On June 29, 2017, the FCC released an Order effectively reinstating voice-centric privacy rules, and reminding Internet Service Providers (ISPs) that they remain subject to Section 222 of the Communications Act of 1934, as amended (the Act). Through this order, the FCC clarified that annual CPNI compliance certification and recordkeeping requirements are again in effect, and carriers subject to these requirements must file an annual certification by March 1, 2018. Therefore, no annual certification will be required in 2017. The Order also dismisses 11 Petitions for Reconsideration of the 2016 Privacy Order, deeming the petitions moot since the 2016 Privacy Order and the rules adopted therein are no longer in effect.
The rules that will been reinstated in the Code of Federal Regulations (CFR) include the FCC’s CPNI rules in effect prior to the 2016 Privacy Order. As clients likely recall, the FCC’s 2016 Privacy Order was repealed under a resolution of disapproval invoked under the Congressional Review Act (see JSI’s March 30th e-Lert for additional details). While the 2016 Privacy Order was repealed, certain portions of that order that sought to harmonize voice and broadband privacy rules modified existing CPNI rules, causing confusion as to what rules are now currently in place. The current Order effectively removes 2016 Privacy Order rules from the CFR and reinstates voice CPNI rules 47 CFR § 64.2001 through § 64.2011, which include: customer notice requirements specific to opt-in, opt-out, and one-time use; safeguards required for use and disclosure of CPNI (including personnel training requirements, recordkeeping requirements for marketing campaigns using CPNI, supervisory review process and annual certifications); and notification of CPNI security breaches.
In effect, companies can travel back in their theoretical time machines to the fall of 2016, and reinstate the privacy rules and principles that were in effect at that time. However, clients are reminded that even in the fall of 2016, Sections 201, 202 and 222 of the Act governed more than just voice-centric CPNI, and carriers have been penalized for not applying reasonable security frameworks to both voice and broadband services. Therefore, JSI continues to recommend that carriers follow best industry practices, such as the FTC’s adopted NIST Framework for cybersecurity to protect customer data, in addition to following explicit CPNI rules.