FCC Acts to Protect Private Consumer Information on Wireless Devices

The Federal Communications Commission clarified its customer proprietary network information (CPNI) policies in response to changes in technology and market practices in recent years. The Declaratory Ruling rests on a simple and fundamentally fair principle: when a telecommunications carrier collects CPNI using its control of its customers’ mobile devices, and the carrier or its designee has access to or control over the information, the carrier is responsible for safeguarding that information.

Specifically, the Declaratory Ruling makes clear that when mobile carriers use their control of customers’ devices to collect information about customers’ use of the network, including using preinstalled apps, and the carrier or its designee has access to or control over the information, carriers are required to protect that information in the same way they are required to protect CPNI on the network. This sensitive information can include phone numbers that a customer has called and received calls from, the durations of calls, and the phone’s location at the beginning and end of each call. Carriers are allowed to collect this information and to use it to improve their networks and for customer support. Carriers’ collection of this information can benefit consumers by enabling a carrier to detect a weak signal, a dropped call, or trouble with particular phone models. But if carriers collect CPNI in this manner, today’s ruling makes clear that they must protect it. The Declaratory Ruling does not impose any requirements on non-carrier, third-party developers of applications that consumers may install on their own. The ruling also does not adopt or propose any new rules regarding how carriers may use CPNI or how they must protect it.