In the Matter of
Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information
CC Docket No. 96-115
REPLY COMMENTS OF THE NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION
Larry Irving, Assistant Secretary for Communications and Information
Shirl Kinney, Deputy Assistant Secretary for Communications and Information
Kathryn C. Brown, Associate Administrator
Tim Sloan
Alfred Lee
Office of Policy Analysis and Development
Barbara S. Wellbery, Chief Counsel
Timothy R. Robinson, Attorney-Adviser
Jana Gagner, Attorney-Adviser
National Telecommunications and Information Administration
U.S. Department of Commerce
Room 4713
14th and Constitution Ave., N.W.
Washington, D.C. 20230
(202) 482-1816
March 27, 1997
Table of Contents
I. BACKGROUND
   A. Computer Networks and Databases Are Largely Responsible for Growing Privacy Concerns
   B. The Act Calls For Establishment of a Regulatory Regime That Weighs Privacy Equally With Competition
II. THE COMMISSION SHOULD IMPLEMENT SECTION 222 BY GIVING FULL EFFECT TO THE PRIVACY AND COMPETITION PRINCIPLES UNDERLYING ITS PROVISIONS
   A. "Telecommunications Service" Should Be Narrowly Defined
   B. The Commission has Correctly Concluded that Section 222 Applies to All Telecommunications Carriers
III. THE COMMISSION'S MINIMUM NATIONAL PRIVACY REQUIREMENTS SHOULD MAXIMIZE CUSTOMERS' ABILITY TO CONTROL USE OF THEIR CPNI WHILE MAINTAINING THE FREE FLOW OF INFORMATION
   A. Subscriber Notice Must Be Adequate
   B. The Form of Notice Should Maximize Subscriber Response Rates and Be Cost-Effective
   C. Subscribers Should Be Able to "Opt-Out" and Respond to Notice In Other Cost-Effective, Flexible Ways
IV. STATES MAY IMPOSE ADDITIONAL CPNI REQUIREMENTS THAT DO NOT CONFLICT WITH FEDERAL POLICIES
V. IN RESOLVING THE INTERPLAY BETWEEN SECTION 222 AND SECTIONS 272 AND 274, THE COMMISSION CAN FURTHER BOTH PRIVACY AND COMPETITION POLICIES BY ENSURING CUSTOMER CONTROL OF CPNI THROUGH ADEQUATE NOTICE AND CONSENT
Congress enacted Section 222 of the Telecommunications Act
of 1996 against a backdrop of growing concerns about information
privacy and a regulatory regime for Customer Proprietary Network
Information (CPNI) based mostly on competition policy.
Accordingly, the Act calls for establishment of a new regulatory
regime that weighs privacy equally with competition. To give
full effect to the privacy and competition principles underlying
Section 222, NTIA recommends that the Commission define
"telecommunications service" narrowly for purposes of
implementing this section, and that the Commission ensure that
Section 222 is applied to all telecommunications carriers.
NTIA further recommends that the Commission's minimum
national privacy requirements maximize customers' ability to
control use of their CPNI while maintaining the free flow of
information. Subscriber notice must therefore be adequate, and
the form of notice should maximize subscriber response rates and
be cost-effective. In addition, subscribers should be able to
"opt-out" and respond to notice in other cost-effective, flexible
ways in most situations. Furthermore, NTIA believes that States
may impose additional CPNI requirements that do not conflict with
Finally, in resolving the interplay between Section 222 and Sections 272 and 274 of the Act, NTIA believes that the Commission can further both privacy and competition policies by ensuring customer control of CPNI through adequate notice and consent.
NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION
The National Telecommunications and Information
Administration (NTIA), which is within the U.S. Department of
Commerce, is the President's principal adviser on
telecommunications and information policy. NTIA respectfully
submits these reply comments to the Commission's Notice of
Proposed Rulemaking (Notice) in the above-captioned proceeding.(1)
Section 222 of the Telecommunications Act of 1996 (the
"Act") mandates that all telecommunications carriers abide by
certain requirements affecting the use and release of customer
proprietary network information ("CPNI").(2) In implementing this
provision, the Commission must be mindful that Congress enacted
this statute against a backdrop of growing concerns about
information privacy and a CPNI regulatory regime based mostly on
A. Computer Networks and Databases Are Largely Responsible
for Growing Privacy Concerns.
The proliferation of computerized information systems and
electronic databases has created increased concerns about
information privacy. Such systems have made it infinitely
easier, faster, and far less expensive to collect, generate,
sort, and disseminate personal information than had been possible
previously.(3) As a result, businesses can harvest a wealth of
personal information about individuals. There is also a large
and growing market in the sale and purchase of personal
Personal information has become a valuable commodity that
benefits firms and consumers alike. It enables firms to develop
new service offerings and target the marketing of them to
subscribers. As a result, telecommunications carriers have
become large users of personal information. Telecommunications
carriers can mine proprietary customer databases to discover whom
subscribers call; from whom subscribers receive calls; when and
how frequently subscribers make certain calls; and details about
the technical configuration of subscribers' telecommunication
services. This data, along with other personal data from other
sources, can then be translated into intelligible subscriber
profiles containing information about the identities and
whereabouts of subscribers' friends and relatives; which
businesses subscribers patronize; when subscribers are likely to
be home and/or awake; product and service preferences; and how
frequently and cost-effectively subscribers use their
B. The Act Calls For Establishment of a Regulatory Regime
That Weighs Privacy Equally With Competition.
