PART 3 - Rules Governing Privacy
The primary purpose of this Part 3 is to protect the privacy interests of residential subscribers to telecommunications services subject to the jurisdiction of this Commission. Because wireless telephones used by individual subscribers are typically brought into their homes (and into other private residences), sometimes to the exclusion of landline telephone, the privacy interests of wireless customers are substantially the same as those of residential customers. Accordingly, for purposes of this Part 3, protected information includes "non-public information specific to a residential subscriber who is a natural person," including a wireless subscriber, "that is collected or developed by a carrier solely by virtue of the carrier-subscriber relationship."
The privacy interests of residential telephone subscribers encompass several distinct interests. These interests, which are protected by Article 1, Section 1 of the California Constitution, by certain provisions of the Public Utilities Code, and by many other California statutes, include:
(1) An interest in keeping communication over the telephone network confidential (protected by, inter alia, Public Utilities Code §§ 2885, 7903, 7905, 7906; see also Penal Code §§ 631, 632, 637, 637.1, 641);
(2) An interest in controlling the disclosure of information about the subscriber to third parties (protected by Public Utilities Code §§ 761.5, 2891-2894.10); and
(3) The right not to be disturbed by unwanted telephone solicitations (protected, under California law, by Public Utilities Code §§ 2871-2876 (regulating automatic dialing-announcing devices) and § 2894.10, and by the recently enacted California law on Unsolicited and Unwanted Telephone Solicitations (Bus. & Prof. Code §§ 17591-17595, the Do Not Call law)). Federal laws protecting this interest include the Telephone Consumer Protection Act of 1991 (47 U.S.C. § 227) and the Telemarketing and Consumer Fraud and Abuse Prevention Act (15 U.S.C. §§ 6101-6108).
In providing telecommunications services regulated by this Commission, carriers shall comply with 47 U.S.C. § 222 governing the use of CPNI, as that term is defined by 47 U.S.C. § 222(h), and with the Federal Communication Commission's implementing regulations, 47 C.F.R. §§ 64.001-64.009 (as amended by the Third Report and Order and Third Further Notice of Proposed Rulemaking in CC Docket Nos. 96-115/96-149/00-257 (Release No. FCC 02-214; 17 F.C.C.R. 14860 (July 25, 2002) ("Third Report and Order"))) provided, however, that whenever customer approval is required pursuant to 47 C.F.R. §64.2007 before disclosing CPNI, and any other Confidential Subscriber Information as defined by Public Utilities Code § 2891(a) and this Part, to a third party (including an affiliate of the carrier), carriers must obtain a subscriber's prior written consent (written opt-in approval) to the disclosure, as required by Public Utilities Code § 2891 and by this Rule.
As set forth in the following subsections, this Part 3 adopts most of the notice and safeguard requirements of the CPNI regulations (§§ 64.2007-64.2009), and applies them to all Confidential Subscriber Information, as California law defines that term.
Affiliate
A person that (directly or indirectly) owns or controls, is owned or controlled by, under common ownership or control with, another person. For purposes of this paragraph, the term "own" means to own an equity interest (or the equivalent thereof) of more than 10 percent.
Agent
A person (including an individual, partnership, association, joint-stock company, trust, corporation, or affiliate) acting on behalf of another person.
Approval
A subscriber's express, affirmative, prior consent, given to the carrier, to the carrier's use or disclosure of that subscriber's confidential subscriber information for a specified purpose.
Commercial Mobile Radio Service (CMRS)
For purposes of this Part 3, commercial mobile radio service is also referred to as wireless service.
Commission
California Public Utilities Commission, unless otherwise noted.
Communications-related Services
Telecommunications services, information services typically provided by telecommunications carriers, and services related to the provision or maintenance of customer premises equipment.
