FCC: Yes, Existing CPNI Rules Apply to Some Information Collected on Mobile Devices
A June 27 FCC ruling has clarified that mobile carriers may be subject to CPNI obligations as to information that they cause to be collected by mobile devices—even when a carrier has neither received or obtained that information. However, the ruling neither expanded nor changed the substance or scope of Commission’s Customer Proprietary Network Information (“CPNI”) rules. The declaratory ruling and Commission action were largely in response to revelations that some mobile carriers caused diagnostic software provided by Carrier IQ to be installed on some mobile devices. This software, which was often pre-installed on devices before they were sold to consumers, provided carriers with information about how the device and network were functioning, including information about calls made and received by users.
This call information is referred to as CPNI – which includes “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” 47 U.S.C. § 222.
The crux of the FCC’s declaratory ruling is that the statutory definition includes “information that telecommunications carriers cause to be stored on their customers’ devices when carriers or their designees have access to or control over that information.” (emphasis added) This is regardless of “whether the carrier itself installs, or directs the installation of, the software that collects the information, and whether the information is shared directly with the carrier or with its designee.”
The Commission declined to provide further guidance on when information “relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service” in the mobile context.
The FCC did not adopt any new CPNI rules directed at mobile carriers or change the fact that mobile carriers have been subject to the CPNI rules for years; rather, the FCC explained that existing statutory and regulatory obligations apply to CPNI that a mobile carrier causes to be collected on mobile devices. These include the statutory duties to protect the confidentiality and prevent unauthorized disclosure of CPNI, as well as the regulatory obligations to take reasonable precautions to prevent unauthorized disclosure.
Existing law provides that, without a customer’s consent, a carrier only may use CPNI “in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service.” 47 U.S.C. § 222(c). The FCC noted that “these provisions should allow a carrier that collects CPNI from customers’ devices to use that information to assess and improve the performance of its network and to provide information to customer-support representatives without the customer’s specific approval.” The Commission also explained that neither the statute nor the CPNI rules restrict a carrier’s ability to use, disclose, or permit access to aggregate customer information.
Some commenters had claimed that carriers generally cannot restrict the ability of third party applications to access data that the carriers cause to be stored on mobile devices. The FCC responded that, assuming this claim is correct, carriers must still take reasonable precautions to protect CPNI that they cause to be collected on mobile devices against unauthorized access by such third party applications, “whether by storing the CPNI in a location or form that it is protected or otherwise.”