I think we badly need new CPNI rules for the industry. CPNI stands for ‘Customer Proprietary Network Information’ and are rules to govern the use of data that telcos and ISPs gather on their customers. CPNI rules are regulated by the FCC and I think it’s fully within their current mandate to update the rules to fit the modern world.
While CPNI is related to privacy issues it’s not exactly the same. CPNI rules involve how ISPs use the customer data that they must gather in order to make the network operate. Originally CPNI rules involved telephone call details – who we called, who called us, etc. Telcos have been prohibited by CPNI rules from using this kind of data without the express consent of a consumer (or else in response to a valid subpoena from law enforcement).
Today the telcos and ISPs gather a lot more information about us than just telephone calling information. For instance, a cellular company not only knows all of your call details, but they know where you are whenever you call, text or make a data connection from your cellphone. Every ISP knows every web search you make since they are the ones routing those requests to the Internet. If you buy newer ISP products like home automation they know all sorts of details that they can gather from monitoring motion detectors and other devices that are part of their service.
Such CPNI data is valuable because it can be used by the ISP to assemble a profile of each customer, particularly when CPNI data is matched with data gathered from other sources. Every large ISP has purchased a business arm that is aimed to help them monetize customer data. The ISPs are all envious of the huge advertising revenues generated by Facebook and Google and want to climb into the advertising game.
The FCC was given the authority to limit how carriers use customer proprietary data, granted by Section 222(b) of the Telecommunications Act of 1934. Those statutes specifically prohibit carriers from using CPNI data for marketing purposes. Over the years the FCC developed more specific CPNI rules that governed telcos. However, the FCC has not updated the specific CPNI rules to cover the wide range of data that ISPs gather on us today. Telcos still ask customers for permission to use their telephone records, but they are not required to get customer permission to track web sites we visit or our location when using a cellphone.
The FCC could invoke CPNI protections for companies that they regulate. It gets dicier for the FCC to expand CPNI rules past traditional carriers. All sorts of web companies also gather information on users. Google makes most of their money through their search engine. They not only charge companies to get higher ranking for Google searches, but they monetize customer data by building profiles of each user that they can market to advertisers. These profiles are supposedly very specific – they can direct advertisers to users who have searched for any specific topic, be it people searching for information about diabetes or those looking to buy a new truck.
There are many who argue that companies like Google should be brought under the same umbrella of rules as ISPs. The ISPs rightfully claim that companies like Google have a major market advantage. But the ISPs clearly prefer the regulatory world where no company is subject to CPNI rules.
There other web applications that are harder to justify as being related to CPNI. For example, a social network like Facebook gathers huge amounts of private data about its users – but those users voluntarily build profiles and share that data freely.
There are more complicated cases such as Amazon, which has been accused of using customer shopping data to develop its own product lines to directly compete with vendors selling on the Amazon platform. The company clearly uses customer data for their own marketing purposes – but Amazon is clearly not a carrier and it would be a huge stretch to pull them under the CPNI rules.
It’s likely that platforms like Facebook or Amazon would have to be regulated with new privacy rules rather than with CPNI rules. That requires an act of Congress, and it’s likely that any new privacy rules would apply to a whole large range of companies that use the web – the approach taken by the European Union.