NTIA Reply Comments, Telecommunications Carriers' Use of Customer Proprietary Network Information (CPNI) and Other Customer Information
In the Matter of ) ) Telecommunications Carriers' ) CC Docket No. 96-115 Use of Customer Proprietary ) Network Information and ) Other Customer Information ) REPLY COMMENTS OF THE NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION Larry Irving Barbara S. Wellbery Assistant Secretary for Chief Counsel Communications and Information Shirl Kinney Timothy R. Robinson Deputy Assistant Secretary for Attorney-Adviser Communications and Information Kathryn C. Brown Jana Gagner Associate Administrator Attorney-Adviser Tim Sloan Alfred Lee Office of Policy Analysis and Development National Telecommunications and Information Administration U.S. Department of Commerce Room 4713 14th and Constitution Ave., N.W. Washington, D.C. 20230 (202) 482-1816 March 27, 1997
Table of Contents
I. BACKGROUND . . . . . . . . . . . . . . . . . . . . . . . .
A. Computer Networks and Databases Are Largely
Responsible for Growing Privacy Concerns . . . . . .
B. The Act Calls For Establishment of a Regulatory
Regime That Weighs Privacy Equally With Competition . . . . . . . . . . . . . . . .
II. THE COMMISSION SHOULD IMPLEMENT SECTION 222 BY GIVING
FULL EFFECT TO THE PRIVACY AND COMPETITION PRINCIPLES
UNDERLYING ITS PROVISIONS . . . . . . . . . . . . .
A. "Telecommunications Service" Should Be Narrowly Defined . . . . . . . .
B. The Commission has Correctly Concluded
that Section 222 Applies to All Telecommunications Carriers . . . . . .
III. THE COMMISSION'S MINIMUM NATIONAL PRIVACY REQUIREMENTS
SHOULD MAXIMIZE CUSTOMERS' ABILITY TO CONTROL USE OF
THEIR CPNI WHILE MAINTAINING THE FREE FLOW OF INFORMATION . . . . . . . .
A. Subscriber Notice Must Be Adequate . .
B. The Form of Notice Should Maximize Subscriber Response Rates and Be Cost-Effective . . . . . .
C. Subscribers Should Be Able to "Opt-Out" and Respond to Notice In Other Cost-Effective, Flexible Ways . . . .
IV. STATES MAY IMPOSE ADDITIONAL CPNI REQUIREMENTS THAT
DO NOT CONFLICT WITH FEDERAL POLICIES . . .
V. IN RESOLVING THE INTERPLAY BETWEEN SECTION 222 AND
SECTIONS 272 AND 274, THE COMMISSION CAN FURTHER BOTH
PRIVACY AND COMPETITION POLICIES BY ENSURING CUSTOMER
CONTROL OF CPNI THROUGH ADEQUATE NOTICE AND CONSENT . . .
Congress enacted Section 222 of the Telecommunications Act of 1996 against a backdrop of growing concerns about information privacy and a regulatory regime for Customer Proprietary Network Information (CPNI) based mostly on competition policy. Accordingly, the Act calls for establishment of a new regulatory regime that weighs privacy equally with competition. To give full effect to the privacy and competition principles underlying Section 222, NTIA recommends that the Commission define "telecommunications service" narrowly for purposes of implementing this section, and that the Commission ensure that Section 222 is applied to all telecommunications carriers.
NTIA further recommends that the Commission's minimum national privacy requirements maximize customers' ability to control use of their CPNI while maintaining the free flow of information. Subscriber notice must therefore be adequate, and the form of notice should maximize subscriber response rates and be cost-effective. In addition, subscribers should be able to "opt-out" and respond to notice in other cost-effective, flexible ways in most situations. Furthermore, NTIA believes that States may impose additional CPNI requirements that do not conflict with Federal policies.
Finally, in resolving the interplay between Section 222 and Sections 272 and 274 of the Act, NTIA believes that the Commission can further both privacy and competition policies by ensuring customer control of CPNI through adequate notice and consent.
NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION
The National Telecommunications and Information Administration (NTIA), which is within the U.S. Department of Commerce, is the President's principal adviser on telecommunications and information policy. NTIA respectfully submits these reply comments to the Commission's Notice of Proposed Rulemaking (Notice) in the above-captioned proceeding.(1)
Section 222 of the Telecommunications Act of 1996 (the "Act") mandates that all telecommunications carriers abide by certain requirements affecting the use and release of customer proprietary network information ("CPNI").(2) In implementing this provision, the Commission must be mindful that Congress enacted this statute against a backdrop of growing concerns about information privacy and a CPNI regulatory regime based mostly on competition policy.
A. Computer Networks and Databases Are Largely Responsible
for Growing Privacy Concerns.
