Skip to content
DWT logo
People Services Insights
About Offices Careers
Search
People
Services
Insights
About
Offices
Careers
Search
Advisories
Communications

The Anonymization/De-identification Debate Moves to the FCC

Agency Seeks Comments on Petition That Could Severely Restrict Service Provider Ability to Use “Anonymized” Customer Information
By James M. Smith, Christin S. McMeley and K.C. Halm
01.06.14
Share
Print this page
As explained in our recent PrivSec blog post, on Dec. 11, 2013, a coalition of privacy advocates led by Public Knowledge filed a Petition for Declaratory Ruling with the FCC that, if granted, would significantly expand the scope of Customer Proprietary Network Information (CPNI) data that would be subject to heightened protections under the Commissions’ rules. Those rules limit the use and sharing of confidential customer-specific information by telecommunications carriers and other providers of telephone service, including cable operators and VoIP providers, absent the customer’s opt-in consent. Public Knowledge’s petition asks the Commission to rule that phone call data that has been “anonymized” or “de-identified” by removing personal identifiers, but which remains “individually identifiable,” is nonetheless CPNI that may not be shared with other companies or entities absent the customer’s consent. The FCC swiftly issued a Public Notice asking for comments on the Petition by Jan. 17, 2014, with reply comments to be filed by Feb. 3, 2014.

Background
Under Section 222 of the Communications Act and the FCC’s existing rules, CPNI includes “individually identifiable” information such as the time, date, destination, location, and network configuration of a customer’s telephone service that is known by the provider solely by virtue of the carrier-customer relationship, and information contained in customer bills. The statute and the FCC rules contain several exceptions to this definition of CPNI and allow providers to use CPNI under certain circumstances. One such exception allows service providers to use “aggregate customer information . . . from which individual customer identities and characteristics have been removed.” The FCC has also issued several interpretations regarding the scope and breadth of CPNI and its permitted uses; for example, it has ruled that customer name, address and telephone number do not constitute CPNI and may be disclosed and shared by service providers without prior consent, unless subject to other privacy protections. 

The Petition argues that the Commission should construe Section 222 to find that “all CPNI is either individually identifiable (and subject to the restrictions on use and sharing) or aggregate (and not subject to the restrictions).” It claims that the privacy policies of all four major mobile carriers (AT&T, Verizon, Sprint and T-Mobile) state that they reserve the right to share anonymized or de-identified customer records with third parties, and cites a press report that AT&T has sold such anonymized customer call records to the CIA. The Petition claims that even anonymized data can be manipulated to “re-identify” individuals, and therefore that the cited policies and practices violate the Act’s protection of CPNI. Thus, even where customers’ names, phone numbers and other identifying information are removed from service providers’ records, the petitioners argue that, if such data retains “individual customer characteristics,” it cannot be used without customer consent.

Implications of a Broad Construction of “Individually Identifiable” CPNI
Grant of the coalition’s petition by the FCC could be very problematic for voice service providers of all stripes. Such an interpretation would substantially expand the universe of data protected as CPNI even in the absence of any personally identifiable information; prohibit the use of data that the current rules allows under established FCC interpretations; and restrict the Commission from any future flexibility in interpreting the boundaries and limitations of the statute. In turn, such a ruling could severely limit service providers from using CPNI now or in the future for marketing or any other purposes, absent prior consent. 

Not only could a broad interpretation of the meaning of “individually identifiable” CPNI be problematic for those entities that regularly use CPNI, but a ruling that finds anonymized data is still subject to heightened protections could also be used as precedent in other contexts to limit use of anonymized data. The FTC has already extended protections to device identifiers in its amendments to the rules implementing the Children’s Online Privacy Protection Act (or COPPA) and is now considering the effect the “Internet of Things” has on the de-identification and anonymization of data. Similarly, the “Do Not Track” negotiations have yet to settle when “de-identified” data can be used and what “de-identification” even means.

A broad interpretation of the meaning of “individually identifiable” CPNI is also inconsistent with well-established guidelines from other agencies. NIST, for example, provides guidelines in which the adequacy of de-identification techniques is evaluated in the context of the security of databases against attack, restrictions on the anticipated recipient, and potential combination with other reasonably available information. The risk of re-identification need not be zero to be effective. Likewise, HIPAA recognizes that “de-identified” data can bear some risk of “re-identification,” but if the risk is very low and proper de-identification techniques are used, de-identified data may be put to beneficial uses, rather than being prohibited from all use. 

Service providers that use any form of anonymized CPNI, or other customer data that has been de-identified, should consider filing comments with the FCC on Jan. 17, 2014. Contact the authors or your Davis Wright Tremaine attorney contact for more information about this proceeding.

Related Articles

2025
Feature
Financial Services
New Administration Outlook: Helping You Navigate Post-Election Uncertainty in 2025 and Beyond Read More External Link
03.25.25
Publications
Artificial Intelligence
Co-author, "Privacy Law Issues for Developers and Deployers of Generative Artificial Intelligence," LexisNexis Read More External Link
02.27.25
Webinars
Privacy & Security
"Securing Americans' Sensitive Data: Understanding the DOJ's New Final Rule," Davis Wright Tremaine Webinar Read More
DWT logo
©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.
Media Kit Affiliations Legal notices
Privacy policy Employees DWT Collaborate EEO

SUBSCRIBE
©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.