Federal Communications Commission, In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, Declaratory Ruling (CC Docket No. 96-115) (June 27, 2013) (Mobile Device CPNI Declaratory Ruling) (full-text).
the Declaratory Ruling makes clear that when mobile carriers use their control of customers' devices to collect information about customers' use of the network, including using preinstalled apps, and the carrier or its designee has access to or control over the information, carriers are required to protect that information in the same way they are required to protect CPNI on the network. This sensitive information can include telephone numbers that a customer has called and received calls from, the durations of calls, and the phone's location at the beginning and end of each call.
Carriers are allowed to collect this information and to use it to improve their networks and for customer support. Carriers' collection of this information can benefit consumers by enabling a carrier to detect a weak signal, a dropped call, or trouble with particular phone models. But if carriers collect CPNI in this manner, they must protect it.
The Declaratory Ruling does not impose any requirements on non-carrier, third-party developers of applications that consumers may install on their own. The ruling also does not adopt or propose any new rules regarding how carriers may use CPNI or how they must protect it.
The Commission will be able to take enforcement action in the event that a failure to take reasonable precautions causes a compromise of CPNI on a device. This clarification avoids what would otherwise be an important gap in privacy protections for consumers.