Yesterday, FCC Chairwoman Jessica Rosenworcel circulated a Notice of Proposed Rulemaking (“NPRM”) with her colleagues on the Commission to update the agency’s rules for notifying customers and federal law enforcement of breaches involving customer proprietary network information (“CPNI”). According to a press release, the proposed “updates would better align the Commission’s rules with recent developments in federal and state data breach laws covering other sectors.”

The Chairwoman’s proposal is significant because it signals a potentially more active FCC in consumer protection as the Democrats solidify control of the agency following the Presidential transition and Chairwoman Rosenworcel’s elevation from Acting Chair to Chair. The scope of the proposal appears to be fairly narrow (based on the limited information currently available) but represents the second CPNI-related action proposed in the past three months. Once a fifth commissioner is confirmed, Chairwoman Rosenworcel may be able to press a broader consumer protection agenda for the agency.


Continue Reading Rosenworcel Moves to Update Data Breach Reporting Requirements Under CPNI Rules

Over the past few years, the data collection and use practices of Internet Service Providers (“ISPs”) have largely flown under the radar while large internet platforms and the broader adtech industry have been under greater scrutiny. That respite may be coming to an end following a staff report released last week by the FTC detailing the scope of ISPs’ data collection and use practices. The staff report was based on orders issued in 2019 under Section 6(b) of the FTC Act and puts ISPs and large platforms on similar footing, observing that “many ISPs in our study can be at least as privacy-intrusive as large advertising platforms.” In addition, the staff report finds that several ISP data practices could cause harm to consumers but does not go as far as calling any practices unfair or deceptive.

What the FTC will do with the staff report is less clear. The Commission voted unanimously to release the report, which does not make any specific policy recommendations. Members of the Commission, however, drew their own conclusions and articulated starkly different outlooks on the report’s implications. Chair Lina Khan and Commissioner Rebecca Kelly Slaughter declared that the FCC should play a leading role in overseeing ISPs’ data practices, citing the FCC’s industry expertise and legal authority. Commissioner Christine Wilson, however, stated that “oversight of ISPs for privacy and data security issues should remain at the FTC.” ISPs’ data practices – and the broader question of whether the FCC should reclassify broadband service back to a Title II telecommunications service and re-impose strict broadband privacy rules – are likely to be prominent issues as the Biden FCC takes shape in the months ahead.


Continue Reading FTC Staff Report Puts Spotlight Back on ISP Data Collection and Use Practices; FCC Re-Regulation Suggested

Last week, in a major enforcement action, the FCC proposed $208 million in fines against the nation’s four largest wireless carriers—AT&T, Verizon, T-Mobile, and Sprint—for allegedly selling access to their customers’ location information without taking “reasonable measures” to protect the information against unauthorized disclosure. The FCC argued that such actions violated its rules regarding the protection of customer data known as customer proprietary network information (CPNI).

This enforcement action marks a series of firsts. It is the first CPNI enforcement action since the pre-2016 CPNI regulations were reinstated following the repeal of the broadband privacy rules by Congress in 2017. This is also the first large consumer protection enforcement action under Chairman Pai’s leadership—up to now, Chairman Pai has eschewed the principle-based enforcement of his predecessor in favor of more clear-cut rules violations. The action also generated criticism both for being too soft (and too late) and for potentially being beyond the Commission’s jurisdiction.


Continue Reading FCC Proposes Over $200 Million in Fines to Big Four Wireless Carriers for Allegedly Selling Customer Data Without Safeguards

Today the Office of Federal Register published a final rule from the Federal Communications Commission (FCC or Commission) that formally voids the rule changes in the Commission’s 2016 Privacy Order—which Congress invalidated in a 2017 Congressional Review Act (CRA) joint resolution earlier this year—and reinstates the voice-centric customer proprietary network information (CPNI) rules “in


At the Federal Communications Commission’s (“FCC”) Open Meeting on October 27, the Commission voted along party lines (3-2) to impose more stringent rules on broadband Internet service providers (“ISPs”). Chairman Tom Wheeler, along with Commissioners Rosenworcel and Clyburn voted in favor of the item, while Commissioners Pai and O’Rielly voted against it.

The new rules clarify the privacy requirements applicable to broadband ISPs pursuant to Section 222 of the Communications Act. The new rules also apply to voice services and treat call-detail records as “sensitive” in the context of voice services.