The proliferation of computerized information systems and electronic databases has created increased concerns about information privacy. Such systems have made it infinitely easier, faster, and far less expensive to collect, generate, sort, and disseminate personal information than had been possible previously.(3) As a result, businesses can harvest a wealth of personal information about individuals. There is also a large and growing market in the sale and purchase of personal information.(4)
Personal information has become a valuable commodity that benefits firms and consumers alike. It enables firms to develop new service offerings and target the marketing of them to subscribers. As a result, telecommunications carriers have become large users of personal information. Telecommunications carriers can mine proprietary customer databases to discover whom subscribers call; from whom subscribers receive calls; when and how frequently subscribers make certain calls; and details about the technical configuration of subscribers' telecommunication services. This data, along with other personal data from other sources, can then be translated into intelligible subscriber profiles containing information about the identities and whereabouts of subscribers' friends and relatives; which businesses subscribers patronize; when subscribers are likely to be home and/or awake; product and service preferences; and how frequently and cost-effectively subscribers use their telecommunications services.
B. The Act Calls For Establishment of a Regulatory Regime
That Weighs Privacy Equally With Competition.
The Commission's existing regulatory regime regarding CPNI circumscribes the ability of some telecommunications carriers -- but not others -- to use CPNI for marketing enhanced services and customer premises equipment. The prevailing rationale for these differences in treatment hinges to a great extent on competition policy, not subscriber privacy.(5)
As evidenced by the Act's legislative history, Congress recognized the potential tensions between growing business demand for personal information and consumers' privacy interest in controlling the use and dissemination of their personal information. Specifically, the Conference Report stated that, in Section 222, Congress was striving "to balance both competitive and consumer privacy interests with respect to CPNI."(6) Thus, to satisfy consumers' demands and needs, Congress explicitly required a different regulatory regime that places privacy interests in CPNI on an equal footing with competition policy.(7)
The Clinton Administration has also recognized the importance of consumer privacy issues in this new electronic information era. The President established the Information Infrastructure Task Force (the IITF) to formulate National Information Infrastructure (NII)-friendly policies in various areas, including privacy and security. The IITF, in turn, through its privacy working group, developed principles applicable to all NII participants, users of personal information, and individuals who provide personal information to users of that information.(8)
Drawing on these principles and guidelines, NTIA developed a voluntary framework to address privacy concerns in a white paper entitled, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information.(9) This framework can assist the Commission in fulfilling Congress's intent: it balances subscribers' interests in privacy against the interest in the free flow of information. This framework is premised on two minimum requirements: (1) carriers must provide subscribers with adequate notice about the types of personal information that are collected and the intended uses of that information and (2) they must obtain subscriber consent before using that information.
II. THE COMMISSION SHOULD IMPLEMENT SECTION 222 BY GIVING FULL
EFFECT TO THE PRIVACY AND COMPETITION PRINCIPLES UNDERLYING
To give full effect to the privacy and competition principles underlying Section 222, the Commission must construe "telecommunications service" narrowly and apply the provision to all telecommunications carriers.
A. "Telecommunications Service" Should Be Narrowly
NTIA believes that the "plain-face" meaning of Section 222 of the Act and sound policy reasons support a narrow definition of "telecommunications service." Although the Commission -- through its proposed definition of "telecommunications service" -- has attempted to bridge the divide between narrow and broad definitions of that term, the statute does not support either the Commission's tripartite definition (i.e., local, interexchange, or commercial mobile radio services) or the "package" definition that some comments recommend.(10) Moreover, both definitions would give subscribers less control over how their CPNI is used than a narrow definition would. Therefore, as discussed further below, NTIA urges the Commission to adopt a narrow definition of "telecommunications service" in order to protect subscribers' privacy interests adequately.(11)
A narrow definition of "telecommunications service" is supported by the clear language of Subsection 222(c)(1).(12) Under this provision, only upon a subscriber's approval or where required by another law, would a carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service be authorized to use, disclose, or permit access to CPNI in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.(13)
The singular use of "telecommunications service" suggests a limited reading of the provision as does reading the provision in its entirety. Subsection 222(c)(1)(B) provides a gloss to Subsection 222(c)(1)(A) and makes clear that only a narrow definition of "telecommunications service" comports with a reading of both subsections of Section 222(c).(14) By specifying that carriers can use CPNI only for "services necessary to, or used in, the provision of such telecommunications service," Congress made clear its intent to limit closely the uses to which CPNI could be used without consumer consent and thus its intent to define "telecommunications service" narrowly. A broad reading of "telecommunications service" in subsection (A) would be inconsistent with the very limited circumstance in which Congress permits CPNI to be used in subsection (B).(15)
As a policy matter, it is critical that the Commission adopt a narrow definition of "telecommunications service." A narrow definition will better implement Congress' mandate to protect subscriber privacy by requiring carriers in many more instances to obtain subscribers' authority before using their CPNI. A narrow definition provides subscribers with a better mechanism to limit uses of their CPNI.