Confidential Subscriber Information (CSI)
Non-public information specific to a subscriber who is a natural person that is collected or developed by a carrier solely by virtue of the carrier-subscriber relationship. This information includes customer proprietary network information (see definition below). Confidential subscriber information includes: (i) a residential subscriber's personal calling patterns, including any listing of the telephone or other access numbers called by the subscriber, but excluding the identification to the person called of the person calling and the telephone number from which the call was placed (e.g., by means of Caller ID), subject to the restrictions in Public Utilities Code § 2893, and also excluding billing information concerning the person calling that federal law or regulation requires a telephone corporation to provide to the person called; (ii) the residential subscriber's credit and other personal financial information, except when the corporation is ordered by the Commission to provide this information to any electrical, gas, heat, telephone, telegraph, or water corporation, or centralized credit check system, for the purpose of determining the creditworthiness of new utility subscribers; (iii) the services that the residential subscriber purchases from the corporation or from independent suppliers of information services who use the corporation's telephone or telegraph line to provide service to the residential subscriber; (iv) demographic information about individual residential subscribers, or aggregate information from which individual identities and characteristics have not been removed; and (v) a subscriber's name, address and telephone number if the subscriber has requested that such information be withheld from a printed or electronic directory. Confidential subscriber information does not include subscriber list information (defined below).
[Comment: This definition includes the type of nonpublic, personal information protected by Public Utilities Code § 2891.]
Customer
A person or entity to which the telecommunications carrier is currently providing service; a subscriber.
Customer Premises Equipment (CPE)
Equipment employed on the premises of a person (other than a carrier) to originate, route or terminate telecommunications.
Customer Proprietary Network Information (CPNI)
Information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer or a carrier; except that such term does not include subscriber list information (see 437 U.S.C. § 222; 437 C.F.R. § 64.2003(d) (incorporating statutory definition)).
Local Exchange Carrier (LEC)
Any person engaged in the provision of local telephone exchange service or exchange access. Such term does not include a person insofar as such person is engaged in the provision of commercial mobile radio service under § 332 (c) of the Federal Communications Act of 1934, except to the extent that the FCC finds that such service should be included in the definition of such term.
Opt-in Approval
A method for the carrier to obtain a subscriber's consent to the carrier using, disclosing, or permitting access to the subscriber's CSI. This approval method requires that the carrier obtain from the customer affirmative, express, prior consent allowing the carrier to use, disclose, or access the subscriber's CSI for a specified purpose or purposes, after providing the subscriber appropriate notification of the request consistent with the requirements set forth in these rules.
Person
"Person" includes an individual, partnership, association, joint-stock company, trust, or corporation.
Residential Subscriber
Residential subscribers of traditional land line telephone service, and all wireless subscribers who are subscribed as individuals. "Residential Service" does not include those wireless subscribers who are subscribed as a corporation, company, limited liability company, partnership, or other business entity.
Subscriber List Information (SLI)
Any information identifying the listed names of subscribers of a carrier and such subscribers' telephones numbers, addresses, or primary advertising classifications (as such classifications are assigned at the time of the establishment of such service), or any combination of such listed names, numbers, addresses, or classifications; and that the carrier or affiliate has published, caused to be published, or accepted for publication in any directory format. SLI does not include the name, address and telephone number of a subscriber who has requested that this information be withheld from a printed or electronic directory.
Telecommunications Carrier, or Carrier
Any provider of telecommunications services, except that such term does not include aggregators of telecommunications services (as defined in Section 226 of Title 7 United States Code).
Telecommunications Service
The offering of telecommunications for a fee directly to the public, or to such classes of users as to be effectively available directly to the public, regardless of the facilities used.
(1) Carriers shall comply with Public Utilities Code § 761.5 (Centralized Credit Check Services), §§ 2872-2875 (Automatic Dialing Devices), §§ 2891-2894.10 (Customer Right of Privacy), 47 U.S.C. § 222, and all other applicable state and federal statutes and regulations pertaining to the confidentiality of telephone communications and to the collection, use, disclosure and retention of confidential subscriber information as they may be amended from time to time.