The Commission's existing regulatory regime regarding CPNI
circumscribes the ability of some telecommunications carriers --
but not others -- to use CPNI for marketing enhanced services and
customer premises equipment. The prevailing rationale for these
differences in treatment hinges to a great extent on competition
policy, not subscriber privacy.(5)
As evidenced by the Act's legislative history, Congress
recognized the potential tensions between growing business demand
for personal information and consumers' privacy interest in
controlling the use and dissemination of their personal
information. Specifically, the Conference Report stated that, in
Section 222, Congress was striving "to balance both competitive
and consumer privacy interests with respect to CPNI."(6) Thus, to
satisfy consumers' demands and needs, Congress explicitly
required a different regulatory regime that places privacy
interests in CPNI on an equal footing with competition policy.(7)
The Clinton Administration has also recognized the
importance of consumer privacy issues in this new electronic
information era. The President established the Information
Infrastructure Task Force (the IITF) to formulate National
Information Infrastructure (NII)-friendly policies in various
areas, including privacy and security. The IITF, in turn,
through its privacy working group, developed principles
applicable to all NII participants, users of personal
information, and individuals who provide personal information to
users of that information.(8)
Drawing on these principles and guidelines, NTIA developed a
voluntary framework to address privacy concerns in a white paper
entitled, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information.(9) This framework can assist the
Commission in fulfilling Congress's intent: it balances
subscribers' interests in privacy against the interest in the
free flow of information. This framework is premised on two
minimum requirements: (1) carriers must provide subscribers with
adequate notice about the types of personal information that are
collected and the intended uses of that information and (2) they
must obtain subscriber consent before using that information.
II. THE COMMISSION SHOULD IMPLEMENT SECTION 222 BY GIVING FULL
EFFECT TO THE PRIVACY AND COMPETITION PRINCIPLES UNDERLYING
To give full effect to the privacy and competition
principles underlying Section 222, the Commission must construe
"telecommunications service" narrowly and apply the provision to
all telecommunications carriers.
A. "Telecommunications Service" Should Be Narrowly
NTIA believes that the "plain-face" meaning of Section 222
of the Act and sound policy reasons support a narrow definition
of "telecommunications service." Although the Commission --
through its proposed definition of "telecommunications service"
-- has attempted to bridge the divide between narrow and broad
definitions of that term, the statute does not support either the
Commission's tripartite definition (i.e., local, interexchange,
or commercial mobile radio services) or the "package" definition
that some comments recommend.(10)
Moreover, both definitions would
give subscribers less control over how their CPNI is used than a
narrow definition would. Therefore, as discussed further below,
NTIA urges the Commission to adopt a narrow definition of
"telecommunications service" in order to protect subscribers'
privacy interests adequately.(11)
A narrow definition of "telecommunications service" is supported by the clear language of Subsection 222(c)(1).(12) Under this provision, only upon a subscriber's approval or where required by another law, would a carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service be authorized to use, disclose, or permit access to CPNI in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.(13)
The singular use of "telecommunications service" suggests a
limited reading of the provision as does reading the provision in
its entirety. Subsection 222(c)(1)(B) provides a gloss to
Subsection 222(c)(1)(A) and makes clear that only a narrow
definition of "telecommunications service" comports with a
reading of both subsections of Section 222(c).(14) By specifying
that carriers can use CPNI only for "services necessary to, or
used in, the provision of such telecommunications service,"
Congress made clear its intent to limit closely the uses to which
CPNI could be put without consumer consent and thus its intent
to define "telecommunications service" narrowly. A broad reading
of "telecommunications service" in subsection (A) would be
inconsistent with the very limited circumstance in which Congress
permits CPNI to be used in subsection (B).(15)
As a policy matter, it is critical that the Commission adopt
a narrow definition of "telecommunications service." A narrow
definition will better implement Congress' mandate to protect
subscriber privacy by requiring carriers in many more instances
to obtain subscribers' authority before using their CPNI. A
narrow definition provides subscribers with a better mechanism to
limit uses of their CPNI.
A broad definition, on the other hand, would permit carriers
to use CPNI in many more instances without giving subscribers any
voice in how their information is used. In addition, defining
"telecommunications service" broadly could create perverse
incentives for carriers -- who will in the first instance
categorize services -- to lump otherwise discrete service
offerings together.(16) Finally, a broader definition could also
favor incumbent local exchange carriers who would be able to use
CPNI gathered from one service to market another service to the
disadvantage of new market entrants.
