upon the underlying carrier customer
relationship. First, likelihood of any potential privacy harm from an inadvertent
approval under opt out is significantly reduced in the intra company context
by the carrier's need for a continuing relationship with the customer.
107 As AT&T argues, "[if a carrier were to abuse CPNI, customers would
likely switch carriers." 108 Because of commercial constraints required
to ensure customer accountability, therefore, the carrier with whom the
customer has the existing business relationship has a strong incentive
not to misuse its customers' CPNI or it will risk losing its customers'
business. 109
38. Second, we find the potential harm to privacy to be much
less significant in instances where the entity that uses and shares the
CPNI is subject to section 222 and our implementing rules. If a consumer
should decide to restrict disclosure after the original period to respond
to an opt out notice has elapsed, she may do so at any time and the carrier
must comply with that request. Significantly, the holder of CPNI, the customer's
existing telecommunications provider (including its telecommunications
affiliates), is subject to enforcement action by the Commission 110 for
any failure to abide by the notice rules regarding planned use, disclosure,
or permission to access a customer's CPNI. 111
39. We are given further comfort that we can protect privacy
interests under intra company opt out by fine tuning our notification rules.
These rules, as described below, are crafted to ensure that any opt out
mechanism provides effective notification to consumers. We are mindful
of the deficiencies widely reported for the Gramm Leach Bliley 112 notifications
in the financial services sector, 113 and have fashioned our CPNI notification
requirements in this Order with an eye toward learning from that experience.
As discussed further in section III.C infra, we bolster the CPNI opt out
regime by requiring a 30 day waiting period before consent is inferred
and by refreshing consumers on a company's opt out policy every two years.
Moreover, we note that under the opt out rules we adopt today, the customer's
carrier would remain subject to enforcement action from the Commission
for any deficiencies in its opt out notice.
40. Narrow Tailoring. We now consider whether opt out is narrowly
tailored, i.e., whether it burdens substantially more of a carrier's speech
than necessary. The Tenth Circuit points out that the narrow tailoring
requirement under Central Hudson means that the government's speech restriction
must signify a "carefu[l calculat[ion of the costs and benefits associated
with the burden on speech imposed by its prohibition." 114 We have described
the primary benefit associated with opt out above. It directly and materially
addresses customers' interest in avoiding unexpected and unwanted use and
disclosure of individually identifiable CPNI. Turning to the carriers'
burdens, i.e., the "costs" of the regulation, we find that, in this case,
there is no flat prohibition on speech, but rather a requirement that a
telecommunications carrier use a specified means of obtaining a customer's
consent before using that customer's personal information in CPNI to market
communications related services or share the information with an affiliate
that provides communications related services. We also find that carriers
have provided evidence that their commercial speech interest in using a
customer's CPNI for tailored telecommunications marketing is real and significant,
and that an opt out regime is a less burdensome means of obtaining
a customer's "approval" under section 222(c)(1) than is an opt in regime.
41. Carriers uniformly assert a significant competitive need
to use CPNI for marketing purposes and/or to share such information with
their affiliates that provide communications related services. 115 The
carriers seek to offer competitive packages that are tailored to their
customers' usage patterns and demonstrated service needs. Carriers have
demonstrated on the record that use of CPNI to develop such targeted offerings
can lower the costs and improve the effectiveness of customer solicitations.
116 Moreover, carriers assert that opt out imposes fewer burdens on their
commercial speech interests than the other alternative for ascertaining
approval opt in and is thus the only approval mechanism
that will satisfy First Amendment scrutiny under Central Hudson. 117 This
assertion rests on a comparison of the relative costs of the mechanisms:
under opt out, carriers would be required to provide customers with advance
notice that they intend to use a customer's CPNI, and give the customer
an opportunity to disapprove of the use; under opt in, carriers are prohibited
from using a customer's CPNI unless the customer expressly approves the
use that the carrier requests the customer to approve in its notice. 118
Given that approval is required under section 222(c)(1), and opt out or
opt in are the only means of obtaining an expression of the customer's
preference, carriers assert that opt out is obviously less burdensome than
opt in and sufficient to ascertain approval for a carrier's marketing
of communications related services. 119
42. We note that the particular form of opt out that we adopt
here is narrowly tailored to ensuring that a customer be given an opportunity
to approve (or disapprove) uses of CPNI by a carrier and its affiliates
that provide communications related services. Specifically, as noted above,
opt out has been criticized in other contexts, e.g., the financial services
sector, because of the possibility that customers may not actually see,
read, or understand opt out notices, and therefore the customers may not
be able to respond to a carrier's request for approval in a timely and
appropriate manner. Furthermore, circumstances may change over time that
would cause a customer to want to reexamine any privacy election he or
she has made with respect to CPNI. We respond to these specific problems
with requirements that are designed to increase the effectiveness of opt
out without burdening more carrier speech than necessary.
43. We require a 30 day waiting period following notice before
customer consent can be inferred to ensure that customers have adequate
time to respond to a notice. We also require carriers to provide refresher
notices to customers of their opt out rights every two years in case circumstances
have changed so as to warrant a change in customers' privacy elections.
These requirements are narrowly tailored because they address the known
shortcomings of opt out in a targeted manner in lieu of adopting a more
restrictive approach such as opt in. Furthermore, there is no indication
in the record that these requirements impose any undue burden on carriers.
Carriers have been following the 30 day waiting period on an interim basis
and are generally supportive of it in their comments. 120 Refresher notices,
which are only required once every two years, give carriers an opportunity
to reconfigure their CPNI policies.
44. We thus conclude, after weighing the relevant considerations,
that a more stringent opt in mechanism is not necessary to protect the
substantial governmental interest evinced by section 222. Rather, an opt
out regime for intra company use of CPNI to market communications related
services directly and materially advances Congress' interest in ensuring
that customers' personal information is not used in unexpected ways without
their permission, while at the same time avoiding unnecessary and improper
burdens on commercial speech, thus meeting Central Hudson's narrow tailoring
requirement.
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, (July 25, 2002)
Even assuming, arguendo, that the state
interests in privacy and competition are substantial and that the regulations
directly and materially advance those interests, we do not find, on this
record, the FCC rules regarding customer approval properly tailored. The
CPNI regulations must be "no more extensive than necessary to serve [the
stated] interest[s]." Rubin, 514 U.S. at 486. In order for a regulation
to satisfy this final Central Hudson prong, there must be a fit between
the legislature's means and its desired objective "a fit that is
not necessarily perfect, but reasonable; that represents not necessarily
the single best disposition but one whose scope is in proportion to the
interest served." Board of Trustees of the State Univ. of N.Y. v. Fox,
492 U.S. 469, 480 (1989) (internal quotation marks omitted). While clearly
the government need not employ the least restrictive means to accomplish
its goal, it must utilize a means that is "narrowly tailored" to its desired
objective. Id.; Florida Bar v. Went For It, Inc., 515 U.S. 618, 632 (1995).
Narrow tailoring means that the government's speech restriction must signify
a "carefu[l] calculat[ion of] the costs and benefits associated with the
burden on speech imposed by its prohibition." Cincinnati v. Discovery Network,
Inc., 507 U.S. 410, 417 (1993) (internal quotation marks omitted). "The
availability of less burdensome alternatives to reach the stated goal signals
that the fit between the legislature's ends and the means chosen to accomplish
those ends may be too imprecise to withstand First Amendment scrutiny."
44 Liquormart, Inc. v. Rhode Island, 517 U.S. 484, 529 (1996) (O'Connor,
J., concurring); see also, e.g., Went For It, 517 U.S. at 632; Rubin, 514
U.S. at 490-91; Discovery Network, 507 U.S. at 417 n.13. This is particularly
true when such alternatives are obvious and restrict substantially less
speech.(11) See Fox, 492 U.S. at 479 ("[A]lmost all of the restrictions
disallowed under Central Hudson's fourth prong have been substantially
excessive, disregarding 'far less restrictive and more precise means.'"
(quoting Shapero v. Kentucky Bar Ass'n, 486 U.S. 466, 476 (1988))).
It is difficult, if not impossible,
for us to conduct a full and proper narrow tailoring analysis, given the
deficiencies that we have already encountered with respect to the previous
portions of the Central Hudson test. Nevertheless, on this record, the
FCC's failure to adequately consider an obvious and substantially less
restrictive alternative, an opt-out strategy, indicates that it did not
narrowly tailor the CPNI regulations regarding customer approval. The respondents
argue that the record contains adequate support that the CPNI regulations
are narrowly tailored because a study conducted by petitioner U.S. West
shows that a majority of individuals, when affirmatively asked for approval
to use CPNI, refused to grant it. The U.S. West study shows that 33% of
those called refused to grant approval to use their CPNI, 28% granted such
approval, and 39% either hung up or asked not to be called again. See CPNI
Order ¶ 99 n.380. Additionally, U.S. West secured a 72% affirmative
response rate from customers whom it solicited after they initiated contact
with the company for some other reason.(12) See id. ¶ 99 n.378. This
study does not provide sufficient evidence that customers do not want carriers
to use their CPNI. The results may simply reflect that a substantial number
of individuals are ambivalent or disinterested in the privacy of their
CPNI or that consumers are averse to marketing generally. The FCC stated
that the study supported "an equally plausible interpretation . . . that
many customers value the privacy of their personal information and do not
want it shared for purposes beyond the existing service relationship."
