On June 27, the FCC issued a declaratory ruling that its Customer Proprietary Network Information (CPNI) privacy rules apply to customer-specific information stored on wireless devices, if the wireless carrier has caused the information to be stored on the device and has access to or control over that information. Thus, for example, customer-specific information stored in a cellphone via preinstalled apps, such as data on phone numbers called, the location from which the calls were made, and the time and duration of calls must be protected from disclosure by the carrier. The FCC stressed that the ruling is limited in scope and does not apply to device manufacturers or third-party app developers.
The type of information considered “CPNI” is customer-specific personal information that “relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship ,” as well as billing information. Carriers must safeguard CPNI and are restricted in their use or disclosure of such information to third parties, and must notify customers of breaches of their CPNI. The FCC warned that any failure to protect CPNI on wireless devices may result in enforcement actions, including forfeitures.