A broad definition, on the other hand, would permit carriers to use CPNI in many more instances without giving subscribers any voice in how their information is used. In addition, defining "telecommunications service" broadly could create perverse incentives for carriers -- who will in the first instance categorize services -- to lump otherwise discrete service offerings together.(16) Finally, a broader definition could also favor incumbent local exchange carriers who would be able to use CPNI gathered from one service to market another service to the disadvantage of new market entrants.
Finally, as discussed further in Part III.C, a narrow reading of "telecommunications services" would not create barriers to the free flow of information. Rather, it would enhance customers' privacy by giving them more control over how their personal information is used and may in fact provide competition benefits.
The statute's clear language and underlying policies are all compelling reasons for defining "telecommunications service" narrowly. For these reasons, NTIA urges the Commission to define "telecommunications service" more narrowly than it proposes.
B. The Commission has Correctly Concluded that Section 222
Applies to All Telecommunications Carriers.
Under the Commission's proposed reading of Section 222 of the Act, all telecommunications carriers providing telecommunications services in all instances would be subject to the provision's terms, not just those with market power or those providing service to certain subscribers.(17) NTIA endorses this approach because it is consistent with the statute's plain language and promotes the policies inherent in the new provision.(18)
The existing CPNI regime illustrates how the application of CPNI safeguards to select carriers in certain instances fails to protect all subscribers' privacy interests adequately.(19) Limiting CPNI restrictions to situations where a carrier has market power or the CPNI has certain commercial value to carriers (e.g., individual vs. business, single line vs. multiline), clearly leaves some subscribers with no privacy protection for their CPNI. Applying Section 222's requirements to all telecommunications carriers would correct that problem.
The proposed regime would also promote competition in the telecommunications services marketplace better than the current regime does.(20) Notwithstanding the existing regime's focus on protecting competition, that regime nonetheless skews competition by imposing greater regulatory burdens on certain carriers than it imposes on others.
Applying Section 222 to all carriers also would allow the Commission to establish minimum nationwide requirements for notice and consent.(21) Such requirements would both adequately protect subscriber privacy and prevent carriers from exploiting their monopoly position to access and make use of subscriber CPNI. Holding all carriers to such requirements would also minimize subscriber confusion by establishing a clear standard on which subscribers can rely. In addition, once the privacy of their personal information is assured, subscribers will undoubtedly be more willing to subscribe to new telecommunications services. The consequence should be greater expansion of the telecommunications services marketplace, which in turn will benefit all telecommunications carriers.
III. THE COMMISSION'S MINIMUM NATIONAL PRIVACY REQUIREMENTS
SHOULD MAXIMIZE CUSTOMERS' ABILITY TO CONTROL USE OF THEIR
CPNI WHILE MAINTAINING THE FREE FLOW OF INFORMATION.
In implementing Section 222 of the Act, the Commission should balance maximizing to the extent possible consumers' ability to control use of their personal information against the interest in the free flow of such information. Requiring adequate consumer notice and flexible consent procedures will go far in allowing consumers control over their personal information while protecting the free flow of information. These minimum nationwide requirements should be incorporated into any new CPNI regulatory regime that the Commission constructs.
A. Subscriber Notice Must Be Adequate.
In order to give subscribers meaningful control over how their personal information is used, they must have adequate notice that specifies in clear terms the nature of the information collected, how it will be used, and its potential uses and users.(22)
More specifically, the notice provided should inform subscribers about their carrier's:
reasons for collecting CPNI;
- proposed uses for that CPNI; and
- measures to protect the CPNI's confidentiality, integrity, and quality.(23)
By evaluating the notice they provide against these criteria, telecommunications carriers can gauge the "adequacy" of such notice.(24)
Carriers should also be required to notify subscribers about the consequences of withholding permission to use their personal information.(25) This requirement will allow subscribers to make informed decisions by weighing the pros and cons of consenting to the use and possible disclosure of their personal information.(26) Notices containing this information will advance the Act's goal to promote competition by better enabling subscribers to compare the CPNI information-handling practices of competing telecommunications services providers.(27) By promoting freer flows of information, these measures will in turn enhance consumer welfare and improve carriers' abilities to compete.(28)
B. The Form of Notice Should Maximize Subscriber Response
Rates and Be Cost-Effective.
In the Notice, the Commission asks comments in what form -- oral or written -- carriers should have to notify consumers about how their information will be used and how they may control access to their CPNI.(29) Traditionally, written notice has been viewed as substantially better than oral notice, but that view may be changing as technology evolves.(30) NTIA therefore recommends that the Commission look to whether the form of notice meets two objectives -- maximization of subscriber response and cost-effectiveness -- rather than specifying that it be oral or written.
For notice to be effective, it must be designed to maximize subscriber response. Therefore, carriers should be required to provide notice in formats that are easily identifiable and understandable to subscribers and which they will not reflexively discard or disregard. But carriers should also be afforded the latitude to develop notice in the lowest-cost format possible so long as it is complete and will actually elicit response from those subscribers who would care to make known their views on whether they consent to the use of their CPNI.