CPNI Order ¶ 100. We are not convinced that the study supports the
FCC's interpretation, and the FCC provides no additional evidence to bolster
its argument.
Even assuming that telecommunications
customers value the privacy of CPNI, the FCC record does not adequately
show that an opt-out strategy would not sufficiently protect customer privacy.
The respondents merely speculate that there are a substantial number of
individuals who feel strongly about their privacy, yet would not bother
to opt-out if given notice and the opportunity to do so. Such speculation
hardly reflects the careful calculation of costs and benefits that our
commercial speech jurisprudence requires.
Opt In
11. In the CPNI Order, the Commission found that in order to ensure
the "informed consent" of consumers for use of their CPNI in a manner
other than specifically allowed under section 222(c)(1), carriers would
be required to obtain express written, oral or electronic consent from
their customers, i.e., an "opt in" requirement, before a carrier could
use CPNI to market services outside the customer's existing service relationship
with that carrier.31 The Commission reasoned that approval by "implied
consent" (or opt out) would not fulfill the statutory purpose of affording
consumers with meaningful privacy protection. The Commission also concluded
that a carrier must notify the customer of the customer's rights under
section 222 before soliciting approval to use the customer's CPNI.
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, para11 (July 25, 2002)
Opt In: Third Parties
2. Third Parties and Carriers' Affiliates That Do Not
Provide Communications Related Services
50. Applying the Central Hudson test to methods
for carriers to obtain customer approval under section 222(c)(1) to disclose
or allow access to CPNI to third parties, we conclude that: (1) the government
has a substantial interest in ensuring that a customer give her knowing
approval to disclosures of CPNI to third parties because such disclosures
can have significant privacy consequences and be irreversible; (2) opt
in directly and materially advances this interest by mandating that carriers
provide prior notice to customers and refrain from disclosing or allowing
access to CPNI unless a customer gives her express consent by written,
oral, or electronic means; and (3) opt in is narrowly tailored because
carriers have not asserted any intention of sharing CPNI with unaffiliated
third parties, and thus the burden of requiring opt in in this context
is negligible and certainly warranted in light of consumers' substantial
privacy interest in protecting their CPNI from unapproved disclosure to
third parties.
51. As discussed in the following paragraphs,
the record unequivocally demonstrates that, in contrast to intra company
use and disclosure of CPNI, there is a more substantial privacy interest
with respect to third party disclosures. The record indicates not only
that consumers' wishes are different regarding third party disclosure,
but that the privacy consequences are more significant in the case of unintended
disclosure to third parties. Once the personal information in CPNI is disclosed
to such companies or individuals, the use of that information is no longer
subject to the constraints of section 222, and further, these third parties
have no incentive to honor the privacy expectations of customers with whom
they have no relationship. On the other hand, any carrier speech burden
from having to seek express consent for third party disclosures appears
to be negligible. Carriers say that they need to share with third parties
for telemarketing and joint ventures, for which we adopt opt out with certain
protections. Beyond that, carriers say they do not share with third parties,
making any burden on speech nil, or speculative at best. Therefore, with
respect to customer approval of third party disclosures, carriers have
not established on our record that there is, or would be, any significant
burden on their First Amendment commercial speech interest from opt in
to weigh against consumers' substantial privacy interest in avoiding unapproved
disclosures to third parties. There is also no demonstrated consumer benefit
to be derived from third party sharing that would impact our balancing
analysis. Thus, we find that opt in is narrowly tailored under Central
Hudson because it burdens no more carrier speech than necessary to directly
and materially advance the government's interest in ensuring informed consent
before a customer's personal information is disclosed to third parties
by its telecommunications carrier.
52. We also conclude that opt in is necessary
with respect to disclosures of CPNI to a carrier's affiliates that provide
no communications related services. 128 In this context, opt in consent
directly and materially advances the government's interest in ensuring
that customers give their knowing approval to such uses of CPNI, while
burdening no more carrier speech than necessary.
. . . . .
b. Disclosure to Affiliates that Provide no Communications
Related Services
64. We find that the same factors we consider
above weigh in favor of requiring opt in before a carrier may share CPNI
with its affiliates that do not provide communications related services.
We find that CPNI dissemination to such affiliates is far more similar
to third party dissemination than to the sharing of CPNI with affiliates
that provide communications related services, and thus warrants a similar
level of protection as that required for third party disclosure.
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking, para11 (July 25, 2002)
Notice
C. Customer Notification Requirements
89. In this Order we largely affirm our previous
notice rules, 204 which specify, inter alia, that a carrier's notification
"must be comprehensible and must not be misleading," and that written notices
"must be clearly legible, use sufficiently large type, and be placed in
an area so as to be readily apparent to a customer." 205 A telecommunications
carrier's solicitation for approval must also be proximate to the notification
of a customer's CPNI rights. 206 Failure to comply with these rules will
subject carriers to appropriate enforcement action by the Commission. This
Order also makes changes to the notice rules based on industry experience
since their adoption, as well as some changes that are necessary to synchronize
the notice requirements with the approval methods we adopt herein. Specifically,
with respect to opt in notices, we allow carriers more flexibility to determine
what type of notices best suit their customers' needs, and with respect
to opt out, we adopt more stringent notice requirements to ensure that
customers are in a position to comprehend their choices and express their
preferences regarding the use of their CPNI. In addition, we allow carriers
to choose whether to use an opt in or opt out method for obtaining customer
approval for carriers and their affiliates to use CPNI to market communications
related services. 207 We recognize, as SBC points out, that different types
of customer relationships may be better suited to different types of notice
and approval methods. 208
1. Form of Notice
90. We continue to allow carriers to use
written, electronic, and oral notice to customers when soliciting opt in
approval. However, except as described below, we require carriers to provide
some type of individual 209 tangible notice (written or electronic) to
customers when soliciting opt out approval. We continue to allow carriers
to use oral notice to obtain limited, one time use of CPNI, whether opt
in or opt out. 210
91. In addition, we allow carriers the flexibility
to provide combined opt out and opt in notices or to provide such
notices separately, at individual carriers' discretion. Accordingly, a
carrier seeking approval to use CPNI internally and to share with third
parties could combine notice for opt out and opt in CPNI uses on one notification,
so long as it complies with our notice rules. Alternatively, we allow carriers
that prefer to do so to provide separate notices to customers seeking different
types (opt in or opt out) of CPNI approval. Of course, carriers may choose
to use opt in for all CPNI uses, in which case a carrier making such an
election can provide a single notice to its customers. Finally, we allow
carriers to provide notice based on the CPNI usage approvals they seek
to obtain. Accordingly, a carrier that does not intend to disclose CPNI
to third parties or affiliates that do not provide communications related
services does not need to provide to its customers notice regarding opt
in. Carriers that do not intend to use CPNI outside of the total service
approach do not need to provide notice to their customers at all.
a. Electronic Notice
92. We allow carriers to provide CPNI notices
to customers through the use of e mail or other electronic formats, 211
such as a website, as urged by some commenters. 212 However, we recognize
that consumers are deluged with unrequested or unwanted commercial e mail
("spam") and could easily overlook a notice provided via e mail. Accordingly,
we require carriers to follow certain precautions to ensure that such notices
will not be mistaken as spam. Such requirements directly and materially
advance our goal of ensuring that consumers have the information necessary
to make informed decisions regarding the use of their personal information.
93. We require carriers that use e mail to
provide opt out notices to obtain express, verifiable, prior approval from
consumers to send notices via e mail regarding their service in general,
or CPNI in particular. 213 In addition, we require carriers to allow consumers
to reply directly to e mails containing CPNI notices in order to opt out.
We also encourage carriers who elect to use e mail for opt in notices to
accept replies, but, because we do not think it is necessary to ensure
consumers' privacy choices are honored, we do not so mandate. Further,
we require that opt out e mail notices which are returned to the carrier
as undeliverable be sent to the customer in another form before carriers
may consider the consumer to have opted out. Finally, we require carriers
that use e mail to send CPNI notices to ensure that the subject line of
the message clearly and accurately identifies the subject matter of the
e mail.