Finally, as discussed further in Part III.C, a narrow
reading of "telecommunications services" would not create
barriers to the free flow of information. Rather, it would
enhance customers' privacy by giving them more control over how
their personal information is used and may in fact provide
The statute's clear language and underlying policies are all
compelling reasons for defining "telecommunications service"
narrowly. For these reasons, NTIA urges the Commission to define
"telecommunications service" more narrowly than it proposes.
B. The Commission has Correctly Concluded that Section 222
Applies to All Telecommunications Carriers.
Under the Commission's proposed reading of Section 222 of
the Act, all telecommunications carriers providing
telecommunications services in all instances would be subject to
the provision's terms, not just those with market power or those
providing service to certain subscribers.(17) NTIA endorses this
approach because it is consistent with the statute's plain
language and promotes the policies inherent in the new
The existing CPNI regime illustrates how the application of
CPNI safeguards to select carriers in certain instances fails to
protect all subscribers' privacy interests adequately.(19)
Limiting CPNI restrictions to situations where a carrier has
market power or the CPNI has certain commercial value to carriers
(e.g., individual vs. business, single line vs. multiline),
clearly leaves some subscribers with no privacy protection for
their CPNI. Applying Section 222's requirements to all
telecommunications carriers would correct that problem.
The proposed regime would also promote competition in the
telecommunications services marketplace better than the current
regime does.(20) Notwithstanding the existing regime's focus on
protecting competition, that regime nonetheless skews competition
by imposing greater regulatory burdens on certain carriers than
it imposes on others.
Applying Section 222 to all carriers also would allow the
Commission to establish minimum nationwide requirements for
notice and consent.(21) Such requirements would both adequately
protect subscriber privacy and prevent carriers from exploiting
their monopoly position to access and make use of subscriber
CPNI. Holding all carriers to such requirements would also
minimize subscriber confusion by establishing a clear standard on
which subscribers can rely. In addition, once the privacy of
their personal information is assured, subscribers will
undoubtedly be more willing to subscribe to new
telecommunications services. The consequence should be greater
expansion of the telecommunications services marketplace, which
in turn will benefit all telecommunications carriers.
III. THE COMMISSION'S MINIMUM NATIONAL PRIVACY REQUIREMENTS
SHOULD MAXIMIZE CUSTOMERS' ABILITY TO CONTROL USE OF THEIR
CPNI WHILE MAINTAINING THE FREE FLOW OF INFORMATION.
In implementing Section 222 of the Act, the Commission
should balance maximizing to the extent possible consumers'
ability to control use of their personal information against the
interest in the free flow of such information. Requiring
adequate consumer notice and flexible consent procedures will go
far in allowing consumers control over their personal information
while protecting the free flow of information. These minimum
nationwide requirements should be incorporated into any new CPNI
regulatory regime that the Commission constructs.
A. Subscriber Notice Must Be Adequate.
In order to give subscribers meaningful control over how their personal information is used, they must have adequate notice that specifies in clear terms the nature of the information collected, how it will be used, and its potential uses and users.(22)
More specifically, the notice provided should inform subscribers about their carrier's:
By evaluating the notice they provide against these criteria,
telecommunications carriers can gauge the "adequacy" of such
Carriers should also be required to notify subscribers about the consequences of withholding permission to use their personal information.(25) This requirement will allow subscribers to make informed decisions by weighing the pros and cons of consenting to the use and possible disclosure of their personal information.(26) Notices containing this information will advance the Act's goal to promote competition by better enabling subscribers to compare the CPNI information-handling practices of competing telecommunications services providers.(27) By promoting freer flows of information, these measures will in turn enhance consumer welfare and improve carriers' abilities to compete.(28)
B. The Form of Notice Should Maximize Subscriber Response
Rates and Be Cost-Effective.
In the Notice, the Commission asks for comments on the form -- oral or written -- in which carriers should have to notify consumers about how their information will be used and how they may control access to their CPNI.(29) Traditionally, written notice has been viewed as substantially better than oral notice, but that view may be changing as technology evolves.(30) NTIA therefore recommends that the Commission look to whether the form of notice meets two objectives -- maximization of subscriber response and cost-effectiveness -- rather than specifying that it be oral or written.
For notice to be effective, it must be designed to maximize
subscriber response. Therefore, carriers should be required to
provide notice in formats that are easily identifiable and
understandable to subscribers and which they will not reflexively
discard or disregard. But carriers should also be afforded the
latitude to develop notice in the lowest-cost format possible so
long as it is complete and will actually elicit response from
those subscribers who would care to make known their views on
whether they consent to the use of their CPNI.
C. Subscribers Should Be Able to "Opt-Out" and Respond to
Notice In Other Cost-Effective, Flexible Ways.