(2) Carriers customer record retention and disclosure policy must comply with all applicable provisions of the Information Practices Act of 1977 (see Title 1.81 (Customer Records) and Title 1.81.1 (Confidentiality of Social Security Numbers) (Cal. Civil Code §§ 1798.80-1798.84, 1798.85-1798.86)).
(3) Carriers shall not make telephone solicitation calls to telephone numbers included on the federal Do Not Call List unless authorized by law, and shall comply with subscriber requests that the carrier make no further telephone solicitation calls.
[Comment: Regulations issued by the Federal Trade Commission (16 C.F.R. Part 310) and the Federal Communications Commission (47 C.F.R § 64.1200) established a federal Do Not Call List and define certain exceptions to the general prohibition on telephone solicitation calls to telephone numbers on that list. Some of those exceptions become inapplicable once the subscriber has asked that a particular solicitor cease making solicitation calls, and such requests must also be honored even if the telephone number is not on the Do Not Call List. California law (Business & Professions Code § 17590-17595) also prohibits telephone solicitation calls to California telephone numbers on the federal Do Not Call List.]
(1) Except as provided by Public Utilities Code § 2891 and this Section [Section D of Part 3], no telecommunications carrier shall make a residential subscriber's Confidential Subscriber Information available to any other person or corporation (including an affiliate) without first obtaining the residential subscriber's affirmative consent (approval), in writing. The subscriber's consent must be obtained by means of opt-in approval.
(2) Telecommunications carriers may disclose CSI to affiliates or to other third parties without the subscriber's prior consent, to the extent necessary to initiate, provide, bill and collect for the services that the carrier is providing to the subscriber, or that the subscriber has requested from the carrier. When a carrier discloses CSI to a third party pursuant to this section, the carrier must have control over the uses of the information by the third party in compliance with all applicable federal and state privacy laws and regulations and this General Order.
[Comment: The subscriber consent requirement set forth in § 2891 does not apply to "information transmitted between telephone or telegraph corporations pursuant to the furnishing of telephone service between or within service areas." (§ 2891(d)(8).)]
(a) A wireless provider may use, disclose, or permit access to CSI derived from its provision of CMRS, without customer approval, for the provision of CPE and information service(s).
(b) A wireline carrier may use, disclose or permit access to CSI derived from its provision of local exchange service or interexchange service, without customer approval, for the provision of CPE and call answering, voice mail or messaging, voice storage and retrieval services, fax storage and forward, and protocol conversion.
(c) A telecommunications carrier may not use, disclose or permit access to CSI to identify or track customers that call competing service providers. For example, a local exchange carrier may not use local service CSI to track all customers that call local service competitors.
(3) A telecommunications carrier may use, disclose, or permit access to CSI, without customer approval, for the following purposes:
(a) A telecommunications carrier may use, disclose, or permit access to CSI, without customer approval, in its provision of inside wiring installation, maintenance, and repair services.
(b) CMRS providers may use, disclose, or permit access to CSI for the purpose of conducting research on the health effects of CMRS.
(c) LECs and CMRS providers may use CSI, without customer approval, to market services formerly known as adjunct-to-basic services, such as, but not limited to, speed dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call waiting, Caller ID, call forwarding, and certain Centrex features.
(d) Other types of subscriber information that carriers may use without subscriber approval include:
(A) Information provided by residential subscribers for inclusion in the corporation's directory of subscribers;
(B) Information customarily provided by the corporation through directory assistance services;
(C) Postal ZIP Code information;
(D) Information provided under supervision of the Commission to a collection agency by the telephone corporation exclusively for the collection of unpaid debts;
(E) Information provided to an emergency service agency responding to a 911 telephone call or any other call communicating an imminent threat to life or property;
(F) Information provided to a law enforcement agency in response to lawful process;
[Comment re: information provided in response to lawful process. This rule is not intended either to limit or to expand the rights or obligations by which law enforcement agencies may lawfully obtain information under Public Utilities Code § 2891, Code of Civil Procedure §§ 1985.3(c) and (f) or any other lawful authority.]