94. Carriers that elect to use other forms
of electronic notice, such as notice provided on a website during the carrier
selection process, are cautioned that, similar to our warning on the shrinkwrap/break
the seal approach in the next section, such notice must comply with our
form requirements (e.g., placement so as to be readily apparent to the
customer). In particular, we likely would not consider a CPNI notice that
was combined with other legal terms and conditions, or other privacy information,
to comply with our rules if the customer were deemed to have opted in or
opted out simply by signing up for service.
b. Shrinkwrap or Break the Seal "Notice"
95. Commenters raise the issue of shrinkwrap
or break the seal agreements, 214 and whether such agreements constitute
effective solicitation of approval under section 222(c)(1). 215 While we
decline to adopt more stringent notice requirements at this time, we confirm
that all of the existing notice requirements generally applicable under
section 222 apply equally when a carrier solicits customer approval through
shrinkwrap or break the seal methods. As a threshold matter, we note that
the distinctions between notice of a customer's rights, solicitation for
approval to use CPNI, and the approval process sometimes become blurred.
216 In fact, shrinkwrap or break the seal approval "notice" implicates
all three areas of our rules. Using a shrinkwrap or break the seal approach,
a carrier 217 purports to provide "notice" of customers' CPNI rights to
the customer usually in connection with other terms and conditions
of service and claims to "solicit" consumers' approval for
CPNI use and disclosure by asserting that by using the service or "breaking
the seal" (as in the case of a cellular phone), the consumer has approved
use and disclosure of his CPNI. Some shrinkwrap/break the seal approaches
offer the consumer an opportunity to take some action regarding his CPNI,
218 while some do not.
96. We are concerned that the shrinkwrap/break
the seal notices as they have been described to us are ineffective and
may not comply with either the letter or spirit of our notice rules. However,
in the absence of specific concerns on this record of abuse of these types
of agreements, we do not find that additional restrictions beyond generally
applicable notice requirements are warranted at this time. Nevertheless,
we caution carriers that abuse of shrinkwrap or break the seal approaches
will cause us to reexamine this question or initiate enforcement action.
2. Content of Notice
97. We largely affirm our previously adopted
content rules with a few changes. 219 First, we allow carriers to obtain
one time limited use CPNI approval using a streamlined notice. Second,
as discussed in more detail below, we require carriers to provide opt out
notices to their customers every two years. Accordingly, we require carriers
to advise customers that if they have opted out previously, no action is
needed to maintain the opt out election. However, consumers who wish to
reverse their previous decision to opt out, or consumers who have not previously
opted out but wish to do so, must take action as described in the notice.
Carriers that elect to provide opt in notices more than once are required
to advise customers that no action is needed to maintain their opt in election.
These requirements are necessary to minimize customer confusion and complaints
regarding previously expressed privacy preferences.
a. Streamlined Consent for One Time Use of CPNI
98. We grant in part MCI WorldCom's request
to modify our notice requirements for customers placing inbound calls to
telecommunications providers. 220 While we do not grant MCI's request in
its entirety, we do allow carriers to omit the information described below
in providing notice for limited, one time use, where such information is
not applicable to the circumstances for which the carrier seeks CPNI approval.
This streamlining applies both to inbound and outbound customer contacts
that seek CPNI approval only for the duration of the call, and is a reasonable
way to further narrow application of the CPNI rules in light of the burden
they might otherwise work on protected uses of CPNI for solicitation. However,
we caution carriers to take a conservative approach in deciding which information
is necessary for consumers to make informed decisions regarding their CPNI
usage. Should we learn of abuses, we will not hesitate to readdress this
issue, and to pursue enforcement actions against individual carriers. Finally,
we note that this does not change the opt in or opt out requirement in
any way, although we are aware that CPNI approval received for limited
one time use during an inbound call necessarily takes the form of an opt
in approval, because the carrier must obtain some sort of approval after
giving the customer the required notice and soliciting the customer's approval
to use the CPNI. 221
99. Carriers may omit any of the following
notice provisions if not relevant to the limited use for which the carrier
seeks CPNI:
. Carriers need not advise customers
that if they have opted out previously, no action is needed to maintain
the opt out election. Obviously, if this is the first contact with the
consumer, such a disclosure would be confusing and meaningless. 222
. Carriers need not advise customers
that they may share CPNI with their affiliates or non affiliates and name
those entities, if the limited CPNI usage will not result in use by or
disclosure to an affiliate or third party.
. So long as carriers explain
to the customers that the scope of the approval the carrier seeks is limited
to one time use, the carrier need not disclose the means by which a customer
can deny or withdraw future access to CPNI.
. In addition, carriers may omit
disclosure of the precise steps consumers must take in order to grant or
deny access to CPNI, as long as the carrier clearly communicates to the
customer that the customer can deny access to his CPNI for the call. 223
b. Availability of Customer Service Feature Information
During Outbound Calls
100. We deny MCI WorldCom's request that
we modify our interpretation of section 222(c)(1)(A) of the Act to enable
carriers making sales calls to potential customers to access the CPNI records
of those potential customers' without meeting the customer approval requirements
previously adopted by the Commission. 224 In particular, MCI WorldCom states
that it wants access to certain CPNI the list of features that
a potential customer receives from its current carrier so that
MCI WorldCom may make direct price comparisons against its own services
in order to persuade the customer to choose MCI WorldCom as its local service
provider. 225 Additionally, MCI WorldCom makes a second argument that this
same customer feature information should be made available to smooth the
process of provisioning a customer that has chosen to migrate from his
former carrier to MCI WorldCom. 226 Sprint, AT&T, U S WEST, and RCN
filed comments in support of MCI's request for further reconsideration
on this subject 227 while Verizon, BellSouth, GTE, and SBC filed comments
in opposition to MCI WorldCom's request. 228
101. The Commission previously has considered
and rejected this same argument twice. 229 The Commission's rules permit
disclosure of a customer's records only upon adequate notice to and approval
from the customer. 230 These rules are designed to allow customers to make
reasoned, informed decisions about their CPNI in which they have a privacy
interest. 231 As several commenting parties note, the short notice statement
proposed by MCI WorldCom is too vague to enable the customer to make an
informed decision. 232 Although MCI WorldCom presents information about
its experience competing for local exchange customers, MCI WorldCom and
the other commenters supporting this request do not present compelling
new facts or arguments that justify altering the existing rules, especially
in light of the fact that, in the instant proceeding, we streamline the
notice requirements. Specifically, MCI WorldCom does not establish how
its need for this information 233 during an initial cold call to a potential
customer overcomes that customer's privacy interests especially
since there is no existing business relationship, making MCI WorldCom or
another similarly situated carrier a third party to the consumer. 234 Accordingly,
for the same reasons that we have differentiated the approval required
depending on intended use as described above, we reject MCI WorldCom's
arguments here and again find no reason to disturb our earlier decisions.
c. Notice Requirements Regarding Disclosure of Carriers'
Affiliates
102. We deny MCI WorldCom's request that
we allow carriers to use "broad, general terms" when providing notice,
rather than informing "customers of the types of CPNI that may be viewed
and the entities that may view it." 235 MCI WorldCom provides no new facts
and makes no arguments that we have not previously considered in our analysis
and determination in the CPNI Reconsideration Order. 236
d. Ability to Warn Customer that Provisioning Delays
are Possible Without Access to CPNI
103. We grant, with certain safeguards, MCI
WorldCom's request that we remove the prohibition against warning customers
that failure to approve the disclosure of CPNI to a new carrier may disrupt
the installation of service. 237 In the CPNI Second Report and Order, the
Commission explained that customer notification "must provide sufficient
information to enable the customer to make an informed decision as to whether
to permit a carrier to disclose, or permit access to CPNI." 238 In that
same discussion, the Commission prohibited the inclusion of any implication
"that approval is necessary to ensure the continuation of services to which
the customer subscribes, or the proper servicing of the customer's account."
239 In the CPNI Reconsideration Order, based on a lack of evidence, the
Commission denied an MCI petition to allow carriers to warn customers of
problems that could result from failure to give permission to access the
customer's CPNI. 240 Because we want customers to be able to make informed
decisions, 241 and because we do not want to place an undue burden on truthful
speech, 242 we consider this topic below.
104. Several parties commented on this issue.
243 For example, RCN and Qwest support MCI's contention that without access
to CPNI, delays or problems with proper provisioning are likely when a
customer chooses to change carriers. 244 Verizon, however, disagrees with
the argument that a competing carrier's lack of access to a customer's
CPNI necessarily causes delays or provisioning problems, arguing instead
that if such problems occur, they are the fault of MCI WorldCom. 245 Parties
raise sufficient cause for us to believe that our current rules may restrict
truthful speech that could beneficially inform consumers' decisions on
CPNI disclosure. 246
105. We recognize an important balance of
interests in warning customers that failure to grant access to CPNI may
impede the provisioning process. On one hand, we believe that customers
should be given useful and truthful information that will better inform
their decisions regarding CPNI. On the other hand, we are wary that carriers
might use such a warning in such a way as to coerce customers into granting
consent to access CPNI. Therefore, in order to maximize the ability of
customers to make fully informed decisions about their CPNI, we permit
carriers to provide an informative statement to customers about problems
that often occur in provisioning service without access to CPNI.
