Privacy Perspectives | Thanks to Congress, the future of CPNI looks much like its past

After a brief hiatus, customer proprietary network information rules are back in the Code of Federal Regulations where they have remained unchanged for the greater part of the last decade.

And there they will remain for the foreseeable future, thanks to Congress’ use of the Congressional Review Act.

Not too long ago, CPNI rules were slated for elimination. When the Federal Communications Commission under Chairman Tom Wheeler adopted new privacy rules late last year, the FCC planned to phase out existing CPNI-specific rules, such as the annual CPNI certification and the disclosure safeguards rule. In place of CPNI rules, the FCC planned to implement an overarching telecommunications privacy regime that would protect more types of personal data and cover more telecommunications companies, including internet service providers. But the plan was instantly put into jeopardy after the 2016 election, and within five months, Congress eliminated the Wheeler privacy rules using its CRA authority.

Congress rarely resorts to using the CRA to reverse an agency’s rule, but when Congress does so, there are two main results: First, the CRA action returns the regulatory structure to the status quo ante (the previously existing state of affairs); and second, the CRA prevents the agency from reissuing the rule in “substantially the same form.” Accordingly, Congress’ CRA legislation brought back CPNI rules and tied the FCC’s hands with regard to future changes to CPNI and privacy regulation, generally.

In this sense, the reincarnation of the CPNI rules is emblematic of the emerging axiom of the Trump administration: Regulations predating the Obama years stay, but any rule written after 2008 must go. Last revised in 2007, the CPNI rules are ancient by technology standards, clunky and overly prescriptive. But with Washington dead set on reversing Obama-era regulations, outdated CPNI rules are good enough.

CPNI, reimagined

CPNI rules are the only customer data privacy rules the FCC has ever enforced. CPNI is defined as “information such as the phone numbers called by a consumer; the frequency, duration, and timing of such calls; and any services purchased by the consumer, such as call waiting,” according to the FCC. Carriers are restricted in how they use CPNI for marketing purposes and are required to take specific steps to protect CPNI from unauthorized access.

Under Chairman Wheeler, the FCC reimagined its privacy mission and rewrote its privacy rules accordingly. The new rules expanded the FCC’s privacy oversight to internet service providers, leading to a backlash that eventually sank the new rules. But the new rules were broader even than that, applying to substantially all telecommunications carriers in the marketplace, including traditional telecommunications companies and interconnected VoIP providers. And in an effort to harmonize all the rules, the Wheeler FCC planned to eliminate unnecessary CPNI rule burdens on businesses and remove outdated provisions.

Here’s what the new rules would have done: First, the FCC eliminated the annual CPNI certification requirement and the requirement to retain records of marketing campaigns using CPNI. This new rule became effective in January 2017, and about 88 percent of carriers followed through and did not file their annual certification in March 2017.

The FCC explained, “eliminating these requirements reduced burdens for all carriers … We find that carriers are likely to keep records necessary to allow for any necessary enforcement without the need for specific requirements.” But the FCC’s arguments no longer matter. Congress has spoken, and the CPNI certification is back, indefinitely. Carriers will be required to file their certification March 1, 2018, and have Congress to thank for the requirement.

Another action that the Wheeler FCC took was to create a broad business customer exemption for providers of telecommunications services. The rule would have allowed telecommunications carriers to “bind themselves contractually to privacy and data security regimes other than” the FCC’s privacy rule. In order to take advantage of this exemption, carriers merely had to address all the issues in the privacy rule — transparency, choice, data security and data breach notification — in their customer contract and provide a way for customers to communicate with the carrier about privacy and data security concerns.

For carriers focused on the business-to-business marketplace, this exemption would have significantly reduced CPNI burdens. But again, Congress had no interest in delving into details. By using the CRA, Congress disapproved of the FCC’s business customer exemption just like it disapproved of the rest of the privacy rules.

Another common sense change to CPNI rules was the intended elimination by the Wheeler FCC of the convoluted disclosure safeguards rule in favor of a broader data security rule. To address pretexting fraud, the FCC more than a decade ago implemented customer authentication rules requiring telecommunications companies to use passwords and other mechanisms for protecting customer data from unauthorized access. These were common sense rules in their day, but today, they are neither necessary nor sufficient.

As the Wheeler FCC found, “this is a complex area where providers need the flexibility to adapt their practices to new threats.” Accordingly, the FCC dispensed with customer authentication rules and instead adopted a baseline data security rule requiring that carriers take “reasonable measures” to protect customer data. Regardless, when Congress passed the CRA legislation, it voted against the baseline data security rule and the data security flexibility that rule would have ensured for carriers.

Solving consent 

Now, admittedly, not all of the Wheeler privacy rules would have reduced burdens on businesses. But even the most controversial new rule, the consent rule, would have improved on the CPNI rule. The CPNI consent rule is purpose based: If CPNI is to be used to market categories of services a customer does not already subscribe to, the carrier must obtain opt-out consent. For marketing of services a customer subscribes to, no consent is required.

In comparison, the Wheeler privacy rules were based on the sensitivity of data. If a carrier were to use or share customer data, including for marketing, the carrier would be required to allow a customer to opt out. If the data to be used or shared was considered “sensitive,” then a customer would be required to opt in.

This sensitivity-based regime is in line with Federal Trade Commission guidelines and would have simplified compliance. Rather than require companies to differentiate between marketing campaigns or to anger customers seeking to opt out only to learn they are not able to do so, the Wheeler privacy rule would have streamlined the opt-out process.

But again, Congress was not interested in consumer control or the harmonization of privacy regulation with FTC standards when it passed the CRA. And now, CPNI rules, no matter how convoluted or burdensome, are here to stay. 

A future without options?

By passing the CRA legislation eliminating FCC privacy rules and restoring CPNI rules, Congress has taken action that does not permit the FCC to issue a regulation in “substantially the same form” without future Congressional intervention.

That appears to be just fine for the FCC’s leadership. In June, the FCC released a ministerial Order restoring CPNI rules without any notice or comment period. Other than a critical statement by the lone Democratic Commissioner Mignon Clyburn, the Order amounted to an emotionless return to the past without any clues as to future CPNI policy.

But the industry and future FCC commissioners should not give up on making changes to CPNI rules simply because of the CRA. For one thing, the law preventing re-issuance of the regulation in “substantially the same form” has never truly been tested and certainly has not been tested in an FCC context.

For example, the Wheeler FCC’s new privacy rules were supposed to apply to “customer proprietary information,” which would have included not only CPNI but also personally identifiable information and the content of communications. If the FCC reissued the consent rule or the data security rule and applied the rule only to CPNI, that is a substantially different rule.

Also, the business customer exemption requires contracts to specifically address transparency, choice, data security, and data breach notification, all of which were elements in the Wheeler privacy rules. A CPNI-specific business customer exemption could be substantially different if it applied to CPNI-specific elements of the CPNI rule. 

But the same logic does not apply to the CPNI certification. Because the Wheeler FCC eliminated the CPNI certification explicitly, any future FCC action that again explicitly eliminates the CPNI certification would be “substantially similar.”

Perhaps a court would take a lenient approach, allowing the FCC to eliminate the CPNI certification requirement again because the CRA only says that a rule may not be reissued and does not use the words “may not be re-eliminated.”

But for now, the CPNI certification requirement is here to stay. Perhaps for a long time. 

photo credit: Geoff Livingston US Capitol via photopin (license)