The Commission should permit carriers to use "opt-out" consent. Under an opt-out approach, carriers could presume, absent a subscriber's objection within a prescribed time, that they could use CPNI for purposes identified in the notice.(31) Opt-out consent gives subscribers who care about limiting the use of their CPNI the ability to do so while minimizing the burden on consumers who do not. It also minimizes costs for companies as well as burdens on the free flow of information.(32) Subscribers should not be restricted, however, from also contacting their carriers directly and affirmatively authorizing them to use CPNI in accordance with the terms and conditions of the carrier-provided notice.(33) In short, an "opt-out" approach would minimize the burden on subscribers, carriers, and the free flow of information.
To elicit greater responsiveness by subscribers to carrier-provided notice, the Commission should also require carriers to
permit subscribers to respond -- as flexibly as possible -- to
the notice provided. Allowing subscribers to express their
decision flexibly increases the likelihood that subscribers will
choose how they wish their personal information to be handled.
For example, the carriers could permit subscribers to respond
orally to carriers' 800 and 888 numbers as well as through simple
"checks" on carrier-supplied reply forms.(34)
Subscribers should also be able to indicate with specificity
which particular CPNI can be used, by whom, and for what purposes
so that they can determine the precise levels of privacy
protection they would like. For example, consumers should have
the option to permit their carriers to use CPNI to market
information about other services to them but to prohibit the sale
of their CPNI to third parties.(35) Allowing this degree of
specificity will maximize subscriber control over CPNI while also
enhancing the ability of companies to use their customers' CPNI
to market other services to them.(36)
IV. STATES MAY IMPOSE ADDITIONAL CPNI REQUIREMENTS THAT DO NOT
CONFLICT WITH FEDERAL POLICIES.
The Commission seeks comment on the extent to which Section
222 permits States to impose additional CPNI requirements.(37) As
noted above, NTIA believes Section 222 was intended to establish
minimum nationwide CPNI requirements. States may therefore
impose additional CPNI requirements that enhance but do not
impede the Federal privacy and competition policies the provision
The 1996 Act creates a different regulatory scheme from that
contained in the 1934 Act -- one that expands the applicability
of national rules to historically intrastate issues and State
rules to interstate issues.(38) Section 222 must be read in light
of this new jurisdictional balance.
The plain language of Section 222 also supports this
interpretation. Section 222 does not distinguish between CPNI
collected in connection with interstate and intrastate
telecommunications services. It refers to all telecommunications
carriers and thus plainly includes both interstate and intrastate
carriers and services.(39) Congress was clearly able to make such
distinctions in the Act where it wished to.(40) It is therefore
reasonable to read Section 222 as establishing minimum national
standards for use of CPNI to implement Congress' competitive and
privacy policies.(41) Accordingly, Commission preemption of
conflicting State regulations is appropriate.
This reading is bolstered by the fact that Congress is
charged with knowledge of the Commission's past preemption of
conflicting State CPNI regulations (which was upheld by a Federal
appeals court).(42) It nonetheless chose not to reassess the
Commission's authority.(43) Thus, Congress has tacitly endorsed
the Commission's authority to preempt State CPNI regulations that
conflict with Federal CPNI requirements.
Even if the Act were not read to create a new jurisdictional
partnership between the State and Federal governments, the 1934
Act clearly authorized the Commission to preempt State CPNI
regulations that impeded the Commission's regulations.(44) For
example, if a State defined "telecommunications service" more
broadly than the Commission -- such as referring to "local,
interexchange, or commercial mobile radio service" and the
Commission had chosen the narrower definition we recommend -- a
carrier could potentially use CPNI obtained from provision of one
local service to market another local service. This result would
conflict with both the competition and privacy policies embodied
in the Act. It would skew the competitive playing field and
deprive residents of that State of the privacy protections that
Congress and the Commission sought to afford them. Under this
analysis, too, the Commission may preempt State CPNI regulations
that undermine the Commission's policies promoting privacy and
competition. For these reasons, the Commission should preempt
State regulations that impede rather than augment the
We note, however, that nothing bars States from taking
further steps to improve competition and privacy with respect to
CPNI in a manner consistent with the Commission's regulations.
Indeed, State regulators have more direct knowledge of market
developments and customers' expectations about privacy in
individual communities. In addition, many States have been at
the forefront of improvements in telecommunications competition
and privacy regulation. So long as the Commission's fundamental
CPNI requirements are met, such experimentation by the States
with regulatory improvements should be welcome.
V. IN RESOLVING THE INTERPLAY BETWEEN SECTION 222 AND SECTIONS
272 AND 274, THE COMMISSION CAN FURTHER BOTH PRIVACY AND
COMPETITION POLICIES BY ENSURING CUSTOMER CONTROL OF CPNI
THROUGH ADEQUATE NOTICE AND CONSENT.
