Comments of Public Counsel Washington Attorney General Washington Utilities and Transportation Commission Preproposal Notice of Inquiry (CR 101) Customer Proprietary Network Information (CPNI) UT-971514 Introduction Public Counsel files these comments pursuant to the Commission=s Notice of December 16, 1997. This proceeding is an outgrowth of the Commission=s prior rulemaking on consumer protection issues, Docket UT-960942. Public Counsel filed comments and proposed rule language on these issues in that docket. A copy of the previously proposed rule regarding privacy is attached to these comments as Appendix A. The underlying context for this NOI regarding customer information is the Telecommunications Act of 1996 (Act or 1996 Act), which addresses the appropriate use and protection of customer proprietary network information (CPNI) in Section 222. The FCC issued a Notice of Proposed Rulemaking on May 17, 1996 seeking comment on Aproposed regulations to specify in more detail and clarify the obligations of telecommunications carriers with respect to the use and protection of CPNI and other customer information.@ In the Matter of the Implementation of the Telecommunications Act of 1996: Telecommunications Carriers= Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, FCC 96-221 (CPNI NPRM), & 1 Comments were filed in June 1996. The FCC has yet to adopt rules or take other formal action based on the NPRM. As noted above, this Commission conducted rulemaking in Docket UT-960942 and adopted rules relating to directories, slamming and CPNI. WAC 480-120-042, 480-120-139. After a petition by USWC, GTE, and others, the Commission agreed to waive WAC 480-120-139(5)(a) regarding the use of CPNI, through January 31, 1998. The handling of customer information by telecommunications companies raises two significant issues: protection of customer privacy and competitive fairness. For a good general discussion of both aspects of customer information, see Utility Customer Information: Privacy and Competitive Implications, National Regulatory Research Institute, NRRI 92-11 (September 1992) While the genesis of this particular proceeding to reevaluate the existing rule lies in telecommunications companies= concerns about their ability to use information for marketing, Public Counsel urges the Commission to keep these two preeminent policy goals in mind in any reexamination of the rule and of proposed new provisions. Public Counsel notes that the CR 101 Preproposal Statement of Inquiry and the Notice of December 16, 1997, both refer to the Commission=s intention to explore the need for rulemaking regarding Aprivacy protection.@ Public Counsel urges the Commission not to consider amending the rule solely to accommodate industry concerns about marketing. If any changes are made to the rule, improvements to the protection of customer privacy and the advancement of competitive fairness should be achieved. Comments In the event, that the Commission decides to amend the existing rules, Public Counsel recommends that any revised rule contain at least the following elements, as contained in the attached proposed rules: C. A statement of the duty of telecommunications companies to protect privacy of Acustomer proprietary network information@ and Asubscriber personal information@; C. A prohibition on disclosure of customer information without prior written authorization; $. A requirement that customers be given annual notice of their privacy rights, and the ability to place their names on a Ado not call@ list; C. A statement of reasonable exceptions (e.g. for directory publishing, emergency assistance) and the permissible use of aggregate CPNI; C. Limits on a company=s use of CPNI to market to its own customers; and C. Definitions of Acustomer proprietary network information@ and Asubscriber personal information.@ The Duty To Protect Privacy The current rule does not contain an express statement of a telecommunications company=s duty to protect privacy. Public Counsel recommends adoption of such a provision, modeled on Section 222(a) of the Telecommunications Act of 1996, but expanded to include protection for subscriber personal information not included in the definition of CPNI. Subscriber personal information includes personal calling pattern, credit or personal financial information, services that are purchased and demographic information. Prohibition On Disclosure Of Information Without Prior Written Authorization The existing rule clearly prohibits disclosure of CPNI with narrow exceptions. WAC 480-120-139(5)(b). It does not, however, prohibit disclosure of other subscriber personal information, nor does it contain a prior written authorization requirement. An alternative approach is set out in the draft rule. The Commission, in comments filed in the FCC CPNI rulemaking, supported imposition of a written authorization requirement prior to disclosure. Comments of Washington UTC, CC Docket 96-115, June 10, 1996, pp. 8-9. As noted below, oral authorization is sufficient in the case of inbound marketing that the company wishes to conduct during a customer-initiated call. Annual Notice of Rights It is critical that subscribers understand the type of information retained by carriers, what rights they have with respect to the information, and how to give and rescind authorization for use of the information. Without such knowledge, ability of customers to protect their privacy is seriously impaired. Customers should receive individual written notice. A bill insert could be used for this purpose. It should be accompanied by a postcard to be returned if the customer wishes to authorize use or disclosure of his or her information. A notice of privacy rights should also be included in the directory published by the telecommunications company. As part of the required notice, customers should be notified of their right to place their name on a Ado not call@ list if they do not wish to receive marketing solicitations