The FCC continues to take a more active role in privacy with its enforcement of the customer propriety network information (“CPNI”) regulations. Recently, the FCC released Forfeiture Orders against the three largest mobile network operators for failing to safeguard CPNI. As we wrote about in our sister blog, violating FCC CPNI rules came with the cost of $57.3 million, $46.9 million, $12.2 million, and $80.1 million in fines to AT&T, Verizon, Sprint, and T-Mobile respectively.
CPNI is defined to include location information made available to the carrier by the carrier-customer relationship. Carriers are required to protect the confidentiality of CPNI and generally, may only share CPNI with customers’ affirmative, express consent.
The FCC found the carriers ran afoul of this opt-in requirement by selling access to their customers’ location information to companies known as location information aggregators. These location information aggregators then resold access to such information to third-party location-based service providers, or, in some cases, to intermediaries who went on to resell such information to location-based service providers.
Putting it into Practice: This case is a reminder for carriers to look at their agreements with entities to whom they give access to CPNI, and ensure that there are obligations to for the other party to comply with CPNI regulations.