C. Subscribers Should Be Able to "Opt-Out" and Respond to
Notice In Other Cost-Effective, Flexible Ways.
The Commission should permit carriers to use "opt-out" consent. Under an opt-out approach, carriers could presume, absent a subscriber's objection within a prescribed time, that they could use CPNI for purposes identified in the notice.(31) Opt-out consent gives subscribers who care about limiting the use of their CPNI the ability to do so while minimizing the burden on consumers who do not. It also minimizes costs for companies as well burdens on the free flow of information.(32) Subscribers should not be restricted, however, from also contacting their carriers directly and affirmatively authorizing them to use CPNI in accordance with the terms and conditions of the carrier-provided notice.(33) In short, an "opt-out" approach would minimize the burden on subscribers, carriers, and the free flow of information.
To elicit greater responsiveness by subscribers to carrier-provided notice the Commission should also require carriers to permit subscribers to respond -- as flexibly as possibly -- to the notice provided. Allowing subscribers to express their decision flexibly increases the likelihood that subscribers will choose how they wish their personal information to be handled. For example, the carriers could permit subscribers to respond orally to carriers' 800 and 888 numbers as well as through simple "checks" on carrier-supplied reply forms.(34)
Subscribers should also be able to indicate with specificity which particular CPNI can be used, by whom, and for what purposes so that they can determine the precise levels of privacy protection they would like. For example, consumers should have the option to permit their carriers to use CPNI to market information about other services to them but to prohibit the sale of their CPNI to third parties.(35) Allowing this degree of specificity will maximize subscriber control over CPNI while also enhancing the ability of companies to use their customers' CPNI to market other services to them.(36)
IV. STATES MAY IMPOSE ADDITIONAL CPNI REQUIREMENTS THAT DO NOT
CONFLICT WITH FEDERAL POLICIES.
The Commission seeks comment on the extent to which Section 222 permits States to impose additional CPNI requirements.(37) As noted above, NTIA believes Section 222 was intended to establish minimum nationwide CPNI requirements. States may therefore impose additional CPNI requirements that enhance but do not impede the Federal privacy and competition policies the provision embodies.
The 1996 Act creates a different regulatory scheme from that contained in the 1934 Act -- one that expands the applicability of national rules to historically intrastate issues and State rules to interstate issues.(38) Section 222 must be read in light of this new jurisdictional balance.
The plain language of Section 222 also supports this interpretation. Section 222 does not distinguish between CPNI collected in connection with interstate and intrastate telecommunications services. It refers to all telecommunications carriers and thus plainly includes both interstate and intrastate carriers and services.(39) Congress was clearly able to make such distinctions in the Act where it wished to.(40) It is therefore reasonable to read Section 222 as establishing minimum national standards for use of CPNI to implement Congress' competitive and privacy policies.(41) Accordingly, Commission preemption of conflicting State regulations is appropriate.
This reading is bolstered by the fact that Congress is charged with knowledge of the Commission's past preemption of conflicting State CPNI regulations (which was upheld by a Federal appeals court).(42) It nonetheless chose not to reassess the Commission's authority.(43) Thus, Congress has tacitly endorsed the Commission's authority to preempt State CPNI regulations that conflict with Federal CPNI requirements.
Even if the Act were not read to create a new jurisdictional partnership between the State and Federal governments, the 1934 Act clearly authorized the Commission to preempt State CPNI regulations that impeded the Commission's regulations.(44) For example, if a State defined "telecommunications service" more broadly than the Commission -- such as referring to "local, interexchange, or commercial mobile radio service" and the Commission had chosen the narrower definition we recommend -- a carrier could potentially use CPNI obtained from provision of one local service to market another local service. This result would conflict with both the competition and privacy policies embodied in the Act. It would skew the competitive playing field and deprive residents of that State of the privacy protections that Congress and the Commission sought to afford them. Under this analysis, too, the Commission may preempt State CPNI regulations that undermine the Commission's policies promoting privacy and competition. For these reasons, the Commission should preempt State regulations that impede rather than augment the Commission's requirements.
We note, however, that nothing bars States from taking further steps to improve competition and privacy with respect to CPNI in a manner consistent with the Commission's regulations. Indeed, State regulators have more direct knowledge of market developments and customers' expectations about privacy in individual communities. In addition, many States have been at the forefront of improvements in telecommunications competition and privacy regulation. So long as the Commission's fundamental CPNI requirements are met, such experimentation by the States with regulatory improvements should be welcome.
V. IN RESOLVING THE INTERPLAY BETWEEN SECTIONS 222 AND SECTIONS
272 AND 274, THE COMMISSION CAN FURTHER BOTH PRIVACY AND
COMPETITION POLICIES BY ENSURING CUSTOMER CONTROL OF CPNI
THROUGH ADEQUATE NOTICE AND CONSENT.