106. Specifically, we decide that carriers
soliciting consent to access a customer's CPNI may, in addition to the
statements required to obtain consent, provide a brief statement, in clear
and neutral language, describing consequences directly resulting from the
lack of access to CPNI. However, any consequences must affect customers
and must be provable and material. 247 By requiring carriers to limit their
representations in this way, we can best ensure that customers are protected
from coercive or trivial assertions, while nevertheless ensuring that customers
have information that is relevant to their decisions to allow use of their
CPNI. We decline, at this time, to mandate specific language for such warnings
because we believe that our rules will provide carriers with sufficient
guidance to formulate scripts that inform customers in a neutral manner
of significant consequences, without unduly restricting carrier flexibility
in delivering the message.
3. Frequency of Notice
107. We hold that carriers using the opt
in customer approval mechanism must provide customers with a one time notice
before soliciting approval to use CPNI. Carriers electing the opt out mechanism
must provide notices to their customers every two years. We note that few
commenters addressed the issue of frequency of notice and none suggested
a specific time period. 248
108. We adopt a more stringent notice requirement
for the opt out regime for several reasons. First, under the opt out mechanism,
the possibility exists that customers have not made a conscious decision
to allow the additional use of their CPNI. For example, the lack of response
could be due to a customer's failure to receive the notice, a failure to
read the notice, or a failure to understand the notice. 249 As Qwest itself
recognized in its comments, "[the failure to act, then, provides little
evidence of an individual's true intentions, and no dispositive or compelling
demonstration of a 'decision."' 250 As already discussed, the opt out mechanism
requires more stringent safeguards because of the possibility that consumers
are unaware of their rights and because opt out provides incentives for
carriers to not be as forthright as possible. 251 By contrast, in an opt
in environment, customers have taken affirmative action regarding the use
of their CPNI that demonstrates they are informed of the scope and duration
of a carrier's use of CPNI. 252
109. Second, a number of relevant customer
and carrier circumstances can change over time. A customer's marital or
parental status, job status, or health status can change. Carriers may
change their affiliates, the methods available to opt out, and the uses
the carrier makes of the information. For example, a customer might be
willing to share his CPNI with a local telephone company, but decide that
he wants to restrict the use of his CPNI after that company merges with
a larger entity. Periodic renotification is thus a reasonable way of ensuring
that customers have an adequate opportunity to indicate approval.
110. Therefore, in accordance with the general
policy we have adopted regarding the need for consumer safeguards in an
opt out regime, and because failing to provide for periodic confirmation
would fail to account for material changes in circumstances over time,
we hold that carriers must provide opt out notices at least once every
two years. A two year period is a reasonable period over which one might
reasonably expect changed circumstances to warrant confirmation of an opt
out election. Biennial notice is also unlikely to impose an onerous burden
on carriers, particularly when compared to their likely benefit in making
use of the opt out mechanism. 253
111. In addition, we require carriers to
honor their customers' CPNI elections unless and until a customer affirmatively
changes his election. Following a customer's election to withhold approval
of CPNI usage, the carrier may subsequently attempt to secure the customer's
approval to use, disclose, or permit access to his CPNI as frequently as
the carrier deems appropriate, but carriers may not force customers to
opt out repeatedly in an attempt to wear the customer down or obtain an
inadvertent "approval." Accordingly, although carriers must provide biennial
opt out notice to their customers, carriers must respect previously expressed
opt outs. Nor can carriers provide opt in notices to their customers and
immediately provide additional notices to those customers who choose not
to opt in, because such use of repeated notices is burdensome to customers
and fails to respect their privacy choices regarding CPNI.
4. Waiting Period for Opt Out Notification
112. We adopt a 30 day minimum period of
time that carriers must wait after giving customers' notice before assuming
customer approval. In the CPNI Clarification Order, the Commission noted
that the then current rules did not provide for any time period after which
a customer's implicit approval of the use or sharing of CPNI could be reasonably
assumed to have been given to the carrier. 254 As an interim measure, the
Commission adopted a 30 day period from customer receipt of notice as a
"safe harbor," but permitted some shorter period if supported by an adequate
explanation from the carrier. 255 Commenters addressing this topic uniformly
supported a 30 day waiting period, 256 although one commenter found troubling
that "[a carrier's notice gave customers only thirty days to object." 257
In light of the comments we received supporting the 30 day time frame and
the lack of any other suggested time frames or evidence of harm to consumers
or carriers, we adopt as permanent the interim 30 day time frame. We clarify
that this 30 day period is merely the minimum time a carrier must wait
to infer a customer's approval of its requested use of CPNI; it is no way
a deadline for customer action. Carriers are required to honor customer
decisions to opt out of requested uses whenever those decisions are communicated
by customers, which may occur during or after the 30 day waiting period.
113. We also sought comment on how carriers
should manage later requests for privacy from the customer. 258 For example,
if a customer chooses to opt out after the date on which approval has already
been inferred, or, in the case of an opt in mechanism, after the customer
revokes an express consent previously granted, what would be a reasonable
time period within which the carrier and its affiliates should be required
to implement that opt out request or revocation? We received limited comments
on this topic, and note that we are unaware of any complaints regarding
carriers' failure to implement and honor later requests for privacy. Accordingly,
we require carriers to implement customers' privacy requests as expeditiously
as possible within the regular course of business. However, we caution
carriers that if we receive complaints that later privacy choices are not
being effectuated in a timely manner, we will not hesitate to readdress
this issue, and adopt prescriptive rules. In addition, we caution carriers
that failure to implement customers' privacy elections in a timely manner
would likely be actionable violations of sections 222 and 201 of the Act.
114. We also require carriers to notify the
Commission if their opt out mechanisms break down. During the period preceding
this Order, a number of carriers implemented opt out policies. We are aware
that many consumers experienced problems in effectuating their choice to
opt out. 259 For example, it was reported that Qwest's call center was
understaffed for the level of response and consumers were unable to get
through or put on hold for unacceptably long periods; SBC generated similar
complaints. 260 In light of recent problems customers have had opting out,
as well as the vital role that proper implementation of the opt out mechanism
plays in protecting consumers' privacy, we require that carriers provide
written notice within five business days to the Commission in any instances
where opt out mechanisms do not work properly, to such a degree that consumers'
inability to opt out is more than an anomaly. 261
115. In such instances, the Commission will
consider whether to require carriers to extend the date by which opt outs
must be received, or if other corrective action is required. We encourage
carriers to take such action voluntarily, and to advise the Commission
of such action in the notice. The notice should take the form of a letter,
and include the carrier's name, a description of the opt out mechanism(s)
used, the problem(s) experienced, the remedy proposed and when it will
be/was implemented, whether the relevant state commission(s) has been notified
and whether it has taken any action, a copy of the notice provided to customers,
and contact information. Such notice must be submitted even if the carrier
offers other methods by which consumers may opt out.
116. In addition, we no longer allow carriers
to use a time frame shorter than 30 days even if supported by an explanation.
262 To the degree that carriers previously provided notices that otherwise
comply with our rules, but used a shorter time frame, we allow carriers
to continue to use approval generated from those notices consistent with
our holding regarding grandfathering of previously obtained approvals.
263
117. Moreover, we agree with Nextel's request
to "allow a carrier to provide the requisite notification at the time of
an individual transaction and request that the consumer decide whether
to opt out as a requisite to completing that transaction." 264 In particular,
subject to our discussion of shrinkwrap consent, carriers may request that
consumers affirmatively make a CPNI election when the consumer signs up
for service. However, if the carrier provides an opt out notice but does
not require the customer to specifically demonstrate his decision whether
or not to opt out, then the carrier must abide by the thirty day waiting
period. Specifically, a carrier must obtain a demonstrable customer election
to opt in or opt out that is separate and distinct from the customer's
decision to purchase the carrier's service. For example, a carrier that
uses an Internet sign up page may provide the required notice and then
require a customer to click on a button agreeing to opt out or opt in.
265 However, carriers may not require customers to assent to CPNI usage
as a condition of service. 266
5. Methods by Which Customers Can Exercise CPNI
Rights Under Opt Out or Opt In
118. We require that carriers make available
to every customer (including, but not limited to, those without Internet
access, and disabled customers) a method to opt out that is of no additional
cost 267 to the customer and available 24 hours a day, seven days a week.
We allow carriers to satisfy this requirement through a combination of
methods, 268 so long as all customers have the ability to opt out at no
cost and are able to effectuate that choice whenever they choose. 269 We
note that in an opt in paradigm, carriers have an incentive to make it
as easy as possible for customers to opt in because they need to receive
the customer's express approval to use CPNI. However, in the case of opt
out, it makes economic sense for carriers to make it difficult and expensive
for customers to opt out, because opting out deprives the carrier of approval
for its intended use of CPNI. 270 Many commenters suggest that the Commission
allow carriers to determine what methods to offer customers to opt in or
out. 271 Based on comments as well as recent experiences with opt in and
opt out in this and other industries, we allow carriers the freedom to
choose the method(s) by which consumers may express their opt out or opt
in choices, so long as all customers are able to access and use those mechanisms,
24 hours a day, seven days a week. We believe that these requirements will
ensure that all consumers are afforded a reasonable opportunity to effectuate
their privacy choices, while allowing carriers flexibility in determining
how to meet their obligations. 272
119. We deny the request by a few commenters
to require carriers to obtain written evidence of customers' approval.