According to an FCC press release issued immediately after the meeting, these rules “establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information.” The Commission further asserts that this approach is consistent with the existing privacy framework of the Federal Trade Commission (“FTC”).


Continue Reading FCC Votes to Impose Aggressive New Privacy Rules on Broadband Providers

It’s official: next Thursday, March 31, 2016, the FCC will vote on a Notice of Proposed Rulemaking seeking comment on a proposed framework for new privacy and data security rules for broadband Internet access service (BIAS) providers.  This proceeding will have important implications for not only the broadband providers subject to the rules, but also for the Internet ecosystem as a whole.

This rulemaking proceeding stems from the 2015 Open Internet Order, which reclassified BIAS as a telecommunications service and applied several of the FCC’s core consumer protection provisions—including Sections 201 and 222 of the Communications Act—to BIAS.  Section 201(b) prohibits “unjust or unreasonable” practices, which the FCC has interpreted to require reasonable data security practices.  Section 222 (and the Commission’s interpretations of that section) establishes a complex framework for the protection of proprietary information (PI), carrier proprietary information (CPI), and customer proprietary network information (CPNI).  CPNI, in short, is the information that a carrier has about its customer solely by virtue of the customer-provider relationship.  However, because the CPNI rules promulgated pursuant to Section 222 were designed with traditional telecommunications services in mind, the FCC declined to impose those rules on BIAS, instead opting for a rulemaking proceeding to create new broadband CPNI rules.


Continue Reading FCC Includes Privacy Item on Its March Open Meeting Agenda: What to Expect

On April 8, 2015, the Federal Communications Commission (“FCC” or the “Commission”) Enforcement Bureau (“EB”) reached a $25 million consent decree with AT&T over privacy and data security breaches involving its customers’ proprietary information (“PI”) and customer proprietary network information (“CPNI”) at three of AT&T’s international call centers.  Under the terms of the settlement, AT&T must implement a wide-ranging compliance plan, notify affected customers of the breach (and provide free credit monitoring services), and report any noncompliance or future breaches to the Commission.

As explained in more detail below, this settlement represents the latest in a growing trend in aggressive enforcement of the Commission’s privacy and data security rules.  As the Commission continues to find new ways to apply its rules against carriers—and begins to implement its 2015 Open Internet Order against broadband Internet access service providers—providers should take steps to bring themselves (and their vendors) into compliance.


Continue Reading AT&T Reaches $25 Million Settlement with FCC over Privacy and Data Security Violations

Earlier today, the Federal Communications Commission released an enforcement advisory reminding telecommunications carriers and interconnected VoIP providers of the upcoming annual customer proprietary network information (“CPNI”) certification due by March 2, 2015.  For Kelley Drye’s own advisory on this CPNI filing requirement, please see the attached alert.


Continue Reading FCC Issues Enforcement Advisory Discussing Upcoming Annual CPNI Certification Filing Deadline

On October 28, 2014, the Federal Communications Commission (“FCC” or the “Commission”) announced that it had joined the Global Privacy Enforcement Network (“GPEN”), a network of privacy enforcement and regulatory bodies from around the world that engages in collaboration and coordination on cross-border privacy enforcement actions.


Continue Reading Federal Communications Commission Announces Membership in Global Privacy Enforcement Network

On October 24, the FCC, over the dissent of its two Republican commissioners, issued a Notice of Apparent Liability (NAL) proposing a fine of $10 million to Lifeline eligible telecommunications carriers (“ETCs”) TerraCom, Inc. and YourTel America, Inc. for violations of laws protecting “phone customers’ personal information.”

This is the agency’s first data security case and the largest privacy action in the Commission’s history.  See News Release.  Friday’s decision follows through on numerous public statements made by FCC Enforcement Bureau Chief Travis LeBlanc indicating that privacy and security is a high enforcement priority for the Commission and that the agency would begin to use a Communications Act provision barring unjust and unreasonable practices as a privacy and security enforcement tool.

According to the NAL, the Enforcement Bureau investigation found that both TerraCom and YourTel “collected names, addresses, Social Security numbers, driver’s licenses and other proprietary information” gathered through the Lifeline eligibility approval process “and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.”  The NAL states that the TerraCom and YourTel violations exposed more than 300,000 customers’ personal information to unauthorized access as well as heightened risk of fraud and identity theft. 
Continue Reading FCC Proposes $10 Million in Fines for Privacy and Data Security Violations