Recently, the Federal Communications Commission revived an inquiry the Commission first launched in 2007 to investigate telecommunication carriers’ practices regarding the “privacy and security of information stored on mobile communications devices.” In 2007, the agency decided to postpone any official rulemaking after accepting arguments from major carriers that hardware manufacturers and customers were the only entities that actually had access to the data stored on personal devices and that carriers should not be held responsible for the decisions the manufacturers and customers made in storing and using that data. One of the reasons the FCC was receptive to that explanation was that the agency at the time was primarily concerned with carriers erasing customer data from refurbished cell phones that were sold or redistributed to other customers, and the carriers’ argument was that this issue was not within their control.
Fast forward six years – the era of exponentially growing importance of mobile data – and there is little surprise that the FCC has re-launched the inquiry, citing carriers’ statements, including in Congressional testimony, that the companies gather and process customer-specific data.
The linchpin of the FCC’s renewed interest is the recent controversy in which software installed on mobile phones was shown to be collecting data from customers’ phones and transmitting that data to the carriers without the knowledge or consent of the customer. At the time, it was reported that each major carrier required the software to be installed on smart phones sold to customers, and that customers were not informed about the existence of the software or the software’s perpetual communication of customer-specific data to the customer’s carrier.
In re-launching the inquiry into carriers’ data privacy and security practices, the FCC argues that not informing customers about the software or its data practices may have violated the carriers’ responsibility pursuant to Section 222 of the Communications Act of 1934 to protect customer data “that is made available to a carrier solely by virtue of the carrier-customer relationship.” The law allows such data to be used only in “limited circumstances,” a term which is not defined in Section 222. It appears that one of the goals of the renewed inquiry is for the FCC to define the scope of the “limited circumstances.”
The FCC seeks public comment on the following issues, among others:
- Applicability of a carrier’s duty to protect customer information under Section 222(a) to this type of data
- The definition of customer information that applies to common carriers under Section 222(h)(1)
- Whether factors such as who manufactured and who sold the device, the service provider’s role in selecting software to place on devices, and the manner in which the collected information is used are relevant to the analysis
Considering the California AG settlement mentioned above, recent FTC actions against companies that have misrepresented how they collect and use customer information, and now the FCC inquiring into the practice of common carriers, it appears that there will be far more scrutiny and regulation over mobile data collection moving forward.