Key Takeaways: The Federal Communications Commission (“FCC”) sent a loud message to the telecommunications industry: the era of lax CPNI compliance is over.

• Mobile network operators (MNOs), mobile virtual network operators, Internet Service Providers, and Voice-Over-IP providers, and other operators subject to the FCC’s CPNI rules should be aware of the FCC’s expansive view as to the kinds of data subject to the CPNI rules.
• Specifically, providers should be aware of the FCC’s increasing efforts to regulate more aspects of the wireless ecosystem, including subscriber location information and geolocation data, under the umbrella of “CPNI.”
• Going forward, providers should carefully consider compliance with CPNI rules as they seek to monetize or share subscriber data with third parties and downstream commercial providers.

On April 29, 2024, the Commission released Forfeiture Orders against the three largest MNOs for failing to safeguard customer proprietary network information (“CPNI”). These Orders came after responses from AT&T, Inc. (“AT&T”), Verizon Communications (“Verizon”), Sprint Corporation (“Sprint”), and T-Mobile USA (“T-Mobile,” collectively the “Carriers”) to the respective Notices of Apparent Liability for Forfeiture and Admonishment (“NAL”) previously issued by the FCC. Ultimately, the Commission found the Carriers violated the FCC CPNI rules, issuing $57.3 million, $46.9 million, $12.2 million, and $80.1 million in fines to AT&T, Verizon, Sprint, and T-Mobile respectively.

As background, the Communications Act defines CPNI as information relating to the “quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier” that is “made available to the carrier by the customer solely by virtue of the carrier-customer relationship.”[1] Carriers are required to protect the confidentiality of certain customer data, including CPNI.[2]

The Commission has previously advised that providers subject to CPNI rules have a duty to take “every reasonable precaution” to safeguard their customers’ information.[3] Among other requirements, providers are required to employ “reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.”[4] Further, before sharing most kinds of CPNI, providers must obtain a customer’s “affirmative, express consent” before using, disclosing, or permitting access to that customer’s CPNI.[5]

In the Forfeiture Orders, the FCC determined that the Carriers ran afoul of this opt-in requirement. In particular, the Carriers sold access to their customers’ location information to companies known as “location information aggregators,” who then resold access to such information to third-party location-based service (“LBS”) providers, or, in some cases, to intermediaries who went on to resell such information to LBS providers.

Notably, in these instances the customer’s location was determined based on when and where the device made contact with the carrier’s cell site (even if idle), not necessarily when the device was in active use for a call. Specifically, the FCC concluded that information related to the authentication of a device via the pinging of a Carrier’s tower was sufficient to constitute CPNI, and the Carriers’ failure to take “reasonable measures” to guard this CPNI against unauthorized access merited the substantial forfeiture amounts.

Providers should be aware that customer location information subject to the FCC’s jurisdiction as “relating to a telecommunications service” need not be generated by an actual voice call in order to constitute CPNI. These Orders signal that the current FCC is prepared to take an expansive interpretation of the kinds of data that constitute CPNI. Accordingly, providers should carefully review their agreements with any third-parties (e.g., vendors, consultants, or commercial partners) who receive access to subscriber or customer data.

Importantly, providers should also be aware that each third-party LBS provider or aggregator that had access to customer location information for more than 30 days after the public reporting on the Carriers’ practice of selling access to customer location information was determined to be a discrete continuing violation—resulting in the substantial forfeiture amounts.

In response to the AT&T Order, AT&T has appealed the decision to the Fifth Circuit Court of Appeals, arguing that the Order is arbitrary and capricious and the location data at issue does not meet the definition of CPNI. We will continue to follow this appeal closely given the significant impact on the use and sharing of subscriber data.

FOOTNOTES

[1] 47 U.S.C. § 222(c), (h)(1)(A) (emphasis added).

[2] 47 U.S.C. § 222(a).

[3] Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, Report and Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd 6927, 6959, para. 64 (2007).

[4] 47 CFR § 64.2010(a).

[5] 47 CFR § 64.2003(k).