In its February 20, 1997 Request for Further Comment,(45) the Commission asks a number of specific questions concerning the relationship between Section 222 and the non-discrimination and joint marketing obligations of Bell Operating Companies (BOCs) under Sections 272 and 274 of the Act. In answering these questions, it is important to bear in mind that Congress intended the 1996 Act to further competition generally and Section 222 to enhance privacy as well as competition.(46) NTIA suggests that the general principles it has articulated in interpreting Section 222 offer the Commission guidance in resolving many of the questions posed by the Commission in its Further Request. More specifically, NTIA believes Congress' goals can be reconciled without undue burdens on consumers or carriers and without sacrificing privacy or competition policies by providing consumers with full and adequate notice and an opportunity to consent to use of their CPNI.
The Commission's Non-Accounting Safeguards Order makes clear that CPNI is subject to the nondiscrimination requirement of Section 272(c)(1).(47) Thus, to the extent CPNI is made available to a BOC's affiliate, it must also be made available to unaffiliated companies on the same terms and conditions as it is made available to the affiliated company. Under NTIA's narrow reading of "telecommunications service" in Section 222, a BOC would have to provide notice and obtain customer consent whenever it provided information to its affiliated company in any event.(48) The Commission can minimize the impact of the nondiscrimination provisions of Section 272 on a customer's privacy by allowing consumers to determine whether they want CPNI to be made available in these circumstances.
Specifically, the Commission's rules can require that when a carrier seeks consent to provide information to its affiliated companies, the same notice must also inform consumers that if they consent to having their CPNI provided to a carrier's affiliate, the requesting carrier would also have to provide their CPNI to other nonaffiliated companies on the same terms and conditions. For the most part, customers could register their consent by "opting out." Where they wished to provide their CPNI to a carrier's affiliated company but withhold it from non-affiliated companies, however, they would have to provide an affirmative written response to the requesting carrier indicating their views.
For the foregoing reasons, NTIA respectfully requests that the Commission adopt the recommendations contained herein.
Respectfully submitted, Larry Irving ________________________ Assistant Secretary for Barbara S. Wellbery Communications and Information Chief Counsel Shirl Kinney Deputy Assistant Secretary for Timothy R. Robinson Communications and Information Attorney-Adviser Kathryn C. Brown Jana Gagner Associate Administrator Attorney-Adviser Tim Sloan Alfred Lee Office of Policy Analysis and Development National Telecommunications and Information Administration U.S. Department of Commerce Room 4713 14th and Constitution Ave., N.W. Washington, D.C. 20230 (202) 482-1816 March 27, 1997
1. Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, Notice of Proposed Rulemaking, CC Docket No. 96-115, FCC No. 96-221, 11 FCC Rcd 12513 (1996) [hereinafter Notice].
2. See 47 U.S.C. §222(c)(1). The Act defines CPNI as "information that relates to the quantity, technical configuration, type, destination, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship." 47 U.S.C. §222(f)(1)(A).
3. An on-line research service caused tremendous public outrage last year when it released a subscriber service that allegedly provided access to a database of more than 300 million names, addresses, aliases, maiden names, and social security numbers. See Wagner, Rumors Fuel Privacy Angst, ComputerWorld 1 (Sept. 23, 1996). Thousands of calls, faxes, and e-mails streamed in to the service requesting that personal information be purged from the database. Id. Although some of the resulting furor may have been caused by rumors ultimately said to be untrue about the nature of the information available (e.g., mothers' maiden names and social security numbers), the readiness of consumers to believe these rumors and the associated uproar suggest great public anxiety about the extent to which personal information is readily available and how subscribers' concerns about privacy have become more acute.
4. It has been estimated that a $5 billion dollar market could arise over the next three years for the distribution of personal information over the World Wide Web to businesses and consumers. Indeed, several firms are now designing software to enable Internet users to make queries of databases about individuals. See Foley and Caldwell, Dangerous Data: Linking Data Warehouses to the Web Can Bring in Billions of Dollars -- and Violate Your Customers' Privacy, Info. Wk. (Sept. 30, 1996).
5. See, e.g., Amendment to Sections 64.702 of the Commission's Rules and Regulations, Report and Order, 2 FCC Rcd 3072, 3096 modified on reconsideration, 3 FCC Rcd 1150 (1988) (the Commission exempts carriers from providing notice about CPNI use to single-line users to reduce carriers' administrative expenses but requires provision of notice about CPNI use to those customers with CPNI having greater marketing value and whose purchase of enhanced services would most likely raise competitive concerns)(See Notice, supra note 1, ¶3 n. 9 for full citation of these proceedings). See also Computer III Remand Proceedings, Report and Order, 6 FCC Rcd 7571, 7611-12, n. 159 (1991) (internal Bell Operating Company use of small subscriber CPNI does not raise significant privacy concerns).