from their own or other companies. Public Counsel recommends that the Commission establish such a list. A Commission-maintained Ado not call@ list could be used for this purpose, as well as for purposes of the general telephone solicitation rules. WAC 480-120-087. Customers with nonpublished or unlisted numbers already have the option of requesting that they not receive solicitation or telemarketing calls from their carrier. WAC 480-120-139(5)(c). This option should be extended to all customers, even if the Commission does not wish to establish its general Ado not call@ list. Exceptions Reasonable exceptions can be made for the use and disclosure of CPNI. These should include directory information, directory assistance services (except unlisted or nonpublished numbers); information provided to an emergency assistance agency; information provided to a law enforcement agency in response to lawful process; information required by regulatory agencies; and information released to credit reporting agencies and debt collection agencies in conformance with state and federal law. Consistent with the federal statute the rule should also provide for the use of aggregate (non-customer specific CPNI). This specific provision is related to fair competitive use rather than privacy concerns and could be incorporated in a separate fair use rule. Limits on Use of CPNI The rule should provide at a minimum that a telecommunications company that obtains customer information in the provision of a service to its subscriber may only use, disclose, or provide access to CPNI or subscriber personal information to provide the specific service. Unless the subscriber approves in writing, the company should be barred from using the information to market its services unless the information is accessed in response to a call initiated by the subscriber and the subscriber orally approves of the use of such information. Companies= use of their customers= CPNI for so-called Aoutbound@ marketing (company-initiated) is a central issue in this proceeding. The temporary waiver of the existing rule was granted in response to company concerns about marketing to their own customers. The starting point for an analysis of this issue is Section 222 of the 1996 Act. Section 222(c)(1) states that a carrier that receives or obtains CPNI through its provision of a telecommunications service: shall only use, disclose or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories. The only stated exception is for Ainbound@ (customer-initiated) marketing after the customer consents. 47 USC ' 222(d) The primary debate regarding interpretation of Section 222(c)(1) comes in the treatment of marketing and in the definition of telecommunications services. Section 222(c)(1) does not refer to marketing. The FCC, however, appears to treat marketing as a part of service provision. See, e.g., CPNI NPRM, & 23. The FCC does not explain in the NPRM why marketing is treated as part of service provision. Under this interpretation, once a company provides a service to a customer, it may use that customer=s CPNI to initiate marketing efforts directed at that customer, so long as they involve that same service. The FCC=s inclusion of marketing as part of service provision does not appear consistent with the privacy protection goals of the statute, since it exposes customers to intrusive targeted marketing. The definition of a Atelecommunication service@ for purposes of the statute is additionally important because the manner in which service is defined will determine the extent to which Across-marketing@ of services is limited. The FCC NPRM tentatively concludes that Atraditional service distinctions@ should be employed. CPNI NPRM, & 22 These are: C. local (including short-haul toll) C. interexchange (including interstate, intrastate and international long-distance offerings as well as short-haul toll) C. commercial mobile radio services As a practical matter, maintaining appropriate distinctions between different categories of telecommunications services advances the purposes of the statute. By limiting the extent of cross-marketing in this fashion, customers are in turn protected from increased levels of marketing and solicitation contacts. Definitions Of ACustomer Proprietary Network Information@ And ASubscriber Personal Information@ The current rule does not define CPNI, aggregate CPNI, subscriber personal information, or subscriber list information. At a minimum, the Section 222 definition of CPNI should be included. To the extent other terms are incorporated in a revised rule, definitions should also be included. Fair Competitive Use of CPNI Rules governing fair competitive use of CPNI are also important. The following areas should be addressed: C. CPNI obtained from another telecommunications company may only be used for the provision of service and not for marketing. C. Companies making aggregate CPNI available to their affiliates must make the information available to competitors under the same rates, terms, and conditions. C. Telecommunications companies have the duty to protect the confidentiality of proprietary information received from other carriers. C. Carriers who provide exchange services and gather subscriber list information should be required to make the information available on a non-discriminatory basis. The Commission should consider whether it is appropriate to create separate sections of the rules for privacy and for the competitive fairness requirements. Conclusion Public Counsel urges the Commission to use this opportunity to take a comprehensive look at both privacy and competitive fairness issues arising from the use of customer information. These are significant matters, particularly customer privacy. The companies= interests in marketing do not outweigh these other important concerns. DATED this 8th day of January, 1998. CHRISTINE O. GREGOIRE Attorney General Simon J. ffitch Assistant Attorney General Public Counsel Section