273 We have previously considered whether to require written evidence and
were not convinced that such an approach was necessary, especially in light
of the burden it would place on carriers. 274 We decline to do so here
because we have not been presented any evidence that carriers are failing
to obtain customers' approval and then claiming to have such approval.
To the degree that we receive complaints that abuses of this nature are
occurring, we will revisit this issue and will not hesitate to initiate
enforcement actions against offending carriers. In addition, we note that
carriers bear the burden to provide proof that approval was obtained should
a complaint arise. 275
-- In the Matter of Implementation of the Telecommunications
Act of 1996 Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information; CC Docket No. 96-115, CC Docket
No. 96-149, CC Docket No. 00 257, Third Report and Order and Third Further
Notice of Proposed Rulemaking (July 25, 2002)
CPNI & Computer III
8. On May 17, 1996, the Commission initiated a rulemaking, in response
to various formal requests for guidance from the telecommunications industry,
regarding the obligation of carriers under section 222 and related issues.
The Commission subsequently released the CPNI Order on February 26, 1998.
The CPNI Order addressed the scope and meaning of section 222, and promulgated
regulations to implement that section. It concluded, among other
things, as follows: (a) carriers are permitted to use CPNI, without customer
approval, to market offerings that are related to, but limited by, the
customers' existing service relationship; (b) before carriers may use CPNI
to market outside the customer's existing service relationship, carriers
must obtain express written, oral, or electronic customer approval; (c)
prior to soliciting customer approval, carriers must provide a one-time
notification to customers of their CPNI rights; (d) in light of the comprehensive
regulatory scheme established in section 222, the Computer III CPNI
framework is unnecessary; and (e) sections 272 and 274 impose no additional
CPNI requirements on the Bell Operating Companies (BOCs) beyond those imposed
by section 222.
. . . . . .
94. As discussed in the Clarification Order,
the framework established under the Commission's Computer III regime, prior
to the adoption of section 222, governed the use of CPNI by the BOCs, AT&T,
and GTE to market CPE and enhanced services. Under this framework,
those carriers were obligated to: (1) provide an annual notification of
CPNI rights to multi-line customers regarding enhanced services, as well
as a similar notification requirement that applied only to the BOCs regarding
CPE; and (2) obtain prior written authorization from business customers
with more than 20 access lines to use CPNI to market enhanced services.
The
CPNI Order, however, replaced the Computer III CPNI framework in all material
respects. In its place, the CPNI Order established requirements
compelling carriers to provide customers with specific one-time notifications
prior and proximate to soliciting express written, oral, or electronic
approval for CPNI uses beyond those set forth in sections 222(c)(1)(A)
and (B). The CPNI Order further established an express approval
mechanism for such solicitations as it is the "best means to implement
this provision because it will minimize any unwanted or unknowing disclosure
of CPNI" and will also "limit the potential for untoward competitive advantages
by incumbent carriers."
95. The Clarification Order noted that, like
the requirements established in the CPNI Order, "the notification obligation
established by the Computer III framework required, among other things,
that carriers provide customers with illustrative examples of enhanced
services and CPE, expanded definitions of CPNI and CPE, information about
a customer's right to restrict CPNI use at any time, information about
the effective duration of requests to restrict CPNI, and background information
to enable customers to understand why they were being asked to make decisions
about their CPNI." The Clarification Order determined that
these Computer III notifications comply materially with the form and content
of the notices required by the CPNI Order. In addition, the
Clarification Order concluded that the Computer III requirement to obtain
prior written authorization constitutes a form of express, affirmative
approval, as required by section 222. Accordingly, the Clarification
Order concluded that carriers that complied with the Computer III notification
and prior written approval requirement in order to market enhanced services
to such carriers are also in compliance with section 222 and the Commission's
rules.
--In Re Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information, CC Docket No. 96-115, 96-149,
Order On Reconsideration And Petitions For Forbearance (September 3, 1999)
IV. NOTICE AND WRITTEN APPROVAL UNDER THE COMPUTER III CPNI
FRAMEWORK
10. Prior to the adoption of the Telecommunications Act of 1996,
the framework established under the Commission's Computer III regime governed
the use of CPNI by the BOCs, AT&T, and GTE to market CPE and enhanced
services. Two important components of this Computer III framework
were: (1) a carrier's obligation to provide an annual notification
of CPNI rights to multi-line customers regarding enhanced services,
as well as a similar notification requirement regarding CPE that applied
only to the BOCs, and (2) a carrier's obligation to obtain prior
written authorization from business customers with more than 20 access
lines to use CPNI to market enhanced services. We clarify that
in circumstances where a carrier has provided annual notification and received
prior written authorization from customers with more than twenty access
lines, the requirements for notice and approval under section 222, and
the associated Commission rules, are satisfied for those customers.
11. In the Second Report and Order, the Commission concluded
that the statutory framework of section 222 contemplated informed customer
approval because such notification and affirmative approval would maximize
customers' control over their CPNI when carriers use CPNI for purposes
beyond those specified in sections 222(c)(1)(A) and (B), thus furthering
the objectives of section 222. As elements of informed customer
approval, the Commission established the following requirements in the
Second Report and Order: (1) a one-time notice to customers, prior
and proximate to any solicitation for approval, informing them of their
right to restrict carrier use of CPNI, the precise steps necessary to grant
or deny access to CPNI, the scope and duration of a carrier's use of CPNI
in the event of a grant, and the carrier's duty to protect the confidentiality
of such information and ensure the continuance of service despite a denial
of carrier access to CPNI; and (2) express, affirmative oral, written,
or electronic customer approval.
12. Similarly, the notification obligation established by the
Computer III framework required, among other things, that carriers provide
customers with illustrative examples of enhanced services and CPE, expanded
definitions of CPNI and CPE, information about a customer's right to restrict
CPNI use at any time, information about the effective duration of requests
to restrict CPNI, and background information to enable customers to understand
why they were being asked to make decisions about their CPNI.
We determine that these written annual notifications materially comply
with the form and content of the notices required in the Second Report
and Order. In addition, the Computer III requirement to obtain
prior written authorization constitutes a form of express, affirmative
approval, as required by section 222. Therefore, we find that carriers
that have complied with the Computer III notification and prior written
approval requirement in order to market enhanced services to business customers
with more than 20 access lines are also in compliance with section 222
and the Commission's rules. Such carriers may rely on their previous
compliance with the Computer III notification and approval requirements
to market enhanced services to business customers with more than 20 access
lines without taking any additional steps to notify such customers of their
CPNI rights or to obtain customer approval to use CPNI to market enhanced
services to such customers.
--In Re Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information, CC Docket No. 96-115, Order
(May 21, 1998)
(c) We eliminate the Computer III CPNI framework,
as well as sections 22.903(f) and 64.702(d)(3) of our rules, in light of
the comprehensive regulatory scheme Congress established in section 222.
19
. . . . .
7. Prior to the 1996 Act, the Commission had established
CPNI requirements applicable to the enhanced services 30 operations of
AT&T, the BOCs, and GTE, and the CPE operations of AT&T and the
BOCs, in the Computer II, 31 Computer III, 32 GTE ONA, 33 and BOC CPE Relief
34 proceedings. The Commission recognized in the Notice that it had
adopted these CPNI requirements, together with other nonstructural safeguards,
to protect independent enhanced services providers and CPE suppliers from
discrimination by AT&T, the BOCs, and GTE. 35 The Notice stated
that the Commission's existing CPNI requirements were intended to prohibit
AT&T, the BOCs, and GTE from using CPNI obtained from their provision
of regulated services to gain a competitive advantage in the unregulated
CPE and enhanced services markets. 36 The Notice further stated that the
existing CPNI requirements also were intended to protect legitimate customer
expectations of confidentiality regarding individually identifiable information.
37 The Commission concluded in the Notice that existing CPNI requirements
would remain in effect, pending the outcome of this rulemaking, to the
extent that they do not conflict with section 222. 38 On November
13, 1996, the Common Carrier Bureau (Bureau) waived the annual CPNI notification
requirement for multi-line business customers that had been imposed on
AT&T, the BOCs, and GTE under our pre-existing CPNI framework, pending
our action in this proceeding. 39
. . . . .
