California Public Utilities Commission Denies Request to Develop Privacy Standards for Wireless Carriers and Mobile Applications

By Jane J. Whang After a year in which the California Legislature passed a spate of privacy laws, wireless providers and third party mobile application providers do not need to add privacy regulations from the California Public Utilities Commission (“CPUC”) to their growing list of privacy compliance requirements.  At its January 16, 2014 meeting, the CPUC voted 3-2 to deny a petition filed in November 2012 by consumer advocates requesting the CPUC to open a rulemaking to, among other things, review the privacy practices of telephone corporations and, in particular, to develop privacy standards for wireless carriers and third parties (such as mobile applications) that gain access to wireless consumers’ personal information.  (See P.12-11-006). Click here to read the decision. The petition was filed by several consumer groups, including Consumer Federation of California, The Utility Reform Network, and the Privacy Rights Clearinghouse.  The consumer advocates cited the “profound transformation” of mobile phones and technological capabilities of such phones, including tracking capabilities, as a basis to review whether privacy of telephone consumers (particularly of wireless services) are adequately protected by existing laws and regulations. During the CPUC’s consideration of the petition, wireless providers, including AT&T Mobility and CTIA filed comments to oppose the petition.  In addition to pointing out that the CPUC lacks jurisdiction over mobile applications, CTIA cited several laws already addressing concerns raised by the petition, such as the California Online Privacy Protection Act and federal CPNI rules, and pointed to other agencies (including the FCC, the FTC and the California Attorney General’s Office) that actively enforce privacy laws and requirements. The CPUC agreed with the opposing parties that various California and federal laws and regulations already address privacy issues related to telephone companies, finding that the petition failed to identify “gaps in existing privacy laws and regulations, as well as examples of actual instances of harm from such privacy violations.”  The CPUC also observed that the third-party mobile applications referred to in the petition are already addressed by existing state laws and policies that “are primarily enforced by entities other than [the CPUC].”  However, the Decision recognized that due to “rapid changes in communications-related technologies” and services supported by new technologies, new concerns related to telecommunications company privacy practices may arise that are not addressed by existing laws.  Accordingly, the Decision stated that the CPUC would continue to track developments and may reassess the need for a rulemaking in the future.