In its February 20, 1997 Request for Further Comment,(45) the Commission asks a number of specific questions concerning the relationship between Section 222 and the non-discrimination and joint marketing obligations of Bell Operating Companies (BOCs) under Sections 272 and 274 of the Act. In answering these questions, it is important to bear in mind that Congress intended the 1996 Act to further competition generally and Section 222 to enhance privacy as well as competition.(46) NTIA suggests that the general principles it has articulated in interpreting Section 222 offer the Commission guidance in resolving many of the questions posed by the Commission in its Further Request. More specifically, NTIA believes Congress' goals can be reconciled without undue burdens on consumers or carriers and without sacrificing privacy or competition policies by providing consumers with full and adequate notice and an opportunity to consent to use of their CPNI.
The Commission's Non-Accounting Safeguards Order makes clear
that CPNI is subject to the nondiscrimination requirement of
Section 272(c)(1).(47) Thus, to the extent CPNI is made available
to a BOC's affiliate, it must also be made available to
unaffiliated companies on the same terms and conditions as it is
made available to the affiliated company. Under NTIA's narrow
reading of "telecommunications service" in Section 222, a BOC
would have to provide notice and obtain customer consent whenever
it provided information to its affiliated company in any event.(48)
The Commission can minimize the impact of the nondiscrimination
provisions of Section 272 on a customer's privacy by allowing
consumers to determine whether they want CPNI to be made
available in these circumstances.
Specifically, the Commission's rules can require that when a
carrier seeks consent to provide information to its affiliated
companies, the same notice must also inform consumers that if
they consent to having their CPNI provided to a carrier's
affiliate, the requesting carrier would also have to provide
their CPNI to other nonaffiliated companies on the same terms and
conditions. For the most part, customers could register their
consent by "opting out." Where they wished to provide their
CPNI to a carrier's affiliated company but withhold it from non-affiliated companies, however, they would have to provide an
affirmative written response to the requesting carrier indicating
Such notice would place control over CPNI in consumers'
Under this approach, consumers would be able to determine the
level of privacy they want and whether they want to receive
marketing materials for other services not only from affiliated
companies, but also from unaffiliated companies. At the same
time, nonaffiliated companies would for the most part enjoy the
same access to CPNI as affiliated companies. As noted above,
where the carrier originates the disclosure of CPNI, customer
approval would be governed by Section 222(c)(1) and opt-out
consent for the most part would be sufficient.(49) As long as
customer control over CPNI is maintained through the provision of
adequate notice and opportunity for consent, NTIA believes that
both the privacy and competition policies embodied in Section 222
can be reconciled with the nondiscrimination and joint marketing
policies of the Act.
For the foregoing reasons, NTIA respectfully requests that the Commission adopt the recommendations contained herein.
Respectfully submitted,
________________________
Larry Irving, Assistant Secretary for Communications and Information
Shirl Kinney, Deputy Assistant Secretary for Communications and Information
Kathryn C. Brown, Associate Administrator
Tim Sloan
Alfred Lee
Office of Policy Analysis and Development
Barbara S. Wellbery, Chief Counsel
Timothy R. Robinson, Attorney-Adviser
Jana Gagner, Attorney-Adviser
National Telecommunications and Information Administration
U.S. Department of Commerce
Room 4713
14th and Constitution Ave., N.W.
Washington, D.C. 20230
(202) 482-1816
March 27, 1997
1. Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, Notice of Proposed Rulemaking, CC Docket No. 96-115, FCC No. 96-221, 11 FCC Rcd 12513 (1996) [hereinafter Notice].
2. See 47 U.S.C. §222(c)(1). The Act defines CPNI as "information that relates to the quantity, technical configuration, type, destination, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship." 47 U.S.C. §222(f)(1)(A).
3. An on-line research service caused tremendous public outrage last year when it released a subscriber service that allegedly provided access to a database of more than 300 million names, addresses, aliases, maiden names, and social security numbers. See Wagner, Rumors Fuel Privacy Angst, ComputerWorld 1 (Sept. 23, 1996). Thousands of calls, faxes, and e-mails streamed in to the service requesting that personal information be purged from the database. Id. Although some of the resulting furor may have been caused by rumors ultimately said to be untrue about the nature of the information available (e.g., mothers' maiden names and social security numbers), the readiness of consumers to believe these rumors and the associated uproar suggest great public anxiety about the extent to which personal information is readily available and how subscribers' concerns about privacy have become more acute.
4. It has been estimated that a $5 billion market could arise over the next three years for the distribution of personal information over the World Wide Web to businesses and consumers. Indeed, several firms are now designing software to enable Internet users to make queries of databases about individuals. See Foley and Caldwell, Dangerous Data: Linking Data Warehouses to the Web Can Bring in Billions of Dollars -- and Violate Your Customers' Privacy, Info. Wk. (Sept. 30, 1996).
5. See, e.g., Amendment to Sections 64.702 of the Commission's Rules and Regulations, Report and Order, 2 FCC Rcd 3072, 3096, modified on reconsideration, 3 FCC Rcd 1150 (1988) (the Commission exempts carriers from providing notice about CPNI use to single-line users to reduce carriers' administrative expenses but requires provision of notice about CPNI use to those customers with CPNI having greater marketing value and whose purchase of enhanced services would most likely raise competitive concerns) (see Notice, supra note 1, ¶3 n. 9 for full citation of these proceedings). See also Computer III Remand Proceedings, Report and Order, 6 FCC Rcd 7571, 7611-12, n. 159 (1991) (internal Bell Operating Company use of small subscriber CPNI does not raise significant privacy concerns).