174. In the Computer III, 595 GTE ONA, 596 and BOC CPE
Relief 597 proceedings, the Commission established a framework of CPNI
requirements applicable to the enhanced services operations of AT&T,
the BOCs, and GTE and the CPE operations of AT&T and the BOCs (Computer
III CPNI framework).598 As we observed in the Notice, the Commission
adopted the Computer III CPNI framework, together with other nonstructural
safeguards, to protect independent enhanced services providers and CPE
suppliers from discrimination by AT&T, the BOCs, and GTE. 599
The framework prohibited these carriers' use of CPNI to gain an anticompetitive
advantage in the unregulated CPE and enhanced services markets, while protecting
legitimate customer expectations of confidentiality regarding individually
identifiable information. 600 Alternatively, for those carriers that
maintain structurally separate affiliates in connection with their CPE
and enhanced services operations, our Computer II 601 rule 64.702(d)(3)
prohibits carriers from sharing CPNI with those affiliates unless it is
made publicly available. 602 We likewise prohibit the BOCs from providing
CPNI to their cellular affiliates unless they make the CPNI publicly available
on the same terms and conditions. 603
175. We conclude that the new CPNI scheme that we implement
in this order, which is applicable to all telecommunications carriers,
fully addresses and satisfies the competitive concerns that our Computer
III framework as well as our Computer II and BOC CPNI cellular rules sought
to address. Accordingly, we eliminate these existing CPNI requirements
in their entirety. 604 Nevertheless, the record supports our
specifying general minimum safeguards, applicable to all carriers, to ensure
compliance with section 222's statutory scheme. Toward that end,
we first require that all carriers conform their database systems to restrict
carrier use of CPNI as contemplated in section 222(c)(1) and section 222(d)(3),
through file indicators that flag restricted use, in conjunction with personnel
training and supervisory review. Second, we impose recording requirements
on carriers that serve both to ensure that use restrictions are being followed
and to afford a method of verification in the event they are not.
B. Computer III CPNI Framework
1. Background
176. The CPNI framework the Commission adopted prior to the
1996 Act, which applies only to the BOCs, AT&T, and GTE, and only in
connection with their use of CPNI to market CPE and enhanced services,
involves five general components. The first concerns customer notification.
The
current framework requires the BOCs, AT&T, and GTE to send annual notices
of CPNI rights regarding enhanced services to all their multi-line business
customers. 605 With respect to CPE, the BOCs must also send annual
notices to multi-line business customers, and AT&T must provide a one-time
notice to its WATS and private line customers. Each notice must be
written, describe the carrier's CPNI obligations, the customer's CPNI rights,
and include a response form allowing the customer to restrict access to
CPNI. 606 Second, the BOCs and GTE, but not AT&T, must obtain
prior written authorization from business customers with 20 or more access
lines before using CPNI to market enhanced services. 607 All BOC
and AT&T customers with fewer lines have the right to restrict access
to their CPNI by carrier CPE personnel, and along with GTE customers, enhanced
services personnel as well. 608 These carriers must also accommodate
customer requests for partial or temporary restrictions on access to their
CPNI. 609 Third, we require the BOCs, AT&T, and GTE to make
CPNI available to unaffiliated enhanced services providers and CPE suppliers
at the customer's request on the same terms and conditions as the CPNI
is made available to their personnel. 610 Fourth, the BOCs must provide
unaffiliated enhanced services and CPE providers any non-proprietary, aggregate
CPNI that they share with their own personnel on the same terms and conditions.
611 GTE is subject to the same requirement for its enhanced services
operations. 612 AT&T, however, is not subject to any Commission requirements
with respect to aggregate CPNI. 613 Finally, the BOCs, AT&T,
and GTE must use passwords to protect and block access to the accounts
of customers that exercise their right to restrict. 614 We also mandate
that the BOCs and GTE address their compliance with our CPNI requirements
in their ONA, CEI, and CPE relief plans. 615
177. The Commission acknowledged in
the Notice that section 222 may address the anticompetitive concerns that
its existing CPNI requirements had sought to address, and the Commission
invited comment on which, if any, of its requirements may no longer be
necessary in view of section 222. 616 The Commission tentatively
concluded that it should not extend its CPNI requirements to carriers that
are not affiliated with AT&T, the BOCs, or GTE. 617 The Commission
also recognized that, in certain respects, the Computer III CPNI framework
is more restrictive than the 1996 Act. 618 The Commission decided that
these additional restrictions would remain in effect, pending the outcome
of this rulemaking, to the extent that they do not conflict with section
222. 619 The Commission also asked parties to address whether
privacy, competitive concerns, or other considerations justified the retention
of our existing CPNI requirements, what the costs and benefits of retaining
these CPNI requirements would be, and how changing our CPNI requirements
might influence other nonstructural safeguards adopted prior to the 1996
Act. 620 In the event the Commission concluded that we should continue
to subject the BOCs, AT&T, and GTE to CPNI requirements that are more
restrictive than those applicable to other carriers, the Commission sought
comment on whether such differential treatment should be permanent or limited
in duration and, if limited, what sunset provisions should apply. 621
178. The Commission also tentatively
concluded that AT&T's recent classification as a non-dominant carrier
for domestic services, and its plan to separate its equipment business
from its telecommunications service business, justified removal of our
CPNI requirements as to it. 622 The Commission asked whether AT&T
continues to possess a competitive advantage with respect to access to
and use of customer CPNI, and whether privacy concerns, competitive concerns,
or any other considerations justify special regulatory treatment of AT&T
with regard to CPNI. 623
179. Several parties argue that our existing
Computer III CPNI framework for the BOCs and GTE is unnecessary and should
be eliminated. 624 AT&T and LDDS Worldcom argue that, in any
event, the Commission's existing CPNI requirements should not continue
to apply to AT&T because it has been classified as nondominant. 625
Other parties argue that we should retain the Computer III CPNI requirements
for the BOCs and GTE, 626 and additionally for AT&T. 627 Several
of these commenters further contend that we should extend some or all of
the preexisting requirements to carriers other than AT&T, the BOCs,
and GTE. 628
2. Discussion
180. We conclude that retaining the
Computer III CPNI requirements, applicable solely to the BOCs, AT&T
and GTE, would produce no discernable competitive protection, and would
be confusing to both carriers and customers. 629 The statutory scheme we
implement in this order effectively replaces our Computer III CPNI framework
in all material respects. 630 For example, like under the Computer
III CPNI framework, our new scheme establishes the extent that carriers,
including AT&T, the BOCs, and GTE, must notify customers of their CPNI
rights, obtain customer approval before using CPNI for marketing purposes,
and accommodate customer requests for partial or temporary restrictions
on access to CPNI. 631 We also set forth under the new scheme the
circumstances under which carriers, including AT&T, the BOCs, and GTE,
must make individually identifiable and aggregate CPNI available upon request.
632
181. The legislative history is silent
on the issue of the Computer III requirements. Some commenters argue
that we should interpret Congress' silence as indicating its intention
that the Computer III CPNI requirements be retained. 633 Other parties
argue that the silence indicates the intention that the existing framework
be eliminated. 634 Because Congress offered no explanation on this
point, we do not find the history helpful either way. Rather, we find that
the rules we implement in this order satisfy the concerns upon which the
Computer III framework is based, and therefore we replace them with the
new scheme. We note that, although we eliminate our Computer III
approval and notification requirements, as requested by several carriers,
the rules we implement herein are actually more in line with those endorsed
by carriers urging us to retain our prior framework in which the BOCs,
AT&T, and GTE provide notification to their multi-line business customers,
and need prior authorization in the case of twenty or more lines. 635
182. We are persuaded that the competitive
and privacy concerns upon which the Computer III CPNI framework rests are
fully addressed by our new CPNI scheme, and that, continued retention of
our Computer III CPNI framework would produce no additional benefit. 636
Indeed, in two important respects, the rules we promulgate herein implementing
section 222 afford information services providers and CPE suppliers greater
protection from carriers' anticompetitive CPNI use. First, the new
scheme applies to all carriers, and in so doing, extends the scope of protection
consistent with section 222. 637 We believe applying our new CPNI
rules to all carriers generally furthers the objective of section 222 of
safeguarding customer privacy.
183. Second, several of the new scheme's
CPNI requirements operate to make carriers' anticompetitive use of CPNI
more difficult. Unlike the Computer III CPNI framework, which requires
customer authorization only from businesses with over twenty lines, we
now require that all carriers obtain customer approval from all customers,
including small businesses and residential customers with any number of
lines, before carriers can use CPNI to market information services or CPE.
638 Although the Computer III CPNI framework affords customers the
right to restrict access to their CPNI records, whereas under our new scheme
the customer's right is to withhold approval, the result nevertheless is
the same -- the customer has the right to control whether a carrier uses,
discloses, or permits access to its CPNI. 639 Indeed, in contrast with
the Computer III CPNI framework, which generally permits CPNI use unless
and until the customer affirmatively acts to restrict, our new scheme prohibits
carriers from using CPNI unless and until they obtain customer approval,
and in this way offers customers greater control. 640 Moreover, we conclude
that carriers must notify all customers of their CPNI rights under our
new scheme, not merely their multi-line business customers as is required
under the Computer III CPNI framework. 641 This notice requirement,
therefore, similarly affords greater competitive protections. Finally,
by its terms, section 222(c)(3) extends the obligation to provide non-
discriminatory access to aggregate customer information, when used for
purposes outside of the provision of the customer's total service offering,
to all LECs, not just the BOCs and GTE. Thus, under section 222(c)(3),
information service providers and CPE suppliers are entitled to competitively
useful aggregate information from more carriers than they had been in the
past. 642 In these ways, the new scheme is more protective of competitive
and privacy interests than currently exists under the Computer III CPNI
framework. 643 We thus find no competitive or privacy justification
at this time to retain our former framework.