(G) Information which is required by the Commission pursuant to its jurisdiction and control over telephone and telegraph corporations;
(H) Information transmitted between telephone or telegraph corporations pursuant to the furnishing of telephone service between or within service areas;
(I) Information required to be provided by the corporation pursuant to rules and orders of the Commission or the Federal Communications Commission regarding the provision over telephone lines by parties other than the telephone and telegraph corporations of telephone or information services;
(J) The name and address of the lifeline customers of a telephone corporation provided by that telephone corporation to a public utility for the sole purpose of low-income ratepayer assistance outreach efforts; and
(K) Information provided in response to a request pursuant to Penal Code § 530.8.
[Comment: This list of exceptions to the approval requirement is taken from Public Utilities Code § 2891(d).]
(1) Carriers must obtain a residential subscriber's approval in writing. Written approval may be obtained by electronic means as provided in Part 2 of this General Order (Definitions: "Written; In Writing").
(a) Approval or disapproval to use, disclose, or permit access to a subscriber's CSI obtained by a carrier must remain in effect until the subscriber revokes or limits such approval or disapproval.
(b) A carrier must maintain records of approval for at least one year.
(2) Use of Opt-In Approval Processes
(a) A telecommunications carrier may, subject to opt-in approval, disclose its subscriber's individually identifiable CSI, for the purpose of marketing communications-related services to that subscriber, to (i) its agents, (ii) its affiliates that provide communications-related services, and (iii) its joint venture partners and independent contractors. A telecommunications carrier may also permit such persons or entities to obtain access to such CSI for such purposes. Any such disclosure to or access provided to joint venture partners and independent contractors shall be subject to the safeguards set forth in the following paragraph.
(b) Joint Venture/Contractor Safeguards: A telecommunications carrier that discloses or provides access to CSI to its joint venture partners or independent contractors shall enter into confidentiality agreements with independent contractors or joint venture partners that comply with the following requirements. The confidentiality agreement shall: (i) require that the independent contractor or joint venture partner use the CSI only for the purpose of marketing or providing the communications-related services for which that CSI has been provided; (ii) prohibit the independent contractor or joint venture partner from using, allowing access to, or disclosing the CSI to any other party, unless required by law to make such disclosure; (iii) require that the independent contractor or joint venture partner have appropriate protections in place to ensure the ongoing confidentiality of subscribers' CSI.
(c) Except for use and disclosure of CSI that is expressly permitted without subscriber approval pursuant to § 2891 (and Part 3, Section D of this General Order), a carrier may use, disclose, or permit access to a subscriber's CSI only with the express, written, prior consent of the subscriber (i.e. the subscriber's opt-in approval).
F. Notice Required for Use of CSI
(1) Notification Generally
(a) Prior to any solicitation for subscriber approval, a telecommunications carrier must provide notification to the subscriber of the subscriber's right to restrict use of, disclosure of, and access to that subscriber's CSI.
(b) A telecommunications carrier must maintain records of notification, whether oral, written or electronic, for at least one year.
(2) Individual notice to subscribers must be provided when soliciting approval to use, disclose, or permit access to subscribers' CSI.
(3) Content of Notice: Subscriber notification must provide sufficient information to enable the subscriber to make an informed decision as to whether to permit a carrier to use, disclose, or permit access to, the subscriber's CSI.
(a) The notification must state that the subscriber has a right, and the carrier has a duty, under federal law to protect the confidentiality of CSI.
(b) The notification must specify the types of information that constitute CSI and contain a clear explanation of the purpose(s) for which the subscriber's CSI may be used and to whom it may be disclosed for purposes unrelated to the initiation, provision, billing or collection of payment for service. It must inform the subscriber that he or she has a right not to approve those uses, and to withdraw approval to CSI at any time.
