FCC REACHES $7.4 MILLION SETTLEMENT WITH VERIZON TO RESOLVE CONSUMER PRIVACY INVESTIGATION
September 10, 2014
On September 3, 2014, the Federal Communications Commission (“FCC” or “Commission”) announced that it had reached a $7.4 million settlement with Verizon to resolve an investigation by the Commission’s Enforcement Bureau into the company’s use of personal consumer information for marketing purposes. This represents the largest such payment in FCC history for settling an investigation related to the alleged misuse of Customer Proprietary Network Information (“CPNI”).
The FCC has imposed specific requirements on telecommunications carriers and interconnected VoIP providers regarding the use of CPNI and what they must do to protect it from disclosure. For example, telecommunications carriers and interconnected VoIP providers may use, disclose or permit access to CPNI only in certain limited circumstances, including: (1) after obtaining the customer’s explicit consent; (2) to support the provision of the specific service from which the CPNI was derived; and (3) as required by law. The FCC also requires telecommunications carriers and interconnected VoIP providers to report to both its customers and appropriate law enforcement officials any unauthorized disclosure of CPNI. Finally, telecommunications carriers and interconnected VoIP providers must submit annual certifications to the FCC that they are in compliance with the CPNI requirements.
With respect to Verizon, the Commission’s Enforcement Bureau alleges that, beginning in 2006 and continuing for several years thereafter, Verizon failed to generate required CPNI consent notices to approximately two million customers, which effectively precluded them from denying Verizon permission to access or use their CPNI. In addition, the Enforcement Bureau alleges that Verizon failed to notify the FCC of these problems until 126 days after their discovery.
Under the terms of its settlement with the FCC, in addition to the aforementioned payment, Verizon must also include opt-out notices on every bill sent to a customer, not just the customer’s first bill, and it must put systems in place to monitor and test its billing systems to ensure that customers are receiving proper notices of their privacy rights. If Verizon detects any problems with these procedures or any other CPNI-related compliance problems, it must report the issue to the FCC within five (5) business days. The full text of the FCC press release detailing the terms of Verizon’s settlement with the FCC can be found here.
Although the above provides a brief overview of the FCC’s CPNI requirements, it is not an exhaustive list. As this case illustrates, the FCC takes CPNI compliance issues very seriously and will impose heavy sanctions on those companies that it believes to be in violation of these requirements. Companies that have concerns regarding their compliance with the FCC’s CPNI rules should contact regulatory counsel immediately.
If you have any additional questions regarding your company’s potential exposure with respect to CPNI or other data privacy issues, please contact Rob Gastner at 202.659.6674.