184. Nor will the elimination of the Computer III
CPNI framework weaken other nonstructural safeguards. We agree with
Ameritech, PacTel and GTE that the Commission's other Computer III requirements
are independent of CPNI regulation, and would continue to prohibit discriminatory
network access and protect against any alleged "bottleneck" leverage. 644
Finally, we conclude that, insofar as we eliminate the Computer III CPNI
requirements, carriers' ONA and CEI plans no longer have to address CPNI.
645
-- In Re In The Matter Of Implementation Of The Telecommunications
Act Of 1996, CC Docket No. 96-115, Second Report and Order and Further
Notice of Proposed Rulemaking ¶ 3 (February 26, 1998)
"41. Under the Commission's Computer III requirements, Ameritech
is required to describe the procedures it intends to establish to comply
with the Commission's CPNI safeguards. In addition, section 222 of the
1996 Act contains CPNI requirements. Although the requirements of section
222 became effective immediately upon enactment, the Commission has initiated
a proceeding to consider regulations interpreting and specifying in more
detail, a telecommunications carrier's obligations under this provision.
In the Notice initiating this proceeding, the Commission tentatively concluded
that its existing CPNI regulations remain in effect, pending completion
of the CPNI rulemaking, to the extent that they do not conflict with section
222." -- In the Matter of Ameritech's Comparably Efficient Interconnection
Plan for Electronic Vaulting Service, CCBPol 97-03, Order ¶ 41 (December
31, 1997)
46. Customer Proprietary Network Information: The Phase II
Order established CPNI requirements for BOCs' enhanced service operations,
requiring them, among other things, to (1) make CPNI available, upon customer
request, to unaffiliated enhanced service vendors, on the same terms and
conditions that are available to their own enhanced services personnel;
(2) limit their enfhanced services personnel from obtaining access to a
customer's CPNI if the customer so requests; and (3) notify multi-line
business customers annually of their CPNI rights. The Commission also requires
BOCs to provide any nonproprietary aggregate CPNI to unaffiliated enhanced
service vendors on the same terms and conditions that the BOCs provide
that information to their own enhanced services personnel.
---In the Matter of Bell Operating Companies Joint Petition for Waiver
of Computer II Rules, DA 95-2264, Order, ¶ 46 (October 31, 1995)
73. The Commission's Customer Proprietary Network Information (CPNI)
rules restrict a BOC's use of individual CPNI. BOCs are required to describe
the types of information they will treat as CPNI, and to explain their
procedures for determining which customers have the right to restrict access
to particular CPNI. First, for customers with 20 or fewer lines, the BOC
must limit access to a customer's CPNI by its marketing personnel that
sell enhanced services, if the customer so requests. Second, the BOC must
release that CPNI at the customer's request to any ESP designated by the
customer, and make that information available on the same terms and conditions
as it is made available to its own enhanced service operations. Third,
the BOC's enhanced services marketing personnel may not obtain access to
the CPNI of any customer with more than 20 access lines without that customer's
prior permission. Fourth, the BOC must notify all of its multiline business
customers annually of their CPNI options, and include response forms "which
fully and fairly inform[] customers of their CPNI rights." Fifth, the BOC
is required to accommodate requests for "partial or temporary restriction
of CPNI." In the GTE ONA Order, the Commission extended to GTE the BOC
ONA requirements relating to CPNI. The Commission specifically required
GTE to describe in its ONA Plan how it intends to meet the CPNI requirements
and to include the CPNI notification letter that it proposes to send to
its multiline business customers.
. . . . .
81. The Commission requires that, if a BOC makes nonproprietary, aggregate
CPNI available to its own enhanced service personnel, it must make such
information available to competing ESPs on the same terms and conditions.
The BOC must explain how it will notify ESPs that aggregate CPNI is available.
The Commission extended these requirements to GTE.
. . . . .
83. The Commission has stated that a password/identification (password
ID) system is the preferred method for restricting CPNI access for enhanced
services, and should be used absent a specific showing that it would be
unduly burdensome to do so. The BOC must implement password ID systems
for "all primary databases that are routinely accessed by [the BOC's] enhanced
services marketing personnel and contain comprehensive restricted CPNI."
The Commission does not require BOCs to implement password ID systems for
auxiliary databases that contain fragmented CPNI and that are not routinely
accessed by enhanced services marketing personnel. The Commission, however,
requires the BOC to state, for each database that contains CPNI and that
does not have password ID protection, the following: (a) database name;
(b) database purpose; (c) accessibility and frequency of use by enhanced
services marketing personnel; (d) types and amount of CPNI; (e) method
of access restriction; and (f) justification for not imposing password
ID restrictions. In the GTE ONA Order, the Commission required GTE to implement
password ID systems by April 4, 1996.
-- In the Matter of Application of Open Network Architecture and Nondiscrimination
Safeguards to GTE Corporation, CC Docket No. 92-256, Memorandum Opinion
and Order, (July 29, 1995)
34. Bell Atlantic is required to describe the procedures it intends
to establish to comply with CPNI safeguards. The Phase II Order established
CPNI requirements for BOCs' enhanced service operations, requiring them
in part to (1) make CPNI available, upon customer request, to unaffiliated
enhanced service vendors, on the same terms and conditions that are available
to their own enhanced services personnel; (2) limit their enhanced services
personnel from accessing a customers CPNI if the customer so requests;
and (3) notify multiline business customers annually of their CPNI rights.
The Commission also requires BOCs, but not AT&T, to provide to unaffiliated
enhanced service vendors on the same terms and conditions, any nonproprietary,
aggregate CPNI that the BOCs provide to their own enhanced services personnel.
--- In the Matter of Bell Atlantic Telephone Companies, Offer of Comparably
Efficient Interconnection to Providers of Video Dialtone-Related Enhanced
Services, DA 95-1283, Order (June 9, 1995)
Third, we imposed CPNI obligations on the enhanced
service operations of AT & T and the BOCs similar to those we imposed
for AT&T CPE operations; AT&T and the BOCs may use CPNI for enhanced
service marketing operations, provided that those carriers establish procedures
to honor any requests from customers that their CPNI be withheld from
carrier-affiliated enhanced service personnel or released to other enhanced
service vendors. 38 We required AT & T and the BOCs
to notify their multiline business customers of these rights on an annual
basis. We also required the BOCs to provide any nonproprietary, aggregate
CPNI that the BOCs provide to their own enhanced services personnel to
unaffiliated enhanced service vendors. 39 -- In the Matter
of Filing and Review of Open Network Architecture Plans, CC Docket No.
88-2, Phase I, Memorandum Opinion And Order, ¶ 25 (December 22, 1988)
27. We declined to modify
our CPNI rules to require that the BOCs' enhanced service personnel be
denied access to CPNI absent prior authorization from customers.45
We stated that we expected carriers to take special care to protect the
CPNI of customers, especially ESPs, that request restricted treatment of
their CPNI.46 We also required AT & T and the BOCs to amend
their ONA plans to describe the types of information that they will treat
as CPNI.47 We added a number of provisions to our CPNI rules
to facilitate users' ability to limit access to their CPNI, including a
requirement that each CPNI notice to multiline business customers include
a response form that customers may use to inform the carrier of their preferred
CPNI treatment.48 We also declined to relieve the BOCs of the
requirement that they make nonproprietary, aggregate CPNI available to
unaffiliated enhanced service providers.49
. . . .
398. The Phase II Order
established four basic requirements governing BOC use of CPNI. First, BOCs
must limit the access of their enhanced service personnel to a customer's
CPNI if that customer so requests. Second, on customer request, the BOCs
must release a customer's CPNI to any ESP designated by the customer, and
the BOCs must make this information available on the same terms and conditions
that they make CPNI available to their own enhanced service operations.
Third, the BOCs must notify multiline business customers annually of these
CPNI options. Fourth, if the BOCs make nonproprietary, aggregate CPNI available
to their own enhanced services personnel, they must make such information
available on the same terms and conditions to unaffiliated ESPs. We also
required the BOCs to file ONA plans with us describing how they propose
to comply with these requirements.
399. The Phase II Reconsideration
clarified these requirements. 981 We required the BOCs to enclose
with their CPNI notices response forms that customers could use to make
CPNI elections. We also required the BOCs to accommodate requests for partial
or temporary restriction of CPNI and to honor any customers' CPNI instructions
received prior to the mailing of the CPNI notification. In addition, we
clarified that a customer's election to restrict its CPNI would remain
in effect until the customer specifically revokes this choice. 982
We directed the BOCs to amend their plans on or before March 10, 1988,
to reflect these modifications, and we instructed the BOCs to include copies
of their proposed CPNI notice and response form with their amendments.