(c) The notification must advise the subscriber of the precise steps the subscriber must take in order to grant or deny access to CSI, and must clearly state that a denial of approval will not affect the provision of any services to which he or she subscribes. However, carriers may provide a brief statement, in clear and neutral language, describing consequences directly resulting from the lack of access to CSI.
(d) The notification must be comprehensible and must not be misleading.
(e) If written notification is provided, it must be clear and conspicuous (i.e., it must be clearly legible, use sufficiently large type, and if provided along with other written materials, be placed so as to be readily apparent to a subscriber).
(f) If any portion of a notification is translated into another language, then all portions of the notification must be translated into that language.
(g) A carrier may state in the notification that the subscriber's approval to use CSI may enhance the carrier's ability to offer products and services tailored to the subscriber's needs. A carrier also may state in the notification that it may be compelled to disclose CSI to any person upon affirmative written request by the subscriber.
(h) A carrier may not include in the notification any statement attempting to encourage a subscriber to freeze third-party access to CSI.
(i) The notification must state that any approval, or denial of approval for the use of CSI outside of the service to which the subscriber already subscribes from that carrier is valid until the subscriber affirmatively revokes or limits such approval or denial.
(j) A telecommunications carrier's solicitation for approval must be proximate to the notification of a subscriber's CSI rights.
(4) Notice Requirements Specific to One-Time Use of CSI: Carriers may use oral notice to obtain limited, one-time use of CSI for inbound and outbound subscriber telephone contacts for the duration of the call. The contents of any such notification must comply with the requirements of subsection (3) of this section, except that telecommunications carriers may omit any of the following notice provisions if not relevant to the limited use for which the carrier seeks CSI:
(a) Carriers need not advise subscribers that they may share CSI with their affiliates or third parties and need not name those entitles, if the limited CSI usage will not result in use by, or disclosure to an affiliate or third party.
(b) Carriers need not disclose the means by which a subscriber can deny or withdraw future access to CSI, so long as carriers explain to subscribers that the scope of the approval the carrier seeks is limited to one-time use.
(c) Carriers may omit disclosure of the precise steps a subscriber must take in order to grant or deny access to CSI, as long as the carrier clearly communicates that the subscriber can deny access to his CSI for the call.
G. Safeguards Required for Use of CSI
(1) Carriers must implement a system by which the status of a subscriber's CSI approval can be clearly established prior to the use of CSI.
(2) Carriers must train their personnel as to when they are, and are not, authorized to use CSI, and carriers must have an express disciplinary process in place.
(3) All carriers shall maintain a record, electronically or in some other manner, of their own and their affiliates' sales and marketing campaigns that use their subscribers' CSI. All carriers shall maintain a record of all instances where CSI was disclosed or provided to third parties, or where third parties were allowed access to CSI. The record must include a description of each campaign, the specific CSI that was used in the campaign, and what products and services were offered as a part of the campaign. Carriers shall retain the record for a minimum of one year.
(4) Carriers must establish a supervisory review process regarding carrier compliance with the rules in this subpart for outbound marketing situations and maintain records of carrier compliance for a minimum period of one year. Specifically, sales personnel must obtain supervisory approval of any proposed outbound marketing request for subscriber approval.
(5) A carrier must have a corporate officer, as an agent of the carrier, sign a compliance certificate on an annual basis stating that the officer has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement accompanying the certificate explaining how its operating procedures ensure that it is, or is not, in compliance with the rules in this subpart.
H. Compliance with Commission Decisions
Carriers shall comply with Commission Decision 97-01-042, relating to subscriber directory listing and access to directory listing information, and with the rules set forth in Decision 92860 and Decision 93361, Appendix A, Nonpublished Service, and Appendix B, Release of Credit Information and Calling Records, as modified, which address the release of nonpublished information, calling records and credit information of all subscribers.
