Customer proprietary network information explained

Customer proprietary network information (CPNI) is the data collected by telecommunications companies about a consumer's telephone service.^[1] It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and certain other information that appears on the consumer's telephone bill.^[2] CPNI may also include account/subscriber information such as the number of lines.

CPNI is protected and regulated by the Federal Communications Commission. Privacy rules primarily apply to individually identifiable CPNI, meaning CPNI data that is linked or linkable to a particular person through other data such as a wireless account number, wireless phone number or email address. However, data such as name, address and phone number are not themselves CPNI.^[3] CPNI does not include financial information or sensitive personal information such as Social Security Numbers or credit card information.^[4]

Telemarketers or customer service agents working on behalf of telephone companies must go through an additional customer authentication layer (typically a PIN, or last four digits of the stored payment method) and ask for the customer's consent prior to accessing the billing information or before using or sharing that information.

Description

The U.S. Telecommunications Act of 1996 granted the Federal Communications Commission (FCC) authority to regulate how CPNI can be used, and to enforce related consumer information privacy provisions.^[5] The rules in the 2007 FCC CPNI Order further restrict CPNI use and created new notification and reporting requirements.^[6]

The rules in the 2007 CPNI Order include:

• Limits the information which carriers may provide to third-party marketing firms without first securing the affirmative consent of their customers
• Defines when and how customer service representatives may share call details
• Creates new notification and reporting obligations for carriers (including identity verification procedures)
• Verification process must match what is shown with the company placing the call.

Note that as long as an affiliate is "communications" related, the FCC has ruled that CPNI is under an opt-out approach (can be shared without your explicit permission). A phone company is not permitted to sell or otherwise disclose CPNI information, such as numbers you call, when you called them, where you were when you called them, or any other personally identifying information, except subject to either such exceptions are provided in the statute or regulations, or with approval of the customer. Law enforcement access to CPNI ordinarily requires proper judicial approval, but some data about telecommunications customers can be shared or sold to "communications" related companies.^[7] One can verify this by checking rule 64.2007(b)(1) and footnote 137 in the 2007 CPNI order.

The 2007 CPNI Order does not revise all CPNI rules. For example, the rule revisions adopted in the Order do not limit a carrier's ability to use CPNI to perform billing and collections functions, restrict CPNI use to effect maintenance and repair activity, or impact responses to lawful subpoenas.

Fines for failure to comply with CPNI rules can be substantial. In 2024, the FCC settled with TracFone Wireless and AT&T for $16 million and $13 million, respectively, for violations of the CPNI rules.^{[8] [9]}

See also

• Call detail record
• Electronic Communications Privacy Act (ECPA)
• Internet Protocol Detail Record
• Mobile identity management
• Pen register
• Telecommunications data retention

References

1. Web site: 2011-03-03. Customer Privacy. 2021-09-04. Federal Communications Commission. en.
2. Web site: Krebs . Brian . Why You Should Opt Out of Sharing Data With Your Mobile Provider – Krebs on Security . Krebs on Security . 31 October 2024 . 20 March 2023.
3. Federal Communications Commission, Implementation of the Telecommunications Act of 1996; Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information (May 21, 1998)
4. Web site: 2023-03-23. Customer Privacy.
5. Economides. Nicholas. 1999-12-01. The Telecommunications Act of 1996 and its impact1Presented at the Annual Telecommunications Policy Conference, Tokyo, Japan, 4 December 1997. I thank Hajime Hori, Bob Kargoll, Steve Levinson, and two anonymous referees for helpful comments.1. Japan and the World Economy. en. 11. 4. 455–483. 10.1016/S0922-1425(98)00056-5. 0922-1425. free.
6. http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.pdf FCC CPNI Order
7. Web site: Combest. Chris. So just what is customer proprietary network information (CPNI), and is it still relevant?. 1stel. 16 November 2015 . https://web.archive.org/web/20160304121943/https://blog.1stel.com/so-just-what-is-cpni-and-is-it-still-relevant/ . March 4, 2016 . dead.
8. Web site: Starks . Tim . FCC, Tracfone Wireless reach $16M cyber and privacy settlement . CyberScoop . 31 October 2024 . 22 July 2024.
9. Web site: AT&T Data Breach: Telco Reaches $13M Settlement With FCC . The Cyber Express . 31 October 2024 . 18 September 2024.

6389881560

External links

• CPNI Information
• FCC What Your Telephone Company Knows About You (And Controlling How They Use It)
• FCC CPNI Order - April 2, 2007
• www.fcc.gov - Protecting Your Telephone Calling Records