We also required the BOCs to describe in their amended plans the types
of information they will treat as CPNI and to explain their procedures
for determining which customer has the right to restrict a particular item
of CPNI.983
. . . .
411. Our CPNI rules apply,
with minor exceptions,1011 to all information about customers'
network services and customers' use of those services that a BOC possesses
by virtue of its provision of network services. The BOCs' CPNI definitions
serve as a check that BOCs will comply with our rules in this sensitive
area for the broadest possible range of customer-specific information.
Thus, we agree with ADCU that the BOCs' CPNI definitions should not be
unduly restrictive. 1012 We find that while the BOCs' CPNI definitions
are largely adequate, some of these definitions are incomplete in one or
more respects. For example, Pactel does not include billing information
within its CPNI definition. In addition, only Pactel and Ameritech include
usage data and calling patterns within their CPNI definitions. This is
precisely the kind of customer information to which the CPNI rules apply,
since it is information that can invoke proprietary and competitive considerations
and that customers might thus want to restrict. 1013 It is also
information that ESPs can use to better identify customers' enhanced services
needs, and that customers might wish to make available to the BOCs' enhanced
service competitors. Accordingly, by May 19, 1989 we require that: (1)
Pactel amend its CPNI definition to add billing information for each network
service a customer uses; and (2) all BOCs except Pactel and Ameritech must
amend their definitions to include usage data and information on customer
calling patterns. 1014
412. We also clarify that
we do not consider credit information to be CPNI. As noted above,
CPNI is information about a customer's network services and its use of
those services. This type of information is uniquely in the possession
of the carrier serving the customer. Credit information, in contrast, only
addresses information on whether, and how promptly, a customer pays its
bills. Such information is available to every entity that does business
with the customer.
. . . . .
415. Finally, we agree with the Ameritech States
that we should give unlisted telephone numbers special protection
beyond that provided by the CPNI rules. An unlisted telephone number reflects
a customer's general decision to restrict the availability of its telephone
number. Accordingly, we prohibit the BOCs from making unpublished and unlisted
telephone numbers available to their enhanced services personnel.1017
. . . . .
447. Since the Phase II Order explicitly noted that
residential and single line business customers have the right to control
access to their CPNI, SWBT must amend its plan to clarify that it will
permit all customers--residential and single line business, as well as
multiline business--to restrict their CPNI from access by SWBT enhanced
service operations, and to arrange for the release of their CPNI to
unaffiliated ESPs. 1090 We reject the suggestion of ATSI and
AICC that we should prohibit all BOCs from using the CPNI of residential
customers. Such a rule would deprive these customers of the full benefits
of integrated marketing and of their ability to control access to their
own CPNI. The Phase II Order stated that if it appeared that the CPNI of
residential and single-line business customers was, in fact, being used
on a large scale by the BOCs, we would entertain petitions for rulemaking
to include residential and single-line business customers in the CPNI notification
requirement. No such petitions have been filed.1091
-- In the Matter of Filing and Review of Open Network Architecture
Plans, CC Docket No. 88-2, Phase I, Memorandum Opinion And Order (December
22, 1988)
CPNI Under Computer II
47 CFR 64.702(d)(3) Customer Information: [From FCC CCB, Computer
II Rules: Digest and Status Report, p. 86 April 18, 1985 (released through
FCC Library)]
A carrier subject to the Computer II rules may
... not provide to any such separate corporation any cusomter
proproietyar information unless such information is available to any member
of the public on the same terms and conditions.
a. Generally
Section 64.702(d)(3) prohibits disclosure without customer authorization
of cusomter proprietary information and requires that, if unauthorized
disclosure is makde, the information disclosued must be made available
to other CPE vendors on the same terms and conditions.
(i) ATT
(a) Bureau Letter
In a letter dated Nov 24, 1982, the Bureau informed ATT that, with a few
exceptions, ATT's instructions to employees regarding info flow was satisfactory.153
These exceptions included the manner in which ATT notified customers of
their rights regarding customer info flow and the manner in which ATT instructed
its employees on customer info rules. First, the Bureau explained
to ATT that any correspondence to customers which discusses customer proprietary
information must inform the affected customer of the following: (1) the
customer must provide ATT with written authorization to release such info
to ATT-IS; and (2) the customer has the prerogative at any time to designate
other parties to receive the same info, including info pertaining to communications
service, facilities, or CPE. To ensure that other parties receive
identical information, ATT was required to maintain auditable records of
the info released. Second, ATT employees transferred to ATT-IS were
permitted to retain documents pertaining to specific customers only if
the cusomters affirmatively authorized the transfer in writing and only
then to those parties approved by the cusomter. Last, the Bureau asked
ATT to distriubute instructional info to employees dispite a pending reconsideration
of those rules.
(b) Embedded Base
In the ATT CPE Detariffing Order, the Commission premitted ATT-IS to have
access to "customer-specific" embedded CPE information (eg customer name,
billing address, billed telephone number, business or residence class of
service.) 154 ATT-IS
access to ATT's non-CPE service information (eg, access line, toll usage,
and directory advertising) was prphibited, howerver. Furthermore,
the Commission required ATT-IS to inform its embedded base customers that
they may obtain info regarding their CPE from ATT-IS.
(ii) BOCS
(a) Generally
The staff reports in the BOC capitalization Plan Order detain the steps
the BOCs have taken to secure their data bases against unauthorized access
and to train employees in observing information flow restrictions.
It appears that, for the most part, the BOCs have instituted procedures
which should promote compliance with Sections 64.702(d)(2) and (3).
(b) Provision of Customer Info by COGs
GOGs155 are permitted to supply
CPE vendors with info about a cusomter's network services which the CPE
vendor requires in order to determine the customer's CPE needs. However,
under the Computer II rules, such information may be released to ta vendor
only with cusomter permission.156
The staff reports in the BOC Capitalization Plans Order describe "blanket
agency letters" which vendors have filled with some COGs stating that the
vendor will not requiest customer info without the permission of the customer.
While it does not appear that nay COGs are currently releasing customer
proprietyar information to vendors solely on the authority fo these letters,
improper release of customer proprietyar info is difficult to detect absent
auditable records of both info releases and of the authorization of those
releases by customers. Therefore, in the BOC Cap Plan Order, the
Commission reminded the BOCs that it is the duty of the telephone companies
to protect customer proprietary information. 157
Telephone companies should, at a minimum, in their blanket agency letters
or in their tariffs, require both their subsidiearies and independent vendors
seeking customer proprietary information to retain in their files written
customer authorization for the release of the information. Absent
such a telehone company requirement, reliance upon blanket agency letters
as authorization for the transfer of customer propietary information is
inadequate to protect agst anti-competitive abuses. The Commission
stated that it intends to rely on our complaint process to enforce violations
of its info flow restrictions.158
(c) Info Transfers Incident to Dial Tone Referral
As discussed at section V(F)($)(a)(ii)(c) above, dial tone referral could
provide an opportunity for the transfer of info about a customer from operating
company service reps to subsidiary marketing personnel. The staff
reports in the BOC Cap Plan Order identifying several instances in which
operating companies provided their subs with cusotmer properitary info
such as credit ratings or info about the customer's network services or
potential CPE needs. One company, Bell
South, discontinued this practice and retrained its employees to ensure
that they understood the changed procedures. Some Ameritech operating
companies however have contined to provided subs with customer proprietary
info without written authorization from the customer. In its BOC
Cap Plan Order, the Commission directed Ameritech, as well as all the RBOCs
not to provide to its subs any info about potential CPE customers other
than the customer's name, address, and telephone number.159.
NOTES
153 > Letter from Chief, Common
Carrier Bureau, to Alfred A Greet, ATT (Nov 24, 1982); see also Letter
from Chief, CCB, to Francine J Berry, ATT (Sept 16, 1983) (info request
on alleged violations of Computer II prohibitions on the transfer of customer
proprietary info).
154 > ATT CPE Detarriffing ORder,
at paras. 117-128. See also American Telephone and Telegraph Company,
Request
for Waiver of Section 64.702(d)(3) of the Commission's Rules and Regulations,
File No Enf 83-38 (released Sept 2, 1983) (Bureau greanted interim permission
pending the Implementation Proceeding for ATT Long Lines and BOCs to transfer
customer proprietary information relating to embedded CPE, including customer
credit information, type and quantity of CPE and customer identification,
provided, among other things, that ATT-IS will not use the info for marketing
or sales purposes). This Sept wavier was approved permanently in
the ATT CPE Detariffing Order, 95 FCC 2d at 1351, para 124, n 106.
155 See section V(F)(3)(c)(1)
above. See also letter from Chief, Common Carrier Bureau, to Alfred
A Green ATT (Aug 12, 1982) (information request on ATT petition for supp
cap of ATT-IS).
156 See section V(F)(3) Above.
157 BOC Cap Plan Order, at para
51.
158 Id. at para 52.
159 Id. at para 47.