6. H.R. Rep. No. 104-458, 104th Cong., 2d Sess. 205 (1996) [hereinafter Conference Report].
7. See id.
8. Participants in the IITF's Privacy Working Group were NTIA, the Bureau of Census, the Office of Management and Budget, the Department of Justice, the Department of Treasury, the Internal Revenue Service, the Department of Health and Human Services, the Federal Trade Commission, the Office of Consumer Affairs, the National Science Foundation, the National Archives and Records Administration, the Social Security Administration, and the Postal Service. The IITF privacy principles build upon pre-existing, international privacy guidelines, which include those adopted by the Organization for Economic Cooperation and Development in 1980. See IITF Privacy Working Group, Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information 3 (1995) [hereinafter IITF Report].
9. National Telecommunications and Info. Admin., U.S. Dep't of Commerce, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information (1995) [hereinafter Privacy Report].
10. See Notice, supra note 1, ¶22 (the Commission tentatively concluded that "telecommunications service" should be based on traditional service distinctions including local, interexchange, and commercial mobile radio service). Some comments have expressed support for an even broader, alternative definition. Under this "package" definition, carriers could use CPNI derived from a discrete service offering to market a second service or group of services that the carrier has packaged together with the first service. See Comments of US West at 15; Comments of BellSouth at 17. All comments referenced now and hereinafter were filed in response to the Notice on or around June 11, 1996.
11. See infra Part V (arguing that a narrow definition of telecommunications service also eases somewhat the tensions between §§222 and 272 of the Act).
12. See Comments of AT&T at 12; Comments of BellSouth at 10.
13. 47 U.S.C. §222(c)(1)(emphasis added). The Commission correctly points to the use of the singular articles "a" and "the" to divine Congress's intent that carriers are to be prohibited "from using CPNI obtained from the provision of one service for marketing or other purposes in connection with the provision of another service." Notice, supra note 1, ¶21. The Commission, however, then strays from its logical path and tentatively concludes that it should demarcate telecommunications services based on "traditional service distinctions." Id. ¶22.
14. Notwithstanding this clear language, some commenters contend that a broader definition of telecommunications service comports better with the customer-carrier relationship. See Comments of GTE at 10; Comments of SBC at 5. According to those commenters, "consumers reasonably expect carriers with whom they have a business relationship to use internally information . . . to improve the range and level of service provided to that customer." Comments of SBC at 8. If that expectation is indeed the case for most consumers, they will readily consent to use of their CPNI. See infra Parts III.A at 19-22 and III.C at 24-27; see also Part V at 33-35.
15. Compare 47 U.S.C. §222(c)(1)(A) with 47 U.S.C. §222(c)(1)(B).
16. Under the package definition, a carrier could load service packages with one or more popular service offerings, thus allowing them to use CPNI derived from any telecommunications service within that package to market numerous, unrelated packages.
17. See Notice, supra note 1, ¶26. The Commission's existing CPNI rules prevent only the use of CPNI from regulated services to provide enhanced services and customer premises equipment, which are unregulated services. The Act, however, restricts the cross-utilization of CPNI derived from any telecommunications service to provide another service, regardless of whether the services are regulated. See 47 U.S.C. §222(c).
18. The express language contained in Section 222(c)(1) supports this conclusion. See 47 C.F.R. §222(a)(providing that "[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to . . . customers . . . .")(emphasis added). There are no exceptions in either the statute or the legislative history to support an interpretation that the Act should apply only to select telecommunications carriers. Furthermore, neither the Act nor its history suggests that the Commission has latitude to regulate some carriers, such as the monopoly local exchange carriers, while forbearing from regulating other carriers having less market power. But see Comments of MCI at 10; Comments of Sprint at 6.
Under newly added Section 10 of the Act, Congress requires the Commission to forbear from regulating a telecommunications carrier or telecommunications service if such regulation is not necessary to, among other things, protect consumers and promote the public interest. See 47 U.S.C. §160(a). Invoking Section 10 in this instance would be inappropriate, however, because §§222(a) and 222(c)(1) are "necessary for the protection of [the privacy interests] of consumers." 47 U.S.C. §160(a)(2).
19. For example, these regulations require some telecommunications carriers -- namely the Bell Operating Companies and AT&T -- to notify multiline subscribers that they may allow or restrict internal use and disclosure of their CPNI to third-party vendors and service providers. See Notice, supra note 1, ¶3 n. 8-9. As a result, the existing regime falls short of promoting the legitimate privacy interests of single-line subscribers -- most of whom are residential subscribers and the primary intended beneficiaries of the Act -- and the single- and multi-line subscribers of all other telecommunications carriers. The existing regulations further discriminate against the privacy interests of the Bell Operating Companies' and GTE's non-business subscribers as well as all AT&T's subscribers whose CPNI may be used without prior authorization. Id.
