Telecommunications carriers and providers of interconnected VoIP service with access to certain kinds of customer information collected through mobile devices are subject to existing privacy rules governing their use and disclosure of that information, the Federal Communications Commission announced in a declaratory ruling adopted at its June 27 meeting.  Significantly, the decision makes clear that third-party applications, device manufacturers and operating system developers are not covered. 

The ruling addresses the scope of the FCC’s rules governing Customer Proprietary Network Information (CPNI). A federal statute — Section 222 of the Communications Act — requires carriers “to protect the confidentiality of proprietary information” relating to customers, which is defined as information in customers’ bills and other information “that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” This includes information about numbers dialed and received, the length and frequency of calls, and the locations where calls are made.

Under the statute and the FCC’s implementing rules, carriers may use individually identifiable CPNI to provide the services customers have purchased and to market similar or related services offered by the carrier — for example, a wireless carrier can use CPNI to market its other wireless plans or add-on features to a wireless subscriber. However, the rules require carriers to obtain customers’ consent (either opt-in or opt-out) before using CPNI for most other purposes, such as marketing long-distance service to wireless customers or sharing the information with third parties. Carriers also are required to “take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.”

In its June 27 ruling, the FCC stated that the CPNI rules apply to information collected by mobile devices if the information is within the statutory definition, is collected at the carrier’s direction, and the carrier or its designee has access to or control over the information. The rules apply to CPNI “that a carrier causes to be stored on its customer’s device in order to allow the information to be shared with the carrier,” even if the information has not yet been transmitted to the carrier, the ruling stated.  That means, for instance, that a carrier must take reasonable precautions to protect CPNI stored on a mobile device from unauthorized access and disclosure by third-party applications installed on the device, according to the ruling.

The ruling appears to stem from the FCC’s investigation into the Carrier IQ software included on some handsets, which was prompted by security concerns first raised in November 2011. The software is designed to collect diagnostic data for carriers’ use, but on some handsets the software was configured in a way that allowed unauthorized access to and use of this data.  The FCC’s ruling noted, however, that it was not reaching any conclusions about whether any carrier’s use of the Carrier IQ software had violated the CPNI provisions.

The FCC’s ruling also emphasized that it was not intended to change any existing rules or to prevent carriers from collecting CPNI, which the ruling noted can benefit consumers by enabling carriers to respond to customer requests and to detect network and equipment problems, among other permitted uses. Both the ruling and separate statements by interim Chairwoman Mignon Clyburn and Commissioner Jessica Rosenworcel emphasized the limited nature of the FCC’s CPNI rules, stating that the rules apply only to communications service providers and not to manufacturers or app providers that collect information for their own purposes — even if the information would be considered CPNI if collected on a carrier’s behalf.