As privacy professionals, our foundational principles should always serve as our North Star. Principles like transparency, autonomy and choice guide us in our practice, even when other markers fail to point the way.

If the principles are Polaris, the policies and procedures we deploy to properly safeguard personal information decorate the remainder of our professional firmament. Unlike our principles, they should not be static; they are never fixed in place. The best practices we use in any given situation are responsive to the ever-changing context of privacy.

Though the contextual factors we weigh in building privacy programs may not be as predictable as sidereal time, their diffuse signals should together at least give us a heading, if not specific compliance coordinates.

Like a sailor checking his astrolabe, privacy teams must constantly make fine-tuned adjustments to consider shifting circumstances, whether driven by changes in consumer expectations, new technical realities or updated compliance obligations.

The long-awaited geolocation enforcement actions finalized this week by the U.S. Federal Communications Commission against all major U.S. mobile phone carriers are a perfect illustration of why active privacy navigation is essential, even when specific compliance obligations are in place. (Full disclosure: your humble columnist interned with a telecommunications company during the summer of 2014.)

Telecommunications carriers in the U.S. are under special obligations due to the Communications Act of 1934, which has been updated many times via statute and regulation. These rules include privacy restrictions for customer proprietary network information. CPNI must be treated with care, but the specifics about the scope of CPNI and how it should be handled have shifted in keeping with changing norms and expectations.

In fact, the story of CPNI mirrors the general story of the strengthening approach to consent in the U.S.

Since mobile phones first became ubiquitous, everything about their operation, the sensors they use and the broader marketplace has changed. Consumer expectations about their mobile privacy have shifted. Regulatory interventions have evolved. And technology has rapidly advanced.

Until 2007, the FCC considered a customer's "opt-out approval" as sufficient to share CPNI with third parties for certain purposes. This reflected the dominant idea until that time, which was rapidly going out of fashion, that the legal fiction of contractual consent was all that was necessary to achieve the principle of choice.

When the FCC updated the CPNI rules in 2007, the agency made clear that it was doing so because of technical developments that made it increasingly easy for data brokers and others to gain access to CPNI without the awareness of consumers.

Section 222 of the Communications Act defines CPNI as "information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship."

Today, as location information is increasingly afforded the protection due other sensitive data, including opt-in consent, it is not at all surprising to see location on this list. But at the time of the 2007 update, location services on mobile devices were predominantly made possible via the interaction between mobile phones and network towers, not through GPS signals.

This distinction is notable not just because of the difference in precision and accuracy of the different technologies, but also because no companies outside of the telecom space had ready access to mobility data in 2007.

2007 also happened to be a milestone year for the development of mobile phones. The first iPhone was released in 2007, without GPS capabilities. At the high end of the hardware market, the Nokia N95 was a "powerhouse" with its built-in GPS, 5-megapixel camera, Wi-Fi capabilities — and a design still lacking a touch screen.

GPS changed everything for mobile devices, transforming them into navigational tools, while also embedding sensors that could share location information with a much wider array of actors than the telecommunications carrier alone. Privacy norms struggled to keep up with this rapidly advancing technical reality, whether in the context of Fourth Amendment jurisprudence or Federal Trade Commission enforcement of commercial practices related to location data.

Meanwhile, telecommunications carriers found themselves bound to restrictions on certain types of location data that other companies — including Big Tech companies increasingly seen as general competitors — were not subject to. These market pressures sent a strong signal to the industry that location data was an untapped revenue stream. Perhaps this drowned out other signals about what the expectations of the sensitive nature of this data were. After all, others were, and still are — as FCC Commissioner Brendan Carr mentions briefly in his dissenting statement — collecting and selling location data.

According to the forfeiture orders against AT&T, T-Mobile, Verizon and Sprint, the companies each set up a Location-Based Service program, through which location data was sold to aggregators, who further sold it to vetted third parties. Each company allegedly passed its obligations to collect user consent down to the aggregation companies.

FCC Commissioner Geoffrey Starks put it bluntly in his statement released with the original notice of apparent liability to the telecom companies in 2020:

"Regrettably, these investigations show that carriers did not heed (the opt-in consent warning). Despite the clear message from the FCC, these carriers did not treat the protection of their customers' data as a key responsibility. Instead, they delegated responsibility for protecting this sensitive information to aggregators and third-party location service providers. They subjected these arrangements to varying degrees of oversight, but all were ineffective and failed to prevent the problem. Significant penalties are more than justified."

Notable here is the fact that, from the FCC's perspective, the entire industry bought into a collective misconception that certain types of location data fell outside of the CPNI restrictions. The industry failed to adapt to a changing world in a manner that fully incorporated the contextual nature of privacy.

The companies maintain that the location data at issue in this action is not subject to the CPNI rules. The FCC quotes AT&T, for example, as arguing that the location data was "generated via a different mechanism than is used to ensure connectivity to the network." But the FCC concludes that, even if this is true, consumers were not provided with an opportunity to reject the separate collection and use of location data for this purpose.

Even more important to the FCC is the relationship between the subscriber and the telecom company. CPNI safeguards are in place by reference to the customer-carrier relationship. If customers are providing data because of a trusted relationship with the carrier and an expectation that such data is necessary to provide the service, it is incumbent on the company to take the consumer's general expectations into account.

Privacy is contextual for many reasons, but one that we often overlook is the context of the relationship between an individual company and its customers. Even though it may lead to differences in market opportunities, this means that some companies are under heightened expectations of privacy.

Regulatory interventions can always change this dynamic — proposed comprehensive federal legislation would treat mobile carriers the same as other companies and place them under the FTC's authority. In the absence of such interventions, companies must be clear-eyed in their measure of the particular relationships they enjoy with their customers, among all the other factors they weigh in creating a lasting privacy program.

If, on the other hand, privacy programs are designed to meet minimal legally justified standards under a strict interpretation of compliance obligations, they may fail to take account of the shifting circumstances around them — and eventually find themselves lost at sea.

Upcoming happenings:

  • 9-10 May: The Privacy + Security Forum at George Washington University.
  • 21 May, 17:00 ET: IAPP's D.C. KnowledgeNet hosts a panel titled "U.S. State Privacy Laws: Compliance in an evolving landscape" (SEI).

Please send feedback, updates and CPNI to cobun@iapp.org.