6. H.R. Rep. No. 104-458, 104th Cong., 2d Sess. 205 (1996)[hereinafter Conference Report].
7. See id.
8. Participants in the IITF's Privacy Working Group were NTIA, the Bureau of Census, the Office of Management and Budget, the Department of Justice, the Department of Treasury, the Internal Revenue Service, the Department of Health and Human Services, the Federal Trade Commission, the Office of Consumer Affairs, the National Science Foundation, the National Archives and Records Administration, the Social Security Administration, and the Postal Service. The IITF privacy principles build upon pre-existing, international privacy guidelines, which include those adopted by the Organization for Economic Cooperation and Development in 1980. See IITF Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information 3 (1995) [hereinafter IITF Report].
9. National Telecommunications and Info. Admin., U.S. Dep't. Of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (1995) [hereinafter Privacy Report].
10. See Notice, supra note 1, ¶22 (the Commission tentatively concluded that "telecommunications service" should be based on traditional service distinctions including local, interexchange, and commercial mobile radio service). Some comments have expressed support for an even broader, alternative definition. Under this "package" definition, carriers could use CPNI derived from a discrete service offering to market a second service or group of services that the carrier has packaged together with the first service. See Comments of US West at 15; Comments of BellSouth at 17. All comments referenced now and hereinafter were filed in response to the Notice on or around June 11, 1996.
11. See infra Part V (arguing that a narrow definition of telecommunications service also eases somewhat the tensions between §§222 and 272 of the Act).
12. See Comments of AT&T at 12; Comments of BellSouth at 10.
13. 47 U.S.C. §222(c)(1)(emphasis added). The Commission correctly points to the use of the singular articles "a" and "the" to divine Congress's intent that carriers are to be prohibited "from using CPNI obtained from the provision of one service for marketing or other purposes in connection with the provision of another service." Notice, supra note 1, ¶21. The Commission, however, then strays from its logical path and tentatively concludes that it should demarcate telecommunications services based on "traditional service distinctions." Id. ¶22.
14. Notwithstanding this clear language, some commenters contend that a broader definition of telecommunications service comports better with the customer-carrier relationship. See Comments of GTE at 10; Comments of SBC at 5. According to those commenters, "consumers reasonably expect carriers with whom they have a business relationship to use internally information . . . to improve the range and level of service provided to that customer." Comments of SBC at 8. If that expectation is indeed the case for most consumers, they will readily consent to use of their CPNI. See infra Parts III.A at 19-22 and III.C at 24-27; see also Part V at 33-35.
15. Compare 47 U.S.C. §222(c)(1)(A) with 47 U.S.C. §222(c)(1)(B).
16. Under the package definition, a carrier could load service packages with one or more popular service offerings, thus allowing them to use CPNI derived from any telecommunications service within that package to market numerous, unrelated packages.
17. See Notice, supra note 1, ¶26. The Commission's existing CPNI rules prevent only the use of CPNI from regulated services to provide enhanced services and customer premises equipment, which are unregulated services. The Act, however, restricts the cross-utilization of CPNI derived from any telecommunications service to provide another service, regardless of whether the services are regulated. See 47 U.S.C. §222(c).
18. The express language contained in Section 222(c)(1) supports this conclusion. See 47 C.F.R. §222(a)(providing that "[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to . . . customers . . . .")(emphasis added). There are no exceptions in either the statute or the legislative history to support an interpretation that the Act should apply only to select telecommunications carriers. Furthermore, neither the Act nor its history suggest that the Commission has latitude to regulate some carriers, such as the monopoly local exchange carriers, while forbearing from regulating other carriers having less market power. But see Comments of MCI at 10; Comments of Sprint at 6.
Under newly added Section 10 of the Act, Congress requires the Commission to forbear from regulating a telecommunications carrier or telecommunications service if such regulation is not necessary to, among other things, protect consumers and promote the public interest. See 47 U.S.C. §160(a). Invoking Section 10 in this instance would be inappropriate, however, because
§§222(a) and 222(c)(1) are "necessary for the protection of [the privacy interests] of consumers." 47 U.S.C. §160(a)(2).
19. For example, these regulations require some telecommunications carriers -- namely the Bell Operating Companies and AT&T -- to notify multiline subscribers that they may allow or restrict internal use and disclosure of their CPNI to third-party vendors and service providers. See Notice, supra note 1, ¶3 n. 8-9. As a result, the existing regime falls short of promoting the legitimate privacy interests of single-line subscribers -- most of whom are residential subscribers and the primary intended beneficiaries of the Act -- and the single- and multi-line subscribers of all other telecommunications carriers. The existing regulations further discriminate against the privacy interests of the Bell Operating Companies' and GTE's non-business subscribers as well as all AT&T's subscribers whose CPNI may be used without prior authorization. Id.
