Background
Rapidly changing technology has made protecting consumer privacy increasingly challenging. Telecommunications and utility companies have the ability to collect and maintain a wealth of information about their customers, including detailed usage histories that allow behavioral profiling. This information is valuable to third-party companies seeking to build detailed consumer profiles, creating a financial incentive for the sale of such data. This raises serious privacy concerns (see also Chapter 11, Financial Services and Consumer Products: Information Privacy; and Chapter 7, Health: Health Information Technology).
CPNI privacy—customer proprietary network information (CPNI) details calling patterns, services, product selections, and usage history for customers; this information is often obtained without the permission of the account holder. The flow of personal information over the Internet and other advanced communications services and devices has increased the risk that private information will become public. For example, CPNI is widely available and may be purchased online from data brokers and private investigators. Lax provider security makes “pretexting” (gaining access to personal information by pretending to be the account holder) relatively easy.
In 2007, the Federal Communications Commission (FCC) issued regulations requiring carriers to obtain opt-in consent from customers before disclosing their CPNI to a carrier’s joint-venture partner or an independent contractor for marketing. The rules also allow states to put in place additional consumer safeguards to enhance CPNI protections.
Recognizing that broadband deployment has raised concerns about consumers’ privacy, in 2016 the FCC adopted additional rules to give broadband customers better tools for controlling how Internet service providers (ISPs) may use their personal information. The rules require consumers to opt-in before the ISP can share "sensitive" information, which is defined as geolocation, health and financial information, children's information, app usage, web browsing history, and content of online communications.
Wireless communication privacy—the rapid spread of mobile communication technology raises a number of privacy concerns. One is that privacy notices delivered on mobile devices are overly long and complex, making the notices difficult for consumers to understand. The Federal Trade Commission (FTC) has called for the development of short, standardized, and meaningful privacy disclosures in order to make them more accessible to those viewing them on small screens.
The FTC has also identified the highly sensitive nature of geolocation data gathered through mobile devices. Knowing the specific location of an individual is particularly useful in identifying (or re-identifying) individuals using disparate bits of data, so limits on the collection, retention, and sharing of such data are necessary. The FTC is continuing to monitor developments in the mobile arena and to target deceptive and unfair practices in the wireless market.
Utility privacy—the ability to retrieve, analyze, and respond to much more precise and detailed data is a major benefit of utility network modernization and use of smart meters. Yet these same technologies raise a number of privacy issues surrounding the collection, retention, and use of individual utility consumers’ utility usage data. Further, the transmission of data from the utility customer’s dwelling creates concerns about security breaches and a subsequent loss of personal privacy.
Privacy Protections in the Use of Telecommunication and Utility Services: Policy
Privacy safeguards
Federal policymakers should ensure that all consumers are protected against unauthorized access to or use of personal data, such as information on usage, billing and payments.
Federal policymakers should require telecommunications and utility companies to provide consumers with the opportunity to determine whether their nonpublicly available and personally identifiable information should be used or disclosed for purposes other than those for which the information was originally provided.
States should:
- require telecommunications and utility companies to protect a customer’s usage, billing, payment, and other personal data from disclosure unless it has been authorized by the customer or is necessary to provide services the customer has requested;
- ensure that consumers are informed about easily accessible and usable avenues for redress if their personal information is inappropriately disclosed or used and that they have the right to correct the listing of their personal information if it is false or inaccurate; and
- establish rules to specify the procedures by which customers can provide authorization for disclosures and be informed of their privacy rights.
Mobile device privacy
Privacy disclosures delivered via mobile devices should be short, meaningful, and easily accessible on smaller screens.
Standards protecting the privacy of mobile device users should be established governing the collection, transfer, use, and disposal of location data gathered through mobile devices.
Utility data privacy
Policymakers should build strong privacy protections into any system design prior to deployment to ensure that:
- privacy of customer information is the default setting;
- data collection is limited to only what is necessary for operations, and data are retained only for as long as necessary;
- privacy protections exist throughout the entire life cycle of any personal information collected; and
- affirmative consent from customers is obtained before utilities disclose personally identifiable data to affiliates or third parties for purposes other than account management and billing, and that third parties agree to maintain the same level of privacy of customer data.