By now, most people know that in its recent Open Internet Order adopted on February 26, 2015, the FCC reclassified internet access services as common carrier “telecommunications services” subject to FCC jurisdiction under the Telecommunications Act of 1996. The Order imposes a new regulatory framework on internet providers and, among many other things, augurs a sea change in how internet providers and their business partners may use certain data, including a class of information called Customer Proprietary Network Information (“CPNI”).
CPNI is defined as “(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.” See 2007 FCC CPNI Order.
Outside of telecom insiders, most people have probably never heard of CPNI or the FCC’s specific regulations on their use. But later this month, new rules on collection, disclosure, consent and use of CPNI in the internet context will be take center stage as the FCC decides whether and to what extent previously-exempt internet service providers and their business partners are bound by CPNI rules that phone and cable companies have observed for years.
Of course, the Devil’s in the details. Current CPNI rules, for example, prevent phone companies from sharing the phone numbers a customer calls or receives without express consent. How that rule translates in the internet context, where the entire notion of internet marketing relies on some measure of tracking, is less clear. But some restrictions on the current system is likely, with the FCC indicating that many of the same consumer privacy concerns applicable to phone companies are present with internet providers:
[c]onsumers’ privacy needs are no less important when consumers communicate over and use broadband Internet access than when they rely on [telephone] services. As broadband Internet access service users access and distribute information online, the information is sent through their broadband provider. Broadband providers serve as a necessary conduit for information passing between an Internet user and Internet sites or other Internet users, and are in a position to obtain vast amounts of personal and proprietary information about their customers. Absent appropriate privacy protections, use or disclosure of that information could be at odds with those customers’ interests.
In short, if your business relies on or uses tracking data on consumer internet traffic or behavior in any way (e.g., customized ad buys, cookies, big data algorithms, mobile payments processing), there’s a good chance that the forthcoming new CPNI rules will affect you in some way.
For now, ISP’s have a reprieve, and the FCC has stated that it will forbear from applying its existing rules because they are “not well suited to broadband Internet access service.” In particular, the FCC found that existing rules are more focused on concerns that have been associated with voice telephone service and do not address many of the types of sensitive information to which broadband providers (more so than phone companies) are likely to have access.
These comments suggest the possibility that the new CPNI rules may be more strict than the current ones for phone companies. FCC Chairman Tom Wheeler has announced that the agency will hold a workshop on April 28 for stakeholders to discuss details, with final rules probably coming out in Q3 or Q4 of 2015.