EPIC to Propose First CPNI Regulations for Handset Makers
The Electronic Privacy Information Center (EPIC) will ask the FCC to expand customer proprietary network information (CPNI) rules to cover handset manufacturers and not just carriers, Staff Counsel Melissa Ngo said Thursday during a Federal Communications Bar Association lunch. Meanwhile, Bennett Ross, chairman of the telephony practice at Wiley Rein, said parts of the CPNI rules approved by the FCC in March (CD March 15 p2) are causing major confusion for carriers.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
EPIC’s 2005 petition asking the FCC to beef up its CPNI rules was a critical factor in sparking agency action. Ngo said the rules should be further tightened to require handset makers to build into sets a feature allowing them to be easily cleared of all personal information.
“People have sold cellphones and PDAs on eBay and thought they had cleared their information off,” Ngo said: “It’s still on there: Your client information, your medication information, your doctor’s information, things like that.” EPIC also will ask the FCC to expand situations in which consumers will be required to affirmatively “opt in” before their data are shared.
“Most consumers don’t even know what CPNI is,” she said.
“They can’t really know what exactly they're agreeing to with these kind of opt-out notices that are often placed with a lot of other information that they just ignore form the carriers.” She said EPIC will ask for other changes including expanded password protection, better audit trails, data encryption requirements and limits on the access employees have to CPNI and on data retention.
Ross said he expects carriers to file at the FCC seeking reconsideration or clarification of parts of its new CPNI regulations, which will kick off some time after Dec. 8, following clearance by the Office of Management and Budget.
One major area of confusion is a conflict between the FCC’s CPNI rules and the March order stating when a carrier has to report a CPNI has been compromised. Current rules appear to require notification of a customer, the FBI and Secret Service even when a customer representative of a carrier inadvertently sees data and even when no harm could even potentially occur, Ross said.
One area of confusion, Ross said, is that the order seems to permit sharing data with the “agent” of a carrier but not with joint venture partners or independent contractors for marketing purposes. “It’s an interesting problem,” he said, noting that an agent is defined differently from a partner in various states. “Typically, agency law is a matter of state law. If you're operating a call center in Illinois that serves 40 states do you look to Illinois law? Who gets to make that determination?”
Another area of confusion is a requirement that carriers establish a password for existing customers without resorting to the use of “readily available biographical information” for customer authentication, Ross said: “One of the more challenging aspects of implementing this order is for carriers to make sure that they have a firm understanding of what readily available biographical information actually means.”