20. See Comments of NYNEX at 4; Comments of MFS at 5; Comments of BellSouth at 23. See also Comments of Cable & Wireless at 5 (advance notice would better ensure customer understanding and help establish baseline uniformity among carriers). Some carriers have already begun to extol their privacy policies as part of their marketing strategies. For example, AT&T maintains an Internet home page directed at residential, long-distance subscribers that enables them to switch from their existing carrier to AT&T. As part of its marketing pitch, AT&T advises prospective subscribers about its commitment to maintaining privacy over subscriber information. See AT&T Corp. Web Page, <http://www.att.com>.
21. See infra Part IV.
22. Notice should leave subscribers with a clear understanding of how a carrier will use CPNI, especially for non-obvious purposes. NTIA does not suggest that carriers should have to advise subscribers about every conceivable use of their CPNI, but rather, it should advise subscribers generally that their CPNI may be used for developing and marketing new and additional telecommunications and information services. If a carrier plans to make CPNI available to its affiliates and falls within the requirements of Section 272, such notice should also indicate that a customer's CPNI will have to be made available to other carriers if it is made available to a carrier's affiliates. See 47 U.S.C. §272.
23. IITF Report, supra note 8, at 21 (referring to the Notice Principle as the "crux" of all principles of fair information practices). The House of Representatives defined three fundamental principles that are necessary to protect all consumers. These principles include (i) the right of consumers to know the specific information that is being collected about them; (ii) the right of consumers to have proper notice that such information is being used for other purposes; and (iii) the right of consumers to stop the reuse or sale of that information. See Conference Report, supra note 6, at 204; IITF Report, supra note 8, at 7.
24. See id. (stating that the goal of the notice principle is to ensure that an individual has sufficient information in an understandable form to make an informed decision). NTIA supports annual provision of notice by carriers to inform subscribers about their information handling practices. Annual notice will benefit subscribers by reminding them of their CPNI rights and advising them of any changes to their carriers' information handling practices. If a carrier changes its information policies substantially within the annual term, however, it should have to provide new notice before proceeding to use its subscribers' CPNI.
25. For example, if a subscriber does not permit a carrier to use his/her CPNI to market other services, the carrier will be unable to target marketing materials to that subscriber. See IITF Report, supra note 8, at 9, 14 (stressing that the notice and awareness principles require both information users who collect personal information to provide, and consumers who provide personal information to receive, adequate relevant information about the consequences of providing or withholding information).
26. The costs of providing notice and obtaining subscriber consent are relatively small. Carriers can minimize costs of providing notice to subscribers by, for example, including inserts in billings and other mailings to subscribers. In addition, these costs may be offset by cost-savings that some carriers could achieve as a result of providing subscribers with notice. Anecdotal evidence from firms that provide notice to consumers regarding their intended uses of consumer information and response mechanisms for those consumers, suggests that these costs are minimal. In addition, some of these firms report that these processes render their mailings more targeted and thus more cost-effective.
27. Notice should further advise subscribers that they may direct their existing carrier(s), in writing, to disclose their CPNI to designated third parties. Upon receiving written requests from subscribers, carriers must make such disclosure under the Act. See 47 U.S.C. §222(c)(2)(entitled "Disclosure on Request by Customers"). Of course, telecommunications carriers who receive CPNI, pursuant to a subscriber's written request, should also be required to notify subscribers about their CPNI handling practices before using or disclosing that information. See 47 U.S.C. §222(c)(1)("a telecommunications carrier that receives or obtains customer proprietary network information . . .")(emphasis added).
28. See Comments of AT&T at 7 (asserting that a firm's ability to use CPNI will encourage development and marketing of other new telecommunications services).
29. Notice, supra note 1, ¶28.
30. Even though providing adequate notice will present costs to telecommunications carriers, NTIA believes it is essential to inform subscribers about the use of their CPNI and their rights regarding that information. Written notice has been thought to be preferable to oral notice because it would reduce the likelihood of omissions by the notice giver, afford a subscriber more time to deliberate about whether to consent, and provide subscribers with a record of their rights and courses of redress. The transition to an electronic world, however, may be changing that equation.
31. See Privacy Report, supra note 9, at 25.
32. Many companies that do use opt-out forms of consent report that opt-out rates tend to be small -- in the three to five percent range.
33. See Privacy Report, supra note 9, at 25; see also Comments of BellSouth at 18-20 (supporting NTIA's modified contractual approach in dealing with notice and consent issues). Although BellSouth supports NTIA's privacy framework, NTIA takes issue with BellSouth's application of its privacy framework as it relates to BellSouth's proposed definition for "telecommunications service" under Section 222(c)(1). See supra, note 10 and accompanying text.
34. Obviously, any such consent would also have to be provided by a date certain or it could obviate carrier efforts to use opt-out consent.