20. See Comments of NYNEX at 4; Comments of MFS at 5; Comments of BellSouth at 23. See also Comments of Cable & Wireless at 5 (advance notice would better ensure customer understanding and help establish baseline uniformity among carriers). Some carriers have already begun to extol their privacy policies as part of their marketing strategies. For example, AT&T maintains an Internet home page directed at residential, long-distance subscribers that enables them to switch from their existing carrier to AT&T. As part of its marketing pitch, AT&T advises prospective subscribers about its commitment to maintaining privacy over subscriber information. See AT&T Corp. Web Page, <http:www.att.com>.
21. See infra Part IV.
22. Notice should leave subscribers with a clear understanding of how a carrier will use CPNI, especially for non-obvious purposes. NTIA does not suggest that carriers should have to advise subscribers about every conceivable use of their CPNI, but rather, it should advise subscribers generally that their CPNI may be used for developing and marketing new and additional telecommunications and information services. If a carrier plans to make CPNI available to its affiliates and falls within the requirements of Section 272, such notice should also indicate that a customer's CPNI will have to be made available to other carriers if it is made available to a carrier's affiliates. See 47 U.S.C. §272.
23. IITF Report, supra note 8, at 21 (referring to the Notice Principle as the "crux" of all principles of fair information practices). The House of Representatives defined three fundamental principles that are necessary to protect all consumers. These principles include (I) the right of consumers to know the specific information that is being collected about them; (ii) the right of consumers to have proper notice that such information is being used for other purposes; and (iii) the right of consumers to stop the reuse or sale of that information. See Conference Report, supra note 6, at 204; IITF Report, supra note 8, at 7.
24. See id. (stating that the goal of the notice principle is to ensure that an individual has sufficient information in an understandable form to make an informed decision). NTIA supports annual provision of notice by carriers to inform subscribers about their information handling practices. Annual notice will benefit subscribers by reminding them of their CPNI rights and advising them of any changes to their carriers' information handling practices. If a carrier changes its information policies substantially within the annual term, however, it should have to provide new notice before proceeding to use its subscribers' CPNI.
25. For example, if a subscriber does not permit a carrier to use his/her CPNI to market other services, the carrier will be unable to target marketing materials to that subscriber. See IITF Report, supra note 8, at 9, 14 (stressing that the notice and awareness principles require both information users who collect personal information to provide, and consumers who provide personal information to receive, adequate relevant information about the consequences of providing or withholding information).
26. The costs of providing notice and obtaining subscriber consent are relatively small. Carriers can minimize costs of providing notice to subscribers by, for example, including inserts in billings and other mailings to subscribers. In addition, these costs may be offset by cost-savings that some carriers could achieve as a result of providing subscribers with notice. Anecdotal evidence from firms that provide notice to consumers regarding their intended uses of consumer information and response mechanisms for those consumers, suggests that these costs are minimal. In addition, some of these firms report that these processes render their mailings more targeted and thus more cost-effective.
27. Notice should further advise subscribers that they may direct their existing carrier(s), in writing, to disclose their CPNI to designated third parties. Upon receiving written requests from subscribers, carriers must make such disclosure under the Act. See 47 U.S.C. §222(c)(2)(entitled "Disclosure on Request by Customers"). Of course, telecommunications carriers who receive CPNI, pursuant to a subscriber's written request, should also be required to notify subscribers about their CPNI handling practices before using or disclosing that information. See 47 U.S.C. §222(c)(1)("a telecommunications carrier that receives or obtains customer proprietary network information . . .")(emphasis added).
28. See Comments of AT&T at 7 (asserting that a firms' ability to use CPNI will encourage development and marketing of other new telecommunications services).
29. Notice, supra note 1, ¶28.
30. Even though providing adequate notice will present costs to telecommunications carriers, NTIA believes it is essential to inform subscribers about the use of their CPNI and their rights regarding that information. Written notice has been thought to be preferable to oral notice because it would reduce the likelihood of omissions by the notice giver, afford a subscriber more time to deliberate about whether to consent, and provide subscribers with a record of their rights and courses of redress. The transition to an electronic world, however, may be changing that equation.
31. See Privacy Report, supra note 9, at 25.
32. Many companies that do use opt-out forms of consent report that opt-out rates tend to be small -- in the three to five percent range.
33. See Privacy Report, supra note 9, at 25; see also Comments of BellSouth at 18-20 (supporting NTIA's modified contractual approach in dealing with notice and consent issues). Although BellSouth supports NTIA's privacy framework, NTIA takes issue with BellSouth's application of its privacy framework as it relates to BellSouth's proposed definition for "telecommunications service" under Section 222(c)(1). See supra, note 10 and accompanying text.
34. Obviously, any such consent would also have to be provided by a date certain or it could obviate carrier efforts to use opt-out consent.