35. At the same time, however, carriers must comply with Section 272 of the Act, which regards nondiscrimination requirements for Bell Operating Companies. If a Bell Operating Company shares CPNI with its Section 272 affiliate, it must also share the information with third parties, and if it is not willing to share the information with third parties, it cannot share it with its Section 272 affiliate, except as discussed supra in Part V at 34-35. See 47 U.S.C. § 272 (e).
36. As stated in the Privacy Report, different standards should apply to sensitive information. See Privacy Report, supra note 9, at 25. Some CPNI may involve information that appears sensitive, e.g., calls to and from AIDS clinics, women's shelters, and adult hotlines. For this reason, the Commission should examine the extent to which CPNI includes sensitive information. To the extent the Commission concludes that CPNI involves sensitive information, NTIA believes that affirmative consumer consent should be required before this information is released. See id.
37. Notice, supra note 1, ¶17.
38. See 47 U.S.C. §§251-54.
39. 47 U.S.C. §222. This reading of subsection 222(c) is supported further by subsection 222(e). Subsection 222(e) prescribes rules relating to the provision of subscriber list information by carriers providing telephone exchange service, which traditionally encompasses local service and comparable services. See 47 U.S.C. §153(47). As subsection (e) is structured as an exception to subsection (c), subsection (c) must clearly encompass both interstate and intrastate telecommunications services.
40. See 47 U.S.C. §§251-254.
41. Promoting privacy and competition are the twin goals of the Commission's regulations. See Conference Report, supra note 6, at 205.
We note that the overall thrust of the Act, as well as economic and technological trends, are eroding the traditional distinction between interstate and intrastate service and give further credence to this view of Section 222.
42. California v. FCC, 39 F.3d 919, 931-33 (9th Cir. 1994), cert. denied, __ U.S. __, 115 S. Ct. 1427 (1995).
43. The Commission preempted State privacy protections that interfered with its Federal CPNI regulations in 1991. See Computer III Remand Proceedings: Bell Operating Company Safeguards and Tier I Local Exchange Company Safeguards, Report and Order, CC Docket No. 90-623, 6 FCC Rcd 7571, 7631 (1991).
44. The Commission may preempt a State regulation that impedes a valid Federal regulatory objective. See Louisiana Public Service Commission v. FCC, 476 U.S. 355, 375 n.4 (1986); National Ass'n of Regulatory Util. Comm'rs v FCC, 880 F.2d 422, 429-30 (D.C. Cir. 1989); Public Service Commission of Maryland v. FCC, 909 F.2d 1510, 1515 (D.C. Cir. 1990); California v. FCC, 905 F.2d 1217, 1243 (9th Cir. 1990); California v. FCC, 39 F.3d 919, 931-33 (9th Cir. 1994), cert. denied, __ U.S. __, 115 S. Ct. 1427 (1995); and California v. FCC, 75 F.3d 1350 (9th Cir. 1996).
45. Common Carrier Bureau Seeks Further Comment on Specific Questions in CPNI Rulemaking, FCC Public Notice, CC Docket No. 96-115, DA 97-385 (Feb. 20, 1997).
46. See Conference Report, supra note 6, at 1, 205.
47. Implementation of the Non-Accounting Safeguards of Section 271 and 272 of the Communications Act of 1934, as amended, CC Docket No. 96-149, First Report and Order and Further Notice of Proposed Rulemaking, FCC 96-489, ¶222 (Dec. 24, 1996).
48. See supra, Part II.A at 9-14, Part III.A at 19-22. By its very nature, a carrier's affiliate provides a different type of "telecommunications service" than the carrier itself. (If it were providing the same service, no affiliate would be required.) As Section 222 allows access to and use and disclosure of CPNI only for the telecommunications service in which it was derived, notice and consent would be required before a carrier could share CPNI with an affiliate. See 47 U.S.C. §222(c)(1).
49. Section 222(c)(2) requires that a carrier "shall disclose customer proprietary network information, upon affirmative written request by the customer..." (emphasis added) while Section 222(c)(1) is silent as to the requisite form of a customer's approval. Section 222(c)(2) deals with customer initiated requests for disclosure for CPNI and makes such disclosure mandatory, while Section 222(c)(1) deals with carrier initiated disclosures that are permissive. Given these distinctions, there is no basis for concluding that the same type of consent is required for both provisions and that a customer must also provide affirmative written consent before a carrier may disclose CPNI under Section 222(c)(1). Congress clearly distinguished between the two types of disclosure, specifying affirmative written consent under Section 222(c)(2) perhaps as a means of ensuring that such information was indeed transmitted when requested by a customer. Given that disclosures under Section 222(c)(2) are customer-initiated, NTIA would also conclude that if a customer requests disclosure to a company affiliated with the carrier, CPNI would not have to be provided to unaffiliated companies pursuant to that request. The Commission would, however, have to be vigilant about the potential for carrier manipulation in such instances.