35. At the same time, however, carriers must comply with Section 272 of the Act, which regards nondiscrimination requirements for Bell Operating Companies. If a Bell Operating Company shares CPNI with its Section 272 affiliate, it must also share the information with third parties, and if it is not willing to share the information with third parties, it cannot share it with its Section 272 affiliate, except as discussed supra in Part V at 34-35. See 47 U.S.C. § 272 (e).
36. As stated in the Privacy Report, different standards should apply to sensitive information. See Privacy Report, supra note 9, at 25. Some CPNI may involve information that appears sensitive, e.g., calls to and from AIDS clinics, women's shelters, and adult hotlines. For this reason, the Commission should examine the extent to which CPNI includes sensitive information. To the extent the Commission concludes that CPNI involves sensitive information, NTIA believes that affirmative consumer consent should be required before this information is released. See id.
37. 37 Notice, supra note 1, ¶17.
38. 38 See 47 U.S.C. §§251-54.
39. 47 U.S.C. §222. This reading of subsection 222(c) is supported further by subsection 222(e). Subsection 222(e) prescribes rules relating to the provision of subscriber list information by carriers providing telephone exchange service, which traditionally encompasses local service and comparable services. See 47 U.S.C. §153(47). As subsection (e) is structured as an exception to subsection (c), subsection (c) must clearly encompass both interstate and intrastate telecommunications services.
40. See 47 U.S.C. §§251-254.
41. Promoting privacy and competition are the twin goals of the Commission's regulations. See Conference Report, supra note 6, at 205.
We note that the overall thrust of the Act, as well as economic and technological trends, are eroding the traditional distinction between intrastate and intrastate service and give further credence to this view of Section 222.
42. California v. FCC, 39 F.3d 919, 931033 (9th Cir. 1994), cert. denied, __ U.S. __, 115 S. Ct. 1427 (1995).
43. 43 The Commission preempted State privacy protections that interfered with its Federal CPNI regulations in 1991. See Computer III Remand Proceedings: Bell Operating Company Safeguards and Tier I Local Exchange Company Safeguards, Report and Order, CC Docket No. 90-623, 6 FCC Rcd 7571, 7631 (1991).
44. 44 The Commission may preempt a State regulation that impedes a valid Federal regulatory objective. See Louisiana Public Service Commission v. FCC, 476 U.S. 355, 375 n.4 (1986); National Ass'n of Regulatory Util. Comm'rs v FCC, 880 F.2d 422, 429-30 (D.C. Cir. 1989); Public Service Commission of Maryland v. FCC, 909 F.2d 1510, 1515 (D.C. Cir. 1990); California v. FCC, 905 F.2d 1217, 1243 (9th Cir. 1990); California v. FCC, 39 F.3d 919, 931-33 (9th Cir. 1994), cert. denied, __ U.S. __, 115 S. Ct. 1427 (1995); and California v. FCC, 75 F.3d 1350 (9th Cir. 1996).
45. Common Carrier Bureau Seeks Further Comment on Specific Questions in CPNI Rulemaking, FCC Public Notice, CC Docket No. 96-115, DA 97-385 (Feb. 20, 1997).
46. See Conference Report, supra note 6, at 1, 205.
47. Implementation of the Non-Accounting Safeguards of Section 271 and 272 of the Communications Act of 1934, as amended, CC Docket No. 96-149, First Report and Order and Further Notice of Proposed Rulemaking, FCC 96-489, ¶222 (Dec. 24, 1996),
48. See supra, Part II.A at 9-14, Part III.A at 19-22. By its very nature, a carrier's affiliate provides a different type of "telecommunications service" than the carrier itself. (If it were providing the same service, no affiliate would be required.) As Section 222 allows access to and use and disclosure of CPNI only for the telecommunications service in which it was derived, notice and consent would be required before a carrier could share CPNI with an affiliate. See 47 U.S.C. §222(c)(1).
49. Section 222(c)(2) requires that a carrier "shall disclose customer proprietary network information, upon affirmative written request by the customer..." (emphasis added) while Section 222(c)(1) is silent as to the requisite form of a customer's approval. Section 222(c)(2) deals with customer initiated requests for disclosure for CPNI and makes such disclosure mandatory, while Section 222(c)(1) deals with carrier initiated disclosures that are permissive. Given these distinctions, there is no basis for concluding that the same type of consent is required for both provisions and that a customer must also provide affirmative written consent before a carrier may disclose CPNI under Section 222(c)(1). Congress clearly distinguished between the two types of disclosure, specifying affirmative written consent under Section 222(c)(2) perhaps as a means of ensuring that such information was indeed transmitted when requested by a customer. Given that disclosures under Section 222(c)(2) are customer-initiated, NTIA would also conclude that if a customer requests disclosure to a company affiliated with the carrier, CPNI would not have to be provided to unaffiliated companies pursuant to that request. The Commission would, however, have to be vigilant about the potential for carrier manipulation in such instances.